Setting up a Private Registry for HPSB

  1. To create a CA / self-signed certificate, provide the container IP as the subject alternative name (SAN). Clients verify the IP they connect to against the SAN, not the CN, so it must be the address the registry is reached at.

     openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -addext "subjectAltName = IP:150.240.76.1" -x509 -days 365 -out certs/domain.crt
    

    The following message appears:

    "You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN."

    "There are quite a few fields but you can leave some blank. For some fields, there will be a default value, however, if you enter '.', the field will be left blank."

  2. Enter the required details to incorporate in your certificate.

    "Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name (for example, server FQDN or your name), and Email Address"

  3. Convert the certificate to base64 as a single line, which is the form the workload file expects. The -i flag is the macOS input flag; on GNU/Linux, base64 -w 0 certs/domain.crt produces the same unwrapped output.

    base64 -i certs/domain.crt | tr -d '\n'
    
  4. To create an auth token (an htpasswd file), use the Docker httpd image. Its htpasswd tool writes a bcrypt entry (-B), which is the only hash type registry:2 accepts. The auth directory must exist before you run the command.

    docker run --entrypoint htpasswd httpd:2 -Bbn testuser testpassword > auth/htpasswd
    
  5. Create the registry using the token (the htpasswd file) and the TLS certificate and key from step 1.

    docker run -d \
       -p 5000:5000 \
       --restart=always \
       --name registry \
       -v "$(pwd)"/auth:/auth \
       -e "REGISTRY_AUTH=htpasswd" \
       -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
       -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
       -v "$(pwd)"/certs:/certs \
       -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
       -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
       registry:2
    

    Note: Once the registry is up and running, you can push the image. Confirm that the container is Up with docker ps:

    docker ps
    
    CONTAINER ID   IMAGE        COMMAND                  CREATED         STATUS         PORTS                    NAMES
    8cdf3075bd9f   registry:2   "/entrypoint.sh /etc…"   7 seconds ago   Up 6 seconds   0.0.0.0:5000->5000/tcp   registry
    
  6. Push the SBS image into the registry.

    a. Log in to the registry using the username and password (the registry serves TLS, so no http:// scheme is needed).

    docker login -u testuser localhost:5000
    

    b. Tag the image with the registry host and port as the prefix:

    docker tag secure-docker-build:1.3.0.16 localhost:5000/secure-docker-build:1.3.0.16
    

    c. Docker push:

    docker push localhost:5000/secure-docker-build:1.3.0.16
    
  7. View the pushed docker images.

    docker images
    REPOSITORY                           TAG        IMAGE ID       CREATED        SIZE
    httpd                                2          8c47575322dd   7 days ago     162MB
    localhost:5000/secure-docker-build   1.3.0.16   c628c5f2f96a   13 days ago    2.66GB
    registry                             2          4082b3ffee44   2 weeks ago    26.1MB
    
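    Steps 1 to 6 above as one non-interactive script, added here as an example and not part of the HPSB documentation. It keeps the page's commands and adds the checks a practitioner wants before handing the registry to HPSB: the certificate's SAN really carries the IP, the htpasswd entry is bcrypt (the only hash registry:2 accepts), and the running registry refuses anonymous requests while accepting the credentials over TLS validated against the generated certificate rather than with curl -k. The REGISTRY_IP, REGISTRY_USER, REGISTRY_PASS and IMAGE variables, the RUN_REGISTRY_SETUP switch and the function names are the script's own assumptions; the defaults are the page's values.

```shell
#!/usr/bin/env bash
# Added example, not from the HPSB documentation: steps 1 to 6 as one
# non-interactive script with checks. REGISTRY_IP, REGISTRY_USER,
# REGISTRY_PASS, IMAGE and the function names are this script's own
# assumptions; the defaults are the values used on the page.
set -eu

REGISTRY_IP="${REGISTRY_IP:-150.240.76.1}"
REGISTRY_USER="${REGISTRY_USER:-testuser}"
REGISTRY_PASS="${REGISTRY_PASS:-testpassword}"
IMAGE="${IMAGE:-secure-docker-build:1.3.0.16}"

# Encode a file as one base64 line; the workload file needs no line breaks.
# Portable across GNU and BSD base64, which wrap differently by default.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# registry:2 accepts only bcrypt entries in the htpasswd file. An entry made
# without -B (apr1/MD5 or SHA) is rejected and every login fails with 401.
htpasswd_line_is_bcrypt() {
    case "$1" in
        *':$2y$'*|*':$2a$'*|*':$2b$'*) return 0 ;;
        *) return 1 ;;
    esac
}

make_cert() {
    mkdir -p certs auth
    # Step 1 without prompts: -subj supplies the DN, the SAN carries the IP.
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
        -subj "/CN=$REGISTRY_IP" -addext "subjectAltName = IP:$REGISTRY_IP" \
        -x509 -days 365 -out certs/domain.crt 2>/dev/null
    # Check: clients validate the IP against the SAN, not the CN.
    openssl x509 -in certs/domain.crt -noout -ext subjectAltName \
        | grep -q "IP Address:$REGISTRY_IP"
}

make_htpasswd() {
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn \
        "$REGISTRY_USER" "$REGISTRY_PASS" > auth/htpasswd
    htpasswd_line_is_bcrypt "$(cat auth/htpasswd)"
}

start_registry() {
    docker run -d -p 5000:5000 --restart=always --name registry \
        -v "$(pwd)"/auth:/auth \
        -e REGISTRY_AUTH=htpasswd \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -v "$(pwd)"/certs:/certs \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        registry:2 > /dev/null
}

# Check: anonymous access is refused (401) and the credentials work (200),
# over TLS validated against our own certificate rather than with curl -k.
verify_registry() {
    sleep 3
    url="https://$REGISTRY_IP:5000/v2/"
    anon=$(curl -s -o /dev/null -w '%{http_code}' --cacert certs/domain.crt "$url")
    auth=$(curl -s -o /dev/null -w '%{http_code}' --cacert certs/domain.crt \
        -u "$REGISTRY_USER:$REGISTRY_PASS" "$url")
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# Step 6: log in with the password on stdin (keeps it out of the process
# list), tag with the registry host:port prefix and push.
push_image() {
    printf '%s' "$REGISTRY_PASS" | docker login -u "$REGISTRY_USER" --password-stdin localhost:5000
    docker tag "$IMAGE" "localhost:5000/$IMAGE"
    docker push "localhost:5000/$IMAGE"
}

main() {
    make_cert
    make_htpasswd
    start_registry
    verify_registry
    push_image
    echo "cacerts certificate value for the workload file:"
    b64_oneline certs/domain.crt; echo
}

# Run only when explicitly requested, so the functions can also be sourced.
if [ "${RUN_REGISTRY_SETUP:-0}" = 1 ]; then main; fi
```

    Run it as RUN_REGISTRY_SETUP=1 ./setup-registry.sh from the directory that should hold certs/ and auth/; without the variable it only defines the functions. The -subj and -addext options need OpenSSL 1.1.1 or later, and the push goes to localhost:5000 exactly as on the page, which Docker treats as a loopback registry.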

    Here is a sample workload file that points HPSB at the private registry (secret values are redacted with asterisks):

    workload: hyper-protect-basic.boTK7KMH3mGmcoKoCNwBV8moGoOD82r58lL**************ITmFvmO1uBGX0=
    env: |
      type: env
      logging:
        logDNA:
          hostname: syslog-a.us-south.logging.cloud.ibm.com
          ingestionKey: ab00e3********a83413
          port: 6514
      cacerts:
        - certificate: "<single-line base64 CA certificate from the base64 conversion step>"
      volumes:
        hpsb:
          seed: "testing"
      auths:
        # The key is either docker.io (with your Docker Hub username and password)
        # or, for a registry reached by container IP, the IP with the port value.
        "150.238.70.28:5000":
          password: testpassword
          username: testuser
      env:
        CLIENT_CRT: "LS0tLS1C0FUR*********S0tLS0tCg=="
        CLIENT_CA: "LS0tLS1CRNFUlR***********JRklDQVRFLS0tLS0K"
        SERVER_CRT: "LS0tLS1Ca0Z5Ylh*************EREFLQmdOVkJBb0FURS0tLS0tCg=="
        SERVER_KEY: "LS0tLS1CRUdJTiBQR***********1AgR1AgTUVTU0FHRS0tLS0tCg=="
        # Either docker.io/<name>/<imagename> or the container IP (with port) and the image name.
        registry: "150.238.70.28:5000/secure-docker-build"