diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index a5f2aba..03deab4 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -714,29 +714,25 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/registry/config.yml sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/config.yml ``` -#### 5.4 Generate TLS Certificate +#### 5.4 Generate TLS Certificate and Install in Docker Trust Store **Choose one of the following options based on whether you have a domain name:** -### **Option A: Self-Signed Certificate (No Domain Required)** +--- -This option works with IP addresses and is suitable for development/testing environments. +#### **Option A: Self-Signed Certificate (No Domain Required)** + +**Perform all of these steps if you do NOT have a domain name:** ```bash -# Create certificate directory +# 1. Generate self-signed certificate sudo mkdir -p /opt/registry/certs sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs cd /opt/registry/certs - -# Generate private key (4096-bit RSA) sudo -u CI_SERVICE_USER openssl genrsa -out registry.key 4096 - -# Generate certificate signing request sudo -u CI_SERVICE_USER openssl req -new -key registry.key \ -out registry.csr \ -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=YOUR_ACTUAL_IP_ADDRESS" - -# Create certificate configuration for Subject Alternative Names (SAN) sudo -u CI_SERVICE_USER tee registry.conf > /dev/null << EOF [req] distinguished_name = req_distinguished_name 
@@ -762,72 +758,66 @@ DNS.2 = localhost IP.1 = YOUR_ACTUAL_IP_ADDRESS IP.2 = 127.0.0.1 EOF - -# Generate self-signed certificate (valid for 365 days) sudo -u CI_SERVICE_USER openssl x509 -req -in registry.csr \ -signkey registry.key \ -out registry.crt \ -days 365 \ -extensions v3_req \ -extfile registry.conf - -# Set proper permissions sudo chmod 600 registry.key sudo chmod 644 registry.crt - -# Verify certificate sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout -echo "Self-signed TLS certificate generated successfully!" -echo "Certificate: /opt/registry/certs/registry.crt" -echo "Private key: /opt/registry/certs/registry.key" -echo "Note: This certificate will need to be renewed manually in 365 days" +# 2. Install certificate into Docker trust store +sudo mkdir -p /etc/docker/certs.d/registry +sudo cp /opt/registry/certs/registry.crt /etc/docker/certs.d/registry/ca.crt +sudo cp /opt/registry/certs/registry.crt /usr/local/share/ca-certificates/registry-ca.crt +sudo update-ca-certificates +sudo systemctl restart docker ``` -### **Option B: Let's Encrypt Certificate (Domain Required)** +--- -If you have a domain name pointing to your server, use this option for production-ready certificates. +#### **Option B: Let's Encrypt Certificate (Domain Required)** + +**Perform all of these steps if you DO have a domain name:** ```bash -# Install Certbot and Nginx plugin +# 1. 
Generate Let's Encrypt certificate sudo apt update sudo apt install -y certbot python3-certbot-nginx - -# Generate certificate using standalone mode sudo certbot certonly --standalone \ --email your-email@example.com \ --agree-tos \ --no-eff-email \ -d YOUR_DOMAIN_NAME - -# Verify certificate generation sudo certbot certificates - -# Create certificate directory for Caddy sudo mkdir -p /opt/registry/certs sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs - -# Copy Let's Encrypt certificates to registry directory sudo cp /etc/letsencrypt/live/YOUR_DOMAIN_NAME/fullchain.pem /opt/registry/certs/registry.crt sudo cp /etc/letsencrypt/live/YOUR_DOMAIN_NAME/privkey.pem /opt/registry/certs/registry.key - -# Set proper permissions sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs/registry.crt sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/registry/certs/registry.key sudo chmod 644 /opt/registry/certs/registry.crt sudo chmod 600 /opt/registry/certs/registry.key -echo "Let's Encrypt certificate generated successfully!" -echo "Certificate: /opt/registry/certs/registry.crt" -echo "Private key: /opt/registry/certs/registry.key" -echo "Certificate will auto-renew every 60 days" +# 2. Install certificate into Docker trust store +sudo mkdir -p /etc/docker/certs.d/YOUR_DOMAIN_NAME +sudo cp /opt/registry/certs/registry.crt /etc/docker/certs.d/YOUR_DOMAIN_NAME/ca.crt +sudo systemctl restart docker ``` -**Note**: -- For **Option A**: Replace `YOUR_ACTUAL_IP_ADDRESS` with your server's IP address -- For **Option B**: Replace `YOUR_DOMAIN_NAME` with your domain name and `your-email@example.com` with your email address +--- -#### 5.5 Install Certificate into Docker Trust Store +**Note:** +- For **Option A**: Replace `YOUR_ACTUAL_IP_ADDRESS` with your server's IP address. +- For **Option B**: Replace `YOUR_DOMAIN_NAME` with your domain name and `your-email@example.com` with your email address. 
+ +--- + +**After completing the steps for your chosen option, continue with Step 5.7 (Start Docker Registry with Docker Compose).** + +#### 5.5 Install Certificate into Docker Trust Store (Option B Only) **Important**: This step adds the Let's Encrypt certificate to Docker's trust store. Since Let's Encrypt is a trusted CA, Docker will automatically trust this certificate. @@ -853,7 +843,7 @@ echo "Certificate installation completed successfully!" echo "Docker can now connect to the registry securely using your domain name" ``` -#### 5.6 Set Up Automatic Certificate Renewal +#### 5.6 Set Up Automatic Certificate Renewal (Option B Only) **Important**: Let's Encrypt certificates expire after 90 days, so we need to set up automatic renewal.
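Review bot: In the first hunk (@@ -714), the Option A block drops the per-step comments (`# Generate private key (4096-bit RSA)`, `# Generate certificate signing request`, `# Create certificate configuration for Subject Alternative Names (SAN)`) in favour of a single `# 1. Generate self-signed certificate`, which leaves the reader with no explanation of why `registry.conf` exists or why the `-subj` CN alone is not enough. The SAN comment in particular is worth keeping, since the `IP.1 = YOUR_ACTUAL_IP_ADDRESS` entry is what makes an IP-addressed registry verifiable by TLS clients; suggest restoring at least that comment above the `tee registry.conf` line.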
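Review bot: In the second hunk (@@ -762), Option A step 2 installs the certificate at `/etc/docker/certs.d/registry/ca.crt`, but Docker selects the `certs.d` directory by the host[:port] used in the image reference, and in Option A the registry is addressed by `YOUR_ACTUAL_IP_ADDRESS` (the CN and `IP.1` SAN in the same hunk), so a directory literally named `registry` will never be consulted and pushes will still fail TLS verification. Suggest mirroring the Option B layout: `sudo mkdir -p /etc/docker/certs.d/YOUR_ACTUAL_IP_ADDRESS:PORT` and `sudo cp /opt/registry/certs/registry.crt /etc/docker/certs.d/YOUR_ACTUAL_IP_ADDRESS:PORT/ca.crt`, with PORT being the port the registry listens on (omit it only when serving on 443). Separately, the added `cp ... /usr/local/share/ca-certificates/registry-ca.crt` and `update-ca-certificates` lines make every TLS client on the host trust this self-signed key, which is broader than the per-registry scope `certs.d` already provides; either document that system-wide trust is intended (e.g. for curl or other tooling) or drop those two lines. Finally, the removed `echo "Note: This certificate will need to be renewed manually in 365 days"` was the only renewal guidance for Option A; with 5.6 now marked Option B only, that note should survive somewhere in the Option A text.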
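Review bot: In the third hunk (@@ -853), renaming 5.6 to "Set Up Automatic Certificate Renewal (Option B Only)" conflicts with the instruction added in the previous hunk, "After completing the steps for your chosen option, continue with Step 5.7", which sends Option B readers past both 5.5 and 5.6; since the section itself states that Let's Encrypt certificates expire after 90 days, skipping 5.6 leaves Option B registries with a certificate that silently stops validating. Suggest changing the new instruction to "Option A: continue with Step 5.7; Option B: continue with Step 5.6" and, because Option B step 2 in the previous hunk already performs the `certs.d` install that 5.5 describes, either removing 5.5 or reducing it to a reference to that step so the trust-store install is not documented twice.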