From 99008b4aa32668a3dc321c83c9a8314cb5c38e32 Mon Sep 17 00:00:00 2001 From: continuist Date: Sun, 29 Jun 2025 13:35:57 -0400 Subject: [PATCH] Update registry cert generation process --- CI_CD_PIPELINE_SETUP_GUIDE.md | 164 ++++++++++++++++++++++------------ 1 file changed, 107 insertions(+), 57 deletions(-) diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 35c4b17..a8f1e98 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md 
@@ -465,19 +465,68 @@ sudo mkdir -p /etc/ssl/registry YOUR_ACTUAL_IP=$(curl -4 -s ifconfig.me) echo "Your IP address is: $YOUR_ACTUAL_IP" -# Generate self-signed certificate with actual IP in system directory -sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=$YOUR_ACTUAL_IP" +# Create OpenSSL configuration file with proper SANs +sudo tee /etc/ssl/registry/openssl.conf << EOF +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = US +ST = State +L = City +O = Organization +CN = $YOUR_ACTUAL_IP + +[v3_req] +keyUsage = keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names + +[alt_names] +IP.1 = $YOUR_ACTUAL_IP +DNS.1 = $YOUR_ACTUAL_IP +DNS.2 = localhost +EOF + +# Generate self-signed certificate with proper SANs +sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -extensions v3_req -config /etc/ssl/registry/openssl.conf # Set proper permissions sudo chmod 600 /etc/ssl/registry/registry.key sudo chmod 644 /etc/ssl/registry/registry.crt +sudo chmod 644 /etc/ssl/registry/openssl.conf ``` -**Important**: The certificate is now generated in the system SSL directory `/etc/ssl/registry/` with your actual CI/CD Linode IP address automatically. +**Important**: The certificate is now generated with proper Subject Alternative Names (SANs) including your IP address, which is required for TLS certificate validation by Docker and other clients. 
**Note**: The permissions are set to: - `registry.key`: `600` (owner read/write only) - private key must be secure - `registry.crt`: `644` (owner read/write, group/others read) - certificate can be read by services +- `openssl.conf`: `644` (owner read/write, group/others read) - configuration file for reference + +#### 5.1.1 Configure Docker to Trust Harbor Registry + +```bash +# Add the certificate to system CA certificates +sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt +sudo update-ca-certificates + +# Configure Docker to trust the Harbor registry +sudo mkdir -p /etc/docker +sudo tee /etc/docker/daemon.json << EOF +{ + "insecure-registries": ["YOUR_CI_CD_IP"], + "registry-mirrors": [] +} +EOF + +# Restart Docker to apply the new configuration +sudo systemctl restart docker +``` + +**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. This configuration tells Docker to trust your Harbor registry and allows Docker login to work properly. #### 5.2 Generate Secure Passwords and Secrets 
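Review bot: the new Step 5.1.1 installs registry.crt into the system CA store and then lists the same host under `"insecure-registries": ["YOUR_CI_CD_IP"]`, which tells Docker to skip TLS verification for that registry (and fall back to plain HTTP if HTTPS fails), so the SAN work done just above is never exercised by Docker. Drop the insecure-registries entry and rely on the CA install, or put the certificate under Docker's per-registry trust directory (`/etc/docker/certs.d/YOUR_CI_CD_IP/ca.crt`), which needs neither a daemon.json change nor a daemon restart; the sentence "This configuration tells Docker to trust your Harbor registry" should then be reworded, since what it currently configures is to not verify it. Two smaller points in the OpenSSL config: `keyUsage = keyEncipherment, dataEncipherment` omits `digitalSignature`, which is the bit an RSA server key actually uses for ECDHE and TLS 1.3 handshake signatures, and some TLS stacks reject a server certificate that lacks it, so use `keyUsage = digitalSignature, keyEncipherment` (dataEncipherment has no role in TLS); and `DNS.1 = $YOUR_ACTUAL_IP` puts an IP literal in a dNSName entry, which RFC 5280 does not allow, while `IP.1` already covers the address, so delete DNS.1. Also, `sudo tee /etc/docker/daemon.json` overwrites any existing daemon.json rather than merging into it; the Important note should say so.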
@@ -730,78 +779,79 @@ Your Harbor registry is now configured with the following access model: - ✅ **Role-based access control**: Different user roles (admin, developer, guest) - ✅ **Audit logs**: Complete trail of all operations -### Step 6: Configure Docker for Harbor Access +### Step 6: Test Harbor Setup -#### 6.1 Configure Docker for Harbor Access +#### 6.1 Verify Harbor Installation ```bash -# Copy the certificate to Docker's trusted certificates -sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt -sudo update-ca-certificates +# Check if all Harbor containers are running +cd /opt/APP_NAME/harbor +docker compose ps -# Configure Docker to trust Harbor registry -sudo tee /etc/docker/daemon.json << EOF -{ - "insecure-registries": ["YOUR_CI_CD_IP"], - "registry-mirrors": [] -} -EOF +# Test Harbor API (HTTPS) +curl -k https://localhost/api/v2.0/health + +# Test Harbor UI (HTTPS) +curl -k -I https://localhost + +# Expected output: HTTP/1.1 200 OK ``` -**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. +**Important**: All Harbor services should show as "Up" in the `docker compose ps` output. The health check should return a JSON response indicating all services are healthy. -#### 6.2 Restart Docker +#### 6.2 Test Docker Login ```bash +# Test Docker login to Harbor +docker login YOUR_CI_CD_IP +# Enter: ci-user and your-secure-password +``` + +**Expected output**: `Login Succeeded` message. + +**If you get certificate errors**: Make sure you've completed Step 5.1.1 (Configure Docker to Trust Harbor Registry) and restarted Docker. + +#### 6.3 Troubleshooting Common Issues + +**Certificate Issues**: +```bash +# If you get "tls: failed to verify certificate" errors: +# 1. Verify certificate has proper SANs +openssl x509 -in /etc/ssl/registry/registry.crt -text -noout | grep -A 5 "Subject Alternative Name" + +# 2. 
Regenerate certificate if SANs are missing +sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -extensions v3_req -config /etc/ssl/registry/openssl.conf + +# 3. Restart Harbor and Docker +cd /opt/APP_NAME/harbor && docker compose down && docker compose up -d sudo systemctl restart docker ``` -### Harbor Access Model - -Your Harbor registry is now configured with the following access model: - -#### **Public Read Access** -Anyone can pull images from the APP_NAME project without authentication: +**Connection Issues**: ```bash -# From any machine (public access to APP_NAME project) -docker pull YOUR_CI_CD_IP/APP_NAME/backend:latest -docker pull YOUR_CI_CD_IP/APP_NAME/frontend:latest +# If you get "connection refused" errors: +# 1. Check if Harbor is running +docker compose ps + +# 2. Check Harbor logs +docker compose logs + +# 3. Verify ports are open +netstat -tuln | grep -E ':(80|443)' ``` -#### **Authenticated Write Access** -Only authenticated users can push images: +**Docker Configuration Issues**: ```bash -# Login to Harbor first -docker login YOUR_CI_CD_IP -# Enter: ci-user and your-secure-password +# If Docker still can't connect after certificate fixes: +# 1. Verify Docker daemon configuration +cat /etc/docker/daemon.json -# Then push to Harbor -docker push YOUR_CI_CD_IP/APP_NAME/backend:latest -docker push YOUR_CI_CD_IP/APP_NAME/frontend:latest -``` +# 2. 
Check if certificate is in system CA store +ls -la /usr/local/share/ca-certificates/registry.crt -#### **Harbor Web UI Access** -Modern web interface for managing images: -``` -https://YOUR_CI_CD_IP -``` - -#### **Client Configuration** -For other machines to pull images from the APP_NAME project, they only need: -```bash -# Add to /etc/docker/daemon.json on client machines -{ - "insecure-registries": ["YOUR_CI_CD_IP"] -} -# No authentication needed for pulls from APP_NAME project -``` - -#### **CI/CD Pipeline Configuration** -For automated deployments, use the `ci-user` credentials: -```bash -# In CI/CD pipeline -echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin -docker push YOUR_CI_CD_IP/APP_NAME/backend:latest +# 3. Update CA certificates and restart Docker +sudo update-ca-certificates +sudo systemctl restart docker ``` ### Step 7: Set Up SSH for Production Communication
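Review bot: the "Regenerate certificate if SANs are missing" recipe in 6.3 replaces /etc/ssl/registry/registry.crt, but the copy installed into /usr/local/share/ca-certificates in Step 5.1.1 is not refreshed before the restarts in step 3, so Docker keeps trusting the old certificate and the "failed to verify certificate" error persists; add `sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt` followed by `sudo update-ca-certificates` between steps 2 and 3. The "Docker Configuration Issues" block further down has the same gap: it re-runs `update-ca-certificates` without first copying the new file. Related: the health checks in 6.1 use `curl -k`, which disables exactly the verification the rest of this step troubleshoots; since `localhost` is now in the SANs, `curl https://localhost/api/v2.0/health` should succeed against the system CA store once 5.1.1 has been done, and a failure there is a useful early signal rather than something to suppress. Minor: `netstat -tuln` requires net-tools, which many current images no longer ship; `ss -tuln` is the in-box equivalent. Documentation: the removed "CI/CD Pipeline Configuration" block was the guide's only non-interactive login example (`--password-stdin`), and the new 6.2 shows only an interactive `docker login`, so either keep a pipeline-oriented login snippet in this step or point to where that example now lives.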