Update registry cert generation process

2025-06-29 13:35:57 -04:00 · 2025-06-29 13:35:57 -04:00 · 99008b4aa3
commit 99008b4aa3
parent e32e0bcfdd
1 changed files with 107 additions and 57 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -465,19 +465,68 @@ sudo mkdir -p /etc/ssl/registry
 YOUR_ACTUAL_IP=$(curl -4 -s ifconfig.me)
 echo "Your IP address is: $YOUR_ACTUAL_IP"
-# Generate self-signed certificate with actual IP in system directory
+# Create OpenSSL configuration file with proper SANs
-sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=$YOUR_ACTUAL_IP"
+sudo tee /etc/ssl/registry/openssl.conf << EOF
 [req]
 distinguished_name = req_distinguished_name
 req_extensions = v3_req
 prompt = no
 [req_distinguished_name]
 C = US
 ST = State
 L = City
 O = Organization
 CN = $YOUR_ACTUAL_IP
 [v3_req]
 keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 IP.1 = $YOUR_ACTUAL_IP
 DNS.1 = $YOUR_ACTUAL_IP
 DNS.2 = localhost
 EOF
 # Generate self-signed certificate with proper SANs
 sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -extensions v3_req -config /etc/ssl/registry/openssl.conf
 # Set proper permissions
 sudo chmod 600 /etc/ssl/registry/registry.key
 sudo chmod 644 /etc/ssl/registry/registry.crt
 sudo chmod 644 /etc/ssl/registry/openssl.conf
 ```
-**Important**: The certificate is now generated in the system SSL directory `/etc/ssl/registry/` with your actual CI/CD Linode IP address automatically.
+**Important**: The certificate is now generated with proper Subject Alternative Names (SANs) including your IP address, which is required for TLS certificate validation by Docker and other clients.
 **Note**: The permissions are set to:
 - `registry.key`: `600` (owner read/write only) - private key must be secure
 - `registry.crt`: `644` (owner read/write, group/others read) - certificate can be read by services
 - `openssl.conf`: `644` (owner read/write, group/others read) - configuration file for reference
 #### 5.1.1 Configure Docker to Trust Harbor Registry
 ```bash
 # Add the certificate to system CA certificates
 sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt
 sudo update-ca-certificates
 # Configure Docker to trust the Harbor registry
 sudo mkdir -p /etc/docker
 sudo tee /etc/docker/daemon.json << EOF
 {
  "insecure-registries": ["YOUR_CI_CD_IP"],
  "registry-mirrors": []
 }
 EOF
 # Restart Docker to apply the new configuration
 sudo systemctl restart docker
 ```
 **Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. This configuration tells Docker to trust your Harbor registry and allows Docker login to work properly.
 #### 5.2 Generate Secure Passwords and Secrets
@ -730,78 +779,79 @@ Your Harbor registry is now configured with the following access model:
 - ✅ **Role-based access control**: Different user roles (admin, developer, guest)
 - ✅ **Audit logs**: Complete trail of all operations
-### Step 6: Configure Docker for Harbor Access
+### Step 6: Test Harbor Setup
-#### 6.1 Configure Docker for Harbor Access
+#### 6.1 Verify Harbor Installation
 ```bash
-# Copy the certificate to Docker's trusted certificates
+# Check if all Harbor containers are running
-sudo cp /etc/ssl/registry/registry.crt /usr/local/share/ca-certificates/registry.crt
+cd /opt/APP_NAME/harbor
-sudo update-ca-certificates
+docker compose ps
-# Configure Docker to trust Harbor registry
+# Test Harbor API (HTTPS)
-sudo tee /etc/docker/daemon.json << EOF
+curl -k https://localhost/api/v2.0/health
-{
+
-  "insecure-registries": ["YOUR_CI_CD_IP"],
+# Test Harbor UI (HTTPS)
-  "registry-mirrors": []
+curl -k -I https://localhost
-}
+
-EOF
+# Expected output: HTTP/1.1 200 OK
 ```
-**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address.
+**Important**: All Harbor services should show as "Up" in the `docker compose ps` output. The health check should return a JSON response indicating all services are healthy.
-#### 6.2 Restart Docker
+#### 6.2 Test Docker Login
 ```bash
 # Test Docker login to Harbor
 docker login YOUR_CI_CD_IP
 # Enter: ci-user and your-secure-password
 ```
 **Expected output**: `Login Succeeded` message.
 **If you get certificate errors**: Make sure you've completed Step 5.1.1 (Configure Docker to Trust Harbor Registry) and restarted Docker.
 #### 6.3 Troubleshooting Common Issues
 **Certificate Issues**:
 ```bash
 # If you get "tls: failed to verify certificate" errors:
 # 1. Verify certificate has proper SANs
 openssl x509 -in /etc/ssl/registry/registry.crt -text -noout | grep -A 5 "Subject Alternative Name"
 # 2. Regenerate certificate if SANs are missing
 sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/registry/registry.key -out /etc/ssl/registry/registry.crt -days 365 -nodes -extensions v3_req -config /etc/ssl/registry/openssl.conf
 # 3. Restart Harbor and Docker
 cd /opt/APP_NAME/harbor && docker compose down && docker compose up -d
 sudo systemctl restart docker
 ```
-### Harbor Access Model
+**Connection Issues**:
 Your Harbor registry is now configured with the following access model:
 #### **Public Read Access**
 Anyone can pull images from the APP_NAME project without authentication:
 ```bash
-# From any machine (public access to APP_NAME project)
+# If you get "connection refused" errors:
-docker pull YOUR_CI_CD_IP/APP_NAME/backend:latest
+# 1. Check if Harbor is running
-docker pull YOUR_CI_CD_IP/APP_NAME/frontend:latest
+docker compose ps
 # 2. Check Harbor logs
 docker compose logs
 # 3. Verify ports are open
 netstat -tuln | grep -E ':(80|443)'
 ```
-#### **Authenticated Write Access**
+**Docker Configuration Issues**:
 Only authenticated users can push images:
 ```bash
-# Login to Harbor first
+# If Docker still can't connect after certificate fixes:
-docker login YOUR_CI_CD_IP
+# 1. Verify Docker daemon configuration
-# Enter: ci-user and your-secure-password
+cat /etc/docker/daemon.json
-# Then push to Harbor
+# 2. Check if certificate is in system CA store
-docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
+ls -la /usr/local/share/ca-certificates/registry.crt
 docker push YOUR_CI_CD_IP/APP_NAME/frontend:latest
 ```
-#### **Harbor Web UI Access**
+# 3. Update CA certificates and restart Docker
-Modern web interface for managing images:
+sudo update-ca-certificates
-```
+sudo systemctl restart docker
 https://YOUR_CI_CD_IP
 ```
 #### **Client Configuration**
 For other machines to pull images from the APP_NAME project, they only need:
 ```bash
 # Add to /etc/docker/daemon.json on client machines
 {
  "insecure-registries": ["YOUR_CI_CD_IP"]
 }
 # No authentication needed for pulls from APP_NAME project
 ```
 #### **CI/CD Pipeline Configuration**
 For automated deployments, use the `ci-user` credentials:
 ```bash
 # In CI/CD pipeline
 echo "ci-user:your-secure-password" | docker login YOUR_CI_CD_IP --username ci-user --password-stdin
 docker push YOUR_CI_CD_IP/APP_NAME/backend:latest
 ```
 ### Step 7: Set Up SSH for Production Communication