I ended up going all out for my local container registry. I don't recommend it. This definitely falls into the "I'll see what it takes in case I need to do it at work" category. What "all out" meant for me in this instance was standing up a local Certificate Authority and then adding the CA to each of the nodes in the Docker swarm, all so that I could pull images from the internet and then push them to my local registry. That is another terrible idea, since you can set an image to auto-update or pull every time you start it. With a local registry you do not get updates without pulling them yourself, and you had better know how to tag your local pushes.
I also did not want to use LetsEncrypt when I did this. The idea was that I might have to set this up in a sandbox with absolutely no network communication outside of a rack and a handful of dev consoles. A few of the best practices were thrown to the wind, considering what kind of environment I was designing. In the end, both RedHat and VMware came to the rescue with ready-to-deploy container infrastructure that comes with self-signed certificates. So, this will be rather short, with a heavy reliance on documentation from other sources.
Aggregate 1
Build a CA
This guy covers multiple methods and tends to analyze situations fairly well. As soon as he pointed out that he didn't need a full PKI implementation, I dug around and found what I needed. Some of the info on these things reads like building a Kerberos realm from scratch. You'll also need to review how to create a certificate in that documentation after you read the requirements and instructions on how to add it to the registry container.
Aggregate 2
Certificate on a Registry
This documentation holds the information on what is required and how the files should be named. My lesson learned on that: I somehow ended up with a folder full of cert files after an attempt to put SSL on some old VMware product (vCenter 5?). The documentation was fixed in a later version, but the naming convention of the certificates wasn't really optional for that build. Be warned, sometimes you need to follow instructions to the letter.
The final piece of the lab was adding the CA to the nodes as a trusted source. This ended up being simple enough; it just sucked as far as moving things around in a small lab goes. I don't have anything like Puppet or Ansible set up, so I had to SSH into every system like some kind of savage.
Aggregate 3
Adding trusted CA
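The three steps above (build a CA, issue the registry certificate, trust the CA on each node) as one added example, not code from the post or from the linked documentation. It assumes a lab host name and port of your own (placeholders here), and a dry-run root directory so the docker trust path can be exercised without touching a real node.

```shell
#!/bin/sh
# Placeholders: registry host/port are assumed lab values, not from the post.
set -eu

# Write a self-signed root CA (key + cert) into DIR.
make_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Lab Registry CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a server cert for HOST signed by the CA in DIR. The SAN is what docker checks.
make_registry_cert() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/registry.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/leaf.ext" -out "$dir/registry.crt" 2>/dev/null
}

# Confirm the leaf chains to the CA and carries the expected SAN; non-zero exit otherwise.
verify_registry_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/registry.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/registry.crt" -noout -text | grep -q "DNS:$host"
}

# Place the CA where dockerd looks for per-registry trust: /etc/docker/certs.d/HOST:PORT/ca.crt
# ROOT is "/" on a real node; point it at a scratch directory for a dry run.
install_docker_trust() {
  dir=$1; root=$2; host=$3; port=$4
  dest="$root/etc/docker/certs.d/$host:$port"
  mkdir -p "$dest" && cp "$dir/ca.crt" "$dest/ca.crt" && echo "$dest/ca.crt"
}
```

The registry container then gets registry.crt and registry.key via its REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY settings, and every swarm node needs the install step run against ROOT=/ before a push or pull will trust it.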
I don't recommend this exercise, and I think it is a waste of time for anyone with high-speed internet access. It is considerably easier and potentially safer to just use the save and export commands if you don't want to push to an existing registry. For others that are building out a sandboxed lab, consider pre-packaged options.