OpenShift 4 - Accessing images in the Internal Registry with a CA certificate


OpenShift 4.x HOL tutorial index
Note: this article has been verified in an OpenShift 4.18 environment.


Unless the client trusts the CA that issued the serving certificate of the OpenShift internal registry, every command that reaches the registry has to switch TLS verification off ("--tls-verify=false" for podman and skopeo, "--insecure" for the "oc image" commands). Once that CA is installed in the client's trust store, the internal registry can be reached over properly verified TLS.

Preparing the environment

  1. Install the tools.
$ yum install -y podman skopeo java-1.8.0-openjdk openssl
  2. Expose the OpenShift internal registry through a Route.
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
$ REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
  3. Inspect the openshift/nodejs image in OpenShift. Note: here the user's OAuth token is passed directly as the credential for the internal registry; the user name is not checked (it is "-" below), the token is what authenticates. Without "--tls-verify=false" the command fails with "failed to verify certificate: x509: certificate signed by unknown authority", because the route's certificate is issued by the cluster's own ingress CA, which the client does not trust yet.
$ TOKEN=$(oc whoami -t)
$ skopeo inspect --creds="-:${TOKEN}" --tls-verify=false docker://${REGISTRY}/openshift/nodejs
{
    "Name": "default-route-openshift-image-registry.apps.cluster-beijing-f5b3.beijing-f5b3.sandbox1120.opentlc.com/openshift/nodejs",
    "Digest": "sha256:b77bb2f8d35ae3f30998135387c73a3943222dd0948ef9be3eb87207b3fba99a",
    "RepoTags": [
        "12",
        "latest",
        "10"
    ],
    "Created": "2020-07-22T06:35:50.433115Z",
    "DockerVersion": "1.13.1",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2020-07-22T06:34:32.929721",
        "com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "rh-nodejs12-container",
        "com.redhat.deployments-dir": "/opt/app-root/src",
        "com.redhat.dev-mode": "DEV_MODE:false",
        "com.redhat.dev-mode.port": "DEBUG_PORT:5858",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...

Obtaining the CA certificate for accessing the Internal Registry

Method 1

  1. As the root user of the operating system, run the following command to save the certificate chain that the registry route presents. Every certificate in the chain is written to openshift-ca.crt, including the issuing CA shown at depth=1 (CN = ingress-operator@...); that CA is what has to be trusted, not the route's own server certificate. Note: because the chain ends in the cluster's self-signed ingress CA, openssl prints a verify error, which can be ignored here.
$ openssl s_client -showcerts -connect ${REGISTRY}:443 < /dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > openshift-ca.crt
depth=1 CN = ingress-operator@1620998392
verify error:num=19:self signed certificate in certificate chain
DONE
  2. Look at the certificates obtained. Note: openssl x509 decodes only the first certificate in the file (the route's server certificate); the CA's CN appears in its "Issuer" field.
$ cat openshift-ca.crt
$ openssl x509 -noout -text -in openshift-ca.crt
  3. Copy the file into podman's per-registry certificate directory. Note: podman and skopeo read CA certificates for a registry from the *.crt files under /etc/containers/certs.d/<host[:port]>, and the directory name has to match the host name used in the image reference.
$ mkdir -p /etc/containers/certs.d/${REGISTRY}
$ cp openshift-ca.crt /etc/containers/certs.d/${REGISTRY}/

Method 2

  1. Read the CA bundle straight out of a pod. Every pod is given /run/secrets/kubernetes.io/serviceaccount/ca.crt, a bundle that on OpenShift contains the default ingress CA alongside the API server CAs, which is why it also verifies the registry route; any pod would do, the oauth-openshift pod is just a convenient one.
$ POD=$(oc get pod -n openshift-authentication | grep oauth-openshift | head -n 1 | cut -d " " -f 1)
$ oc exec $POD -n openshift-authentication -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > openshift_ca.crt
  2. Copy the certificate into the system's default CA directory. Note: after adding a file there, run update-ca-trust so the system bundle is regenerated; podman and skopeo use the system trust store too, so no entry under /etc/containers/certs.d is needed in this case.
$ cp openshift_ca.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust extract

Method 3

  1. Use keytool to fetch the certificate chain from the internal registry. "-rfc" writes the whole chain in PEM form, so the issuing CA is included, and the file is installed into the system trust store as in Method 2.
$ keytool -printcert -sslserver $REGISTRY -rfc > /etc/pki/ca-trust/source/anchors/openshift_ca.crt
$ update-ca-trust
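All three methods leave one thing implicit: what the fetched bundle actually contains, whether it holds the cluster's self-signed CA (subject equal to issuer) rather than only the route's server certificate, and whether that server certificate really chains to it. The POSIX shell helpers below, added here as an example and not part of the original article, make those checks explicit, and install_registry_ca wires them into Method 1. The function names are invented for this example; only openssl and a POSIX sh are required, and the paths used are the ones from the article.

```shell
# Added example, not from the original article: inspect a PEM bundle produced by
# "openssl s_client -showcerts", "keytool -printcert -rfc" or a pod's
# service-account ca.crt, keep only the self-signed CA certificate(s), and prove
# the server certificate chains to that CA before anything is installed.
# Assumes: openssl in PATH, POSIX sh. Function names are this example's own.

# Write each certificate of the PEM bundle $1 to $2/cert-N.pem; print the count.
split_pem_chain() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$bundle"
}

# Print "subject / issuer" for every certificate in the bundle, so you can see
# which CA(s) a file such as the service-account ca.crt really contains.
list_bundle_subjects() {
    local tmp n i
    tmp=$(mktemp -d)
    n=$(split_pem_chain "$1" "$tmp")
    i=1
    while [ "$i" -le "$n" ]; do
        printf '%s / %s\n' \
            "$(openssl x509 -noout -subject -in "$tmp/cert-$i.pem")" \
            "$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem")"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Copy the self-signed certificate(s) of bundle $1 (subject == issuer, which is
# how the cluster's own "ingress-operator@..." CA presents itself) to file $2.
# Returns 1 when the bundle has no self-signed certificate, e.g. when the route
# uses a certificate from an external CA whose root is not sent on the wire.
extract_self_signed() {
    local tmp n i subj iss found
    tmp=$(mktemp -d)
    n=$(split_pem_chain "$1" "$tmp")
    found=0
    : > "$2"
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(openssl x509 -noout -subject -in "$tmp/cert-$i.pem")
        iss=$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem")
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            cat "$tmp/cert-$i.pem" >> "$2"
            found=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$found" -eq 1 ]
}

# Check that the first certificate of bundle $1 (the server certificate, as the
# router sends it) verifies against CA file $2; the rest of the bundle is only
# offered as untrusted intermediates. Returns openssl verify's result.
verify_leaf_against_ca() {
    local tmp rc
    tmp=$(mktemp -d)
    split_pem_chain "$1" "$tmp" > /dev/null
    if openssl verify -CAfile "$2" -untrusted "$1" "$tmp/cert-1.pem" > /dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Method 1 end to end, run as root on the client: fetch the chain the route
# serves, keep only the CA, verify it, then install it where podman/skopeo look.
install_registry_ca() {
    local registry="$1" chain ca
    chain=$(mktemp); ca=$(mktemp)
    openssl s_client -showcerts -connect "${registry}:443" < /dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$chain"
    extract_self_signed "$chain" "$ca" \
        || { echo "no self-signed CA in the chain served by $registry" >&2; return 1; }
    verify_leaf_against_ca "$chain" "$ca" \
        || { echo "server certificate does not chain to the extracted CA" >&2; return 1; }
    mkdir -p "/etc/containers/certs.d/${registry}"
    cp "$ca" "/etc/containers/certs.d/${registry}/openshift-ca.crt"
    rm -f "$chain" "$ca"
}
```

Run list_bundle_subjects on the file produced by any of the three methods; for the service-account ca.crt of Method 2 it shows several API server CAs next to the ingress CA, and for the s_client or keytool output it shows the server certificate first and the CA last. If extract_self_signed finds nothing, the route is using a certificate whose root is not sent on the wire; that root then has to come from the CA's own distribution (or is already in the system trust store), and pinning the server certificate instead is the wrong fix because it breaks on the next rotation.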

Verifying access to the Internal Registry with the CA certificate

  1. Log in to the internal registry first, then inspect the openshift/nodejs image. Note: unlike before, authentication is now done through login (the credential is stored in the local auth file), and "--tls-verify=false" is no longer needed because the route's CA is trusted.
$ skopeo login -u $(oc whoami) -p $(oc whoami -t) ${REGISTRY}
$ skopeo inspect docker://${REGISTRY}/openshift/nodejs
{
    "Name": "default-route-openshift-image-registry.apps.cluster-beijing-f5b3.beijing-f5b3.sandbox1120.opentlc.com/openshift/nodejs",
    "Digest": "sha256:b77bb2f8d35ae3f30998135387c73a3943222dd0948ef9be3eb87207b3fba99a",
    "RepoTags": [
        "12",
        "latest",
        "10"
    ],
    "Created": "2020-07-22T06:35:50.433115Z",
    "DockerVersion": "1.13.1",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2020-07-22T06:34:32.929721",
        "com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "rh-nodejs12-container",
        "com.redhat.deployments-dir": "/opt/app-root/src",
        "com.redhat.dev-mode": "DEV_MODE:false",
        "com.redhat.dev-mode.port": "DEBUG_PORT:5858",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...
  2. In addition, skopeo inspect accepts "--cert-dir" to point at a directory holding the CA certificate to use, for cases where the certificate has been installed neither system-wide nor under /etc/containers/certs.d.
