Adding a secure local registry
Signed-off-by: ytimocin <[email protected]>
ytimocin committed Jul 18, 2024
1 parent d5437ee commit 1f29568
Showing 9 changed files with 248 additions and 85 deletions.
94 changes: 94 additions & 0 deletions .github/actions/create-local-registry/insecure/action.yaml
@@ -0,0 +1,94 @@
name: "Create a secure local registry"
description: |
This action creates a local registry for the images to be pushed to.
It uses the `docker` CLI to create a registry container and then starts it.
The registry is then available at `localhost:5000` by default.
inputs:
registry-name:
description: "The name of the local registry"
required: true
default: "radius-registry"
registry-server:
description: "The server name for the local registry"
required: true
default: "localhost"
registry-port:
description: "The port for the local registry"
required: true
default: "5000"
runs:
using: "composite"
steps:
- name: Create certificates for local registry
shell: bash
run: |
create_openssl_cfg() {
CFG=$(
cat <<'EOF'
[req]
distinguished_name = subject
x509_extensions = x509_ext
prompt = no
[subject]
CN = localhost
[x509_ext]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
nsComment = "OpenSSL Generated Certificate"
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${{ inputs.registry-name }}
DNS.2 = ${{ inputs.registry-server }}
EOF
)
echo "$CFG"
}
# Create a temporary directory to store the certificates
temp_cert_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'temp_cert_dir')
echo "TEMP_CERT_DIR=$temp_cert_dir" >> $GITHUB_ENV
pushd $temp_cert_dir
# Create the directory for the certificates
mkdir -p certs/${{ inputs.registry-server }}
echo "==== Generate the openssl config"
create_openssl_cfg >req.cnf
echo "==== Create the self signed certificate certificate and client key files"
openssl req -x509 \
-nodes \
-days 365 \
-newkey rsa:4096 \
-keyout certs/${{ inputs.registry-server }}/client.key \
-out certs/${{ inputs.registry-server }}/client.crt \
-config req.cnf \
-sha256
- name: Add the certificate to the system trust store
shell: bash
run: |
sudo apt install ca-certificates
sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-server }}.crt
sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-name }}.crt
sudo update-ca-certificates
- name: Create local Docker registry
shell: bash
run: |
if [ "$(docker inspect -f '{{.State.Running}}' "${{ inputs.registry-name }}" 2>/dev/null || true)" != 'true' ]; then
echo "==== Creating a docker registry"
docker run -d \
-p ${{ inputs.registry-port }}:5000 \
--restart=always \
--name ${{ inputs.registry-name }} \
-v $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/client.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/client.key \
registry:2
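Review bot: insecure/action.yaml is byte-for-byte the same as secure/action.yaml in this commit — same `name: "Create a secure local registry"`, same certificate generation and the same `REGISTRY_HTTP_TLS_CERTIFICATE`/`REGISTRY_HTTP_TLS_KEY` settings on the `docker run` — so it does not create an insecure (plain-HTTP) registry, and the two copies will drift apart. If a plain-HTTP variant is still needed, this file should drop the two certificate steps and the TLS `-v`/`-e` arguments and carry a matching name and description; otherwise it should be removed. Separately, and in both files, the inputs are interpolated straight into shell text (`DNS.1 = ${{ inputs.registry-name }}`, `mkdir -p certs/${{ inputs.registry-server }}`, the `docker run` arguments), so a value chosen by the calling workflow becomes script source; prefer `env:` with `REGISTRY_NAME: ${{ inputs.registry-name }}` on each step and `"$REGISTRY_NAME"` inside the script. The `if` opened in the last step closes outside the lines shown here, and the hunk header announces 94 lines of which 84 are visible.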
94 changes: 94 additions & 0 deletions .github/actions/create-local-registry/secure/action.yaml
@@ -0,0 +1,94 @@
name: "Create a secure local registry"
description: |
This action creates a local registry for the images to be pushed to.
It uses the `docker` CLI to create a registry container and then starts it.
The registry is then available at `localhost:5000` by default.
inputs:
registry-name:
description: "The name of the local registry"
required: true
default: "radius-registry"
registry-server:
description: "The server name for the local registry"
required: true
default: "localhost"
registry-port:
description: "The port for the local registry"
required: true
default: "5000"
runs:
using: "composite"
steps:
- name: Create certificates for local registry
shell: bash
run: |
create_openssl_cfg() {
CFG=$(
cat <<'EOF'
[req]
distinguished_name = subject
x509_extensions = x509_ext
prompt = no
[subject]
CN = localhost
[x509_ext]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
nsComment = "OpenSSL Generated Certificate"
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${{ inputs.registry-name }}
DNS.2 = ${{ inputs.registry-server }}
EOF
)
echo "$CFG"
}
# Create a temporary directory to store the certificates
temp_cert_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'temp_cert_dir')
echo "TEMP_CERT_DIR=$temp_cert_dir" >> $GITHUB_ENV
pushd $temp_cert_dir
# Create the directory for the certificates
mkdir -p certs/${{ inputs.registry-server }}
echo "==== Generate the openssl config"
create_openssl_cfg >req.cnf
echo "==== Create the self signed certificate certificate and client key files"
openssl req -x509 \
-nodes \
-days 365 \
-newkey rsa:4096 \
-keyout certs/${{ inputs.registry-server }}/client.key \
-out certs/${{ inputs.registry-server }}/client.crt \
-config req.cnf \
-sha256
- name: Add the certificate to the system trust store
shell: bash
run: |
sudo apt install ca-certificates
sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-server }}.crt
sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-name }}.crt
sudo update-ca-certificates
- name: Create local Docker registry
shell: bash
run: |
if [ "$(docker inspect -f '{{.State.Running}}' "${{ inputs.registry-name }}" 2>/dev/null || true)" != 'true' ]; then
echo "==== Creating a docker registry"
docker run -d \
-p ${{ inputs.registry-port }}:5000 \
--restart=always \
--name ${{ inputs.registry-name }} \
-v $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/client.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/client.key \
registry:2
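Review bot: The certificate produced by the `openssl req -x509` step is a CA (`basicConstraints = critical, CA:TRUE` with `keyCertSign`), and its unencrypted key (`-nodes`) is both mounted into the registry container and, through the trust-store step, becomes a system-wide trust anchor on the runner, so whoever holds that key can issue certificates the runner trusts. For one registry endpoint a leaf certificate is enough: `basicConstraints = critical, CA:FALSE`, `keyUsage = critical, digitalSignature, keyEncipherment`, `extendedKeyUsage = serverAuth`; if a CA is wanted, generate it separately, trust only its certificate, and give the registry a leaf cert signed by it. `update-ca-certificates` refreshes the OpenSSL bundle, but a dockerd that is already running may not reload it; the documented per-registry location is `/etc/docker/certs.d/<registry-server>:<registry-port>/ca.crt`, so copying `client.crt` there as well would make the push path independent of daemon restarts. `-p ${{ inputs.registry-port }}:5000` publishes the port on every interface of the runner, while `-p 127.0.0.1:${{ inputs.registry-port }}:5000` keeps it local. Also `sudo apt install ca-certificates` should be `sudo apt-get install -y ca-certificates` so a non-interactive runner cannot stall on the confirmation prompt.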
5 changes: 2 additions & 3 deletions .github/actions/save-pr-as-artifact/action.yaml
Expand Up @@ -8,10 +8,9 @@ runs:
env:
PR_NUMBER: ${{ github.event.number }}
run: |
mkdir -p ./pr
echo $PR_NUMBER > ./pr/pr_number
mkdir -p ./pr
echo $PR_NUMBER > ./pr/pr_number
- uses: actions/upload-artifact@v4
with:
name: pr_number
path: pr/

1 change: 0 additions & 1 deletion .github/actions/setup-rad-cli/action.yaml
Expand Up @@ -35,4 +35,3 @@ runs:
shell: bash
run: chmod +x rad
working-directory: dist

10 changes: 1 addition & 9 deletions .github/scripts/publish-recipes.sh
Expand Up @@ -64,13 +64,5 @@ for RECIPE in $(find "$DIRECTORY" -type f -name "*.bicep"); do

echo "Publishing $RECIPE to $PUBLISH_REF"
echo "- $PUBLISH_REF" >>$GITHUB_STEP_SUMMARY

# Check if INSECURE_REGISTRY is set. If it is, we'll use the --plain-http flag when
# publishing the recipe.
if [[ -n "$INSECURE_REGISTRY" ]]; then
echo "INSECURE_REGISTRY is set. Using --plain-http flag."
rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF" --plain-http
else
rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF"
fi
rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF"
done
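Review bot: The new unconditional `rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF"` leaves `$RECIPE` unquoted while `$PUBLISH_REF` is quoted; a recipe path containing whitespace would be split into separate arguments, so write `--file "$RECIPE"` (the `for RECIPE in $(find ...)` loop that feeds it starts above this hunk and word-splits the same way). With the `INSECURE_REGISTRY`/`--plain-http` branch gone, publishing now always negotiates TLS, so a workflow that still exports `INSECURE_REGISTRY` to reach a plain-HTTP registry will fail against it rather than fall back; worth confirming no remaining caller sets it (callers are not visible here). The comment that explained the removed branch went with it; a one-line `# Publishing always uses TLS; the target registry must present a certificate the runner trusts.` above the call would record the new assumption.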
