Serve a TLS endpoint if REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is not

[tiborvass]

If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, then serve via a TLS endpoint instead of plain HTTP.

This is done by setting GUNICORN_OPTS to some default value, expecting the following files to be present:

• /ssl/ca.crt
• /ssl/registry.cert
• /ssl/registry.key

Signed-off-by: Tibor Vass [email protected]

[tiborvass]

Ping @dmp42 @dmcgowan @proppy

[tianon]

lol indentation

[proppy]

wondering if @dmp42 would have preferred a python impl and keep the ENTRYPOINT intact.

[tianon]

$ROOTFS? Someone copy-pasta'd too much. 😉

[tianon]

You mean:

ENTRYPOINT ["/docker-registry/run.sh"]
CMD ["docker-registry"]

[tianon]

So it might be good to rename run.sh now to be less misleading. 😉

[tianon]

It's not a script; it's a compiled Go binary.

[tiborvass]

@dmp42 we can rewrite it in bash if you want with openssl, will take some time though.

[proppy]

wonder if we should keep the ENTRYPOINT in python and push the extra logic about in-place cert generation to generate_certs

[proppy]

I wonder if we should assume that it's named registry.* or just assumed they get passed as their own bind mount?

[tiborvass]

@dmp42 @proppy @ewindisch
Generation of certs are done outside the registry and should be provided under /ssl via --volumes-from or a bind mount. The actual process for users will be documented (in a separate PR + PR to docker/docker/docs ?) from cert generation to including it in the registry container. An additional quick hack could be suggested with something like $(docker run tiborvass/registry:autotls) that would work for the basic needs.

[dmp42]

@wking @stevvooe @bacongobbler what do you think?

[wking]

On Mon, Nov 10, 2014 at 04:01:55PM -0800, Olivier Gambier wrote:

@wking @stevvooe @bacongobbler what do you think?

I'd just add this to the docs for:

GUNICORN_OPTS='[--ssl-version, 3, --certfile, /ssl/registry.cert, --keyfile, /ssl/registry.keys, --ca-certs, /ssl/ca.crt]'

but if folks want a shortcut environment variable for that, I'll go
along with it ;).

[bacongobbler]

LGTM and +1 on separation of concerns, though users would probably like to have /ssl configurable in case their certs are in another container or are located somewhere else on the local filesystem (--volumes-from doesn't allow you to choose the src and dest directories IIRC). Maybe $REGISTRY_KEYFILE, $REGISTRY_CERTFILE AND $REGISTRY_CA_CERTFILE?

e.g. I usually like to have my certs located at /etc/ssl/certs/..., keys in /etc/ssl/private/... and the CA cert chain at /etc/ssl/root.ca

[wking]

On Mon, Nov 10, 2014 at 04:32:28PM -0800, Matthew Fisher wrote:

… though users would probably like to have /ssl configurable…

In this case I'd really rather they just used GUNICORN_OPTS directly.
You don't save much by replacing --certfile with REGISTRY_CERTFILE ;).

[tiborvass]

@bacongobbler @wking thanks for chiming in!

This is a PR to facilitate TLS for registry users. I agree that we should document GUNICORN_OPTS, but mounting certs to /ssl seems to me a more user-friendly API. If people want to customize anything, they can do so with GUNICORN_OPTS.

We could debate having REGISTRY_TLS_VERIFY. It's explicit, but can also be redundant with just checking the existence of an /ssl directory.

Usage: docker run -d -p 5000:5000 -v /my/ssl:/ssl registry

[wking]

On Mon, Nov 10, 2014 at 05:33:17PM -0800, Tibor Vass wrote:

We could debate having REGISTRY_TLS_VERIFY. It's explicit, but can
also be redundant with just checking the existence of an /ssl
directory.

That works for me too, as does encouraging folks to terminate their
SSL/TLS in a reverse-proxy in front of the registry. I think that all
of these options (or whichever ones get implemented or are external)
should get documented in the SSL/TLS section of ADVANCED.md, or in a
document linked from there. I think the main problem is informing the
sysadmin, not saving them keystrokes while they write up their
configuration ;).

[tiborvass]

@wking The goal is to have simple TLS instructions on README.md. We could add a link saying for production configuration, the recommended way is to use a reverse-proxy as described in ADVANCED.md. What do you think?

[wking]

On Mon, Nov 10, 2014 at 06:48:44PM -0800, Tibor Vass wrote:

The goal is to have simple TLS instructions on README.md.

I'd just say:

The registry uses Gunicorn to manage workers. If you want to setup
SSL/TLS, you can use any of the usual Gunicorn
options via GUNICORN_OPTS. For example:

GUNICORN_OPTS='[--ssl-version, 3, --certfile, /ssl/registry.cert, --keyfile, /ssl/registry.keys, --ca-certs, /ssl/ca.crt]' 

That should be enough of a sketch for folks who are already familiar
with SSL/TLS, and it offloads the detailed docs to Gunicorn (which is
appropriate, since it's a Gunicorn feature).

for production configuration, the recommended way is to use a reverse-proxy as described in ADVANCED.md

I'm not sure its the recommended way, but it's certainly one way you
could do this. It sounds like we also want a mini-tutorial in
maintaining client-side root CAs 1, so I'd just stick a more
in-depth SSL/TLS dive somewhere outside the README where we could go
over this in a bit more detail.

[stevvooe]

I don't see the benefit of enforcing these non-standard, default directory paths when simply adding them to GUNICORN_OPTS would suffice and actually provides more flexibility. Otherwise, I'd say make an environment variable for each path.

[bacongobbler]

the same discussion was posted above: #693 (comment)

[stevvooe]

Apologies for the repetition. Let's figure out whether or not we want to break these out so this PR can get merged.