OpenShift 4 - Accessing containers in the Internal Registry with a CA certificate or Token


OpenShift 4.x HOL tutorial index
Note: this article has been verified on OpenShift 4.7.


We usually log in to OpenShift with a username and password, but the API server also accepts the two credential types below. Keep one distinction in mind for the rest of this article: the "CA certificate" obtained in the first part is the cluster's own signing certificate, which a client needs in order to verify the registry's TLS certificate; it is not a credential. The OAuth token obtained in the second part is the credential.

  1. X.509 Certificates: Requires a HTTPS connection to the API server.
  2. OAuth Access Tokens: Sent as an Authorization: Bearer… header or an access_token=… query parameter

Obtaining the CA certificate used by the OpenShift Internal Registry

Preparing the environment

  1. Install the tools. podman and skopeo are the registry clients; the JDK is only needed for keytool in Method 3.
$ yum install -y podman skopeo java-1.8.0-openjdk
  2. Expose the internal registry through its default Route and record the hostname. Note: this makes the registry reachable from outside the cluster via the ingress router. The route is served with the default ingress certificate, which is signed by the cluster's own ingress CA; obtaining that CA is what the three methods below do.
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
$ REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

Method 1

  1. As root, run the following to capture the certificate chain the registry route presents. Note: openssl prints a verify error because the chain ends in the cluster's self-signed ingress CA, which the system does not trust yet; the error can be ignored. This is a trust-on-first-use fetch over a connection that cannot be verified yet, so do it from a network path you trust (Method 2 avoids the issue by reading the CA through the API server instead).
$ openssl s_client -showcerts -connect ${REGISTRY}:443 < /dev/null | awk '/BEGIN CERTIFICATE/ {c=1} c {print} /END CERTIFICATE/ {c=0}' > openshift-ca.crt
depth=1 CN = ingress-operator@1620998392
verify error:num=19:self signed certificate in certificate chain
DONE
  2. Inspect the result. -showcerts prints every certificate the server sends, so the file holds the route's leaf certificate followed by the ingress CA (CN = ingress-operator@…, the depth=1 entry above). It is the CA that needs to be trusted, because the leaf is replaced whenever it is renewed. Note that openssl x509 only shows the first certificate in a file.
$ cat openshift-ca.crt
$ openssl x509 -noout -text -in openshift-ca.crt
  3. Copy the file into podman's per-registry trust directory. Note: podman and skopeo read CA certificates (*.crt) from /etc/containers/certs.d/<registry host>/; the directory name has to match the host exactly as it appears in image references, including the port if one is used.
$ mkdir -p /etc/containers/certs.d/${REGISTRY}
$ cp openshift-ca.crt /etc/containers/certs.d/${REGISTRY}

Method 2

  1. Read the CA bundle that the cluster mounts into every pod's service-account directory, here from one of the oauth-openshift pods (any running pod would do). This is the bundle pods use to verify the API server; on OpenShift 4 it also carries the default ingress CA, which is why it verifies the registry route. Unlike Methods 1 and 3 it is fetched over the authenticated API connection rather than from the registry itself.
$ POD=$(oc get pod -n openshift-authentication | grep oauth-openshift | head -n 1 | cut -d " " -f 1)
$ oc exec $POD -n openshift-authentication -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > openshift_ca.crt
  2. Copy the bundle into the system trust store. Note: when the system store is used, update-ca-trust has to be run so the consolidated bundle is regenerated; podman, skopeo, curl and other TLS clients then trust the route without a certs.d entry. This trusts every CA in the bundle system-wide, which is broader than the per-registry directory of Method 1.
$ cp openshift_ca.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust extract

Method 3

keytool (from the JDK installed above) connects to the registry and prints every certificate of the served chain in PEM form; the chain goes straight into the system trust store. As with Method 1, the CA is learnt from the registry itself over a connection that is not verified yet.
$ keytool -printcert -sslserver $REGISTRY -rfc > /etc/pki/ca-trust/source/anchors/myregistry.crt
$ update-ca-trust
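The three methods above reduce to the same steps: fetch the chain, pick the CA out of it, put it where the client looks, and confirm the client now verifies the route. The script below is an added example, not code from the original post. It assumes $REGISTRY is set as in the preparation step, that the cluster still uses the default ingress certificate (so the ingress CA is also held in the router-ca secret in openshift-ingress-operator, used only for the optional fingerprint comparison), and it reads CERTS_D from the environment so it can be pointed at a scratch directory. It goes one step beyond Method 1: it keeps the last certificate of the served chain (the CA, not the leaf) and warns if that certificate is not self-signed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: capture the chain the
# registry route serves, keep the issuing CA rather than the leaf, install it
# for podman/skopeo and check it. Assumes $REGISTRY is set as in the
# preparation step; CERTS_D may be overridden (a test can point it at a tmpdir).
set -eu

CERTS_D="${CERTS_D:-/etc/containers/certs.d}"   # podman/skopeo per-host trust dir

# Number of PEM certificates in a file (0 for an empty file).
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print only the N-th (1-based) certificate of a PEM bundle.
pem_nth() {  # $1 = bundle, $2 = index
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  ' "$1"
}

# Servers send the leaf first, so the last certificate is the top of the
# chain they offered: here the self-signed ingress CA, which outlives the
# leaf that is replaced on every renewal.
pem_last() {
  pem_nth "$1" "$(pem_count "$1")"
}

# Fetch the served chain. openssl still reports "self signed certificate in
# certificate chain" on stderr until the CA is trusted; that is expected.
# (Needs the network; not called by the offline checks below.)
fetch_chain() {  # $1 = registry host, $2 = output file
  openssl s_client -showcerts -connect "$1:443" </dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/ { c = 1 } c { print } /-----END CERTIFICATE-----/ { c = 0 }' \
    > "$2"
}

# Install the top-of-chain certificate under certs.d/<host>/. The directory
# name must be the host exactly as written in image references (including
# :port when one is used); otherwise the client silently falls back to the
# system trust store and verification fails. Prints the installed path.
install_ca() {  # $1 = registry host, $2 = chain file
  dir="$CERTS_D/$1"
  mkdir -p "$dir"
  pem_last "$2" > "$dir/openshift-ca.crt"
  printf '%s\n' "$dir/openshift-ca.crt"
}

# Checks before trusting what arrived over an unverified connection:
#  1. the installed certificate is self-signed (a CA, not the leaf);
#  2. the served leaf verifies against it;
#  3. its SHA-256 fingerprint equals the ingress CA held by the cluster
#     (assumption: the default ingress certificate is in use, so the CA is in
#     the router-ca secret; needs rights to read that secret, else skipped).
check_ca() {  # $1 = chain file, $2 = installed CA file
  leaf=$(mktemp)
  pem_nth "$1" 1 > "$leaf"
  subj=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] || echo "WARNING: $2 is not self-signed; is it the leaf rather than the CA?" >&2
  openssl verify -CAfile "$2" "$leaf"
  rm -f "$leaf"
  if oc get secret router-ca -n openshift-ingress-operator >/dev/null 2>&1; then
    echo "cluster:   $(oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -fingerprint -sha256)"
    echo "installed: $(openssl x509 -noout -fingerprint -sha256 -in "$2")"
  fi
}

# End-to-end run when $REGISTRY is set (skipped otherwise).
if [ -n "${REGISTRY:-}" ]; then
  fetch_chain "$REGISTRY" openshift-chain.crt
  echo "served chain: $(pem_count openshift-chain.crt) certificate(s)"
  ca=$(install_ca "$REGISTRY" openshift-chain.crt)
  check_ca openshift-chain.crt "$ca"
  skopeo inspect "docker://$REGISTRY/openshift/nodejs" | head -n 5
fi
```

If the two fingerprints printed by check_ca differ, the certificate that came over the wire is not the cluster's ingress CA and must not be installed. The same install_ca/check_ca steps apply to a chain captured with keytool (Method 3), since -rfc produces the same PEM sequence.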

Verifying access with the CA certificate

  1. Inspect the openshift/nodejs image in the registry. With the CA installed, skopeo verifies the route's certificate, so no --tls-verify=false is needed; a TLS failure at this point means the CA is not where the client looks (wrong certs.d directory name, or update-ca-trust not run). No credential is passed on this command: skopeo uses a login saved earlier by podman login or skopeo login if one exists, otherwise the request is anonymous. If the registry rejects it, add the token as in the next section.
$ TOKEN=$(oc whoami -t)
$ skopeo inspect docker://${REGISTRY}/openshift/nodejs
{
    "Name": "default-route-openshift-image-registry.apps.cluster-beijing-f5b3.beijing-f5b3.sandbox1120.opentlc.com/openshift/nodejs",
    "Digest": "sha256:b77bb2f8d35ae3f30998135387c73a3943222dd0948ef9be3eb87207b3fba99a",
    "RepoTags": [
        "12",
        "latest",
        "10"
    ],
    "Created": "2020-07-22T06:35:50.433115Z",
    "DockerVersion": "1.13.1",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2020-07-22T06:34:32.929721",
        "com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "rh-nodejs12-container",
        "com.redhat.deployments-dir": "/opt/app-root/src",
        "com.redhat.dev-mode": "DEV_MODE:false",
        "com.redhat.dev-mode.port": "DEBUG_PORT:5858",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...

Accessing the Internal Registry with a Token

Obtaining a token

OpenShift 4 - Obtaining a user authentication token that can access the API server

Verifying access with the token

If the client does not trust the CA that signed the registry's certificate, TLS verification has to be switched off: --tls-verify=false for podman and skopeo (the oc image and oc registry commands use --insecure). Doing that while sending a token is risky: the token is then handed to whoever answers for the registry's hostname, and it carries the same access as the user's session. Once the CA is installed by one of the methods above, the flag is unnecessary and verification should stay on.

  1. Inspect the openshift/nodejs image using the token. skopeo sends it as the password part of --creds; the OpenShift registry authenticates on the token itself, so the username is only a placeholder (- here). oc whoami -t returns the current session's OAuth access token, which expires with the session; for automation use a service account token instead. The command is shown with --tls-verify=false for a host where the CA has not been installed; with the CA in place, drop the flag.
$ TOKEN=$(oc whoami -t)
$ skopeo inspect --creds="-:${TOKEN}" --tls-verify=false docker://${REGISTRY}/openshift/nodejs
{
    "Name": "default-route-openshift-image-registry.apps.cluster-beijing-f5b3.beijing-f5b3.sandbox1120.opentlc.com/openshift/nodejs",
    "Digest": "sha256:b77bb2f8d35ae3f30998135387c73a3943222dd0948ef9be3eb87207b3fba99a",
    "RepoTags": [
        "12",
        "latest",
        "10"
    ],
    "Created": "2020-07-22T06:35:50.433115Z",
    "DockerVersion": "1.13.1",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2020-07-22T06:34:32.929721",
        "com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "rh-nodejs12-container",
        "com.redhat.deployments-dir": "/opt/app-root/src",
        "com.redhat.dev-mode": "DEV_MODE:false",
        "com.redhat.dev-mode.port": "DEBUG_PORT:5858",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...
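What skopeo --creds does against the registry is the standard Docker registry token exchange: an unauthenticated GET /v2/ returns 401 with a WWW-Authenticate header naming the token endpoint (realm) and service, the client sends the OpenShift token as the Basic-auth password to that endpoint, and the bearer token it receives is used for the actual request. The script below is an added example, not code from the original post. It assumes $REGISTRY and $TOKEN are set as above and that the CA was installed at /etc/containers/certs.d/$REGISTRY/openshift-ca.crt by Method 1 (that path is handed to curl with --cacert). The realm and service are taken from the registry's own challenge rather than hard-coded, and the script refuses to send the token to a realm on a different host or over plain http, which is precisely the exposure --tls-verify=false creates.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the registry token exchange
# that skopeo --creds performs, done by hand with curl so each step is visible.
# Assumes $REGISTRY and $TOKEN (oc whoami -t) as above and the CA file that
# Method 1 installs; realm and service come from the registry's own challenge.
set -eu

# Pull one quoted field (realm, service, scope) out of a challenge line such as
#   WWW-Authenticate: Bearer realm="https://host/openshift/token",service="docker-registry"
# Prints nothing if the field is absent.
challenge_field() {  # $1 = header line, $2 = field name
  printf '%s\n' "$1" | tr -d '\r' | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Host part of an https:// URL; empty for anything else (plain http included),
# so the caller can refuse to send a credential there.
realm_host() {  # $1 = URL
  printf '%s\n' "$1" | sed -n 's#^https://\([^/]*\).*#\1#p'
}

# Obtain a registry bearer token for one repository and list its tags.
# TLS is verified against the installed CA on every request: with
# --tls-verify=false / curl -k the OpenShift token in the Basic header and the
# registry token in the Bearer header would go to whoever answers for $reg.
registry_tags() {  # $1 = registry host, $2 = repository, $3 = OpenShift token, $4 = CA file
  reg="$1"; repo="$2"; token="$3"; ca="$4"
  challenge=$(curl -sS --cacert "$ca" -o /dev/null -D - "https://$reg/v2/" \
              | grep -i '^www-authenticate:' | head -n 1 | tr -d '\r')
  [ -n "$challenge" ] || { echo "no bearer challenge from $reg" >&2; return 1; }
  realm=$(challenge_field "$challenge" realm)
  service=$(challenge_field "$challenge" service)
  [ "$(realm_host "$realm")" = "$reg" ] \
    || { echo "refusing to send the token to realm '$realm'" >&2; return 1; }
  # Basic auth to the token endpoint: the password is the OpenShift token and
  # the username is not used for authentication (the post uses "-").
  regtoken=$(curl -sS --cacert "$ca" -u "-:$token" \
               "$realm?service=$service&scope=repository:$repo:pull" \
             | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p')
  [ -n "$regtoken" ] || { echo "token endpoint issued no token for $repo" >&2; return 1; }
  curl -sS --cacert "$ca" -H "Authorization: Bearer $regtoken" "https://$reg/v2/$repo/tags/list"
}

# Run when the variables from the article are set (skipped otherwise).
if [ -n "${REGISTRY:-}" ] && [ -n "${TOKEN:-}" ]; then
  registry_tags "$REGISTRY" openshift/nodejs "$TOKEN" "/etc/containers/certs.d/$REGISTRY/openshift-ca.crt"
fi
```

The tags/list response should contain the same tags skopeo printed under RepoTags. The scope requested is pull only; a push would need repository:<repo>:pull,push and the corresponding registry-editor rights in the project.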

See also: Container basics (4) - skopeo
