Update documentation on Wildcard Certificates

[CreepDth]

Hi,

We are setting up a trow registry and its working great.
Its using the default self signed certificate incl. the default URL trow.kube-public. All is working fine, but we rather use our own domain. We have the certificate available and I tried to understand the scripts how to push the certificate, but I am simply stuck.

Is this even possible?
I hope above makes sense, if not feel free to respond and I will do my best to give more understanding to my question.
Greetz and thanks,Remco

[amouat]

Hi Remco,

It does make sense and it is possible, but maybe not as easy as it should be. There are three install methods, the quick installer, the kustomize install and the Helm installer. I think you used the quick install, which sets a self-signed certificate up for Trow, opens a NodePort in Kubernetes to pass through traffic and adds a route to /etc/hosts. By contrast the other install methods use Kubernetes ingress and terminate TLS at ingress - so the certificate is configured with ingress and not on Trow.

If you're happy using the Kutomize install, it should be fairly straightforward to modify the Kustomize YAML to configure an ingress point that uses your certificate (you'll need to refer the documentation for whatever ingress implementation you want to use). This is definitely the way to go if you're using Trow in a long-running environment. I've not used the Helm install much personally, so I'm not quite sure how to do it in Helm.

If you want to put the certificate on Trow and continue to use NodePort, that should be possible as well, but the quick install isn't set-up to support it as an option. You would need to replace the certificate that's used, changing the domain name that Trow uses and update your DNS to point to Trow. The majority of the quick install is spent dealing with certs and routing, which you don't actually need. So you could dump the YAML for your current trow configuration, put your cert into a secret, modify the YAML to point to it, update the domain name and redeploy Trow using the new YAML.

I'll leave this issue open, as we should add some more documentation on using your own certificate, although it might just refer you to ingress docs.

[CreepDth]

Thanks Adrian for your positive feedback and fast reply.
The part you've touched with replacing the cert and keeping the NodePort was a part I already started working on.
I was able to replace the domain name, I've configured the cert used to K8 under Config Maps, the only part I am a bit lost is to understand how I can push the changes to use this cert for the applicationr unning.

You explain that I can dump the current trow configuration, so I am going to dive into that one. I am still pretty new on this topic, so lots to learn.

Greetz,
Remco

[amouat]

Trow will automatically look for a certificate at certs/domain.crt and a key at certs/domain.key. This can be overriden with --cert and --key. You can set the config map to be loaded as a file inside the pod in the YAML.

Does that help? You will need to update the YAML and replace the current pod.

I'll look up how to dump the current config and update this comment later.

[CreepDth]

Hi Adrian,

Thanks for your feedback and it indeed helped.
I am also doing the same for the additional username/password to be set using a secret.

I am wrapping up what I all did and will then share how I did it in this thread. Maybe it will help you or others later on if a similar question pops up.

Will keep you posted.
Greetz,
Remco

[amouat]

Thanks, that would be appreciated.

[CreepDth]

Hi @amouat,

So I made the following adjustments based on your suggestions/help and I was able to put trow behind our proxy and install/use our own wildcard certificate.

I will do my best to describe the additional steps that I've taken to make this work, all based on the quick install you've provided in your package.

My goal was to use my own certificate, running trow behind our proxy server and protect it with a username and password.
The steps below describe how to achieve this:

BASIC INSTALL

• Install the package from /quick-install/install.sh and follow the instructions.
• I assume you've installed trow in the "kube-public" namespace.

CREATING A SERVICE AND EXPOSE NODEPORT

• Create a new yaml file called trow-service.yaml and add the following to it.

apiVersion: v1 kind: Service metadata: name: trow-service spec: type: NodePort selector: app: trow ports: - port: 443 targetPort: 8443 nodePort: 31000

• Apply this new service with the following command:
  kubectl apply -f trow-service.yaml -n kube-public

ADDING YOUR OWN CERTIFICATE IN KUBERNETES USING A SECRET

• Encode your private key + domain cert with https://www.base64encode.org/ or any other tool you might want to use.
• Create a new yaml file called yourdomain-certificate.yaml and add the following to it.

apiVersion: v1 kind: Secret metadata: name: emakina-cert type: Opaque data: cert.crt: <encoded domain cert output> cert.key: <encoded private key output>

• Add the newly created secret to kubernetes with the following command:
  kubectl apply -f -n kube-public.

ADDING USER + PASSWORD AUTHENTICATION TO TROW

• Make up a new username + password to be used to authenticate to trow.
• Encode the password the same way as you did with the domain certs.
• Create a new yaml file called "trowpassword.yaml" and add the following to it.

apiVersion: v1 kind: Secret metadata: name: trow-password data: password: <encodedpassword>

• Add the newly created secret to kubernetes with the following command:
  kubectl apply -f trowpassword.yaml -n kube-public

ADJUSTING THE RUNNING DEPLOYMENT

• Export the current deployment of trow to a new yaml file with the following command:
  kubectl get deployment trow-deploy -n kube-public -o yaml > trow-deployment.yaml
• Open the file trow-deployment.yaml.
• Add the following lines to it:
• Under VolumeMounts

- mountPath: /certs/<yourdomain> name: <yourdomain>-cert
- mountPath: /<yourpasswordpath> name: trow-auth

• Under volumes

- name: <yourdomain>-cert secret: defaultMode: 420 secretName: <yourdomain>-cert
- name: trow-auth secret: defaultMode: 420 secretName: trow-password

• Under args

    `- -n
    - trow:31000 <yourdomain>:31000
    - -c
    - /certs/<yourdomain>/cert.crt
    - -k
    - /certs/<yourdomain>/cert.key
    - -u
    - <yourusername>
    - --password-file
    - /<yourpasswordpath>/<yourpassfile>`
  

• Once done save the file and execute to following command to apply the changes.
  kubectl apply -f trow-deployment.yaml

• Point your proxy to your master node IP + NodePort that you have exposed. In this example its 31000.

• You can now authenticate and push images to trow using your own certificate.

I believe I've covered everything that i've touched, changed. I did my best to describe it as best as I could at this time, feel free to provide any feedback in case something is wrong/unclear.

Thanks again for all your help.
Greetz,
Remco