|
5 | 5 | :_content-type: PROCEDURE
|
6 | 6 | [id="containers-signature-verify-enable_{context}"]
|
7 | 7 | = Enabling signature verification for Red Hat Container Registries
|
8 |
| -Enabling container signature validation for Red Hat Container Registries requires writing a signature verification policy file specifying the keys to verify images from these registries. The registries are already defined in `/etc/containers/registries.d` by default. |
| 8 | +Enabling container signature validation for Red Hat Container Registries requires writing a signature verification policy file specifying the keys to verify images from these registries. For RHEL8 nodes, the registries are already defined in `/etc/containers/registries.d` by default. |
9 | 9 |
|
10 | 10 | .Procedure
|
| 11 | + |
11 | 12 | . Create a Butane config file, `51-worker-rh-registry-trust.bu`, containing the necessary configuration for the worker nodes.
|
12 | 13 | +
|
13 | 14 | [NOTE]
|
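Review bot: the rewritten sentence on line 8 now scopes the default `/etc/containers/registries.d` content to "RHEL8 nodes" only, but it does not say which other node types are or are not covered, so a reader cannot tell from this paragraph whether their nodes already carry the Red Hat registry signature configuration or need the manual step that the second hunk adds for RHEL7 workers; state both cases up front, for example "RHEL8 based nodes already have ... by default; RHEL7 worker nodes do not, see the final step". Also check product naming against the rest of the repo, which normally writes "RHEL 8" with a space. Separately, the blank `+` line added at line 11 puts an empty line between the `.Procedure` block title and the first `.` list item; a block title labels the block directly below it, so keep `.Procedure` immediately above the list as it was before this change unless the module template explicitly calls for the blank line.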
@@ -78,19 +79,90 @@ $ butane 51-worker-rh-registry-trust.bu -o 51-worker-rh-registry-trust.yaml
|
78 | 79 | $ oc apply -f 51-worker-rh-registry-trust.yaml
|
79 | 80 | ----
|
80 | 81 |
|
81 |
| -. Create a Butane config and corresponding machine config which writes the configuration to disk on the control plane nodes: |
| 82 | +. Check that the worker machine config pool has rolled out with the new machine config: |
| 83 | + |
| 84 | +.. Check that the new machine config was created: |
| 85 | ++ |
| 86 | +[source,terminal] |
| 87 | +---- |
| 88 | +$ oc get mc |
| 89 | +---- |
| 90 | ++ |
| 91 | +.Sample output |
| 92 | +[source,terminal] |
| 93 | +---- |
| 94 | +NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE |
| 95 | +00-master a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 96 | +00-worker a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 97 | +01-master-container-runtime a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 98 | +01-master-kubelet a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 99 | +01-worker-container-runtime a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 100 | +01-worker-kubelet a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 101 | +51-master-rh-registry-trust 3.2.0 13s |
| 102 | +51-worker-rh-registry-trust 3.2.0 53s <1> |
| 103 | +99-master-generated-crio-seccomp-use-default 3.2.0 25m |
| 104 | +99-master-generated-registries a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 105 | +99-master-ssh 3.2.0 28m |
| 106 | +99-worker-generated-crio-seccomp-use-default 3.2.0 25m |
| 107 | +99-worker-generated-registries a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m |
| 108 | +99-worker-ssh 3.2.0 28m |
| 109 | +rendered-master-af1e7ff78da0a9c851bab4be2777773b a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 8s |
| 110 | +rendered-master-cd51fd0c47e91812bfef2765c52ec7e6 a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 24m |
| 111 | +rendered-worker-2b52f75684fbc711bd1652dd86fd0b82 a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 24m |
| 112 | +rendered-worker-be3b3bce4f4aa52a62902304bac9da3c a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 48s <2> |
| 113 | +---- |
| 114 | +<1> New machine config |
| 115 | +<2> New rendered machine config |
| 116 | + |
| 117 | +.. Check that the worker machine config pool is updating with the new machine config: |
82 | 118 | +
|
83 | 119 | [source,terminal]
|
84 | 120 | ----
|
85 |
| -$ sed -e 's,\(machineconfiguration.openshift.io/role: \)worker,\1master,' \ |
86 |
| - -e 's,\(name: 51-\)worker,\1master,' 51-worker-rh-registry-trust.bu \ |
87 |
| - > 51-master-rh-registry-trust.bu |
88 |
| -$ butane 51-master-rh-registry-trust.bu -o 51-master-rh-registry-trust.yaml |
| 121 | +$ oc get mcp |
| 122 | +---- |
| 123 | ++ |
| 124 | +.Sample output |
| 125 | +[source,terminal] |
| 126 | +---- |
| 127 | +NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE |
| 128 | +master rendered-master-af1e7ff78da0a9c851bab4be2777773b True False False 3 3 3 0 30m |
| 129 | +worker rendered-worker-be3b3bce4f4aa52a62902304bac9da3c False True False 3 0 0 0 30m <1> |
89 | 130 | ----
|
| 131 | +<1> When the `UPDATING` field is `True`, the machine config pool is updating with the new machine config. When the field becomes `False`, the worker machine config pool has rolled out to the new machine config. |
| 132 | + |
| 133 | +. If your cluster uses any RHEL7 worker nodes, when the worker machine config pool is updated, create YAML files on those nodes in the `/etc/containers/registries.d` directory, which specify the location of the detached signatures for a given registry server. The following example works only for images hosted in `registry.access.redhat.com` and `registry.redhat.io`. |
90 | 134 |
|
91 |
| -. Apply the control plane machine config to the cluster: |
| 135 | +.. Start a debug session to each RHEL7 worker node: |
92 | 136 | +
|
93 | 137 | [source,terminal]
|
94 | 138 | ----
|
95 |
| -$ oc apply -f 51-master-rh-registry-trust.yaml |
| 139 | +$ oc debug node/<node_name> |
96 | 140 | ----
|
| 141 | + |
| 142 | +.. Change your root directory to the host: |
| 143 | ++ |
| 144 | +[source,terminal] |
| 145 | +---- |
| 146 | +sh-4.2# chroot /host |
| 147 | +---- |
| 148 | + |
| 149 | +.. Create a `/etc/containers/registries.d/registry.redhat.io.yaml` file that contains the following: |
| 150 | ++ |
| 151 | +[source,terminal] |
| 152 | +---- |
| 153 | +docker: |
| 154 | + registry.redhat.io: |
| 155 | + sigstore: https://registry.redhat.io/containers/sigstore |
| 156 | +---- |
| 157 | + |
| 158 | +.. Create a `/etc/containers/registries.d/registry.access.redhat.com.yaml` file that contains the following: |
| 159 | ++ |
| 160 | +[source,terminal] |
| 161 | +---- |
| 162 | +docker: |
| 163 | + registry.access.redhat.com: |
| 164 | + sigstore: https://access.redhat.com/webassets/docker/content/sigstore |
| 165 | +---- |
| 166 | + |
| 167 | +.. Exit the debug session. |
| 168 | + |
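Review bot: this hunk deletes the step that derives `51-master-rh-registry-trust.bu` from the worker config with `sed`, converts it with `butane`, and applies `51-master-rh-registry-trust.yaml`, yet the new `oc get mc` sample output still lists `51-master-rh-registry-trust` and a freshly rendered `rendered-master-af1e7ff78da0a9c851bab4be2777773b` (8s old), and the `oc get mcp` output shows the master pool already on that rendered config. Either the control plane step moved to a module not shown in this diff, in which case add a cross-reference so the sample output makes sense, or it was dropped by mistake, in which case the procedure would leave control plane nodes without the signature verification policy while the sample output suggests the whole cluster has it; please restore or reference it. Smaller points: the file contents at lines 151-156 and 160-165 are YAML, not terminal sessions, so `[source,yaml]` is the right block type instead of `[source,terminal]`; and line 133 reads awkwardly, suggest "If your cluster uses any RHEL7 worker nodes, after the worker machine config pool has finished updating, create YAML files on those nodes ..." so the ordering relative to the preceding rollout check is clear.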