Use your own TLS certificates

By default, Mirantis Secure Registry (MSR) services are exposed using HTTPS. This ensures encrypted communications between clients and your trusted registry. If you do not pass a PEM-encoded TLS certificate during installation, MSR generates a self-signed certificate, which leads to an insecure site warning when you access MSR through a browser. In addition, MSR includes an HSTS (HTTP Strict-Transport-Security) header in all API responses; once a browser has seen that header it refuses to bypass an untrusted certificate, which can prevent it from loading the MSR web UI at all.

You can configure MSR to use your own TLS certificates, so that browsers and client tools automatically trust MSR. You can also enable user authentication through client certificates that your organization's public key infrastructure (PKI) provides.

To upload your own TLS certificates and keys, you can use the Helm CLI options to either install or reconfigure your MSR instance.

Customize the WebTLS certificate

  1. Use mkcert to create a new trusted self-signed test certificate that is valid for the hostname (the wildcard is quoted so the shell does not expand it):

    ./mkcert <hostname> "*.<hostname>" localhost 127.0.0.1 ::1
    

    Note

    If you prefer, you can use a previously-created trusted CA signed SSL certificate, rather than creating a new one.

  2. Add the certificate and key to the cluster as a TLS secret. mkcert names the files after the first hostname plus the number of additional names, so with the five names above they are `<hostname>+4.pem` and `<hostname>+4-key.pem`:

    kubectl create secret tls user-cert --key <hostname>+4-key.pem --cert <hostname>+4.pem
    secret/user-cert created
    

  3. Install the Helm chart with the custom certificate, disabling the chart's own certificate generation and pointing it at the secret:

    helm install msr msr --repo https://registry.mirantis.com/charts/msr/msr \
      --version 1.0.0 \
      --set-file license=path/to/file/license.lic \
      --set nginx.webtls.create=false \
      --set nginx.webtls.secretName="user-cert"
    

  4. Enable port forwarding:

    kubectl port-forward service/msr 8080 8443:443
    

  5. Go to https://localhost:8443/login in your browser and log in as an administrator.

  6. Verify the presence of a valid certificate by matching the information with that of the generated certificate.
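Before the pair goes into the cluster in step 2, and again when you verify the served certificate in step 6, it is worth checking that the key actually belongs to the certificate, that the certificate has not expired, and that its names cover the hostname MSR will be reached on. The following POSIX shell script is an added example and is not part of the MSR documentation or the Helm chart; it needs only openssl (1.1.1 or later for the `-addext` used by the test-certificate helper). The hostnames `msr.example.com` and `other.example.org`, the file names, and the `localhost:8443` endpoint are placeholders matching the port-forward above.

```shell
#!/bin/sh
# Added example, not part of the MSR documentation. Checks a PEM certificate/key pair
# before it is stored with `kubectl create secret tls`, and compares the certificate
# served by the port-forwarded MSR endpoint with the local file. Needs only openssl.

# check_tls_pair CERT KEY HOSTNAME
# Returns 0 when the private key matches the certificate, the certificate has not
# expired, and HOSTNAME is covered by the certificate's names (wildcards included);
# otherwise prints the failing check and returns 1.
check_tls_pair() {
  cert="$1"; key="$2"; host="$3"

  # The private key must belong to the certificate: compare the two public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read certificate: $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot read private key: $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate"; return 1; }

  # -checkend 0 exits non-zero if the certificate is already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }

  # -checkhost applies the same SAN and wildcard matching rules a browser uses.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "certificate does not cover hostname: $host"; return 1; }
  return 0
}

# served_fingerprint HOST PORT
# Prints the SHA-256 fingerprint of the certificate a TLS endpoint presents, for
# example the port-forwarded MSR service on localhost 8443. Compare the result with
# `openssl x509 -noout -fingerprint -sha256 -in <hostname>+4.pem`. Needs a live endpoint.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# make_test_cert DIR HOST
# Constructed sample input for trying the check offline: a throwaway self-signed
# certificate with the SAN layout mkcert produces (HOST and *.HOST), written to
# DIR/HOST.pem and DIR/HOST-key.pem. Not a substitute for the real certificate.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:*.$2" \
    -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# Usage: sh check_tls.sh <hostname>+4.pem <hostname>+4-key.pem <hostname>
if [ "$#" -eq 3 ]; then
  check_tls_pair "$1" "$2" "$3" && echo "certificate/key pair OK for $3"
fi
```

Run `check_tls_pair` against the mkcert output and the hostname you intend to use before step 2; a wrong key or a certificate issued for a different name is the usual cause of a secret that mounts fine but still produces browser warnings. After step 4, `served_fingerprint localhost 8443` (with SNI set to `localhost` here only because of the port-forward) should print the same fingerprint as the local `<hostname>+4.pem`; if it does not, the chart is still serving its own generated certificate, typically because `nginx.webtls.create` was left enabled or the secret name does not match.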