build image

scripts/generate-registry-cert.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+# generate-registry-cert.sh
+# Script per generare certificati self-signed corretti per Docker Registry
+# con Subject Alternative Names (SANs)
+
+set -e
+
+# Parametri
+REGISTRY_IP=${1:-"192.168.1.204"}
+REGISTRY_HOSTNAME=${2:-"registry.local"}
+CERT_DIR=${3:-"/opt/docker-registry/certs"}
+CERT_DAYS=${4:-365}
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+print_success() { echo -e "${GREEN}✓ $1${NC}"; }
+print_error() { echo -e "${RED}✗ $1${NC}"; }
+print_info() { echo -e "${BLUE}ℹ $1${NC}"; }
+
+if [ "$#" -eq 0 ]; then
+    echo "Uso: $0 [registry_ip] [registry_hostname] [cert_dir] [days]"
+    echo ""
+    echo "Parametri opzionali:"
+    echo "  registry_ip       - IP del registry (default: 192.168.1.204)"
+    echo "  registry_hostname - Hostname del registry (default: registry.local)"
+    echo "  cert_dir          - Directory certificati (default: /opt/docker-registry/certs)"
+    echo "  days              - Validità in giorni (default: 365)"
+    echo ""
+    echo "Esempio:"
+    echo "  $0 192.168.1.204 registry.local"
+    exit 0
+fi
+
+print_info "Generazione certificato self-signed per Docker Registry"
+echo ""
+print_info "Configurazione:"
+print_info "  IP: $REGISTRY_IP"
+print_info "  Hostname: $REGISTRY_HOSTNAME"
+print_info "  Directory: $CERT_DIR"
+print_info "  Validità: $CERT_DAYS giorni"
+echo ""
+
+# Crea directory se non esiste
+mkdir -p "$CERT_DIR"
+
+# File di output
+KEY_FILE="$CERT_DIR/domain.key"
+CERT_FILE="$CERT_DIR/domain.crt"
+CSR_FILE="$CERT_DIR/domain.csr"
+CNF_FILE="$CERT_DIR/openssl.cnf"
+
+# Crea file di configurazione OpenSSL con SANs
+cat > "$CNF_FILE" << EOF
+[req]
+default_bits       = 4096
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+x509_extensions    = v3_ca
+prompt             = no
+
+[req_distinguished_name]
+C  = IT
+ST = Italy
+L  = City
+O  = Docker Registry
+OU = IT Department
+CN = $REGISTRY_HOSTNAME
+
+[req_ext]
+subjectAltName = @alt_names
+
+[v3_ca]
+subjectAltName = @alt_names
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = $REGISTRY_HOSTNAME
+DNS.2 = localhost
+IP.1  = $REGISTRY_IP
+IP.2  = 127.0.0.1
+EOF
+
+print_info "File di configurazione creato: $CNF_FILE"
+
+# Genera chiave privata e certificato
+print_info "Generazione chiave privata e certificato..."
+
+openssl req -newkey rsa:4096 \
+    -nodes \
+    -sha256 \
+    -keyout "$KEY_FILE" \
+    -x509 \
+    -days "$CERT_DAYS" \
+    -config "$CNF_FILE" \
+    -out "$CERT_FILE"
+
+print_success "Certificato generato con successo!"
+echo ""
+
+# Verifica certificato
+print_info "Verifica certificato:"
+openssl x509 -in "$CERT_FILE" -text -noout | grep -A 3 "Subject Alternative Name"
+
+echo ""
+print_info "File generati:"
+print_info "  Chiave privata: $KEY_FILE"
+print_info "  Certificato:    $CERT_FILE"
+print_info "  Config OpenSSL: $CNF_FILE"
+echo ""
+
+print_info "Prossimi passi:"
+print_info ""
+print_info "1. Riavvia il registry Docker con i nuovi certificati:"
+echo "   docker stop registry && docker rm registry"
+echo "   docker run -d \\"
+echo "     -p 5000:5000 \\"
+echo "     --name registry \\"
+echo "     --restart=always \\"
+echo "     -v $CERT_DIR:/certs \\"
+echo "     -v /opt/docker-registry/data:/var/lib/registry \\"
+echo "     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \\"
+echo "     -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \\"
+echo "     registry:2"
+echo ""
+
+print_info "2. Installa il certificato sui client Docker:"
+echo "   # Su ogni VM che deve accedere al registry:"
+echo "   sudo mkdir -p /etc/docker/certs.d/$REGISTRY_IP:5000"
+echo "   sudo scp root@$REGISTRY_IP:$CERT_FILE /etc/docker/certs.d/$REGISTRY_IP:5000/ca.crt"
+echo "   sudo systemctl restart docker"
+echo ""
+
+print_info "3. (Opzionale) Installa nel sistema per curl/wget:"
+echo "   sudo cp $CERT_FILE /usr/local/share/ca-certificates/registry.crt"
+echo "   sudo update-ca-certificates"
+echo ""
+
+print_success "Setup completato!"