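#!/bin/bash
# generate-registry-cert.sh
#
# Generate a self-signed certificate for a Docker Registry that carries the
# Subject Alternative Names (SANs) Docker clients require (hostname + IP).
#
# Usage: generate-registry-cert.sh [registry_ip] [registry_hostname] [cert_dir] [days]
# All four arguments are optional; defaults are listed below. Running with no
# arguments at all only prints the usage text.
#
# Outputs (in cert_dir): domain.key (private key), domain.crt (certificate),
# openssl.cnf (the OpenSSL config used to build them).

# -e: stop on the first failing command; -u: unset variables are errors;
# pipefail: the "openssl | grep" verification below fails if openssl fails,
# not only if grep fails.
set -euo pipefail

# Positional parameters, each with a default.
REGISTRY_IP=${1:-"192.168.1.204"}
REGISTRY_HOSTNAME=${2:-"registry.local"}
CERT_DIR=${3:-"/opt/docker-registry/certs"}
CERT_DAYS=${4:-365}
readonly REGISTRY_IP REGISTRY_HOSTNAME CERT_DIR CERT_DAYS

# ANSI colour codes. Stored as literal backslash sequences; they must be
# expanded with "echo -e" or printf's %b before reaching the terminal.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'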
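# Print a message in green on stdout.
# Arguments: the message (all arguments are joined with a space)
# The colour codes are expanded with %b; the message itself goes through %s so
# backslashes inside it are printed verbatim (echo -e would interpret them).
print_success() { printf '%b%s%b\n' "$GREEN" "$*" "$NC"; }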
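# Print a message in red on stderr (diagnostics must not pollute stdout).
# Arguments: the message (all arguments are joined with a space)
# The message goes through %s so backslashes in it are printed verbatim.
print_error() { printf '%b%s%b\n' "$RED" "$*" "$NC" >&2; }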
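# Print an informational message in blue on stdout.
# Arguments: the message (all arguments are joined with a space)
# The single space before the message is kept from the original output format.
# The message goes through %s so backslashes in it are printed verbatim.
print_info() { printf '%b %s%b\n' "$BLUE" "$*" "$NC"; }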
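# With no arguments at all, only print the usage text. Defaults are applied
# only when at least one positional argument is given.
if [ "$#" -eq 0 ]; then
  echo "Uso: $0 [registry_ip] [registry_hostname] [cert_dir] [days]"
  echo ""
  echo "Parametri opzionali:"
  echo " registry_ip - IP del registry (default: 192.168.1.204)"
  echo " registry_hostname - Hostname del registry (default: registry.local)"
  echo " cert_dir - Directory certificati (default: /opt/docker-registry/certs)"
  echo " days - Validità in giorni (default: 365)"
  echo ""
  echo "Esempio:"
  echo " $0 192.168.1.204 registry.local"
  exit 0
fi

# Validate the inputs before they are interpolated into the OpenSSL config
# below: a value containing a newline or '[' would otherwise add directives
# or sections to the generated file. The IP check admits IPv4 and IPv6
# characters only; the hostname check admits DNS label characters only.
if [[ ! "$REGISTRY_IP" =~ ^[0-9A-Fa-f.:]+$ ]]; then
  print_error "IP non valido: $REGISTRY_IP"
  exit 1
fi
if [[ ! "$REGISTRY_HOSTNAME" =~ ^[A-Za-z0-9.-]+$ ]]; then
  print_error "Hostname non valido: $REGISTRY_HOSTNAME"
  exit 1
fi
if [[ ! "$CERT_DAYS" =~ ^[0-9]+$ ]] || [ "$CERT_DAYS" -eq 0 ]; then
  print_error "Validità (giorni) non valida: $CERT_DAYS"
  exit 1
fi

print_info "Generazione certificato self-signed per Docker Registry"
echo ""
print_info "Configurazione:"
print_info " IP: $REGISTRY_IP"
print_info " Hostname: $REGISTRY_HOSTNAME"
print_info " Directory: $CERT_DIR"
print_info " Validità: $CERT_DAYS giorni"
echo ""

# Create the output directory if it does not exist yet.
mkdir -p "$CERT_DIR"

# Output files.
KEY_FILE="$CERT_DIR/domain.key"
CERT_FILE="$CERT_DIR/domain.crt"
CNF_FILE="$CERT_DIR/openssl.cnf"

# Existing files are overwritten below. Warn first: clients that installed the
# previous certificate as ca.crt stop trusting the registry once it changes.
if [ -e "$KEY_FILE" ] || [ -e "$CERT_FILE" ]; then
  printf '%b%s%b\n' "$YELLOW" "Attenzione: chiave/certificato esistenti in $CERT_DIR verranno sovrascritti" "$NC"
fi

# OpenSSL config with SANs. The same alt_names list is used both for the
# request and for the issued (self-signed) certificate.
# NOTE(review): the certificate is its own trust anchor (clients install it as
# ca.crt, see step 2 below), which is presumably why it is marked CA:TRUE with
# keyCertSign. That also means the private key generated here can sign further
# certificates the clients would trust — confirm this is intended before
# relaxing the key file permissions set below.
cat > "$CNF_FILE" << EOF
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = IT
ST = Italy
L = City
O = Docker Registry
OU = IT Department
CN = $REGISTRY_HOSTNAME
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = $REGISTRY_HOSTNAME
DNS.2 = localhost
IP.1 = $REGISTRY_IP
IP.2 = 127.0.0.1
EOF
print_info "File di configurazione creato: $CNF_FILE"

# Generate the private key and the self-signed certificate in one step.
# umask 077 in the subshell makes a freshly created key 0600 from the start
# (no window in which it is readable by other users); the explicit chmod
# afterwards also covers the case where an existing, more permissive key file
# was overwritten in place (fopen keeps the old mode). The certificate is
# public and is relaxed back to 0644.
print_info "Generazione chiave privata e certificato..."
(
  umask 077
  openssl req -newkey rsa:4096 \
    -nodes \
    -sha256 \
    -keyout "$KEY_FILE" \
    -x509 \
    -days "$CERT_DAYS" \
    -config "$CNF_FILE" \
    -out "$CERT_FILE"
)
chmod 600 "$KEY_FILE"
chmod 644 "$CERT_FILE"
print_success "Certificato generato con successo!"
echo ""

# Verify that the SAN extension made it into the certificate; without it
# Docker clients reject the registry. Fail loudly instead of relying on set -e.
print_info "Verifica certificato:"
if ! openssl x509 -in "$CERT_FILE" -text -noout | grep -A 3 "Subject Alternative Name"; then
  print_error "Verifica fallita: nessun Subject Alternative Name nel certificato"
  exit 1
fi
echo ""

print_info "File generati:"
print_info " Chiave privata: $KEY_FILE"
print_info " Certificato: $CERT_FILE"
print_info " Config OpenSSL: $CNF_FILE"
echo ""

# Next steps for the operator. The here-docs are unquoted so $CERT_DIR,
# $CERT_FILE and $REGISTRY_IP expand; "\\" renders as a single backslash.
print_info "Prossimi passi:"
print_info ""
print_info "1. Riavvia il registry Docker con i nuovi certificati:"
cat <<EOF
 docker stop registry && docker rm registry
 docker run -d \\
 -p 5000:5000 \\
 --name registry \\
 --restart=always \\
 -v $CERT_DIR:/certs \\
 -v /opt/docker-registry/data:/var/lib/registry \\
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \\
 -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \\
 registry:2

EOF
print_info "2. Installa il certificato sui client Docker:"
cat <<EOF
 # Su ogni VM che deve accedere al registry:
 sudo mkdir -p /etc/docker/certs.d/$REGISTRY_IP:5000
 sudo scp root@$REGISTRY_IP:$CERT_FILE /etc/docker/certs.d/$REGISTRY_IP:5000/ca.crt
 sudo systemctl restart docker

EOF
print_info "3. (Opzionale) Installa nel sistema per curl/wget:"
cat <<EOF
 sudo cp $CERT_FILE /usr/local/share/ca-certificates/registry.crt
 sudo update-ca-certificates

EOF
print_success "Setup completato!"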