generate certs if REGISTRY_TLS_VERIFY

Dockerfile

@@ -1,7 +1,7 @@
 FROM google/debian:wheezy
 
-RUN apt-get update && apt-get install --no-install-recommends -yq python-pip build-essential python-dev liblzma-dev libffi-dev curl
-RUN pip install docker-registry==0.8.1
+RUN apt-get update && apt-get install --no-install-recommends -yq python-pip build-essential python-dev liblzma-dev libffi-dev curl openssl
+RUN pip install docker-registry==0.9
 
 ADD requirements.txt /docker-registry-gcs-plugin/requirements.txt
 RUN pip install -r  /docker-registry-gcs-plugin/requirements.txt
@@ -16,6 +16,10 @@ ADD run.sh /docker-registry/
 # Credentials. Use --volumes-from gcloud-config (google/cloud-sdk).
 VOLUME ["/.config"]
 
+# ssl certs
+VOLUME ["/ssl"]
+VOLUME ["/certs.d"]
+
 # These should be set if credentials are obtained with google/cloud-sdk.
 ENV OAUTH2_CLIENT_ID 32555940559.apps.googleusercontent.com
 ENV OAUTH2_CLIENT_SECRET ZmssLNjJy2998hD4CTg2ejr2
@@ -25,4 +29,5 @@ EXPOSE 5000
 
 ENV SETTINGS_FLAVOR prod
 WORKDIR /docker-registry
+CMD ["docker-registry"]
 ENTRYPOINT ["./run.sh"]

README.md

@@ -62,6 +62,21 @@ There are three ways to specify the credentials:
         $ gcutil ssh my-docker-vm
         $ sudo docker run -d -e GCS_BUCKET=your-bucket -p 5000:5000 google/docker-registry
 
+### SSL
+
+    # generate credentials
+    # and copy CA to /etc/docker/certs.d/localhost:5000/ca.crt
+    docker run -e REGISTRY_TLS_VERIFY=1 \
+       -v /etc/docker/certs.d:/certs.d \
+       -p 127.0.0.1:5000:5000 ... google/docker-registry
+    # use custom credentials from /mycerts
+    # assuming CA is already in /etc/docker/certs.d
+    docker run -e REGISTRY_TLS_VERIFY=1 \
+        -v /mycerts:/ssl \
+        -e GUNICORN_OPTS="['--certfile','/ssl/myserver.cert','--keyfile','/ssl/myserver.key','--ca-certs','/ssl/myca.crt']" \
+        -p 127.0.0.1:5000:5000 ... google/docker-registry
+
+
 ### Using the registry
 
     docker tag myawesomeimage localhost:5000/myawesomeimage

requirements.txt

@@ -1,2 +1,2 @@
-docker-registry-core==2.0.2
+docker-registry-core==2.0.3
 gcs-oauth2-boto-plugin==1.8

run.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 USAGE="docker run -e GCS_BUCKET=<YOUR_GCS_BUCKET_NAME> \
 [-e GCP_ACCOUNT='<YOUR_EMAIL>' ] \
@@ -53,5 +54,39 @@ else
   fi
 fi
 
-export GCS_BUCKET BOTO_PATH
-exec docker-registry $*
+if [ -n "${REGISTRY_TLS_VERIFY}" ] && [ -z "${GUNICORN_OPTS}" ]; then
+  : ${REGISTRY_ADDR:="localhost:5000"}
+  : ${BOOT2DOCKER_HOST:="boot2docker.local"}
+  : ${BOOT2DOCKER_IP:="192.168.59.103"}
+  cat <<EOF > /ssl/ssl.conf
+[req]
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[v3_ca]
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, keyCertSign
+subjectAltName = @alt_names
+[v3_req]
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, serverAuth
+nsCertType = server
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+DNS.2 = ${BOOT2DOCKER_HOST}
+IP.1 = 127.0.0.1
+IP.2 = ${BOOT2DOCKER_IP}
+EOF
+  echo 01 > /ssl/ca.srl
+  openssl req -subj "/CN=Local CA" -config /ssl/ssl.conf -extensions v3_ca -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout /ssl/ca.key -out /ssl/ca.crt && chmod 600 /ssl/ca.key
+  openssl req -subj "/CN=Local Docker registry" -config /ssl/ssl.conf -reqexts v3_req -new -newkey rsa:2048 -nodes -keyout /ssl/registry.key -out /ssl/registry.csr  && chmod 600 /ssl/registry.key
+  openssl x509 -req -extfile /ssl/ssl.conf -extensions v3_req -days 365 -in /ssl/registry.csr -CA /ssl/ca.crt -CAkey /ssl/ca.key -out /ssl/registry.cert
+  mkdir -p /certs.d/${REGISTRY_ADDR}
+  cp /ssl/ca.crt /certs.d/${REGISTRY_ADDR}/
+  SSL_VERSION=$(python -c 'import ssl; print ssl.PROTOCOL_TLSv1')
+  : ${GUNICORN_OPTS:="['--certfile','/ssl/registry.cert','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.crt','--ssl-version','$SSL_VERSION','--log-level','debug']"}
+fi
+
+export GCS_BUCKET BOTO_PATH GUNICORN_OPTS
+exec "$@"