
Using external SSL termination with docker-registry/registry-console



Hi,

Our infra nodes are fronted by external load balancers that terminate client-side SSL and then re-encrypt before sending to the haproxy routers on TCP/443.

This works great, but also requires the routes to be set for 'edge' TLS termination.

I can't seem to get this working for the registry-console and/or docker-registry.  The registry is deployed via the Ansible playbooks in our installation and gets configured with 'passthrough' TLS termination.  After changing this to 'edge,' I can open the registry-console in a web browser, but it displays "Disconnected" on the screen.  Hitting the "Reconnect" button doesn't help.

I enabled debug logging on the registry pod and see this in the logs:

===
INFO: cockpit-ws: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
DEBUG: cockpit-ws: received unknown/invalid credential cookie
DEBUG: cockpit-ws: received unknown/invalid credential cookie
DEBUG: cockpit-ws: received unknown/invalid credential cookie
DEBUG: cockpit-ws: /usr/libexec/cockpit-kube-auth: setting up auth pipe 11 12
DEBUG: cockpit-ws: spawning /usr/libexec/cockpit-kube-auth
DEBUG: cockpit-ws: /usr/libexec/cockpit-kube-auth: reporting message
DEBUG: cockpit-ws: /usr/libexec/cockpit-kube-auth: Auth pipe closed
DEBUG: cockpit-ws: /usr/libexec/cockpit-kube-auth says: {"login-data":{"apiVersion":"v1","clusters":[{"cluster":{"certificate-authority-data":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2akNDQWRLZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFtTVNRd0lnWURWUVFEREJ0dmNHVnUKYzJocFpuUXRjMmxuYm1WeVFERTBPRFV6TURNek5EUXdIaGNOTVRjd01USTFNREF4TlRReldoY05Nakl3TVRJMApNREF4TlRRMFdqQW1NU1F3SWdZRFZRUUREQnR2Y0dWdWMyaHBablF0YzJsbmJtVnlRREUwT0RVek1ETXpORFF3CmdnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN6OG1RZlFnV1NzTVRZeHRZSDhUVEQKQlQ2REcxcmdPdHhyOFIwbUtRdUErcGxMaitnRzdwUDg5ZUZtZWQydW9nMEJRcnZvaFB0TCswamdMSFM4OTlCZwpYZmQwanpwY1J4MWN0MXhKMVNQQmFOWml5MVZKYmlCZzJmKzJFbnpjMzlZVDZ2UWZLdklselhtamwwV1RvUHVRCjk2YUFlVlRzUjBYOVNBU1pZS0NvZ1JYdmdEdlRIUjlLemNFcFFnOVk2SlhpNU15T2hWSC9YS0VVakcyQkxwNzAKVFhTUDg5djMxTytmMXdpUDhoZmR6bHpzQ3N4UnZSSjNCaWtmaEZjYlA5YmdFVnVHL0lpN1VBeENoSXBubTNPNApGUW1YMkpLcXY5S1d0K0ViR2RZcytIaEVBY0wxVDBkNUdXUUxycHRua1RIRTg5NWFrbjcwekZVRmFncHEzTWZMCkFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDcERBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUcKU0liM0RRRUJDd1VBQTRJQkFRQ3gwTHRYdWM1NUJrU3NRYXNPMm84VnYrK0Jnb2loZXF0UDNkZEhzMDUrNDYvWApRVnEzRVNVM3Rjby9STlpxRXZFaUVUb1pCYWtzS2RqVzUzQkRwWVhLdjJ5T2pHLzBBbS9idWQ1S3JYUy90NkV1CjBZZ3E3YnRtVDZuYTlnSnFlTG1yVndHb2JoYnZSQThmWDUvV2dmdURCTWRpOE1PRjN4V0thOStjeUkrZ1p2NmUKUEZva3JBQlc5TCs4a25TbnAvY2dMTFM4NmpnOGFBb1k0RFZEdjkxWXJZTTRXRjJBM2o4cFQ3OVVCaHJMZlNyQgpOTlJpdUxKbjloM3RHUlFteG10YzFmVnJzaEwybVJpTlJ5UDZaZUlSVW9CRzRQWnhWUnJrU0o4czNvazB1WmF3CldwQXdlVjliVHhRcG5ERWY3UmVDRjRhTmxiSHRRaklzT2p4bnpRK2kKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=","insecure-skip-tls-verify":false,"server":"https://172.20.16.1:443"},"name":"container-cluster"}],"contexts":[{"context":{"cluster":"container-cluster","user":"jbaird"},"name":"container-context"}],"current-context":"container-context","displayName":"Baird, Josh","users":[{"name":"jbaird","user":{"token":"AkYDVf7990CGgJ0-sLTPd1TqcSHoOAkcID9lahinOnc"}}]},"user":"jbaird"}
DEBUG: cockpit-ws: localhost: new session
DEBUG: cockpit-ws: jbaird: login is idle
DEBUG: cockpit-ws: sending 26f308eb2383e4a43c2748bf8185a354088914d5a864c44e72c0b3b56d506ac1 credential id 'cockpit' for user 'jbaird'
INFO: cockpit-ws: logged in user: jbaird
DEBUG: cockpit-ws: received cockpit credential cookie for user 'jbaird'
DEBUG: cockpit-ws: received cockpit credential cookie for user 'jbaird'
DEBUG: cockpit-ws: localhost: received init message
DEBUG: cockpit-ws: /shell/simple.html: completed serving external channel
DEBUG: cockpit-ws: /shell/simple.html: completed serving external channel
MESSAGE: cockpit-protocol: couldn't read from connection: Error receiving data: Connection reset by peer
===

If I switch the TLS termination back to 'passthrough' and then re-configure our external load balancers to use SSL passthru (and not terminate client-side/re-encrypt), the registry console does work as expected.

Is there any way to get the registry-console/docker-registry to work with SSL termination configured on our load balancers (and 'edge' TLS termination on the routes)?

Thanks,

Josh
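One thing worth noticing in the debug excerpt above: the `cockpit-kube-auth says:` line carries the user's API token and the cluster CA data in clear text, so a cockpit-ws debug log should be scrubbed before it is posted to a list. The following is an added example, not code from the original post or from the cockpit project. It parses log lines in the `LEVEL: component: message` shape seen above, counts the `unknown/invalid credential cookie` events, records the login and the final disconnect reason, and redacts secret-bearing keys in the embedded login-data JSON. The sample log is constructed from the excerpt with placeholder token and CA values; the function and key names are this example's own.

```python
"""Summarise and sanitise cockpit-ws debug output before sharing it.

Added example, not part of the original mailing-list post. Assumes the
cockpit-ws log format shown in the thread: "LEVEL: component: message".
"""
import json
import re
from typing import Dict, List

# Constructed sample modelled on the excerpt in the post. The token and
# certificate-authority-data values are placeholders, not real values.
SAMPLE_LOG = """\
INFO: cockpit-ws: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
DEBUG: cockpit-ws: received unknown/invalid credential cookie
DEBUG: cockpit-ws: received unknown/invalid credential cookie
DEBUG: cockpit-ws: spawning /usr/libexec/cockpit-kube-auth
DEBUG: cockpit-ws: /usr/libexec/cockpit-kube-auth says: {"login-data":{"apiVersion":"v1","clusters":[{"cluster":{"certificate-authority-data":"PLACEHOLDER-CA-DATA","insecure-skip-tls-verify":false,"server":"https://172.20.16.1:443"},"name":"container-cluster"}],"users":[{"name":"jbaird","user":{"token":"PLACEHOLDER-TOKEN"}}]},"user":"jbaird"}
INFO: cockpit-ws: logged in user: jbaird
DEBUG: cockpit-ws: received cockpit credential cookie for user 'jbaird'
DEBUG: cockpit-ws: localhost: received init message
MESSAGE: cockpit-protocol: couldn't read from connection: Error receiving data: Connection reset by peer
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z]+): (?P<component>[\w-]+): (?P<msg>.*)$")

# Keys whose values must never leave the cluster in a pasted log (hypothetical list).
SECRET_KEYS = {"token", "certificate-authority-data", "client-key-data", "password"}


def redact(obj):
    """Recursively replace the values of secret-bearing keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k in SECRET_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def sanitize_line(line: str) -> str:
    """Redact any JSON payload that follows a ' says: ' marker; leave other lines alone."""
    marker = " says: "
    idx = line.find(marker)
    if idx == -1:
        return line
    head = line[: idx + len(marker)]
    try:
        payload = json.loads(line[idx + len(marker):])
    except json.JSONDecodeError:
        # Unparseable payload: drop it entirely rather than risk leaking part of it.
        return head + "<unparseable payload redacted>"
    return head + json.dumps(redact(payload), separators=(",", ":"))


def summarize(log: str) -> Dict[str, object]:
    """Count auth events, record logins and the disconnect reason, and sanitise every line."""
    summary: Dict[str, object] = {
        "invalid_cookies": 0,
        "logins": [],
        "disconnect": None,
        "sanitized": [],
    }
    logins: List[str] = summary["logins"]  # type: ignore[assignment]
    sanitized: List[str] = summary["sanitized"]  # type: ignore[assignment]
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if "unknown/invalid credential cookie" in msg:
            summary["invalid_cookies"] += 1  # type: ignore[operator]
        elif msg.startswith("logged in user: "):
            logins.append(msg.split(": ", 1)[1])
        elif m.group("component") == "cockpit-protocol" and "couldn't read from connection" in msg:
            summary["disconnect"] = msg
        sanitized.append(sanitize_line(raw))
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("invalid cookies:", result["invalid_cookies"])
    print("logins:", result["logins"])
    print("disconnect:", result["disconnect"])
    print("\n".join(result["sanitized"]))
```

Run it against a saved `oc logs` capture instead of `SAMPLE_LOG` to get a pasteable version; the counts make it easy to see at a glance whether the failure happened before or after a successful login, which in the excerpt above is after (login succeeded, then the connection was reset).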
