
Add self-signed registry

theenglishway (time) 7 år sedan
förälder
incheckning
51bd38fa40

+ 2 - 1
.gitignore

@@ -1 +1,2 @@
-.idea/
+.idea/
+*/certs/

+ 1 - 9
README.md

@@ -1,16 +1,8 @@
 Handle LAN Docker-registry with various setups
 
-Docker image `dolphm/network-tools` can be used to check 
+Docker image `dolphm/network-tools` is used to check 
 connectivity from other containers 
 
-## API calls
-
-Check that the insecure HTTP server is up and running :
-
-```sh
-curl <host-machine-name>:5000/v2/ 
-```
-
 ## Useful stuff
 
 * Stuff handled by docker-compose (networks, volumes, ..) is by default named 

+ 12 - 0
self-signed/README.md

@@ -0,0 +1,12 @@
+## Self-signed registry
+
+### Setup
+
+On the machine hosting the registry, edit `docker-compose.yml` with the name of 
+the machine and then run :
+
+```sh
+cd self-signed
+./generate-certs.sh <machine-name>
+docker-compose up -d
+```

+ 19 - 0
self-signed/docker-compose.yml

@@ -0,0 +1,19 @@
+version: '3'
+
+services:
+  local-registry:
+    image: registry:2
+    container_name: self-signed-registry
+    volumes:
+      - local-registry-data:/var/lib/registry
+      - ./certs/time.home:/certs
+    ports:
+      - 5000:5000
+      - 443:443
+    environment:
+      - REGISTRY_HTTP_ADDR=0.0.0.0:443
+      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
+      - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
+
+volumes:
+  local-registry-data:
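Review bot: The `5000:5000` mapping on line 71 publishes a host port the registry never listens on, because `REGISTRY_HTTP_ADDR=0.0.0.0:443` binds only 443; drop that line or it sits open on the host for no purpose. The directory holding the private key is mounted read-write; `- ./certs/time.home:/certs:ro` stops the container from altering `domain.key` or `domain.crt`. The hard-coded `time.home` is the value the new README asks users to edit, so a comment on the volume line would make that explicit: `# replace time.home with the <machine-name> given to generate-certs.sh`.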

+ 21 - 0
self-signed/generate-certs.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -eux
+
+if [ "$#" -ne 1 ] ; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+DOMAIN=$1
+
+mkdir -p certs/ certs/$1
+openssl req \
+  -newkey rsa:4096 \
+  -nodes \
+  -sha256 \
+  -x509 \
+  -days 365 \
+  -keyout certs/$DOMAIN/domain.key \
+  -out certs/$DOMAIN/domain.crt \
+  -subj "/CN=$DOMAIN"
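Review bot: The certificate carries no subjectAltName, only `-subj "/CN=$DOMAIN"`, and Go-based TLS clients such as the Docker daemon reject CN-only certificates, so `docker push` to this registry is likely to fail hostname verification; with OpenSSL 1.1.1 or newer add `-addext "subjectAltName=DNS:$DOMAIN"` to the `openssl req` call. `domain.key` is written unencrypted (`-nodes`) under the caller's default umask, so put `umask 077` before `openssl req` to keep the key from being group- or world-readable. Line 96 mixes `$1` with the already assigned `$DOMAIN` and leaves both unquoted; `mkdir -p -- "certs/$DOMAIN"` plus quoting `"certs/$DOMAIN/domain.key"` and `"certs/$DOMAIN/domain.crt"` keeps names with spaces or a leading dash intact. Since `set -x` is on, the full command is echoed, which is fine here as no secret is passed on the command line.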

+ 23 - 0
test/common/get_args.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -eux
+
+if [ "$#" -ne 1 ] ; then
+  echo "Wrong number of arguments" >&2
+  exit 1
+fi
+
+export REGISTRY_HOSTNAME=$1
+
+export HOST_NAME=`echo ${REGISTRY_HOSTNAME} | cut -d ':' -f 1`
+export PORT=`echo ${REGISTRY_HOSTNAME} | grep ':' | cut -d ':' -f 2`
+
+export HUB_IMAGE=alpine
+export HOSTNAME_IMAGE=${REGISTRY_HOSTNAME}/${HUB_IMAGE}
+
+if [ -z ${PORT} ]
+then
+    export LOCALHOST_IMAGE=localhost/${HUB_IMAGE}
+else
+    export LOCALHOST_IMAGE=localhost:${PORT}/${HUB_IMAGE}
+fi
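Review bot: The `[ -z ${PORT} ]` test on line 128 works only by accident: when PORT is empty the unquoted expansion disappears and `[ -z ]` becomes a one-argument test that happens to be true; write `[ -z "${PORT}" ]`, and the same applies to the copies in test-container-in.sh, test-container.sh, test-lan.sh and test-local.sh. Because this file is sourced with `.`, its `set -eux` switches errexit and tracing on in every calling script; that seems intended, but deserves a comment on line 113: `# sourced by the test scripts: set -eux applies to the caller too`. The backtick pipelines on lines 122-123 can be replaced by parameter expansion, `HOST_NAME=${REGISTRY_HOSTNAME%%:*}` and `PORT=${REGISTRY_HOSTNAME#"${HOST_NAME}"}; PORT=${PORT#:}`, which gives the same result for the single-colon `host[:port]` form the tests use, including an empty PORT when no colon is present, without three process spawns or the unquoted `echo`.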

+ 14 - 0
test/test-concourse-registry.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+. ./common/get_args.sh $*
+
+CONCOURSE_REGISTRY_IMAGE=concourse/registry-image-resource
+IMAGE_TARBALL=/tmp/${HUB_IMAGE}.tar
+
+docker save -o ${IMAGE_TARBALL} ${HUB_IMAGE}:latest
+
+jo source=$(jo repository=${HOSTNAME_IMAGE} tag=latest) \
+    | docker run \
+    -i \
+    -v ${IMAGE_TARBALL}:/tmp/image.tar \
+    ${CONCOURSE_REGISTRY_IMAGE} /opt/resource/out /tmp/image.tar
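Review bot: `IMAGE_TARBALL=/tmp/${HUB_IMAGE}.tar` on line 144 is a fixed, predictable path in a shared temporary directory, so `docker save -o` writes to whatever another local user has placed at `/tmp/alpine.tar` beforehand; create the file with `IMAGE_TARBALL=$(mktemp)` and remove it afterwards with `trap 'rm -f -- "${IMAGE_TARBALL}"' EXIT`. The `$*` on line 141 and the `$(jo …)` on line 148 are unquoted; `"$@"` and `"$(jo repository="${HOSTNAME_IMAGE}" tag=latest)"` pass the values through unchanged. The remaining `${…}` expansions in the `docker save` and `docker run` lines should be quoted for the same reason.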

+ 18 - 0
test/test-container-in.sh

@@ -0,0 +1,18 @@
+#!/bin/ash
+# Script that must be run inside the container
+
+. ./common/get_args.sh $*
+
+REGISTRY_CERT_FILE=/tmp/registry_cert.crt
+
+echo "*** API"
+if [ -z ${PORT} ]
+then
+    echo "*** non-signed"
+    curl -k https://${REGISTRY_HOSTNAME}/v2/
+    echo "*** signed"
+    curl --cacert /registry_cert.crt https://${REGISTRY_HOSTNAME}/v2/
+else
+    echo "*** non-secure"
+    curl http://${REGISTRY_HOSTNAME}/v2/
+fi
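Review bot: None of the `curl` calls pass `--fail`, so a registry answering 401 or 500 on `/v2/` still makes curl exit 0 and, under the `set -e` inherited from `get_args.sh`, the test is reported as passing; use `curl --fail --show-error https://${REGISTRY_HOSTNAME}/v2/` on lines 169, 171 and 174, and likewise on the curl calls in test-lan.sh and test-local.sh. `REGISTRY_CERT_FILE=/tmp/registry_cert.crt` on line 163 is never read: line 171 hard-codes `/registry_cert.crt`, the path test-container.sh mounts, so set `REGISTRY_CERT_FILE=/registry_cert.crt` and use `--cacert "${REGISTRY_CERT_FILE}"`. The branch on line 166 relies on the caller having mounted the certificate exactly when PORT is empty, which is what test-container.sh does but is invisible here; a comment above it, `# PORT empty: the caller mounted the registry cert at /registry_cert.crt`, records that contract.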

+ 27 - 0
test/test-container.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+. ./common/get_args.sh $*
+
+if [ -z ${PORT} ]
+then
+    REGISTRY_CERT_FILE=/tmp/registry_cert.crt
+
+    # Get the registry host certificate
+    echo -n \
+        | openssl s_client -connect ${REGISTRY_HOSTNAME}:443 \
+        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+        > ${REGISTRY_CERT_FILE}
+
+    docker run --rm \
+        -v $(pwd)/test-container-in.sh:/test-container-in.sh \
+        -v $(pwd)/common/get_args.sh:/common/get_args.sh \
+        -v ${REGISTRY_CERT_FILE}:/registry_cert.crt \
+        dolphm/network-tools \
+        /test-container-in.sh ${REGISTRY_HOSTNAME}
+else
+    docker run --rm \
+        -v $(pwd)/test-container-in.sh:/test-container-in.sh \
+        -v $(pwd)/common/get_args.sh:/common/get_args.sh \
+        dolphm/network-tools \
+        /test-container-in.sh ${REGISTRY_HOSTNAME}
+fi
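Review bot: The certificate extraction on lines 190-193 produces `${REGISTRY_CERT_FILE}` even when `openssl s_client` cannot connect: `/bin/sh` has no pipefail, `sed` exits 0 on empty input, and the container is then started with an empty CA file; add `[ -s "${REGISTRY_CERT_FILE}" ] || { echo "no certificate received from ${REGISTRY_HOSTNAME}" >&2; exit 1; }` after the redirect. A certificate fetched from the very server it is then used to verify only shows that the TLS path is consistent with what the peer presented, not that the peer is the intended registry, so the `--cacert` step inside the container is a TLS-configuration check rather than a trust check, and a comment saying so on line 189 would keep readers from over-reading it. This extraction block is repeated verbatim in test-lan.sh and test-local.sh and belongs in a helper next to common/get_args.sh. The `$(pwd)` and `${REGISTRY_HOSTNAME}` expansions in the `docker run` arguments should be quoted, e.g. `-v "$(pwd)/test-container-in.sh:/test-container-in.sh"`.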

+ 30 - 0
test/test-lan.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+. ./common/get_args.sh $*
+
+docker pull ${HUB_IMAGE}
+docker tag ${HUB_IMAGE} ${HOSTNAME_IMAGE}
+
+echo "*** API"
+if [ -z ${PORT} ]
+then
+    REGISTRY_CERT_FILE=/tmp/registry_cert.crt
+
+    # Get the registry host certificate
+    echo -n \
+        | openssl s_client -connect ${REGISTRY_HOSTNAME}:443 \
+        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+        > ${REGISTRY_CERT_FILE}
+
+    echo "*** non-signed"
+    curl -k https://${REGISTRY_HOSTNAME}/v2/
+    echo "*** signed"
+    curl --cacert ${REGISTRY_CERT_FILE} https://${REGISTRY_HOSTNAME}/v2/
+else
+    echo "*** non-secure"
+    curl http://${REGISTRY_HOSTNAME}/v2/
+fi
+
+echo "*** as hostname"
+docker push ${HOSTNAME_IMAGE}
+docker pull ${HOSTNAME_IMAGE}
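Review bot: `REGISTRY_CERT_FILE=/tmp/registry_cert.crt` on line 223 is a fixed name in a world-writable directory that test-container.sh and test-local.sh also write, so a concurrent run or another local user can replace the CA file the `--cacert` call on line 234 trusts; `REGISTRY_CERT_FILE=$(mktemp)` with `trap 'rm -f -- "${REGISTRY_CERT_FILE}"' EXIT` gives each run a private file. The `docker push`/`docker pull` of `${HOSTNAME_IMAGE}` on lines 241-242 go through the daemon, not curl, so the extracted certificate does nothing for them; unless the daemon already trusts the self-signed certificate (or lists the host as insecure) I would expect the push to fail, and the new self-signed/README.md should state how the certificate is installed for the daemon. The `$*` on line 215 should be `"$@"`.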

+ 35 - 0
test/test-local.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+. ./common/get_args.sh $*
+
+docker pull ${HUB_IMAGE}
+docker tag ${HUB_IMAGE} ${LOCALHOST_IMAGE}
+docker tag ${HUB_IMAGE} ${HOSTNAME_IMAGE}
+
+echo "*** API"
+if [ -z ${PORT} ]
+then
+    REGISTRY_CERT_FILE=/tmp/registry_cert.crt
+
+    # Get the registry host certificate
+    echo -n \
+        | openssl s_client -connect ${REGISTRY_HOSTNAME}:443 \
+        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+        > ${REGISTRY_CERT_FILE}
+
+    echo "*** SSL non-signed"
+    curl -k https://${REGISTRY_HOSTNAME}/v2/
+    echo "*** SSL signed"
+    curl --cacert ${REGISTRY_CERT_FILE} https://${REGISTRY_HOSTNAME}/v2/
+else
+    echo "*** non-secure"
+    curl http://${REGISTRY_HOSTNAME}/v2/
+fi
+
+echo "*** as localhost"
+docker push ${LOCALHOST_IMAGE}
+docker pull ${LOCALHOST_IMAGE}
+
+echo "*** as hostname"
+docker push ${HOSTNAME_IMAGE}
+docker pull ${HOSTNAME_IMAGE}
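Review bot: The stage labels differ from test-lan.sh for identical commands: line 267 prints `*** SSL non-signed` where test-lan.sh prints `*** non-signed`, and line 269 `*** SSL signed` versus `*** signed`; pick one wording so the output of the two scripts can be compared side by side. Lines 252-274 are otherwise a copy of test-lan.sh, which suggests both scripts should share the API-check block through a helper in common/. The `$*` on line 250 should be `"$@"`.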