Rotate container registry secrets in Azure Stack Hub

Your Azure Stack Hub users can rotate the secrets (certificates, username, and password) for a container registry template deployment. You can run a script to populate new secret values in Microsoft Azure Key Vault and redeploy the existing container registry template instance. Rotating the secrets by itself doesn't require a new deployment.

Prerequisites for the user

  • The user will need to have the Azure Stack Hub PowerShell modules installed. For more information, see Install PowerShell for Azure Stack.

  • Get the updated secrets for the container registry template. You can use a new SSL certificate or a new username and password combination for accessing the Docker registry.

  • Get the scripts found in \registry\scripts after downloading the zip file from the msazurestackworkloads/azurestack-gallery GitHub repository.

Import new secrets into Key Vault

Follow the instructions below to set new secrets in Key Vault.

Set updated registry user password for existing username

  1. Open an elevated PowerShell prompt and then run Import-Module .\pre-reqs.ps1 from the scripts folder.

  2. To update the value of the existing registry user, run the cmdlet:

    Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName <username> `
        -RegistryUserPassword <newpassword> `
        -SkipExistCheck $true
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName admin `
        -RegistryUserPassword password1 `
        -SkipExistCheck $true 
    
    Check if key vault secret name (admin) exists.
    Creating key vault secret name (admin) as it does not exist.
    
  3. To validate that a new value has been entered for this record, open an elevated PowerShell prompt and run the following cmdlet:

    Get-AzureKeyVaultSecret -VaultName newregkv -Name admin -IncludeVersions
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name admin -IncludeVersions
    
    
    Vault Name   : newregkv
    Name         : admin
    Version      : 2a1495372c474cc890c888518f02b19f
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/
                   admin/2a1495372c474cc890c888518f02b19f
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/18/2019 7:05:56 PM
    Updated      : 12/18/2019 7:05:56 PM
    Content Type : 
    Tags         : 
    
    Vault Name   : newregkv
    Name         : admin
    Version      : 3fd65c1719c74997984648de18a1fa0e
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/
                   admin/3fd65c1719c74997984648de18a1fa0e
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/17/2019 5:05:56 AM
    Updated      : 12/17/2019 5:05:56 AM
    Content Type : user credentials
    Tags         : 
    

Set new registry username and password

  1. Open an elevated PowerShell prompt and run Import-Module .\pre-reqs.ps1 from the scripts folder.

  2. To create a new secret for the new username and password, open an elevated PowerShell prompt and run the following cmdlet:

    Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName <newusername> `
        -RegistryUserPassword <newpassword> 
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName admin1 `
        -RegistryUserPassword password1
    
    Check if key vault secret name (admin1) exists.
    Creating key vault secret name (admin1) as it does not exist. 
    
  3. To validate that a new secret has been created, open an elevated PowerShell prompt and run the following cmdlet:

    Get-AzureKeyVaultSecret -VaultName <KeyVaultName> -Name <username>
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name admin1
    
    
    Vault Name   : newregkv
    Name         : admin1
    Version      : 2ae9a7239f4044be82ca9d1e9b80e85a
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin1/2ae9a7239f4044be82ca9d1e9b80e85a
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/18/2019 11:28:18 PM
    Updated      : 12/18/2019 11:28:18 PM
    Content Type : user credentials
    Tags         : 
    

Important

If you are creating a new secret (username/password combination), you will need to delete the old Key Vault secret. If you redeploy the existing container registry template without deleting the old secret, both the old and the new username and password combinations will be valid for logging into the registry.

Update the SSL certificate for an existing Key Vault secret

  1. Open an elevated PowerShell prompt and run the following cmdlet:
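As an added example (not part of the Azure Stack gallery scripts), the function below lists the secrets in the registry Key Vault and reports every credential secret other than the username currently in use, so stale username/password pairs can be removed before the template is redeployed. It assumes the AzureRM.KeyVault cmdlets used on this page and an existing Azure Stack Hub login; the function name and parameters are the author's own.

```powershell
# Added example: find leftover registry credential secrets in Key Vault.
# Assumes the AzureRM.KeyVault cmdlets (Get-AzureKeyVaultSecret) are loaded
# and the session is already logged into Azure Stack Hub.
function Find-StaleRegistrySecret {
    param(
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $CurrentUserName,       # secret name of the username in use
        [Parameter(Mandatory)] [string] $CertificateSecretName  # e.g. containersecret
    )

    # Without -Name the cmdlet returns one identity item per secret in the vault.
    $allSecrets = Get-AzureKeyVaultSecret -VaultName $KeyVaultName
    foreach ($secret in $allSecrets) {
        # The certificate secret and the current username secret are expected to exist.
        if ($secret.Name -in @($CurrentUserName, $CertificateSecretName)) { continue }

        # Set-RegistryAccessSecret writes the first version with content type
        # 'user credentials' (later versions may have it blank), so inspect all
        # versions: any match means this is an old username/password pair that
        # would still log in after a redeploy unless it is deleted.
        $versions = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secret.Name -IncludeVersions
        $isCredential = $versions | Where-Object { $_.ContentType -eq 'user credentials' }
        if ($isCredential) {
            [pscustomobject]@{
                SecretName  = $secret.Name
                Versions    = @($versions).Count
                LastUpdated = ($versions | Sort-Object Updated -Descending | Select-Object -First 1).Updated
                # Command to run once you have confirmed the secret is no longer needed.
                RemoveWith  = "Remove-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $($secret.Name)"
            }
        }
    }
}

# Example usage with the names used on this page (admin1 is the rotated username):
# Find-StaleRegistrySecret -KeyVaultName newregkv -CurrentUserName admin1 -CertificateSecretName containersecret
```

Any secret the function reports is a candidate for Remove-AzureKeyVaultSecret before you redeploy; the current username and the certificate secret are deliberately excluded from the output.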

    Set-CertificateSecret -KeyVaultName <keyvaultname> `
        -CertificateSecretName <originalsecretnameforcertificate> `
        -CertificateFilePath <pathtonewcertificate> `
        -CertificatePassword <certificatepassword> `
        -SkipExistCheck $true
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-CertificateSecret -KeyVaultName newregkv `
        -CertificateSecretName containersecret `
        -CertificateFilePath C:\crinstall\shanghairegcertnew.pfx `
        -CertificatePassword <certificatepassword> `
        -SkipExistCheck $true
    Check if key vault secret name (containersecret) exists.
    Creating key vault secret name (containersecret) as it does not exist.
    ----------------------------------------------------------------
    PFX KeyVaultResourceId       : /subscriptions/997da68a-xxxx-xxxx-ad3d-ffeac81b02dc/resourceGroups/newregreg/providers/Microsoft.KeyVault/vaults/newregkv
    PFX KeyVaultSecretUrl        : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/a07ece6b9914408e8f20c516e15b66c9
    PFX Certificate Thumbprint   : 31810AA7FEF1173188691FB3F47208E5389FBA61
    ---------------------------------------------------------------- 
    
  2. You will use the values produced by this function when redeploying the existing container registry template.

  3. To validate that a new version of the existing secret was created, open an elevated PowerShell prompt and run the following cmdlet:

    Get-AzureKeyVaultSecret -VaultName <KeyVaultName> -Name <secretname>
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name containersecret -IncludeVersions
    
    
    Vault Name   : newregkv
    Name         : containersecret
    Version      : a07ece6b9914408e8f20c516e15b66c9
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/a07ece6b9914408e8f20c516e15b66c9
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/18/2019 11:46:28 PM
    Updated      : 12/18/2019 11:46:28 PM
    Content Type : 
    Tags         : 
    
    Vault Name   : newregkv
    Name         : containersecret
    Version      : 0199c7ec1d8d41bb9ddff0f39dca9931
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/0199c7ec1d8d41bb9ddff0f39dca9931
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/17/2019 5:06:03 AM
    Updated      : 12/17/2019 5:06:03 AM
    Content Type : pfx
    Tags         : 
    

Set a new SSL certificate for the container registry template

  1. Open an elevated PowerShell prompt, and run the following cmdlet:

    Set-CertificateSecret -KeyVaultName <keyvaultname> `
        -CertificateSecretName <newsecretnameforcertificate> `
        -CertificateFilePath <pathtonewcertificate> `
        -CertificatePassword <certificatepassword>
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-CertificateSecret -KeyVaultName newregkv `
        -CertificateSecretName containersecret121719 `
        -CertificateFilePath C:\crinstall\shanghairegcertnew.pfx `
        -CertificatePassword <certificatepassword>
    Check if key vault secret name (containersecret121719) exists.
    Creating key vault secret name (containersecret121719) as it does not exist.
    ----------------------------------------------------------------
    PFX KeyVaultResourceId       : /subscriptions/997da68a-xxxx-xxxx-ad3d-ffeac81b02dc/resourceGroups/newregreg/providers/Microsoft.KeyVault/vaults/newregkv
    PFX KeyVaultSecretUrl        : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret121719/bb2cfe4df7bc4fbe854a00799afa8566
    PFX Certificate Thumbprint   : 31810AA7FEF1173188691FB3F47208E5389FBA61
    

Redeploy existing container registry template

  1. Open the Azure Stack Hub user portal.

  2. Navigate to the resource group that the container registry template VM is deployed to.

    Screenshot showing the resource group that the container registry template VM is deployed to.

  3. Select the deployment under Deployments.

    Screenshot showing the deployment selected on the Deployments page.

  4. If rotating secrets for the first time, select the original deployment. If this isn't the first time rotating secrets, select the most recent deployment and then select Redeploy.

    Screenshot showing the template Overview page with the Redeploy action highlighted.

  5. In Deploy Solution Template, select Use Existing Resource Group and select the resource group that was originally used to deploy the container registry template. For a redeployment to be successful, it must use the same resource group.

    Screenshot showing the Deploy Solution Template and Parameters pages.

  6. In Parameters, check that the parameters match the original deployment. The service principal client ID and service principal secret will need to be added.

    • If you're only rotating the username and password for the registry service, you just need to add the service principal parameters.

    • If you're rotating the certificate, you'll need to input the new values for PFXKeyVaultSecretURL and PFXThumbprint that were output when setting the new secrets.

    Container registry template

  7. Select OK and then Create. The redeployment will proceed. Registry functionality will continue to work during the redeployment.

    • If you are rotating the username and password, you will need to authenticate to the registry again once the redeployment is complete.

    • If you are rotating the certificate, you shouldn't experience any loss of access to the registry. This assumes you are using a certificate from a trusted certificate provider. If you are using a private certificate, that certificate will need to be installed on clients to prevent loss of access.

Next steps

Azure Stack Marketplace overview
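As an added example (not part of the Azure Stack gallery scripts), the function below checks, after the redeployment, that the registry presents the rotated certificate and accepts the rotated username and password. It assumes a Docker registry v2 endpoint on port 443 with basic authentication, the thumbprint printed by Set-CertificateSecret, and a placeholder registry host; the function name and parameters are the author's own.

```powershell
# Added example: verify a completed secret rotation against the live registry.
# Assumes Windows PowerShell 5.1 or later and a registry reachable on TCP 443.
function Test-RegistryRotation {
    param(
        [Parameter(Mandatory)] [string] $RegistryHost,        # placeholder, e.g. <registryhost>
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # "PFX Certificate Thumbprint" value
        [Parameter(Mandatory)] [pscredential] $Credential     # rotated username and password
    )

    # 1. Read the certificate actually served in the TLS handshake. The chain is
    #    not validated here because the thumbprint itself is compared below; a
    #    private certificate that clients do not yet trust still gets reported.
    $client = New-Object System.Net.Sockets.TcpClient($RegistryHost, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($RegistryHost)
        $served = $ssl.RemoteCertificate.GetCertHashString()   # SHA-1 thumbprint, upper-case hex
        $ssl.Dispose()
    } finally { $client.Close() }
    $certOk = ($served -eq $ExpectedThumbprint.ToUpperInvariant())

    # 2. GET /v2/ with the rotated credentials. A registry v2 endpoint answers
    #    200 when the credentials are valid and 401 when they are not.
    $status = 0
    try {
        $resp = Invoke-WebRequest -Uri "https://$RegistryHost/v2/" -Credential $Credential -UseBasicParsing
        $status = [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }

    [pscustomobject]@{
        ServedThumbprint   = $served
        CertificateMatches = $certOk
        AuthStatusCode     = $status
        CredentialAccepted = ($status -eq 200)
    }
}

# Example usage with the rotated username from this page and a placeholder host:
# $cred = Get-Credential -UserName admin1 -Message 'Rotated registry password'
# Test-RegistryRotation -RegistryHost <registryhost> -ExpectedThumbprint 31810AA7FEF1173188691FB3F47208E5389FBA61 -Credential $cred
```

If CertificateMatches is false the redeployment is still serving the previous PFX, and if CredentialAccepted is false with a 401 the new username/password did not take effect; running the same check with the old credentials should return 401 once the old Key Vault secret has been deleted.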