Rotate container registry secrets in Azure Stack Hub - Modular Data Center (MDC)
Your Azure Stack Hub users can rotate the secrets (certificates, username, and password) for a container registry template deployment. You can run a script to populate new secret values in Microsoft Azure Key Vault and redeploy the existing container registry template instance. Rotating secrets by itself doesn't require a new deployment.
Prerequisites for the user
The user will need to have the Azure Stack Hub PowerShell modules installed. For more information, see Install PowerShell for Azure Stack.
Get the updated secrets for the container registry template. You can use a new SSL certificate or a new username and password combination for accessing the Docker registry.
Get the scripts found in \registry\scripts after downloading the zip file from the msazurestackworkloads/azurestack-gallery GitHub repository.
Import new secrets into Key Vault
Follow the instructions below to set new secrets in Key Vault.
Set updated registry user password for existing username
Open an elevated PowerShell prompt and then run Import-Module .\pre-reqs.ps1 from the scripts folder. To update the value of the existing registry user, run the cmdlet:
Set-RegistryAccessSecret -KeyVaultName newregkv `
  -RegistryUserName <username> `
  -RegistryUserPassword <newpassword> `
  -SkipExistCheck $true
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Set-RegistryAccessSecret -KeyVaultName newregkv `
  -RegistryUserName admin `
  -RegistryUserPassword password1 `
  -SkipExistCheck $true
Check if key vault secret name (admin) exists.
Creating key vault secret name (admin) as it does not exist.
To validate that a new value has been entered for this record, open an elevated PowerShell prompt and run the following cmdlet:
Get-AzureKeyVaultSecret -VaultName newregkv -Name admin -IncludeVersions
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name admin -IncludeVersions

Vault Name   : newregkv
Name         : admin
Version      : 2a1495372c474cc890c888518f02b19f
Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin/2a1495372c474cc890c888518f02b19f
Enabled      : True
Expires      :
Not Before   :
Created      : 12/18/2019 7:05:56 PM
Updated      : 12/18/2019 7:05:56 PM
Content Type :
Tags         :

Vault Name   : newregkv
Name         : admin
Version      : 3fd65c1719c74997984648de18a1fa0e
Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin/3fd65c1719c74997984648de18a1fa0e
Enabled      : True
Expires      :
Not Before   :
Created      : 12/17/2019 5:05:56 AM
Updated      : 12/17/2019 5:05:56 AM
Content Type : user credentials
Tags         :
Set new registry username and password
Open an elevated PowerShell prompt and run Import-Module .\pre-reqs.ps1 from the scripts folder. To create a new secret for the new username and password, run the following cmdlet:
Set-RegistryAccessSecret -KeyVaultName newregkv `
  -RegistryUserName <newusername> `
  -RegistryUserPassword <newpassword>
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Set-RegistryAccessSecret -KeyVaultName newregkv `
  -RegistryUserName admin1 `
  -RegistryUserPassword password1
Check if key vault secret name (admin1) exists.
Creating key vault secret name (admin1) as it does not exist.
To validate that a new secret has been created, open an elevated PowerShell prompt and run the following cmdlet:
Get-AzureKeyVaultSecret -VaultName <KeyVaultName> -Name <username>
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name admin1

Vault Name   : newregkv
Name         : admin1
Version      : 2ae9a7239f4044be82ca9d1e9b80e85a
Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin1/2ae9a7239f4044be82ca9d1e9b80e85a
Enabled      : True
Expires      :
Not Before   :
Created      : 12/18/2019 11:28:18 PM
Updated      : 12/18/2019 11:28:18 PM
Content Type : user credentials
Tags         :
Important
If you are creating a new secret (username/password combination), you will need to delete the old Key Vault secret. If you redeploy the existing container registry template without deleting the old secret, both the old and the new username and password combinations will be valid for logging into the registry.
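The note above is the step most often skipped during a credential rotation: the old secret stays valid until it is removed from the vault. The following script is an added example (not part of this page or of the azurestack-gallery scripts) that retires the old username secret only after confirming the replacement exists, then verifies the removal. It uses the same AzureRM Key Vault cmdlets the page uses (Get-AzureKeyVaultSecret, plus Remove-AzureKeyVaultSecret) and assumes you are already signed in to the Azure Stack Hub user subscription; the vault and secret names are placeholders.

```powershell
# Added example, not part of the original page or the azurestack-gallery scripts.
# Assumes the AzureRM Key Vault cmdlets are loaded and you are signed in to the
# Azure Stack Hub user subscription. All names below are placeholders.
param(
    [string]$VaultName   = 'newregkv',   # Key Vault used by the registry template
    [string]$OldUserName = 'admin',      # secret name of the credential being retired
    [string]$NewUserName = 'admin1'      # secret name created with Set-RegistryAccessSecret
)

if ($OldUserName -eq $NewUserName) {
    throw "Old and new secret names are identical; use the 'existing username' procedure instead."
}

# 1. Refuse to delete anything until the replacement secret is confirmed present.
$new = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $NewUserName -ErrorAction SilentlyContinue
if (-not $new) {
    throw "New secret '$NewUserName' not found in vault '$VaultName'; leaving '$OldUserName' in place."
}

# 2. Check whether the old secret still exists; nothing to do if it is already gone.
$old = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $OldUserName -ErrorAction SilentlyContinue
if (-not $old) {
    Write-Output "Old secret '$OldUserName' is already absent from '$VaultName'."
    return
}

# 3. Remove the retired secret so only the new username/password pair is valid after redeploy.
Write-Output "Removing retired registry credential secret '$OldUserName' (version $($old.Version))."
Remove-AzureKeyVaultSecret -VaultName $VaultName -Name $OldUserName -Force

# 4. Verify: the old name must no longer appear in the vault's secret list.
$remaining = Get-AzureKeyVaultSecret -VaultName $VaultName | Select-Object -ExpandProperty Name
if ($remaining -contains $OldUserName) {
    throw "Secret '$OldUserName' is still present in '$VaultName' after removal."
}
Write-Output "Secrets remaining in '$VaultName': $($remaining -join ', ')"
```

Run it after Set-RegistryAccessSecret has created the new secret and before redeploying the template, so that the redeployment only ever sees the credential you intend to keep.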
Update the SSL certificate for an existing Key Vault secret
Open an elevated PowerShell prompt and run the following cmdlet:
Set-CertificateSecret -KeyVaultName <keyvaultname> `
  -CertificateSecretName <originalsecretnameforcertificate> `
  -CertificateFilePath <pathtonewcertificate> `
  -CertificatePassword <certificatepassword> `
  -SkipExistCheck $true
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Set-CertificateSecret -KeyVaultName newregkv `
  -CertificateSecretName containersecret `
  -CertificateFilePath C:\crinstall\shanghairegcertnew.pfx `
  -CertificatePassword <certificatepassword> `
  -SkipExistCheck $true
Check if key vault secret name (containersecret) exists.
Creating key vault secret name (containersecret) as it does not exist.
----------------------------------------------------------------
PFX KeyVaultResourceId     : /subscriptions/997da68a-xxxx-xxxx-ad3d-ffeac81b02dc/resourceGroups/newregreg/providers/Microsoft.KeyVault/vaults/newregkv
PFX KeyVaultSecretUrl      : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/a07ece6b9914408e8f20c516e15b66c9
PFX Certificate Thumbprint : 31810AA7FEF1173188691FB3F47208E5389FBA61
----------------------------------------------------------------
You will use the values produced by this function when redeploying the existing container registry template.
To validate that a new version of the existing secret was created, open an elevated PowerShell prompt and run the following cmdlet:
Get-AzureKeyVaultSecret -VaultName <KeyVaultName> -Name <secretname> -IncludeVersions
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name containersecret -IncludeVersions

Vault Name   : newregkv
Name         : containersecret
Version      : a07ece6b9914408e8f20c516e15b66c9
Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/a07ece6b9914408e8f20c516e15b66c9
Enabled      : True
Expires      :
Not Before   :
Created      : 12/18/2019 11:46:28 PM
Updated      : 12/18/2019 11:46:28 PM
Content Type :
Tags         :

Vault Name   : newregkv
Name         : containersecret
Version      : 0199c7ec1d8d41bb9ddff0f39dca9931
Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/0199c7ec1d8d41bb9ddff0f39dca9931
Enabled      : True
Expires      :
Not Before   :
Created      : 12/17/2019 5:06:03 AM
Updated      : 12/17/2019 5:06:03 AM
Content Type : pfx
Tags         :
Set a new SSL certificate for the container registry template
Open an elevated PowerShell prompt, and run the following cmdlet:
Set-CertificateSecret -KeyVaultName <keyvaultname> `
  -CertificateSecretName <newsecretnameforcertificate> `
  -CertificateFilePath <pathtonewcertificate> `
  -CertificatePassword <certificatepassword>
For example, the cmdlet returns the following output:
PS C:\azurestack-gallery-master\registry\Scripts> Set-CertificateSecret -KeyVaultName newregkv `
  -CertificateSecretName containersecret121719 `
  -CertificateFilePath C:\crinstall\shanghairegcertnew.pfx `
  -CertificatePassword <certificatepassword>
Check if key vault secret name (containersecret121719) exists.
Creating key vault secret name (containersecret121719) as it does not exist.
----------------------------------------------------------------
PFX KeyVaultResourceId     : /subscriptions/997da68a-xxxx-xxxx-ad3d-ffeac81b02dc/resourceGroups/newregreg/providers/Microsoft.KeyVault/vaults/newregkv
PFX KeyVaultSecretUrl      : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret121719/bb2cfe4df7bc4fbe854a00799afa8566
PFX Certificate Thumbprint : 31810AA7FEF1173188691FB3F47208E5389FBA61
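Both certificate procedures above end with a PFX thumbprint that you will paste into the redeployment, and the final section notes that a certificate from a private CA must also be installed on clients. The script below is an added example (not part of this page or of the azurestack-gallery scripts) that inspects the new PFX locally before you redeploy: it confirms the file's thumbprint matches the value Set-CertificateSecret printed, that the PFX carries a private key, that it is not about to expire, that it covers the registry host name, and whether it chains to a root trusted on this machine. It uses only the .NET X509Certificate2 and X509Chain classes; the file path, password, expected thumbprint and registry host name are placeholders you replace with your own values.

```powershell
# Added example, not part of the original page or the azurestack-gallery scripts.
# Checks a new PFX before it is used in the container registry redeployment.
# All parameter values are placeholders; the expected thumbprint is the
# "PFX Certificate Thumbprint" value printed by Set-CertificateSecret.
param(
    [string]$PfxPath            = 'C:\crinstall\shanghairegcertnew.pfx',
    [string]$PfxPassword        = '<certificatepassword>',
    [string]$ExpectedThumbprint = '<thumbprint from Set-CertificateSecret output>',
    [string]$RegistryHostName   = '<registry FQDN clients connect to>',
    [int]$MinDaysValid          = 30
)

$problems = New-Object System.Collections.Generic.List[string]

# Load the PFX together with its private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)

# 1. The thumbprint in the vault output must be the certificate actually in the file.
if ($cert.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()) {
    $problems.Add("Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint")
}

# 2. The registry needs the private key to terminate TLS; a cert-only PFX is useless here.
if (-not $cert.HasPrivateKey) {
    $problems.Add('PFX does not contain a private key')
}

# 3. Do not rotate onto a certificate that is already, or nearly, expired.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $MinDaysValid) {
    $problems.Add("Certificate expires in $daysLeft days (NotAfter $($cert.NotAfter))")
}

# 4. The host name clients use must appear in the subject or SAN list.
#    DnsNameList is the property PowerShell adds to X509Certificate2 objects.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $RegistryHostName) {
    $problems.Add("Host name '$RegistryHostName' not covered; certificate names: $($names -join ', ')")
}

# 5. Chain check against this machine's trust store. Revocation is skipped so the check
#    works offline; a failure here means clients will need the issuing CA installed
#    (the private-certificate case described at the end of this page).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
if (-not $trusted) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Certificate does not chain to a trusted root on this machine ($status); clients will need the CA certificate installed."
}

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    DaysRemaining = $daysLeft
    DnsNames      = $names
    ChainsToTrust = $trusted
    Problems      = $problems.ToArray()
}

if ($problems.Count -gt 0) {
    throw "PFX checks failed: $($problems -join '; ')"
}
```

Run it against the same file you passed to Set-CertificateSecret; a thumbprint mismatch here means the PFXThumbprint you are about to enter in the portal does not describe the certificate the registry will serve.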
Redeploy existing container registry template
Open the Azure Stack Hub user portal.
Navigate to the resource group in which the container registry template VM is deployed.
Select the deployment under Deployments.
If rotating secrets for the first time, select the original deployment. If this isn't the first time rotating secrets, select the most recent deployment, and then select Redeploy.
In Deploy Solution Template, select Use Existing Resource Group and select the resource group that was used to originally deploy the container registry template. For a redeployment to succeed, it must use the same resource group.
In Parameters, check that the parameters match the original deployment. The service principal client ID and service principal secret will need to be added.
If you're only rotating the username and password for the registry service, you just need to add the service principal parameters.
If you're rotating the certificate, you'll need to input the new values for PFXKeyVaultSecretURL and PFXThumbprint that were output when you set the new secrets.
Select OK and then Create. The redeployment will proceed. Registry functionality will continue to work during redeployment.
If you are rotating the username and password, you will need to authenticate to the registry again once the redeployment is complete.
If you are rotating the certificate, you shouldn't experience any loss of access to the registry. This assumes you are using a certificate from a trusted certificate provider. If you are using a private certificate, this certificate will need to be installed on clients to prevent loss of access.