Rotate container registry secrets in Azure Stack Hub

Your Azure Stack Hub users can rotate the secrets (certificates, username, and password) for a container registry template deployment. You can run a script to populate new secret values in Microsoft Azure Key Vault and then redeploy the existing container registry template instance. Rotating the secrets by themselves does not require a new deployment.

Prerequisites for the user

  • The user will need to have the Azure Stack Hub PowerShell modules installed. For more information, see Install PowerShell for Azure Stack.

  • Get the updated secrets for the container registry template. You can use a new SSL certificate or a new username and password combination for accessing the Docker registry.

  • Get the scripts found in \registry\scripts after downloading the zip file from the msazurestackworkloads/azurestack-gallery GitHub repository.

Import new secrets into Key Vault

Follow the instructions below to set new secrets in Key Vault.

Set updated registry user password for existing username

  1. Open an elevated PowerShell prompt and then run Import-Module .\pre-reqs.ps1 from the scripts folder.

  2. To update the password of the existing registry user, run the cmdlet:

    Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName <username> `
        -RegistryUserPassword <newpassword> `
        -SkipExistCheck $true
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName admin `
        -RegistryUserPassword password1 `
        -SkipExistCheck $true 
    
    Check if key vault secret name (admin) exists.
    Creating key vault secret name (admin) as it does not exist.
    
  3. To validate that a new value has been entered for this record, open an elevated PowerShell prompt and run the following cmdlet:

    Get-AzureKeyVaultSecret -VaultName newregkv -Name admin -IncludeVersions
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name admin -IncludeVersions
    
    
    Vault Name   : newregkv
    Name         : admin
    Version      : 2a1495372c474cc890c888518f02b19f
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin/2a1495372c474cc890c888518f02b19f
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/18/2019 7:05:56 PM
    Updated      : 12/18/2019 7:05:56 PM
    Content Type : 
    Tags         : 
    
    Vault Name   : newregkv
    Name         : admin
    Version      : 3fd65c1719c74997984648de18a1fa0e
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin/3fd65c1719c74997984648de18a1fa0e
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/17/2019 5:05:56 AM
    Updated      : 12/17/2019 5:05:56 AM
    Content Type : user credentials
    Tags         : 
    

Set new registry username and password

  1. Open an elevated PowerShell prompt and run Import-Module .\pre-reqs.ps1 from the scripts folder.

  2. To create a new secret for the new username and password, run the following cmdlet:

    Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName <newusername> `
        -RegistryUserPassword <newpassword> 
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-RegistryAccessSecret -KeyVaultName newregkv `
        -RegistryUserName admin1 `
        -RegistryUserPassword password1
    
    Check if key vault secret name (admin1) exists.
    Creating key vault secret name (admin1) as it does not exist. 
    
  3. To validate that the new secret has been created, open an elevated PowerShell prompt and run the following cmdlet:

    Get-AzureKeyVaultSecret -VaultName <KeyVaultName> -Name <username>
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name admin1
    
    
    Vault Name   : newregkv
    Name         : admin1
    Version      : 2ae9a7239f4044be82ca9d1e9b80e85a
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/admin1/2ae9a7239f4044be82ca9d1e9b80e85a
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/18/2019 11:28:18 PM
    Updated      : 12/18/2019 11:28:18 PM
    Content Type : user credentials
    Tags         : 
    

Important

If you are creating a new secret (username/password combination), you will need to delete the old Key Vault secret. If you redeploy the existing container registry template without deleting the old secret, both the old and the new username and password combinations will be valid for logging in to the registry.
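The cleanup the note above asks for, as an added example that is not part of the azurestack-gallery scripts. It uses the AzureRM Key Vault cmdlets shown on this page, refuses to delete the old credential secret unless the replacement secret exists and is enabled, and the vault and user names are the ones from the examples above.

```powershell
# Added example, not part of the azurestack-gallery scripts. After a new username/password
# secret has been created, remove the old credential secret so the redeployed registry only
# honours the new combination. Uses the AzureRM Key Vault cmdlets shown on this page.
function Remove-OldRegistryCredentialSecret {
    param(
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $OldUserName,   # secret name of the credential being retired
        [Parameter(Mandatory)] [string] $NewUserName,   # secret name created by Set-RegistryAccessSecret
        [switch] $Preview                               # report what would be removed, change nothing
    )

    if ($OldUserName -eq $NewUserName) {
        throw "Old and new user names are identical; nothing to retire. Use -IncludeVersions to inspect versions instead."
    }

    # Refuse to delete unless the replacement secret is present and enabled; this guards
    # against locking everyone out of the registry after the redeploy.
    $new = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $NewUserName -ErrorAction SilentlyContinue
    if (-not $new -or -not $new.Enabled) {
        throw "Replacement secret '$NewUserName' is missing or disabled in vault '$KeyVaultName'; not removing '$OldUserName'."
    }

    $old = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $OldUserName -ErrorAction SilentlyContinue
    if (-not $old) {
        Write-Host "Old secret '$OldUserName' is already absent from '$KeyVaultName'."
        return
    }

    if ($Preview) {
        Write-Host "Would remove '$OldUserName' (version $($old.Version), updated $($old.Updated)) and keep '$NewUserName'."
        return
    }

    # -Force suppresses the confirmation prompt. If the vault has soft delete enabled the
    # secret stays recoverable until purged, so the old credential is not gone instantly.
    Remove-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $OldUserName -Force
    Write-Host "Removed '$OldUserName'. Redeploy the template now so only '$NewUserName' can log in."
}

# Preview first, then apply. The names below match the examples on this page.
Remove-OldRegistryCredentialSecret -KeyVaultName newregkv -OldUserName admin -NewUserName admin1 -Preview
Remove-OldRegistryCredentialSecret -KeyVaultName newregkv -OldUserName admin -NewUserName admin1
```

Run this from the same elevated prompt in which pre-reqs.ps1 was imported, before the redeployment step below, so the registry never reaches a state where both credential sets are valid.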

Update the SSL certificate for an existing Key Vault secret

  1. Open an elevated PowerShell prompt and run the following cmdlet:

    Set-CertificateSecret -KeyVaultName <keyvaultname> `
        -CertificateSecretName <originalsecretnameforcertificate> `
        -CertificateFilePath <pathtonewcertificate> `
        -CertificatePassword <certificatepassword> `
        -SkipExistCheck $true
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Set-CertificateSecret -KeyVaultName newregkv `
        -CertificateSecretName containersecret `
        -CertificateFilePath C:\crinstall\shanghairegcertnew.pfx `
        -CertificatePassword <certificatepassword> `
        -SkipExistCheck $true
    Check if key vault secret name (containersecret) exists.
    Creating key vault secret name (containersecret) as it does not exist.
    ----------------------------------------------------------------
    PFX KeyVaultResourceId       : /subscriptions/997da68a-xxxx-xxxx-ad3d-ffeac81b02dc/resourceGroups/newregreg/providers/Microsoft.KeyVault/vaults/newregkv
    PFX KeyVaultSecretUrl        : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/a07ece6b9914408e8f20c516e15b66c9
    PFX Certificate Thumbprint   : 31810AA7FEF1173188691FB3F47208E5389FBA61
    ---------------------------------------------------------------- 
    
  2. You will use the values produced by this function when redeploying the existing container registry template.

  3. To validate that a new version of the existing secret was created, open an elevated PowerShell prompt and run the following cmdlet:

    Get-AzureKeyVaultSecret -VaultName <KeyVaultName> -Name <secretname> -IncludeVersions
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts> Get-AzureKeyVaultSecret -VaultName newregkv -Name containersecret -IncludeVersions
    
    
    Vault Name   : newregkv
    Name         : containersecret
    Version      : a07ece6b9914408e8f20c516e15b66c9
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/a07ece6b9914408e8f20c516e15b66c9
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/18/2019 11:46:28 PM
    Updated      : 12/18/2019 11:46:28 PM
    Content Type : 
    Tags         : 
    
    Vault Name   : newregkv
    Name         : containersecret
    Version      : 0199c7ec1d8d41bb9ddff0f39dca9931
    Id           : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret/0199c7ec1d8d41bb9ddff0f39dca9931
    Enabled      : True
    Expires      : 
    Not Before   : 
    Created      : 12/17/2019 5:06:03 AM
    Updated      : 12/17/2019 5:06:03 AM
    Content Type : pfx
    Tags         : 
    

Set a new SSL certificate for the container registry template

  1. Open an elevated PowerShell prompt and run the following cmdlet:

    Set-CertificateSecret -KeyVaultName <keyvaultname> `
        -CertificateSecretName <newsecretnameforcertificate> `
        -CertificateFilePath <pathtonewcertificate> `
        -CertificatePassword <certificatepassword>
    

    For example, the cmdlet returns the following output:

    PS C:\azurestack-gallery-master\registry\Scripts>    Set-CertificateSecret -KeyVaultName newregkv `
        -CertificateSecretName containersecret121719 `
        -CertificateFilePath C:\crinstall\shanghairegcertnew.pfx `
        -CertificatePassword <certificatepassword> 
    Check if key vault secret name (containersecret121719) exists.
    Creating key vault secret name (containersecret121719) as it does not exist.
    ----------------------------------------------------------------
    PFX KeyVaultResourceId       : /subscriptions/997da68a-xxxx-xxxx-ad3d-ffeac81b02dc/resourceGroups/newregreg/providers/Microsoft.KeyVault/vaults/newregkv
    PFX KeyVaultSecretUrl        : https://newregkv.vault.shanghai.azurestack.corp.microsoft.com:443/secrets/containersecret121719/bb2cfe4df7bc4fbe854a00799afa8566
    PFX Certificate Thumbprint   : 31810AA7FEF1173188691FB3F47208E5389FBA61 
    

Redeploy the existing container registry template

  1. Open the Azure Stack Hub user portal.

  2. Navigate to the resource group in which the container registry template VM is deployed.

    Screenshot showing the resource group in which the container registry template VM is deployed.

  3. Select the deployment under Deployments.

    Screenshot showing the deployment selected on the Deployments page.

  4. If rotating secrets for the first time, select the original deployment. If this isn't the first time rotating secrets, select the most recent deployment, and then select Redeploy.

    Screenshot showing the template Overview page with the Redeploy action highlighted.

  5. In Deploy Solution Template, select Use existing resource group and select the resource group that was originally used to deploy the container registry template. For a redeployment to succeed, it must use the same resource group.

    Screenshot showing the Deploy Solution Template and Parameters pages.

  6. In Parameters, check that the parameters match the original deployment. The service principal client ID and service principal secret will need to be added.

    • If you are only rotating the username and password for the registry service, you just need to add the service principal parameters.

    • If you are rotating the certificate, you will need to input the new values for PFXKeyVaultSecretURL and PFXThumbprint that were output when setting the new certificate secret.

    Container registry template

  7. Select OK and then Create. The redeployment will proceed. Registry functionality will continue to work during the redeployment.

    • If you are rotating the username and password, you will need to authenticate to the registry again once the redeployment is complete.

    • If you are rotating the certificate, you shouldn't experience any loss of access to the registry. This assumes you are using a certificate from a trusted certificate provider. If using a private certificate, this certificate will need to be installed on clients to prevent loss of access.
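A post-redeployment check for the certificate case, as an added example that is not part of the azurestack-gallery scripts or the Microsoft docs: it opens a TLS connection to the registry endpoint and compares the served certificate's thumbprint with the PFX Certificate Thumbprint that Set-CertificateSecret printed. The registry host name is a placeholder; the thumbprint is the one from the example output above.

```powershell
# Added example (not from the gallery scripts): confirm that the redeployed registry now
# presents the rotated certificate by comparing the served thumbprint with the value that
# Set-CertificateSecret reported. Works with .NET classes only, so no extra modules are needed.
function Test-RegistryCertificateThumbprint {
    param(
        [Parameter(Mandatory)] [string] $RegistryHost,        # placeholder: your registry's FQDN
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # PFX Certificate Thumbprint from the script output
        [int] $Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient($RegistryHost, $Port)
    try {
        # Accept any chain during this handshake: the goal is to read the served certificate,
        # not to trust it. The thumbprint comparison below is the actual check.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($RegistryHost)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    # X509Certificate2.Thumbprint is upper-case hex without separators; normalise the input to match.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Host               = $RegistryHost
        ServedThumbprint   = $served.Thumbprint
        ExpectedThumbprint = $expected
        ServedSubject      = $served.Subject
        NotAfter           = $served.NotAfter
        Match              = ($served.Thumbprint -eq $expected)
    }
}

# Placeholder host; thumbprint taken from the Set-CertificateSecret output shown on this page.
$result = Test-RegistryCertificateThumbprint -RegistryHost 'registry.example.local' -ExpectedThumbprint '31810AA7FEF1173188691FB3F47208E5389FBA61'
if (-not $result.Match) {
    throw "Registry still serves thumbprint $($result.ServedThumbprint); the redeployment did not pick up the new PFX."
}
$result
```

If the thumbprints match but clients still fail with trust errors, the certificate is from a private CA and needs to be installed on those clients, as the note above says.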

Next steps

Azure Stack Marketplace overview