Configuring the registry for AWS user-provisioned infrastructure

Configuring a secret for the Image Registry Operator

In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

For S3 on AWS storage, the secret is expected to contain two keys:

  • REGISTRY_STORAGE_S3_ACCESSKEY

  • REGISTRY_STORAGE_S3_SECRETKEY

Procedure

  • Create an OKD secret that contains the required keys.

    1. $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=myaccesskey --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=mysecretkey --namespace openshift-image-registry

Configuring registry storage for AWS with user-provisioned infrastructure

During installation, your cloud credentials are sufficient to create an Amazon S3 bucket and the Registry Operator will automatically configure storage.

If the Registry Operator cannot create an S3 bucket and automatically configure storage, you can create an S3 bucket and configure storage with the following procedure.

Prerequisites

  • You have a cluster on AWS with user-provisioned infrastructure.

  • For Amazon S3 storage, the secret is expected to contain two keys:

    • REGISTRY_STORAGE_S3_ACCESSKEY

    • REGISTRY_STORAGE_S3_SECRETKEY

Procedure

Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.

  1. Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.

  2. Fill in the storage configuration in configs.imageregistry.operator.openshift.io/cluster:

    1. $ oc edit configs.imageregistry.operator.openshift.io/cluster

    Example configuration

    1. storage:
    2. s3:
    3. bucket: <bucket-name>
    4. region: <region-name>

To secure your registry images in AWS, block public access to the S3 bucket.

Image Registry Operator configuration parameters for AWS S3

The following configuration parameters are available for AWS S3 registry storage.

ImageRegistryConfigStorageS3 holds the information to configure the registry to use the AWS S3 service for back-end storage. See the S3 storage driver documentation for more information.

ParameterDescription

bucket

Bucket is the bucket name in which you want to store the registry’s data. It is optional and is generated if not provided.

region

Region is the AWS region in which your bucket exists. It is optional and is set based on the installed AWS Region.

regionEndpoint

RegionEndpoint is the endpoint for S3 compatible storage services. It is optional and defaults based on the Region that is provided.

virtualHostedStyle

VirtualHostedStyle enables using S3 virtual hosted style bucket paths with a custom RegionEndpoint. It is optional and defaults to false.

Set this parameter to deploy OKD to hidden regions.

encrypt

Encrypt specifies whether or not the registry stores the image in encrypted format. It is optional and defaults to false.

keyID

KeyID is the KMS key ID to use for encryption. It is optional. Encrypt must be true, or this parameter is ignored.

ImageRegistryConfigStorageS3CloudFront

CloudFront configures Amazon Cloudfront as the storage middleware in a registry. It is optional.

When the value of the regionEndpoint parameter is configured to a URL of a Rados Gateway, an explicit port must not be specified. For example: