- Image Registry Operator in OKD
- Image Registry on cloud platforms and OpenStack
- Image Registry on bare metal, Nutanix, and vSphere
- Image Registry Operator distribution across availability zones
- Additional resources
- Image Registry Operator configuration parameters
- Enable the Image Registry default route with the Custom Resource Definition
- Configuring additional trust stores for image registry access
- Configuring storage credentials for the Image Registry Operator
- Additional resources
Image Registry Operator in OKD
Image Registry on cloud platforms and OpenStack
The Image Registry Operator installs a single instance of the OpenShift image registry, and manages all registry configuration, including setting up registry storage.
Storage is only automatically configured when you install an installer-provisioned infrastructure cluster on AWS, Azure, GCP, IBM, or OpenStack. When you install or upgrade an installer-provisioned infrastructure cluster on AWS, Azure, GCP, IBM, or OpenStack, the Image Registry Operator sets the |
After the control plane deploys, the Operator creates a default configs.imageregistry.operator.openshift.io
resource instance based on configuration detected in the cluster.
If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io
resource, the incomplete resource is defined and the Operator updates the resource status with information about what is missing.
The Image Registry Operator runs in the openshift-image-registry
namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.
The Image Registry Operator’s behavior for managing the pruner is orthogonal to the However, the
|
Image Registry on bare metal, Nutanix, and vSphere
Image registry removed during installation
On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed
. This allows openshift-installer
to complete installations on these platform types.
After installation, you must edit the Image Registry Operator configuration to switch the managementState
from Removed
to Managed
.
Image Registry Operator distribution across availability zones
The default configuration of the Image Registry Operator spreads image registry pods across topology zones to prevent delayed recovery times in case of a complete zone failure where all pods are impacted.
The Image Registry Operator defaults to the following when deployed with a zone-related topology constraint:
Image Registry Operator deployed with a zone related topology constraint
topologySpreadConstraints:
- labelSelector:
matchLabels:
docker-registry: default
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
- labelSelector:
matchLabels:
docker-registry: default
maxSkew: 1
topologyKey: node-role.kubernetes.io/worker
whenUnsatisfiable: DoNotSchedule
- labelSelector:
matchLabels:
docker-registry: default
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
The Image Registry Operator defaults to the following when deployed without a zone-related topology constraint, which applies to bare metal and vSphere instances:
Image Registry Operator deployed without a zone related topology constraint
topologySpreadConstraints:
- labelSelector:
matchLabels:
docker-registry: default
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
- labelSelector:
matchLabels:
docker-registry: default
maxSkew: 1
topologyKey: node-role.kubernetes.io/worker
whenUnsatisfiable: DoNotSchedule
A cluster administrator can override the default topologySpreadConstraints
by configuring the configs.imageregistry.operator.openshift.io/cluster
spec file. In that case, only the constraints you provide apply.
Additional resources
Image Registry Operator configuration parameters
The configs.imageregistry.operator.openshift.io
resource offers the following configuration parameters.
Parameter | Description |
---|---|
|
|
| Sets The following values for
|
| Value needed by the registry to secure uploads, generated by default. |
| The The following values for
|
| Defines the Proxy to be used when calling master API and upstream registries. |
|
|
| Indicates whether the registry instance should reject attempts to push new images or delete existing ones. |
| API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests. |
| Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to |
| Array of additional routes to create. You provide the hostname and certificate for the route. |
| Defines rollout strategy for the image registry deployment. Defaults to |
| Replica count for the registry. |
| Controls whether to route all data through the registry, rather than redirecting to the back end. Defaults to |
| The Image Registry Operator sets the
|
Enable the Image Registry default route with the Custom Resource Definition
In OKD, the Registry
Operator controls the OpenShift image registry feature. The Operator is defined by the configs.imageregistry.operator.openshift.io
Custom Resource Definition (CRD).
If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.
Procedure
Patch the Image Registry Operator CRD:
$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
Configuring additional trust stores for image registry access
The image.config.openshift.io/cluster
custom resource can contain a reference to a config map that contains additional certificate authorities to be trusted during image registry access.
Prerequisites
- The certificate authorities (CA) must be PEM-encoded.
Procedure
You can create a config map in the openshift-config
namespace and use its name in AdditionalTrustedCA
in the image.config.openshift.io
custom resource to provide additional CAs that should be trusted when contacting external registries.
The config map key is the hostname of a registry with the port for which this CA is to be trusted, and the PEM certificate content is the value, for each additional registry CA to trust.
Image registry CA config map example
apiVersion: v1
kind: ConfigMap
metadata:
name: my-registry-ca
data:
registry.example.com: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
registry-with-port.example.com..5000: | (1)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 | If the registry has the port, such as registry-with-port.example.com:5000 , : should be replaced with .. . |
You can configure additional CAs with the following procedure.
To configure an additional CA:
$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
$ oc edit image.config.openshift.io cluster
spec:
additionalTrustedCA:
name: registry-config
Configuring storage credentials for the Image Registry Operator
In addition to the configs.imageregistry.operator.openshift.io
and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry
namespace.
The image-registry-private-configuration-user
secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.
Procedure
Create an OKD secret that contains the required keys.
$ oc create secret generic image-registry-private-configuration-user --from-literal=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry