Configuring the registry for Nutanix

By following the steps outlined in this documentation, users can optimize container image distribution, security, and access controls, enabling a robust foundation for Nutanix applications on OKD

Image registry removed during installation

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types.

After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed.

Changing the image registry’s management state

To start the image registry, you must change the Image Registry Operator configuration’s managementState from Removed to Managed.

Procedure

  • Change managementState Image Registry Operator configuration from Removed to Managed. For example:

    1. $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed"}}'

Image registry storage configuration

The Image Registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so that the Registry Operator is made available.

Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.

Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.

Configuring registry storage for Nutanix

As a cluster administrator, following installation you must configure your registry to use storage.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • You have a cluster on Nutanix.

  • You have provisioned persistent storage for your cluster, such as Red Hat OpenShift Data Foundation.

    OKD supports ReadWriteOnce access for image registry storage when you have only one replica. ReadWriteOnce access also requires that the registry uses the Recreate rollout strategy. To deploy an image registry that supports high availability with two or more replicas, ReadWriteMany access is required.

  • You must have 100 Gi capacity.

Procedure

  1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

    When you use shared storage, review your security settings to prevent outside access.

  2. Verify that you do not have a registry pod:

    1. $ oc get pod -n openshift-image-registry -l docker-registry=default

    Example output

    1. No resourses found in openshift-image-registry namespace

    If you do have a registry pod in your output, you do not need to continue with this procedure.

  3. Check the registry configuration:

    1. $ oc edit configs.imageregistry.operator.openshift.io

    Example output

    1. storage:
    2. pvc:
    3. claim: (1)
    1Leave the claim field blank to allow the automatic creation of an image-registry-storage persistent volume claim (PVC). The PVC is generated based on the default storage class. However, be aware that the default storage class might provide ReadWriteOnce (RWO) volumes, such as a RADOS Block Device (RBD), which can cause issues when you replicate to more than one replica.
  4. Check the clusteroperator status:

    1. $ oc get clusteroperator image-registry

    Example output

    1. NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
    2. image-registry 4.13 True False False 6h50m

Configuring storage for the image registry in non-production clusters

You must configure storage for the Image Registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.

Procedure

  • To set the image registry storage to an empty directory:

    1. $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'

    Configure this option for only non-production clusters.

    If you run this command before the Image Registry Operator initializes its components, the oc patch command fails with the following error:

    1. Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found

    Wait a few minutes and run the command again.

Configuring block registry storage for Nutanix volumes

To allow the image registry to use block storage types such as Nutanix volumes during upgrades as a cluster administrator, you can use the Recreate rollout strategy.

Block storage volumes, or block persistent volumes, are supported but not recommended for use with the image registry on production clusters. An installation where the registry is configured on block storage is not highly available because the registry cannot have more than one replica.

If you choose to use a block storage volume with the image registry, you must use a filesystem persistent volume claim (PVC).

Procedure

  1. Enter the following command to set the image registry storage as a block storage type, patch the registry so that it uses the Recreate rollout strategy, and runs with only one (1) replica:

    1. $ oc patch config.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"rolloutStrategy":"Recreate","replicas":1}}'
  2. Provision the PV for the block storage device, and create a PVC for that volume. The requested block volume uses the ReadWriteOnce (RWO) access mode.

    1. Create a pvc.yaml file with the following contents to define a Nutanix PersistentVolumeClaim object:

      1. kind: PersistentVolumeClaim
      2. apiVersion: v1
      3. metadata:
      4. name: image-registry-storage (1)
      5. namespace: openshift-image-registry (2)
      6. spec:
      7. accessModes:
      8. - ReadWriteOnce (3)
      9. resources:
      10. requests:
      11. storage: 100Gi (4)
      1A unique name that represents the PersistentVolumeClaim object.
      2The namespace for the PersistentVolumeClaim object, which is openshift-image-registry.
      3The access mode of the persistent volume claim. With ReadWriteOnce, the volume can be mounted with read and write permissions by a single node.
      4The size of the persistent volume claim.
    2. Enter the following command to create the PersistentVolumeClaim object from the file:

      1. $ oc create -f pvc.yaml -n openshift-image-registry
  3. Enter the following command to edit the registry configuration so that it references the correct PVC:

    1. $ oc edit config.imageregistry.operator.openshift.io -o yaml

    Example output

    1. storage:
    2. pvc:
    3. claim: (1)
    1By creating a custom PVC, you can leave the claim field blank for the default automatic creation of an image-registry-storage PVC.

Configuring the Image Registry Operator to use Ceph RGW storage with Red Hat OpenShift Data Foundation

Red Hat OpenShift Data Foundation integrates multiple storage types that you can use with the OpenShift image registry:

  • Ceph, a shared and distributed file system and on-premises object storage

  • NooBaa, providing a Multicloud Object Gateway

This document outlines the procedure to configure the image registry to use Ceph RGW storage.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • You have access to the OKD web console.

  • You installed the oc CLI.

  • You installed the OpenShift Data Foundation Operator to provide object storage and Ceph RGW object storage.

Procedure

  1. Create the object bucket claim using the ocs-storagecluster-ceph-rgw storage class. For example:

    1. cat <<EOF | oc apply -f -
    2. apiVersion: objectbucket.io/v1alpha1
    3. kind: ObjectBucketClaim
    4. metadata:
    5. name: rgwbucket
    6. namespace: openshift-storage (1)
    7. spec:
    8. storageClassName: ocs-storagecluster-ceph-rgw
    9. generateBucketName: rgwbucket
    10. EOF
    1Alternatively, you can use the openshift-image-registry namespace.
  2. Get the bucket name by entering the following command:

    1. $ bucket_name=$(oc get obc -n openshift-storage rgwbucket -o jsonpath='{.spec.bucketName}')
  3. Get the AWS credentials by entering the following commands:

    1. $ AWS_ACCESS_KEY_ID=$(oc get secret -n openshift-storage rgwbucket -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode)
    1. $ AWS_SECRET_ACCESS_KEY=$(oc get secret -n openshift-storage rgwbucket -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode)
  4. Create the secret image-registry-private-configuration-user with the AWS credentials for the new bucket under openshift-image-registry project by entering the following command:

    1. $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=${AWS_ACCESS_KEY_ID} --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=${AWS_SECRET_ACCESS_KEY} --namespace openshift-image-registry
  5. Get the buckethost value by entering the following command:

    1. $ route_host=$(oc get objectbucket $bucket_name -n openshift-storage -o=jsonpath='{.spec.endpoint.bucketHost}')
  6. Create a config map that uses an ingress certificate by entering the following commands:

    1. $ oc extract secret/router-certs-default -n openshift-ingress --confirm
    1. $ oc create configmap image-registry-s3-bundle --from-file=ca-bundle.crt=./tls.crt -n openshift-config
  7. Configure the image registry to use the Ceph RGW object storage by entering the following command:

    1. $ oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","s3":{"bucket":'\"${bucket_name}\"',"region":"us-east-1","regionEndpoint":'\"https://${route_host}\"',"virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"image-registry-s3-bundle"}}}}}' --type=merge

Configuring the Image Registry Operator to use Noobaa storage with Red Hat OpenShift Data Foundation

Red Hat OpenShift Data Foundation integrates multiple storage types that you can use with the OpenShift image registry:

  • Ceph, a shared and distributed file system and on-premises object storage

  • NooBaa, providing a Multicloud Object Gateway

This document outlines the procedure to configure the image registry to use Noobaa storage.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • You have access to the OKD web console.

  • You installed the oc CLI.

  • You installed the OpenShift Data Foundation Operator to provide object storage and Noobaa object storage.

Procedure

  1. Create the object bucket claim using the openshift-storage.noobaa.io storage class. For example:

    1. cat <<EOF | oc apply -f -
    2. apiVersion: objectbucket.io/v1alpha1
    3. kind: ObjectBucketClaim
    4. metadata:
    5. name: noobaatest
    6. namespace: openshift-storage (1)
    7. spec:
    8. storageClassName: openshift-storage.noobaa.io
    9. generateBucketName: noobaatest
    10. EOF
    1Alternatively, you can use the openshift-image-registry namespace.
  2. Get the bucket name by entering the following command:

    1. $ bucket_name=$(oc get obc -n openshift-storage noobaatest -o jsonpath='{.spec.bucketName}')
  3. Get the AWS credentials by entering the following commands:

    1. $ AWS_ACCESS_KEY_ID=$(oc get secret -n openshift-storage noobaatest -o yaml | grep -w "AWS_ACCESS_KEY_ID:" | head -n1 | awk '{print $2}' | base64 --decode)
    1. $ AWS_SECRET_ACCESS_KEY=$(oc get secret -n openshift-storage noobaatest -o yaml | grep -w "AWS_SECRET_ACCESS_KEY:" | head -n1 | awk '{print $2}' | base64 --decode)
  4. Create the secret image-registry-private-configuration-user with the AWS credentials for the new bucket under openshift-image-registry project by entering the following command:

    1. $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=${AWS_ACCESS_KEY_ID} --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=${AWS_SECRET_ACCESS_KEY} --namespace openshift-image-registry
  5. Get the route host by entering the following command:

    1. $ route_host=$(oc get route s3 -n openshift-storage -o=jsonpath='{.spec.host}')
  6. Create a config map that uses an ingress certificate by entering the following commands:

    1. $ oc extract secret/router-certs-default -n openshift-ingress --confirm
    1. $ oc create configmap image-registry-s3-bundle --from-file=ca-bundle.crt=./tls.crt -n openshift-config
  7. Configure the image registry to use the Nooba object storage by entering the following command:

    1. $ oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","s3":{"bucket":'\"${bucket_name}\"',"region":"us-east-1","regionEndpoint":'\"https://${route_host}\"',"virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"image-registry-s3-bundle"}}}}}' --type=merge

Configuring the Image Registry Operator to use CephFS storage with Red Hat OpenShift Data Foundation

Red Hat OpenShift Data Foundation integrates multiple storage types that you can use with the OpenShift image registry:

  • Ceph, a shared and distributed file system and on-premises object storage

  • NooBaa, providing a Multicloud Object Gateway

This document outlines the procedure to configure the image registry to use CephFS storage.

CephFS uses persistent volume claim (PVC) storage. It is not recommended to use PVCs for image registry storage if there are other options are available, such as Ceph RGW or Noobaa.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • You have access to the OKD web console.

  • You installed the oc CLI.

  • You installed the OpenShift Data Foundation Operator to provide object storage and CephFS file storage.

Procedure

  1. Create a PVC to use the cephfs storage class. For example:

    1. cat <<EOF | oc apply -f -
    2. apiVersion: v1
    3. kind: PersistentVolumeClaim
    4. metadata:
    5. name: registry-storage-pvc
    6. namespace: openshift-image-registry
    7. spec:
    8. accessModes:
    9. - ReadWriteMany
    10. resources:
    11. requests:
    12. storage: 100Gi
    13. storageClassName: ocs-storagecluster-cephfs
    14. EOF
  2. Configure the image registry to use the CephFS file system storage by entering the following command:

    1. $ oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","pvc":{"claim":"registry-storage-pvc"}}}}' --type=merge

Additional resources