- Image Registry Operator in OKD
- Image Registry on cloud platforms and OpenStack
- Image Registry on bare metal and vSphere
- Image Registry Operator configuration parameters
- Enable the Image Registry default route with the Custom Resource Definition
- Configuring additional trust stores for image registry access
- Configuring storage credentials for the Image Registry Operator
- Additional resources
Image Registry Operator in OKD
Image Registry on cloud platforms and OpenStack
The Image Registry Operator installs a single instance of the OKD registry, and manages all registry configuration, including setting up registry storage.
Storage is only automatically configured when you install an installer-provisioned infrastructure cluster on AWS, GCP, Azure, or OpenStack. When you install or upgrade an installer-provisioned infrastructure cluster on AWS or Azure, the Image Registry Operator sets the |
After the control plane deploys, the Operator will create a default configs.imageregistry.operator.openshift.io
resource instance based on configuration detected in the cluster.
If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io
resource, the incomplete resource will be defined and the Operator will update the resource status with information about what is missing.
The Image Registry Operator runs in the openshift-image-registry
namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.
The Image Registry Operator’s behavior for managing the pruner is orthogonal to the However, the
|
Image Registry on bare metal and vSphere
Image registry removed during installation
On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed
. This allows openshift-installer
to complete installations on these platform types.
After installation, you must edit the Image Registry Operator configuration to switch the managementState
from Removed
to Managed
.
The Prometheus console provides an “Image Registry has been removed. |
Image Registry Operator configuration parameters
The configs.imageregistry.operator.openshift.io
resource offers the following configuration parameters.
Parameter | Description |
---|---|
|
|
| Sets The supported values for
|
| Value needed by the registry to secure uploads, generated by default. |
| Defines the Proxy to be used when calling master API and upstream registries. |
|
|
| Indicates whether the registry instance should reject attempts to push new images or delete existing ones. |
| API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests. |
| Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to false. |
| Array of additional routes to create. You provide the hostname and certificate for the route. |
| Replica count for the registry. |
| The Image Registry Operator sets the
|
Enable the Image Registry default route with the Custom Resource Definition
In OKD, the Registry
Operator controls the registry feature. The Operator is defined by the configs.imageregistry.operator.openshift.io
Custom Resource Definition (CRD).
If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.
Procedure
Patch the Image Registry Operator CRD:
$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
Configuring additional trust stores for image registry access
The image.config.openshift.io/cluster
custom resource can contain a reference to a config map that contains additional certificate authorities to be trusted during image registry access.
Prerequisites
- The certificate authorities (CA) must be PEM-encoded.
Procedure
You can create a config map in the openshift-config
namespace and use its name in AdditionalTrustedCA
in the image.config.openshift.io
custom resource to provide additional CAs that should be trusted when contacting external registries.
The config map key is the hostname of a registry with the port for which this CA is to be trusted, and the base64-encoded certificate is the value, for each additional registry CA to trust.
Image registry CA config map example
apiVersion: v1
kind: ConfigMap
metadata:
name: my-registry-ca
data:
registry.example.com: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
registry-with-port.example.com..5000: | (1)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 | If the registry has the port, such as registry-with-port.example.com:5000 , : should be replaced with .. . |
You can configure additional CAs with the following procedure.
To configure an additional CA:
$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
$ oc edit image.config.openshift.io cluster
spec:
additionalTrustedCA:
name: registry-config
Configuring storage credentials for the Image Registry Operator
In addition to the configs.imageregistry.operator.openshift.io
and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry
namespace.
The image-registry-private-configuration-user
secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.
Procedure
Create an OKD secret that contains the required keys.
$ oc create secret generic image-registry-private-configuration-user --from-file=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry