Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 2. Image Registry Operator in OpenShift Container Platform

2.1. Image Registry on cloud platforms and OpenStack
Link kopieren

The Image Registry Operator installs a single instance of the OpenShift image registry, and manages all registry configuration, including setting up registry storage.

Note

Storage is only automatically configured when you install an installer-provisioned infrastructure cluster on AWS, Azure, Google Cloud, IBM®, or OpenStack.

When you install or upgrade an installer-provisioned infrastructure cluster on AWS, Azure, Google Cloud, IBM®, or OpenStack, the Image Registry Operator sets the 

spec.storage.managementState
parameter to 
Managed
. If the 
spec.storage.managementState
parameter is set to 
Unmanaged
, the Image Registry Operator takes no action related to storage.

After the control plane deploys, the Operator creates a default 

configs.imageregistry.operator.openshift.io
resource instance based on configuration detected in the cluster.

If insufficient information is available to define a complete 

configs.imageregistry.operator.openshift.io
resource, the incomplete resource is defined and the Operator updates the resource status with information about what is missing.

The Image Registry Operator runs in the 

openshift-image-registry
namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.

Important

The Image Registry Operator’s behavior for managing the pruner is orthogonal to the 

managementState
specified on the 
ClusterOperator
object for the Image Registry Operator. If the Image Registry Operator is not in the 
Managed
state, the image pruner can still be configured and managed by the 
Pruning
custom resource.

However, the 

managementState
of the Image Registry Operator alters the behavior of the deployed image pruner job: 

  • Managed
    : the 
    --prune-registry
    flag for the image pruner is set to 
    true
    . 
  • Removed
    : the 
    --prune-registry
    flag for the image pruner is set to 
    false
    , meaning it only prunes image metadata in etcd.

2.2. Image Registry on bare metal, Nutanix, and vSphere
Link kopieren

2.2.1. Image registry removed during installation
Link kopieren

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as 

Removed
. This allows 
openshift-installer
to complete installations on these platform types.

After installation, you must edit the Image Registry Operator configuration to switch the 

managementState
from 
Removed
to 
Managed
. When this has completed, you must configure storage.

2.3. Image Registry Operator distribution across availability zones
Link kopieren

The default configuration of the Image Registry Operator spreads image registry pods across topology zones to prevent delayed recovery times in case of a complete zone failure where all pods are impacted.

The Image Registry Operator defaults to the following when deployed with a zone-related topology constraint:

Image Registry Operator deployed with a zone related topology constraint

  topologySpreadConstraints:
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: node-role.kubernetes.io/worker
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule

The Image Registry Operator defaults to the following when deployed without a zone-related topology constraint, which applies to bare metal and vSphere instances:

Image Registry Operator deployed without a zone related topology constraint

 topologySpreadConstraints:
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: node-role.kubernetes.io/worker
    whenUnsatisfiable: DoNotSchedule

A cluster administrator can override the default 

topologySpreadConstraints
by configuring the 
configs.imageregistry.operator.openshift.io/cluster
spec file. In that case, only the constraints you provide apply.

2.5. Image Registry Operator configuration parameters
Link kopieren

The 

configs.imageregistry.operator.openshift.io
resource offers the following configuration parameters.

Expand
ParameterDescription

managementState
 

Managed
: The Operator updates the registry as configuration resources are updated. 

Unmanaged
: The Operator ignores changes to the configuration resources. 

Removed
: The Operator removes the registry instance and tear down any storage that the Operator provisioned. 

logLevel

Sets 

logLevel
of the registry instance. Defaults to 
Normal
.

The following values for 

logLevel
are supported: 

  • Normal
     
  • Debug
     
  • Trace
     
  • TraceAll
     

httpSecret

Value needed by the registry to secure uploads, generated by default. 

operatorLogLevel

The 

operatorLogLevel
configuration parameter provides intent-based logging for the Operator itself and a simple way to manage coarse-grained logging choices that Operators must interpret for themselves. This configuration parameter defaults to 
Normal
. It does not provide fine-grained control.

The following values for 

operatorLogLevel
are supported: 

  • Normal
     
  • Debug
     
  • Trace
     
  • TraceAll
     

proxy

Defines the Proxy to be used when calling master API and upstream registries. 

affinity

You can use the 

affinity
parameter to configure pod scheduling preferences and constraints for Image Registry Operator pods.

Affinity settings can use the 

podAffinity
or 
podAntiAffinity
spec. Both options can use either 
preferredDuringSchedulingIgnoredDuringExecution
rules or 
requiredDuringSchedulingIgnoredDuringExecution
rules. 

storage
 

Storagetype
: Details for configuring registry storage, for example S3 bucket coordinates. Normally configured by default. 

readOnly

Indicates whether the registry instance should reject attempts to push new images or delete existing ones. 

requests

API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests. 

defaultRoute

Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to 

false
. 

routes

Array of additional routes to create. You provide the hostname and certificate for the route. 

rolloutStrategy

Defines rollout strategy for the image registry deployment. Defaults to 

RollingUpdate
. 

replicas

Replica count for the registry. 

disableRedirect

Controls whether to route all data through the registry, rather than redirecting to the back end. Defaults to 

false
. 

spec.storage.managementState

The Image Registry Operator sets the 

spec.storage.managementState
parameter to 
Managed
on new installations or upgrades of clusters using installer-provisioned infrastructure on AWS or Azure. 

  • Managed
    : Determines that the Image Registry Operator manages underlying storage. If the Image Registry Operator’s 
    managementState
    is set to 
    Removed
    , then the storage is deleted.

    • If the 
      managementState
      is set to 
      Managed
      , the Image Registry Operator attempts to apply some default configuration on the underlying storage unit. For example, if set to 
      Managed
      , the Operator tries to enable encryption on the S3 bucket before making it available to the registry. If you do not want the default settings to be applied on the storage you are providing, make sure the 
      managementState
      is set to 
      Unmanaged
      . 
  • Unmanaged
    : Determines that the Image Registry Operator ignores the storage settings. If the Image Registry Operator’s 
    managementState
    is set to 
    Removed
    , then the storage is not deleted. If you provided an underlying storage unit configuration, such as a bucket or container name, and the 
    spec.storage.managementState
    is not yet set to any value, then the Image Registry Operator configures it to 
    Unmanaged
    .

In OpenShift Container Platform, the 

Registry
Operator controls the OpenShift image registry feature. The Operator is defined by the 
configs.imageregistry.operator.openshift.io
Custom Resource Definition (CRD).

If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.

Procedure

  • Patch the Image Registry Operator CRD: 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'

2.7. Configuring additional trust stores for image registry access
Link kopieren

The 

image.config.openshift.io/cluster
custom resource can contain a reference to a config map that contains additional certificate authorities to be trusted during image registry access.

Prerequisites

  • The certificate authorities (CA) must be PEM-encoded.

Procedure

You can create a config map in the 

openshift-config
namespace and use its name in 
AdditionalTrustedCA
in the 
image.config.openshift.io
custom resource to provide additional CAs that should be trusted when contacting external registries.

The config map key is the hostname of a registry with the port for which this CA is to be trusted, and the PEM certificate content is the value, for each additional registry CA to trust.

Image registry CA config map example

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  registry.example.com: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: |
1 

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

1
If the registry has the port, such as registry-with-port.example.com:5000, : should be replaced with ...

You can configure additional CAs with the following procedure.

  • To configure an additional CA: 

    $ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
     
    $ oc edit image.config.openshift.io cluster
     
    spec:
  additionalTrustedCA:
    name: registry-config

2.8. Configuring storage credentials for the Image Registry Operator
Link kopieren

In addition to the 

configs.imageregistry.operator.openshift.io
and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the 
openshift-image-registry
namespace.

The 

image-registry-private-configuration-user
secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

Procedure

  • Create an OpenShift Container Platform secret that contains the required keys. 

    $ oc create secret generic image-registry-private-configuration-user --from-literal=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben