Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 5. Exposing the registry

By default, the OpenShift image registry is secured during cluster installation so that it serves traffic through TLS. Unlike previous versions of OpenShift Container Platform, the registry is not exposed outside of the cluster at the time of installation.

5.1. Exposing a default registry manually
Link kopieren

Instead of logging in to the default OpenShift image registry from within the cluster, you can gain external access to it by exposing it with a route. This external access enables you to log in to the registry from outside the cluster using the route address and to tag and push images to an existing project by using the route host.

Prerequisites

  • The following prerequisites are automatically performed:

    • Deploy the Registry Operator.
    • Deploy the Ingress Operator.
  • You have access to the cluster as a user with the 
    cluster-admin
    role.

Procedure

You can expose the route by using the 

defaultRoute
parameter in the 
configs.imageregistry.operator.openshift.io
resource.

To expose the registry using the 

defaultRoute
:

  1. Set 

    defaultRoute
    to 
    true
    by running the following command: 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

  2. Get the default registry route by running the following command: 

    $ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

  3. Get the certificate of the Ingress Operator by running the following command: 

    $ oc extract secret/$(oc get ingresscontroller -n openshift-ingress-operator default -o json | jq '.spec.defaultCertificate.name // "router-certs-default"' -r) -n openshift-ingress --confirm

  4. Move the extracted certificate to the system’s trusted CA directory by running the following command: 

    $ sudo mv tls.crt /etc/pki/ca-trust/source/anchors/

  5. Enable the cluster’s default certificate to trust the route by running the following command: 

    $ sudo update-ca-trust enable

  6. Log in with podman using the default route by running the following command: 

    $ sudo podman login -u kubeadmin -p $(oc whoami -t) $HOST

5.2. Exposing a secure registry manually
Link kopieren

Instead of logging in to the OpenShift image registry from within the cluster, you can gain external access to it by exposing it with a route. This allows you to log in to the registry from outside the cluster using the route address, and to tag and push images to an existing project by using the route host.

Prerequisites

  • The following prerequisites are automatically performed:

    • Deploy the Registry Operator.
    • Deploy the Ingress Operator.
  • You have access to the cluster as a user with the 
    cluster-admin
    role.

Procedure

You can expose the route by using 

DefaultRoute
parameter in the 
configs.imageregistry.operator.openshift.io
resource or by using custom routes.

To expose the registry using 

DefaultRoute
:

  1. Set 

    DefaultRoute
    to 
    True
    : 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

  2. Log in with 

    podman
    : 

    $ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
     
    $ podman login -u kubeadmin -p $(oc whoami -t) --tls-verify=false $HOST
    1
    1
    --tls-verify=false is needed if the cluster’s default certificate for routes is untrusted. You can set a custom, trusted certificate as the default certificate with the Ingress Operator.

To expose the registry using custom routes:

  1. Create a secret with your route’s TLS keys: 

    $ oc create secret tls public-route-tls \
    -n openshift-image-registry \
    --cert=</path/to/tls.crt> \
    --key=</path/to/tls.key>

    This step is optional. If you do not create a secret, the route uses the default TLS configuration from the Ingress Operator.

  2. On the Registry Operator: 

    $ oc edit configs.imageregistry.operator.openshift.io/cluster
     
    spec:
  routes:
    - name: public-routes
      hostname: myregistry.mycorp.organization
      secretName: public-route-tls
...
    Note

    Only set 

    secretName
    if you are providing a custom TLS configuration for the registry’s route.

Troubleshooting

Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben