Chapter 2. Image Registry Operator in OpenShift Container Platform
The Image Registry Operator installs a single instance of the OpenShift Container Platform registry, and it manages all configuration of the registry, including setting up registry storage.
Storage is only automatically configured when you install on Amazon Web Services.
After the control plane deploys, the Operator will create a default configs.imageregistry.operator.openshift.io resource instance based on configuration detected in the cluster.
If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io resource, the incomplete resource will be defined and the operator will update the resource status with information about what is missing.
The Image Registry Operator runs in the openshift-image-registry namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
2.1. Image Registry Operator configuration parameters
The configs.imageregistry.operator.openshift.io resource offers the following configuration parameters.
| Parameter | Description |
|---|---|
|
|
|
|
|
Sets |
|
| Value needed by the registry to secure uploads, generated by default. |
|
| Defines the Proxy to be used when calling master API and upstream registries. |
|
|
|
|
| API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests. |
|
| Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to false. |
|
| Array of additional routes to create. You provide the hostname and certificate for the route. |
|
| Replica count for the registry. |
2.2. Image Registry Operator configuration resources
In addition to the configs.imageregistry.operator.openshift.io resource, additional configuration is provided to the Operator by separate ConfigMap and Secret resources located within the openshift-image-registry namespace.
Prerequisites
- The CAs must be PEM-encoded.
Procedure
You can create a ConfigMap in the openshift-config namespace and use its name in AdditionalTrustedCA in the image.config.openshift.io resource to provide additional CAs that should be trusted when contacting external registries. The key is the host name of a registry with the port for which this CA is to be trusted. The image-registry-private-configuration(Secret) provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.
Image registry CA example
apiVersion: v1
kind: ConfigMap
metadata:
name: my-registry-ca
data:
registry.example.com: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
registry-with-port.example.com..5000: | 1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- 1
- If the registry has the port, such as
registry-with-port.example.com:5000. : should be replaced with...
For S3 storage the ConfigMap is expected to contain two keys:
- REGISTRY_STORAGE_S3_ACCESSKEY
- REGISTRY_STORAGE_S3_SECRETKEY
You can configure additional CAs with the following procedure.
To configure an additional CA:
$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config $ oc edit image.config.openshift.io cluster spec: additionalTrustedCA: name: registry-configCheck your image inside the
image-registrypod:$ oc rsh image-registry-xxxxx sh-4.2 $ ls /etc/pki/ca-trust/source/anchors <external_registry_address> image-registry.openshift-image-registry.svc..5000 image-registry.openshift-image-registry.svc.cluster.local..5000
2.3. Enable the Image Registry default route with the Custom Resource Definition
In OpenShift Container Platform, the Registry Operator controls the registry feature. The Operator is defined by the configs.imageregistry.operator.openshift.io Custom Resource Definition (CRD).
If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.
Procedure
Patch the Image Registry Operator CRD:
$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
2.4. Configuring Image Registry Storage
2.4.1. Configuring registry storage for AWS with user-provisioned infrastructure
During installation, your cloud credentials are sufficient to create an S3 bucket and the Registry Operator will automatically configure storage.
If the Registry Operator cannot create an S3 bucket, and automatically configure storage, you can create a S3 bucket and configure storage with the following procedure.
Prerequisites
- A cluster on AWS with user-provisioned infrastructure.
Procedure
Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.
- Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.
Fill in the storage configuration in
configs.imageregistry.operator.openshift.io/cluster:$ oc edit configs.imageregistry.operator.openshift.io/cluster storage: s3: bucket: <bucket-name> region: <region-name>
To secure your registry images in AWS, block public access to the S3 bucket.
2.4.2. Configuring registry storage for bare metal
As a cluster administrator, following installation you must configure your registry to use storage.
Prerequisites
- Cluster administrator permissions.
- A cluster on bare metal.
-
A provisioned persistent volume (PV) with
ReadWriteManyaccess mode, such asNFS. - Must have "100Gi" capacity.
Procedure
-
To configure your registry to use storage, change the
spec.storage.pvcin theconfigs.imageregistry/clusterresource. Verify you do not have a registry pod:
$ oc get pod -n openshift-image-registry
If the storage type is emptyDIR, the replica number can not be greater than 1. If the storage type is NFS, and you want to scale up the registry Pod by setting replica>1 you must enable the no_wdelay mount option. For example:
# cat /etc/exports /mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0) sh-4.3# exportfs -rv exporting *:/mnt/data
Check the registry configuration:
$ oc edit configs.imageregistry.operator.openshift.io storage: pvc: claim:Leave the
claimfield blank to allow the automatic creation of animage-registry-storagePVC.Check the
clusteroperatorstatus:$ oc get clusteroperator image-registry
2.4.3. Configuring registry storage for VMware vSphere
As a cluster administrator, following installation you must configure your registry to use storage.
Prerequisites
- Cluster administrator permissions.
- A cluster on VMware vSphere.
A provisioned persistent volume (PV) with
ReadWriteManyaccess mode, such asNFS.ImportantvSphere volumes do not support the
ReadWriteManyaccess mode. You must use a different storage backend, such asNFS, to configure the registry storage.- Must have "100Gi" capacity.
Procedure
-
To configure your registry to use storage, change the
spec.storage.pvcin theconfigs.imageregistry/clusterresource. Verify you do not have a registry pod:
$ oc get pod -n openshift-image-registry
If the storage type is emptyDIR, the replica number can not be greater than 1. If the storage type is NFS, and you want to scale up the registry Pod by setting replica>1 you must enable the no_wdelay mount option. For example:
# cat /etc/exports /mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0) sh-4.3# exportfs -rv exporting *:/mnt/data
Check the registry configuration:
$ oc edit configs.imageregistry.operator.openshift.io storage: pvc: claim:Leave the
claimfield blank to allow the automatic creation of animage-registry-storagePVC.Check the
clusteroperatorstatus:$ oc get clusteroperator image-registry
