Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Exposing the registry

By default, the OpenShift image registry is secured during cluster installation so that it serves traffic through the Transport Layer Security (TLS) protocol. Unlike previous versions of OpenShift Container Platform, the registry is not exposed outside of the cluster at the time of installation.

5.1. Exposing a default registry manually
Copy link

Instead of logging in to the default OpenShift image registry from within the cluster, you can gain external access to the OpenShift image registry by exposing the registry with a route. With this external access, you can log in to the registry from outside the cluster by using the route address. You can then tag and push images to an existing project by using the route host.

Prerequisites

  • The following prerequisites are automatically performed:

    • Deploy the Registry Operator.
    • Deploy the Ingress Operator.
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. To expose the registry by using the defaultRoute parameter that exists in the configs.imageregistry.operator.openshift.io resource, set defaultRoute` to true by running the following command: 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
    Copy to Clipboard Toggle word wrap

  2. Get the default registry route by running the following command: 

    $ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
    Copy to Clipboard Toggle word wrap

  3. Get the certificate of the Ingress Operator by running the following command: 

    $ oc extract secret/$(oc get ingresscontroller -n openshift-ingress-operator default -o json | jq '.spec.defaultCertificate.name // "router-certs-default"' -r) -n openshift-ingress --confirm
    Copy to Clipboard Toggle word wrap

  4. Move the extracted certificate to the trusted CA directory of the system by running the following command: 

    $ sudo mv tls.crt /etc/pki/ca-trust/source/anchors/
    Copy to Clipboard Toggle word wrap

  5. Enable the default certificate of the cluster to trust the route by running the following command: 

    $ sudo update-ca-trust enable
    Copy to Clipboard Toggle word wrap

  6. Log in with podman with the default route by running the following command: 

    $ sudo podman login -u kubeadmin -p $(oc whoami -t) $HOST
    Copy to Clipboard Toggle word wrap

5.2. Exposing a secure registry manually
Copy link

Instead of logging in to the OpenShift image registry from within the cluster, you can gain external access to the OpenShift image registry by exposing the registry with a route. With this external access, you can log in to the registry from outside the cluster by using the route address. You can then tag and push images to an existing project by using the route host.

You can expose the route by using DefaultRoute parameter in the configs.imageregistry.operator.openshift.io resource or by using custom routes.

Prerequisites

  • The following prerequisites are automatically performed:

    • Deploy the Registry Operator.
    • Deploy the Ingress Operator.
  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. To expose the registry using DefaultRoute parameter, set DefaultRoute to True: 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
    Copy to Clipboard Toggle word wrap

  2. Log in with podman by entering the following command: 

    $ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
    Copy to Clipboard Toggle word wrap 
    $ podman login -u kubeadmin -p $(oc whoami -t) --tls-verify=false $HOST
    Copy to Clipboard Toggle word wrap
    • --tls-verify=false: Set this parameter to false if the default certificate of the cluster for routes is untrusted. You can set a custom, trusted certificate as the default certificate with the Ingress Operator.

  3. To expose the registry using custom routes, create a secret with your route’s TLS keys. This step is optional. If you do not create a secret, the route uses the default TLS configuration from the Ingress Operator. 

    $ oc create secret tls public-route-tls \
    -n openshift-image-registry \
    --cert=</path/to/tls.crt> \
    --key=</path/to/tls.key>
    Copy to Clipboard Toggle word wrap

  4. On the Registry Operator, enter the following command: 

    $ oc edit configs.imageregistry.operator.openshift.io/cluster
    Copy to Clipboard Toggle word wrap 
    spec:
  routes:
    - name: public-routes
      hostname: myregistry.mycorp.organization
      secretName: public-route-tls
...
    Copy to Clipboard Toggle word wrap
    Note

    Only set secretName if you are providing a custom TLS configuration for the route of the registry.

Troubleshooting

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat