Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Setting up and configuring the registry

In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

For S3 on AWS storage the secret is expected to contain two keys:

  • REGISTRY_STORAGE_S3_ACCESSKEY
  • REGISTRY_STORAGE_S3_SECRETKEY

Procedure

  • Create an OpenShift Container Platform secret that contains the required keys. 

    $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=myaccesskey --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=mysecretkey --namespace openshift-image-registry
    Copy to Clipboard Toggle word wrap

During installation, your cloud credentials are sufficient to create an S3 bucket and the Registry Operator will automatically configure storage.

If the Registry Operator cannot create an S3 bucket, and automatically configure storage, you can create an S3 bucket and configure storage with the following procedure.

Prerequisites

  • A cluster on AWS with user-provisioned infrastructure.

  • For S3 on AWS storage the secret is expected to contain two keys:

    • REGISTRY_STORAGE_S3_ACCESSKEY
    • REGISTRY_STORAGE_S3_SECRETKEY

Procedure

Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.

  1. Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.

  2. Fill in the storage configuration in configs.imageregistry.operator.openshift.io/cluster: 

    $ oc edit configs.imageregistry.operator.openshift.io/cluster

storage:
  s3:
    bucket: <bucket-name>
    region: <region-name>
    Copy to Clipboard Toggle word wrap
Warning

To secure your registry images in AWS, block public access to the S3 bucket.

The following configuration parameters are available for AWS S3 registry storage.

Expand
ParameterDescription

bucket

Bucket is the bucket name in which you want to store the registry’s data. It is optional and is generated if not provided.

region

Region is the AWS region in which your bucket exists. It is optional and is set based on the installed AWS Region.

regionEndpoint

RegionEndpoint is the endpoint for S3 compatible storage services. It is optional and defaults based on the Region that is provided.

encrypt

Encrypt specifies whether or not the registry stores the image in encrypted format. It is optional and defaults to false.

keyID

KeyID is the KMS key ID to use for encryption. It is optional. Encrypt must be true, or this parameter is ignored.

ImageRegistryConfigStorageS3CloudFront

CloudFront configures Amazon Cloudfront as the storage middleware in a registry. It is optional.

In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

For GCS on GCP storage the secret is expected to contain one key whose value is the contents of a credentials file provided by GCP:

  • REGISTRY_STORAGE_GCS_KEYFILE

Procedure

  • Create an OpenShift Container Platform secret that contains the required keys. 

    $ oc create secret generic image-registry-private-configuration-user --from-file=REGISTRY_STORAGE_GCS_KEYFILE=<path_to_keyfile> --namespace openshift-image-registry
    Copy to Clipboard Toggle word wrap

You must set up the storage medium manually and configure the settings in the registry CRD.

Prerequisites

  • A cluster on GCP with user-provisioned infrastructure.
  • To configure registry storage for GCP, you need to provide Registry Operator cloud credentials.

  • For GCS on GCP storage the secret is expected to contain one key whose value is the contents of a credentials file provided by GCP:

    • REGISTRY_STORAGE_GCS_KEYFILE

Procedure

The following configuration parameters are available for GCP GCS registry storage.

Expand
ParameterDescription

bucket

Bucket is the bucket name in which you want to store the registry’s data. It is optional and is generated if not provided.

region

Region is the GCS location in which your bucket exists. It is optional and is set based on the installed GCS Region.

projectID

ProjectID is the Project ID of the GCP project that this bucket should be associated with. It is optional.

keyID

KeyID is the KMS key ID to use for encryption. It is optional because buckets are encrypted by default on GCP. This allows for the use of a custom encryption key.

3.3. Configuring the registry for bare metal
Copy link

3.3.1. Image registry removed during installation
Copy link

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types.

After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed.

Note

The Prometheus console provides an ImageRegistryRemoved alert, for example:

"Image Registry has been removed. ImageStreamTags, BuildConfigs and DeploymentConfigs which reference ImageStreamTags may not work as expected. Please configure storage and update the config to Managed state by editing configs.imageregistry.operator.openshift.io."

To start the image registry, you must change the Image Registry Operator configuration’s managementState from Removed to Managed.

Procedure

  • Change managementState Image Registry Operator configuration from Removed to Managed. For example: 

    $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed"}}'
    Copy to Clipboard Toggle word wrap

3.3.3. Image registry storage configuration
Copy link

The image-registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so the Registry Operator is made available.

Instructions for both configuring a PersistentVolume, which is required for production clusters, and for configuring an empty directory as the storage location, which is available for only non-production clusters, are shown.

3.3.4. Configuring registry storage for bare metal
Copy link

As a cluster administrator, following installation you must configure your registry to use storage.

Prerequisites

  • Cluster administrator permissions.
  • A cluster on bare metal.
  • Provision persistent storage for your cluster, such as Red Hat OpenShift Container Storage. To deploy a private image registry, your storage must provide ReadWriteMany access mode.
  • Must have "100Gi" capacity.

Procedure

  1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

    Note

    When using shared storage such as NFS, it is strongly recommended to use the supplementalGroups strategy, which dictates the allowable supplemental groups for the Security Context, rather than the fsGroup ID. Refer to the NFS Group IDs documentation for details.

  2. Verify you do not have a registry Pod: 

    $ oc get pod -n openshift-image-registry
    Copy to Clipboard Toggle word wrap
    Note
    • If the storage type is emptyDIR, the replica number cannot be greater than 1.

    • If the storage type is NFS, you must enable the no_wdelay and root_squash mount options. For example: 

      # cat /etc/exports
/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0)
sh-4.3# exportfs -rv
exporting *:/mnt/data
      Copy to Clipboard Toggle word wrap

  3. Check the registry configuration: 

    $ oc edit configs.imageregistry.operator.openshift.io

storage:
  pvc:
    claim:
    Copy to Clipboard Toggle word wrap

    Leave the claim field blank to allow the automatic creation of an image-registry-storage PVC.

  4. Check the clusteroperator status: 

    $ oc get clusteroperator image-registry
    Copy to Clipboard Toggle word wrap

See Group IDs for additional details about using supplemental groups to handle NFS access.

You must configure storage for the image registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.

Procedure

  • To set the image registry storage to an empty directory: 

    $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'
    Copy to Clipboard Toggle word wrap
    Warning

    Configure this option for only non-production clusters.

    If you run this command before the Image Registry Operator initializes its components, the oc patch command fails with the following error: 

    Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found
    Copy to Clipboard Toggle word wrap

    Wait a few minutes and run the command again.

3.3.6. Additional resources
Copy link

For more details about configuring registry storage for bare metal, see Recommended configurable storage technology.

3.4. Configuring the registry for vSphere
Copy link

3.4.1. Image registry removed during installation
Copy link

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types.

After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed.

Note

The Prometheus console provides an ImageRegistryRemoved alert, for example:

"Image Registry has been removed. ImageStreamTags, BuildConfigs and DeploymentConfigs which reference ImageStreamTags may not work as expected. Please configure storage and update the config to Managed state by editing configs.imageregistry.operator.openshift.io."

To start the image registry, you must change the Image Registry Operator configuration’s managementState from Removed to Managed.

Procedure

  • Change managementState Image Registry Operator configuration from Removed to Managed. For example: 

    $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed"}}'
    Copy to Clipboard Toggle word wrap

3.4.2.1. Image registry storage configuration
Copy link

The image-registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so the Registry Operator is made available.

Instructions for both configuring a PersistentVolume, which is required for production clusters, and for configuring an empty directory as the storage location, which is available for only non-production clusters, are shown.

As a cluster administrator, following installation you must configure your registry to use storage.

Prerequisites

  • Cluster administrator permissions.
  • A cluster on VMware vSphere.

  • Provision persistent storage for your cluster. To deploy a private image registry, your storage must provide ReadWriteMany access mode.

    Important

    vSphere volumes do not support the ReadWriteMany access mode. You must use a different storage backend, such as NFS, to configure the registry storage.

  • Must have "100Gi" capacity.
Important

Testing shows issues with using the NFS server on RHEL as storage backend for core services. This includes the OpenShift Container Registry and Quay, Prometheus for monitoring storage, and Elasticsearch for logging storage. Therefore, using RHEL NFS to back PVs used by core services is not recommended.

Other NFS implementations on the marketplace might not have these issues. Contact the individual NFS implementation vendor for more information on any testing that was possibly completed against these OpenShift Container Platform core components.

Procedure

  1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

    Note

    When using shared storage such as NFS, it is strongly recommended to use the supplementalGroups strategy, which dictates the allowable supplemental groups for the Security Context, rather than the fsGroup ID. Refer to the NFS Group IDs documentation for details.

  2. Verify you do not have a registry Pod: 

    $ oc get pod -n openshift-image-registry
    Copy to Clipboard Toggle word wrap
    Note
    • If the storage type is emptyDIR, the replica number cannot be greater than 1.

    • If the storage type is NFS, you must enable the no_wdelay and root_squash mount options. For example: 

      # cat /etc/exports
/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0)
sh-4.3# exportfs -rv
exporting *:/mnt/data
      Copy to Clipboard Toggle word wrap

  3. Check the registry configuration: 

    $ oc edit configs.imageregistry.operator.openshift.io

storage:
  pvc:
    claim:
    Copy to Clipboard Toggle word wrap

    Leave the claim field blank to allow the automatic creation of an image-registry-storage PVC.

  4. Optional: Add a new storage class to a PV:

    1. Create the PV: 

      $ oc create -f -
      Copy to Clipboard Toggle word wrap 
      apiVersion: v1
kind: PersistentVolume
metadata:
  name: image-registry-pv
spec:
  accessModes:
    - ReadWriteMany
  capacity:
      storage: 100Gi
  nfs:
    path: /registry
    server: 172.16.231.181
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs01
      Copy to Clipboard Toggle word wrap 
      $ oc get pv
      Copy to Clipboard Toggle word wrap

    2. Create the PVC: 

      $ oc create -n openshift-image-registry -f -
      Copy to Clipboard Toggle word wrap 
      apiVersion: "v1"
kind: "PersistentVolumeClaim"
metadata:
  name: "image-registry-pvc"
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
  storageClassName: nfs01
  volumeMode: Filesystem
      Copy to Clipboard Toggle word wrap 
      $ oc get pvc -n openshift-image-registry
      Copy to Clipboard Toggle word wrap

      Finally, add the name of your PVC: 

      $ oc edit configs.imageregistry.operator.openshift.io -o yaml
      Copy to Clipboard Toggle word wrap 
      storage:
  pvc:
    claim: image-registry-pvc
      1
      Copy to Clipboard Toggle word wrap
      1
      Creating a custom PVC allows you to leave the claim field blank for default automatic creation of an image-registry-storage PVC.

  5. Check the clusteroperator status: 

    $ oc get clusteroperator image-registry
    Copy to Clipboard Toggle word wrap

See Group IDs for additional details about using supplemental groups to handle NFS access.

You must configure storage for the image registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.

Procedure

  • To set the image registry storage to an empty directory: 

    $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'
    Copy to Clipboard Toggle word wrap
    Warning

    Configure this option for only non-production clusters.

    If you run this command before the Image Registry Operator initializes its components, the oc patch command fails with the following error: 

    Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found
    Copy to Clipboard Toggle word wrap

    Wait a few minutes and run the command again.

3.4.5. Additional resources
Copy link

For more details about configuring registry storage for vSphere, see Recommended configurable storage technology.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat