Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Exposing the registry

By default, the OpenShift Container Platform registry is secured during cluster installation so that it serves traffic through TLS. Unlike previous versions of OpenShift Container Platform, the registry is not exposed outside of the cluster at the time of installation.

5.1. Exposing a default registry manually

Instead of logging in to the default OpenShift Container Platform registry from within the cluster, you can gain external access to it by exposing it with a route. This external access enables you to log in to the registry from outside the cluster using the route address and to tag and push images to an existing project by using the route host.

Prerequisites:

  • The following prerequisites are automatically performed:

    • Deploy the Registry Operator.
    • Deploy the Ingress Operator.

Procedure

You can expose the route by using the defaultRoute parameter in the configs.imageregistry.operator.openshift.io resource.

To expose the registry using the defaultRoute:

  1. Set defaultRoute to true:

    Copy to Clipboard Toggle word wrap 
    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

  2. Get the default registry route:

    Copy to Clipboard Toggle word wrap 
    $ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

  3. Get the certificate of the Ingress Operator:

    Copy to Clipboard Toggle word wrap 
    $ oc get secret -n openshift-ingress  router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d | sudo tee /etc/pki/ca-trust/source/anchors/${HOST}.crt  > /dev/null

  4. Enable the cluster’s default certificate to trust the route using the following commands:

    Copy to Clipboard Toggle word wrap 
    $ sudo update-ca-trust enable

  5. Log in with podman using the default route:

    Copy to Clipboard Toggle word wrap 
    $ sudo podman login -u kubeadmin -p $(oc whoami -t) $HOST

5.2. Exposing a secure registry manually

Instead of logging in to the OpenShift Container Platform registry from within the cluster, you can gain external access to it by exposing it with a route. This allows you to log in to the registry from outside the cluster using the route address, and to tag and push images to an existing project by using the route host.

Prerequisites:

  • The following prerequisites are automatically performed:

    • Deploy the Registry Operator.
    • Deploy the Ingress Operator.

Procedure

You can expose the route by using DefaultRoute parameter in the configs.imageregistry.operator.openshift.io resource or by using custom routes.

To expose the registry using DefaultRoute:

  1. Set DefaultRoute to True:

    Copy to Clipboard Toggle word wrap 
    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

  2. Log in with podman:

    Copy to Clipboard Toggle word wrap 
    $ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
     Copy to Clipboard Toggle word wrap 
    $ podman login -u kubeadmin -p $(oc whoami -t) --tls-verify=false $HOST
    1
    1
    --tls-verify=false is needed if the cluster’s default certificate for routes is untrusted. You can set a custom, trusted certificate as the default certificate with the Ingress Operator.

To expose the registry using custom routes:

  1. Create a secret with your route’s TLS keys:

    Copy to Clipboard Toggle word wrap 
    $ oc create secret tls public-route-tls \
    -n openshift-image-registry \
    --cert=</path/to/tls.crt> \
    --key=</path/to/tls.key>

    This step is optional. If you do not create a secret, the route uses the default TLS configuration from the Ingress Operator.

  2. On the Registry Operator:

    Copy to Clipboard Toggle word wrap 
    spec:
  routes:
    - name: public-routes
      hostname: myregistry.mycorp.organization
      secretName: public-route-tls
...
    Note

    Only set secretName if you are providing a custom TLS configuration for the registry’s route.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.