Chapter 1. Registry service accounts for 3scale
To use container images from registry.redhat.io in a shared environment with 3scale 2.12, you must use a Registry Service Account instead of an individual user's Customer Portal credentials.
You must follow the steps outlined in this chapter before deploying 3scale on OpenShift, whether by using a template or via the operator, because both options use registry authentication.
To create and modify a registry service account, perform the steps outlined in the following sections:
1.1. Creating a registry service account
To create a registry service account, follow the procedure below.
Procedure
- Navigate to the Registry Service Accounts page and log in.
- Click New Service Account.
- Fill in the form on the Create a New Registry Service Account page.
  - Add a name for the service account.
    Note: You will see a fixed-length, randomly generated numerical string before the form field.
  - Enter a Description.
- Click Create.
- Navigate back to your Service Accounts.
- Click the Service Account you created.
- Make a note of the username, including the prefix string, for example 12345678|username, and your password. This username and password will be used to log in to registry.redhat.io.
There are tabs available on the Token Information page that show you how to use the authentication token. For example, the Token Information tab shows the username in the format 12345678|username and the password string below it.
1.2. Configuring container registry authentication
As a 3scale administrator, configure authentication with registry.redhat.io before you deploy 3scale on OpenShift.
Prerequisites
- A Red Hat OpenShift Container Platform (OCP) account with administrator credentials.
- OpenShift oc client tool is installed. For more details, see the OpenShift CLI documentation.
Procedure
- Log in to your OpenShift cluster as administrator:
  $ oc login -u system:admin
- Open the project in which you want to deploy 3scale:
  $ oc project your-openshift-project
- Create a docker-registry secret using your Red Hat Customer Portal account, replacing threescale-registry-auth with the secret to create:
  $ oc create secret docker-registry threescale-registry-auth \
      --docker-server=registry.redhat.io \
      --docker-username="customer_portal_username" \
      --docker-password="customer_portal_password" \
      --docker-email="email_address"
  You will see the following output:
  secret/threescale-registry-auth created
- Link the secret to your service account to use the secret for pulling images. The service account name must match the name that the OpenShift pod uses. This example uses the default service account:
  $ oc secrets link default threescale-registry-auth --for=pull
- Link the secret to the builder service account to use the secret for pushing and pulling build images:
  $ oc secrets link builder threescale-registry-auth
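A variant of the secret-creation step, added here as an example and not part of the Red Hat procedure: it uses the Registry Service Account username and token from section 1.1 in place of the customer_portal_username and customer_portal_password placeholders, and reads the token from a file so that it does not appear in shell history or the process list. The function names and the token file path are hypothetical; the example assumes the token was saved to a file that only you can read.

```shell
# Added example (hypothetical helper names). Assumes the service account
# token from section 1.1 is saved in a file that only you can read.

# True only for the prefixed form shown in section 1.1: 12345678|username
is_service_account_username() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\|[^|[:space:]]+$'
}

# Print a .dockerconfigjson document for registry.redhat.io.
# $1 = service account username, $2 = path to the token file
build_dockerconfigjson() {
  local user="$1" token_file="$2" token auth
  if ! is_service_account_username "$user"; then
    echo "error: username must look like 12345678|username" >&2
    return 1
  fi
  if [ ! -r "$token_file" ]; then
    echo "error: cannot read token file: $token_file" >&2
    return 1
  fi
  token=$(tr -d '\r\n' < "$token_file")
  if [ -z "$token" ]; then
    echo "error: token file is empty" >&2
    return 1
  fi
  # The "auth" value is base64("username:password"), unwrapped to one line.
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"registry.redhat.io":{"auth":"%s"}}}\n' "$auth"
}

# Create the secret from a private temp file, then link it as in the
# procedure above. $3 = secret name (defaults to threescale-registry-auth)
create_pull_secret() {
  local name="${3:-threescale-registry-auth}" cfg rc
  cfg=$(mktemp) || return 1
  build_dockerconfigjson "$1" "$2" > "$cfg" &&
    oc create secret generic "$name" \
      --from-file=.dockerconfigjson="$cfg" \
      --type=kubernetes.io/dockerconfigjson &&
    oc secrets link default "$name" --for=pull &&
    oc secrets link builder "$name"
  rc=$?
  rm -f "$cfg"
  return "$rc"
}

# Usage: create_pull_secret '12345678|username' ./sa-token.txt
```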
Additional resources
For more details on authenticating with Red Hat for container images:
1.3. Modifying a registry service account
You can edit or delete service accounts from the Registry Service Account page, by using the pop-up menu to the right of each authentication token in the table.
The regeneration or removal of service accounts will impact systems that are using the token to authenticate and retrieve content from registry.redhat.io.
A description for each function is as follows:
- Regenerate token: Allows an authorized user to reset the password associated with the Service Account.
  Note: You cannot modify the username for the Service Account.
- Update Description: Allows an authorized user to update the description for the Service Account.
- Delete Account: Allows an authorized user to remove the Service Account.