Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 2. Image Registry Operator in OpenShift Container Platform

2.1. Image Registry on cloud platforms and OpenStack
Copiar enlace

The Image Registry Operator installs a single instance of the OpenShift Container Platform registry, and manages all registry configuration, including setting up registry storage.

Note

Storage is only automatically configured when you install an installer-provisioned infrastructure cluster on AWS, GCP, Azure, or OpenStack.

When you install or upgrade an installer-provisioned infrastructure cluster on AWS or Azure, the Image Registry Operator sets the 

spec.storage.managementState
parameter to 
Managed
. If the 
spec.storage.managementState
parameter is set to 
Unmanaged
, the Image Registry Operator takes no action related to storage.

After the control plane deploys, the Operator will create a default 

configs.imageregistry.operator.openshift.io
resource instance based on configuration detected in the cluster.

If insufficient information is available to define a complete 

configs.imageregistry.operator.openshift.io
resource, the incomplete resource will be defined and the Operator will update the resource status with information about what is missing.

The Image Registry Operator runs in the 

openshift-image-registry
namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.

Important

The Image Registry Operator’s behavior for managing the pruner is orthogonal to the 

managementState
specified on the 
ClusterOperator
object for the Image Registry Operator. If the Image Registry Operator is not in the 
Managed
state, the image pruner can still be configured and managed by the 
Pruning
custom resource.

However, the 

managementState
of the Image Registry Operator alters the behavior of the deployed image pruner job: 

  • Managed
    : the 
    --prune-registry
    flag for the image pruner is set to 
    true
    . 
  • Removed
    : the 
    --prune-registry
    flag for the image pruner is set to 
    false
    , meaning it only prunes image metatdata in etcd. 
  • Unmanaged
    : the 
    --prune-registry
    flag for the image pruner is set to 
    false
    .

2.2. Image Registry on bare metal and vSphere
Copiar enlace

2.2.1. Image registry removed during installation
Copiar enlace

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as 

Removed
. This allows 
openshift-installer
to complete installations on these platform types.

After installation, you must edit the Image Registry Operator configuration to switch the 

managementState
from 
Removed
to 
Managed
.

Note

The Prometheus console provides an 

ImageRegistryRemoved
alert, for example:

"Image Registry has been removed. 

ImageStreamTags
, 
BuildConfigs
and 
DeploymentConfigs
which reference 
ImageStreamTags
may not work as expected. Please configure storage and update the config to 
Managed
state by editing configs.imageregistry.operator.openshift.io."

2.3. Image Registry Operator configuration parameters
Copiar enlace

The 

configs.imageregistry.operator.openshift.io
resource offers the following configuration parameters.

Expand
ParameterDescription

managementState
 

Managed
: The Operator updates the registry as configuration resources are updated. 

Unmanaged
: The Operator ignores changes to the configuration resources. 

Removed
: The Operator removes the registry instance and tear down any storage that the Operator provisioned. 

logLevel

Sets 

logLevel
of the registry instance. Defaults to 
Normal
.

The supported values for 

logLevel
are: 

  • Normal
     
  • Debug
     
  • Trace
     
  • TraceAll
     

httpSecret

Value needed by the registry to secure uploads, generated by default. 

proxy

Defines the Proxy to be used when calling master API and upstream registries. 

storage
 

Storagetype
: Details for configuring registry storage, for example S3 bucket coordinates. Normally configured by default. 

readOnly

Indicates whether the registry instance should reject attempts to push new images or delete existing ones. 

requests

API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests. 

defaultRoute

Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to 

false
. 

routes

Array of additional routes to create. You provide the hostname and certificate for the route. 

replicas

Replica count for the registry. 

disableRedirect

Controls whether to route all data through the registry, rather than redirecting to the back end. Defaults to 

false
. 

spec.storage.managementState

The Image Registry Operator sets the 

spec.storage.managementState
parameter to 
Managed
on new installations or upgrades of clusters using installer-provisioned infrastructure on AWS or Azure. 

  • Managed
    : Determines that the Image Registry Operator manages underlying storage. If the Image Registry Operator’s 
    managementState
    is set to 
    Removed
    , then the storage is deleted.

    • If the 
      managementState
      is set to 
      Managed
      , the Image Registry Operator attempts to apply some default configuration on the underlying storage unit. For example, if set to 
      Managed
      , the Operator tries to enable encryption on the S3 bucket before making it available to the registry. If you do not want the default settings to be applied on the storage you are providing, make sure the 
      managementState
      is set to 
      Unmanaged
      . 
  • Unmanaged
    : Determines that the Image Registry Operator ignores the storage settings. If the Image Registry Operator’s 
    managementState
    is set to 
    Removed
    , then the storage is not deleted. If you provided an underlying storage unit configuration, such as a bucket or container name, and the 
    spec.storage.managementState
    is not yet set to any value, then the Image Registry Operator configures it to 
    Unmanaged
    .

In OpenShift Container Platform, the 

Registry
Operator controls the registry feature. The Operator is defined by the 
configs.imageregistry.operator.openshift.io
Custom Resource Definition (CRD).

If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.

Procedure

  • Patch the Image Registry Operator CRD: 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'

2.5. Configuring additional trust stores for image registry access
Copiar enlace

The 

image.config.openshift.io/cluster
custom resource can contain a reference to a config map that contains additional certificate authorities to be trusted during image registry access.

Prerequisites

  • The certificate authorities (CA) must be PEM-encoded.

Procedure

You can create a config map in the 

openshift-config
namespace and use its name in 
AdditionalTrustedCA
in the 
image.config.openshift.io
custom resource to provide additional CAs that should be trusted when contacting external registries.

The config map key is the hostname of a registry with the port for which this CA is to be trusted, and the base64-encoded certificate is the value, for each additional registry CA to trust.

Image registry CA config map example

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  registry.example.com: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: |
1 

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

1
If the registry has the port, such as registry-with-port.example.com:5000, : should be replaced with ...

You can configure additional CAs with the following procedure.

  1. To configure an additional CA: 

    $ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
     
    $ oc edit image.config.openshift.io cluster
     
    spec:
  additionalTrustedCA:
    name: registry-config

2.6. Configuring storage credentials for the Image Registry Operator
Copiar enlace

In addition to the 

configs.imageregistry.operator.openshift.io
and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the 
openshift-image-registry
namespace.

The 

image-registry-private-configuration-user
secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

Procedure

  • Create an OpenShift Container Platform secret that contains the required keys. 

    $ oc create secret generic image-registry-private-configuration-user --from-literal=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba