Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 2. Image Registry Operator in OpenShift Container Platform

2.1. Image Registry on cloud platforms and OpenStack
Copier lien

The Image Registry Operator installs a single instance of the OpenShift image registry and manages all registry configuration, including setting up registry storage.

Note

Storage is only automatically configured when you install an installer-provisioned infrastructure cluster on AWS, Azure, Google Cloud, IBM®, or RHOSP.

When you install or upgrade an installer-provisioned infrastructure cluster on AWS, Azure, Google Cloud, IBM®, or RHOSP, the Image Registry Operator sets the spec.storage.managementState parameter to Managed. If the spec.storage.managementState parameter is set to Unmanaged, the Image Registry Operator takes no action related to storage.

After the control plane deploys in the management cluster, the Operator creates a default configs.imageregistry.operator.openshift.io custom resource (CR) instance based on configuration detected in the cluster.

If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io CR, the incomplete resource is defined and the Operator updates the resource status with information about what is missing.

Important

The Image Registry Operator’s behavior for managing the pruner is orthogonal to the managementState specified on the ClusterOperator object for the Image Registry Operator. If the Image Registry Operator is not in the Managed state, the image pruner can still be configured and managed by the Pruning custom resource.

However, the managementState of the Image Registry Operator alters the behavior of the deployed image pruner job:

  • Managed: the --prune-registry flag for the image pruner is set to true.
  • Removed: the --prune-registry flag for the image pruner is set to false, meaning the image pruner job only prunes image metadata in etcd.

2.2. Image Registry on bare metal, Nutanix, and vSphere
Copier lien

2.2.1. Image registry removed during installation
Copier lien

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types. After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed. After this task has completed, you must configure storage.

The default configuration of the Image Registry Operator spreads image registry pods across topology zones to prevent delayed recovery times in case of a complete zone failure where all pods are impacted. Reference the following YAML to understand the default parameter values that the Image Registry Operator uses when the Operator deploys with a zone-related topology constraint: 

  topologySpreadConstraints:
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: node-role.kubernetes.io/worker
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule
Copy to Clipboard Toggle word wrap

Reference the following YAML to understand the default parameter value that the Image Registry Operator uses when the Operator deploys with a zone-related topology constraint, which applies to bare metal and vSphere instances: 

 topologySpreadConstraints:
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: node-role.kubernetes.io/worker
    whenUnsatisfiable: DoNotSchedule
Copy to Clipboard Toggle word wrap

As a cluster administrator. you can override the default topologySpreadConstraints section values by configuring the configs.imageregistry.operator.openshift.io/cluster spec file.

2.5. Image Registry Operator configuration parameters
Copier lien

The configs.imageregistry.operator.openshift.io resource offers the following configuration parameters.

Expand
ParameterDescription

managementState

Managed: The Operator updates the registry as configuration resources are updated.

Unmanaged: The Operator ignores changes to the configuration resources.

Removed: The Operator removes the registry instance and tear down any storage that the Operator provisioned.

logLevel

Sets logLevel of the registry instance. Defaults to Normal.

The following values for logLevel are supported:

  • Normal
  • Debug
  • Trace
  • TraceAll

httpSecret

Value needed by the registry to secure uploads, generated by default.

operatorLogLevel

The operatorLogLevel configuration parameter provides intent-based logging for the Operator itself and a simple way to manage coarse-grained logging choices that Operators must interpret for themselves. This configuration parameter defaults to Normal. It does not provide fine-grained control.

The following values for operatorLogLevel are supported:

  • Normal
  • Debug
  • Trace
  • TraceAll

proxy

Defines the Proxy to be used when calling master API and upstream registries.

affinity

You can use the affinity parameter to configure pod scheduling preferences and constraints for Image Registry Operator pods.

Affinity settings can use the podAffinity or podAntiAffinity spec. Both options can use either preferredDuringSchedulingIgnoredDuringExecution rules or requiredDuringSchedulingIgnoredDuringExecution rules.

storage

Storagetype: Details for configuring registry storage, for example S3 bucket coordinates. Normally configured by default.

readOnly

Indicates whether the registry instance should reject attempts to push new images or delete existing ones.

requests

API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests.

defaultRoute

Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to false.

routes

Array of additional routes to create. You provide the hostname and certificate for the route.

rolloutStrategy

Defines rollout strategy for the image registry deployment. Defaults to RollingUpdate.

replicas

Replica count for the registry.

disableRedirect

Controls whether to route all data through the registry, rather than redirecting to the back end. Defaults to false.

spec.storage.managementState

The Image Registry Operator sets the spec.storage.managementState parameter to Managed on new installations or upgrades of clusters using installer-provisioned infrastructure on AWS or Azure.

  • Managed: Determines that the Image Registry Operator manages underlying storage. If the Image Registry Operator’s managementState is set to Removed, then the storage is deleted.

    • If the managementState is set to Managed, the Image Registry Operator attempts to apply some default configuration on the underlying storage unit. For example, if set to Managed, the Operator tries to enable encryption on the S3 bucket before making it available to the registry. If you do not want the default settings to be applied on the storage you are providing, make sure the managementState is set to Unmanaged.
  • Unmanaged: Determines that the Image Registry Operator ignores the storage settings. If the Image Registry Operator’s managementState is set to Removed, then the storage is not deleted. If you provided an underlying storage unit configuration, such as a bucket or container name, and the spec.storage.managementState is not yet set to any value, then the Image Registry Operator configures it to Unmanaged.

2.6. Enabling the Image Registry default route by using a CRD
Copier lien

In OpenShift Container Platform, the Registry Operator controls the OpenShift image registry feature and you define this Operator in the configs.imageregistry.operator.openshift.io Custom Resource Definition (CRD). If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.

Procedure

  • Patch the Image Registry Operator CRD: 

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
    Copy to Clipboard Toggle word wrap

You can update an image.config.openshift.io/cluster custom resource (CR) to include a reference to a config map that includes additional certificate authorities (CAs). You must ensure that these CAs are trusted during image registry access. The config map key is the hostname of a registry with the port for which this CA is to be trusted. The Privacy-Enhanced Mail (PEM) certificate content is the value, for each additional registry CA to trust.

Prerequisites

  • Ensure that a CA is PEM-encoded.

Procedure

  1. Create a config map in the openshift-config namespace. The following example configurations show defined image registry CA that exists in a config map: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  registry.example.com: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap

    where:

    registry-with-port.example.com..5000
    If the registry has the port, : should be replaced with ...

  2. Configure an additional CA. Ensure that you specify the name of the CA in the AdditionalTrustedCA` parameter of the image.config.openshift.io CR. You can then provide additional CAs that must be trusted when contacting external registries. 

    $ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
    Copy to Clipboard Toggle word wrap 
    $ oc edit image.config.openshift.io cluster
    Copy to Clipboard Toggle word wrap 
    spec:
  additionalTrustedCA:
    name: registry-config
    Copy to Clipboard Toggle word wrap

In addition to the configs.imageregistry.operator.openshift.io Custom Resource (CR) and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource. This resource is located within the openshift-image-registry namespace.

You can create an image-registry-private-configuration-user secret that in turn creates custom credentials needed for storage access and management. If default credentials exist, the custom credentials override the default credentials used by the Operator.

Procedure

  • Create an OpenShift Container Platform secret that contains the required keys. 

    $ oc create secret generic image-registry-private-configuration-user --from-literal=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat