Home
Prodotti
OpenShift Container Platform
4.21
Registry
Chapter 5. Exposing the registry

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 5. Exposing the registry

By default, the OpenShift image registry is secured during cluster installation so that it serves traffic through the Transport Layer Security (TLS) protocol. Unlike previous versions of OpenShift Container Platform, the registry is not exposed outside of the cluster at the time of installation.

5.1. Exposing a default registry manually
Copia collegamento

Instead of logging in to the default OpenShift image registry from within the cluster, you can gain external access to the OpenShift image registry by exposing the registry with a route. With this external access, you can log in to the registry from outside the cluster by using the route address. You can then tag and push images to an existing project by using the route host.

Prerequisites

The following prerequisites are automatically performed:
- Deploy the Registry Operator.
- Deploy the Ingress Operator.
You have access to the cluster as a user with the cluster-admin role.

Procedure

To expose the registry by using the defaultRoute parameter that exists in the configs.imageregistry.operator.openshift.io resource, set defaultRoute to true by running the following command:
```
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
```

Get the default registry route by running the following command:

$ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

Get the certificate of the Ingress Operator by running the following command:

$ oc extract secret/$(oc get ingresscontroller -n openshift-ingress-operator default -o json | jq '.spec.defaultCertificate.name // "router-certs-default"' -r) -n openshift-ingress --confirm

Move the extracted certificate to the trusted CA directory of the system by running the following command:
```
$ sudo mv tls.crt /etc/pki/ca-trust/source/anchors/
```
Enable the default certificate of the cluster to trust the route by running the following command:
```
$ sudo update-ca-trust enable
```
Log in with podman with the default route by running the following command:
```
$ sudo podman login -u kubeadmin -p $(oc whoami -t) $HOST
```

5.2. Exposing a secure registry manually
Copia collegamento

Instead of logging in to the OpenShift image registry from within the cluster, you can gain external access to the OpenShift image registry by exposing the registry with a route. With this external access, you can log in to the registry from outside the cluster by using the route address. You can then tag and push images to an existing project by using the route host.

You can expose the route by using DefaultRoute parameter in the configs.imageregistry.operator.openshift.io resource or by using custom routes.

Prerequisites

The following prerequisites are automatically performed:
- Deploy the Registry Operator.
- Deploy the Ingress Operator.
You have access to the cluster as a user with the cluster-admin role.

Procedure

To expose the registry using DefaultRoute parameter, set DefaultRoute to True:

$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

Log in with podman by entering the following command:
```
$ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
```
```
$ podman login -u kubeadmin -p $(oc whoami -t) --tls-verify=false $HOST
```
- --tls-verify=false: Set this parameter to false if the default certificate of the cluster for routes is untrusted. You can set a custom, trusted certificate as the default certificate with the Ingress Operator.
To expose the registry using custom routes, create a secret with your route’s TLS keys. This step is optional. If you do not create a secret, the route uses the default TLS configuration from the Ingress Operator.
```
$ oc create secret tls public-route-tls \
    -n openshift-image-registry \
    --cert=</path/to/tls.crt> \
    --key=</path/to/tls.key>
```

On the Registry Operator, enter the following command:

$ oc edit configs.imageregistry.operator.openshift.io/cluster

spec:
  routes:
    - name: public-routes
      hostname: myregistry.mycorp.organization
      secretName: public-route-tls
...

Note

Only set secretName if you are providing a custom TLS configuration for the route of the registry.

Troubleshooting

Error creating TLS secret

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 5. Exposing the registry

5.1. Exposing a default registry manually
Copia collegamento

5.2. Exposing a secure registry manually
Copia collegamento

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Rendiamo l’open source più inclusivo

Informazioni su Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 5. Exposing the registry

5.1. Exposing a default registry manuallyCopia collegamentoCollegamento copiato negli appunti!

5.2. Exposing a secure registry manuallyCopia collegamentoCollegamento copiato negli appunti!

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Rendiamo l’open source più inclusivo

Informazioni su Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

5.1. Exposing a default registry manually
Copia collegamento

5.2. Exposing a secure registry manually
Copia collegamento