2.3. Configuring a ConfigMap for the Image Registry Operator
In addition to the configs.imageregistry.operator.openshift.io
and secret resources, configuration is provided to the Operator by a separate ConfigMap resource located within the openshift-image-registry
namespace.
Prerequisites
- The CAs must be PEM-encoded.
Procedure
You can create a ConfigMap in the openshift-config
namespace and use its name in AdditionalTrustedCA
in the image.config.openshift.io
resource to provide additional CAs that should be trusted when contacting external registries.
The key is the host name of a registry with the port for which this CA is to be trusted.
You can configure additional CAs with the following procedure.
To configure an additional CA:
$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config $ oc edit image.config.openshift.io cluster spec: additionalTrustedCA: name: registry-config
Check your image inside the
image-registry
pod:$ oc rsh image-registry-xxxxx sh-4.2 $ ls /etc/pki/ca-trust/source/anchors <external_registry_address> image-registry.openshift-image-registry.svc..5000 image-registry.openshift-image-registry.svc.cluster.local..5000
Image registry CA example
apiVersion: v1
kind: ConfigMap
metadata:
name: my-registry-ca
data:
registry.example.com: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
registry-with-port.example.com..5000: | 1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- 1
- If the registry has the port, such as
registry-with-port.example.com:5000
,:
should be replaced with..
.