The Image Registry Operator installs a single instance of the OpenShift Container Platform registry, and manages all registry configuration, including setting up registry storage.

Note: Storage is only configured automatically when you install an installer-provisioned infrastructure cluster on AWS, GCP, Azure, or OpenStack. On other platforms you configure the registry storage yourself.
After the control plane deploys, the Operator creates a default configs.imageregistry.operator.openshift.io resource instance based on configuration detected in the cluster. If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io resource, the incomplete resource is defined anyway and the Operator updates the resource status with information about what is missing.

The Image Registry Operator runs in the openshift-image-registry namespace and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.
On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types. After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed. Configure storage first or in the same change, because a Managed registry with no storage backend cannot start and the Operator reports itself as degraded.

Note: While the registry is Removed, the Prometheus console raises an "Image Registry has been removed" alert.
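The switch from Removed to Managed described above, as an added example that is not part of the original page or of the Operator's own code. It is a bash script that validates the requested state, puts the storage backend into the same merge patch, and waits on the image-registry ClusterOperator. The OC variable and the RUN_REGISTRY_SETUP, STORAGE_KIND and PVC_CLAIM environment variables are assumptions of this example, not Operator settings; the emptyDir backend is ephemeral and only acceptable for non-production clusters.

```bash
# Added example, not taken from the OpenShift documentation or the Operator's
# own code. It switches a registry that bootstrapped as Removed into Managed
# and configures storage in the same patch. Assumes: oc is logged in with
# cluster-admin; OC is a hypothetical override so the commands can be dry-run
# (OC=echo prints them instead of applying them).
OC="${OC:-oc}"
CFG="configs.imageregistry.operator.openshift.io/cluster"

# Only the three states the Operator understands are accepted.
validate_state() {
  case "$1" in
    Managed|Unmanaged|Removed) return 0 ;;
    *) echo "invalid managementState: $1 (want Managed, Unmanaged or Removed)" >&2; return 2 ;;
  esac
}

# Build the JSON merge patch. Storage goes into the same patch because a
# Managed registry without a storage backend stays Degraded and never starts.
#   emptydir       ephemeral; contents are lost on every pod restart, so only
#                  for non-production clusters
#   pvc <claim>    a PersistentVolumeClaim in openshift-image-registry; with a
#                  ReadWriteOnce claim the rollout strategy must be Recreate
#   none           leave spec.storage untouched (storage already configured)
build_patch() {
  state="$1"; storage="${2:-emptydir}"; claim="${3:-}"
  validate_state "$state" || return 2
  case "$storage" in
    emptydir)
      printf '{"spec":{"managementState":"%s","storage":{"emptyDir":{}}}}' "$state" ;;
    pvc)
      [ -n "$claim" ] || { echo "pvc storage needs a claim name" >&2; return 2; }
      printf '{"spec":{"managementState":"%s","rolloutStrategy":"Recreate","storage":{"pvc":{"claim":"%s"}}}}' "$state" "$claim" ;;
    none)
      printf '{"spec":{"managementState":"%s"}}' "$state" ;;
    *)
      echo "unknown storage kind: $storage (want emptydir, pvc or none)" >&2; return 2 ;;
  esac
}

# Usage: set_management_state Managed [emptydir|pvc <claim>|none]
set_management_state() {
  patch="$(build_patch "$@")" || return 2
  "$OC" patch "$CFG" --type merge -p "$patch"
}

# The Operator reports through the image-registry ClusterOperator; wait until
# it is Available and no longer Degraded before relying on the registry.
wait_for_registry() {
  "$OC" wait --for=condition=Available=True clusteroperator/image-registry --timeout="${1:-5m}" &&
  "$OC" wait --for=condition=Degraded=False clusteroperator/image-registry --timeout="${1:-5m}"
}

# Apply to a real cluster only when RUN_REGISTRY_SETUP is set, so the file can
# be sourced and its functions exercised without touching a cluster.
if [ -n "${RUN_REGISTRY_SETUP:-}" ]; then
  set_management_state Managed "${STORAGE_KIND:-emptydir}" "${PVC_CLAIM:-}" && wait_for_registry
fi
```

Run it with `RUN_REGISTRY_SETUP=1 STORAGE_KIND=pvc PVC_CLAIM=image-registry-storage bash setup.sh` on a cluster, or with `OC=echo` first to review the exact patch it would send.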
The configs.imageregistry.operator.openshift.io resource offers the following configuration parameters.

Parameter | Description
---|---
managementState | Managed: the Operator updates the registry as configuration resources are updated. Unmanaged: the Operator ignores changes to the configuration resources. Removed: the Operator removes the registry instance and tears down any storage that the Operator provisioned.
logLevel | Sets the log level of the registry instance.
httpSecret | Value needed by the registry to secure uploads, generated by default.
proxy | Defines the proxy to be used when calling the master API and upstream registries.
storage | Storage type details for configuring registry storage, for example S3 bucket coordinates. Configured by default only on the installer-provisioned platforms listed above.
readOnly | Indicates whether the registry instance should reject attempts to push new images or delete existing ones.
requests | API request limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests.
defaultRoute | Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to false.
routes | Array of additional routes to create. You provide the hostname and certificate for the route.
replicas | Replica count for the registry.
In OpenShift Container Platform, the Image Registry Operator controls the registry feature. Its configuration is defined by the configs.imageregistry.operator.openshift.io Custom Resource Definition (CRD), and the cluster's settings live in the single instance of that resource, named cluster.

If you need to enable the Image Registry default route, patch that cluster resource (not the CRD itself). Enabling the route exposes the registry outside the cluster on the default ingress hostname, so do this only when external pushes and pulls are intended:

$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
The image.config.openshift.io/cluster resource can contain a reference to a configmap that contains additional certificate authorities to be trusted during image registry access. The CAs must be PEM-encoded.

You can create a configmap in the openshift-config namespace and use its name in additionalTrustedCA in the image.config.openshift.io resource to provide additional CAs that should be trusted when contacting external registries. Each configmap key is the host name of a registry, with the port if one is used, for which the CA is to be trusted; the value is that registry's PEM-encoded CA certificate (the base64-encoded DER certificate between the BEGIN CERTIFICATE and END CERTIFICATE lines). Because every CA is keyed by one registry, it is trusted only for that registry and not for every registry the cluster contacts.

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
  namespace: openshift-config
data:
  registry.example.com: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: | (1)
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

(1) If the registry uses a port, such as registry-with-port.example.com:5000, replace the : with .. in the key. Configmap keys may contain only letters, digits, -, _ and ., so a colon is not permitted.
You can configure additional CAs with the following procedure.

To configure an additional CA:

$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
$ oc edit image.config.openshift.io cluster

spec:
  additionalTrustedCA:
    name: registry-config
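The configmap construction above, including the host:port to host..port key rewrite, as an added bash example that is not part of the original page or of the Operator's code. It assumes oc is logged in with cluster-admin; OC is a hypothetical override so the commands can be printed instead of run, and the ca_key_for, check_pem_cert and create_registry_ca_configmap functions are this example's own. It goes slightly beyond the page by handling several registries in one configmap and by refusing a file that is not a PEM certificate.

```bash
# Added example, not taken from the OpenShift documentation or the Operator's
# own code. It builds the additionalTrustedCA configmap for one or more
# external registries and wires it into image.config.openshift.io/cluster.
# Assumes: oc is logged in with cluster-admin; OC is a hypothetical override
# so the commands can be dry-run (OC=echo).
OC="${OC:-oc}"

# ConfigMap data keys may only contain letters, digits, '-', '_' and '.', so a
# registry port cannot be written with ':'. The Operator expects '..' instead:
# registry.example.com:5000 -> registry.example.com..5000
ca_key_for() {
  case "$1" in
    *:*:*) echo "cannot build a key for $1: more than one ':' (IPv6 literals are not handled here)" >&2; return 2 ;;
    *:*)   printf '%s..%s' "${1%%:*}" "${1##*:}" ;;
    *)     printf '%s' "$1" ;;
  esac
}

# The value must be a PEM certificate bundle. A DER file would silently add
# nothing to the trust store, and a private key pasted by mistake would leak
# into a cluster-wide configmap, so refuse both.
check_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && ! grep -q -- 'PRIVATE KEY' "$1"
}

# Usage: create_registry_ca_configmap <configmap-name> host[:port]=ca.pem ...
# Each registry gets its own key, so a CA is trusted only for the registry it
# was configured for, not for every registry the cluster contacts.
create_registry_ca_configmap() {
  name="$1"; shift
  n=$#
  while [ "$n" -gt 0 ]; do
    pair="$1"; shift; n=$((n - 1))
    host="${pair%%=*}"; file="${pair#*=}"
    check_pem_cert "$file" || { echo "$file is not a PEM certificate bundle" >&2; return 2; }
    key="$(ca_key_for "$host")" || return 2
    # rotate the processed pair out and append the finished --from-file argument
    set -- "$@" "--from-file=${key}=${file}"
  done
  "$OC" create configmap "$name" -n openshift-config "$@" &&
  "$OC" patch image.config.openshift.io/cluster --type merge \
    -p "{\"spec\":{\"additionalTrustedCA\":{\"name\":\"$name\"}}}"
}
```

Typical use: `create_registry_ca_configmap registry-config registry.example.com=ca.pem registry-with-port.example.com:5000=other-ca.pem`; run it once with `OC=echo` to review the keys before applying.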
In addition to the configs.imageregistry.operator.openshift.io and configmap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides the credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

Create an OpenShift Container Platform secret that contains the keys required by your storage backend. Prefer --from-file over --from-literal for credential values: a literal on the command line is recorded in the shell history of the machine you run it from.

$ oc create secret generic image-registry-private-configuration-user --from-file=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry