By default, the OKD registry is secured during cluster installation so that it serves traffic through TLS. Unlike previous versions of OKD, the registry is not exposed outside of the cluster at the time of installation.
Instead of logging in to the OKD registry from within the cluster, you can gain external access to it by exposing it with a route. This allows you to log in to the registry from outside the cluster using the route address, and to tag and push images to an existing project by using the route host.
The following prerequisites are automatically performed:
Deploy the Registry Operator.
Deploy the Ingress Operator.
You can expose the route by using the defaultRoute parameter in the configs.imageregistry.operator.openshift.io resource or by using custom routes.
To expose the registry using defaultRoute:
Set defaultRoute to true:
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
Log in with podman:
$ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
$ podman login -u kubeadmin -p "$(oc whoami -t)" --tls-verify=false "$HOST"
--tls-verify=false is needed if the cluster's default certificate for routes is untrusted; with it, podman does not validate the registry's certificate. You can set a custom, trusted certificate as the default certificate with the Ingress Operator.
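The login step above can also be done with certificate verification left on. The helper below is an added example, not part of the OKD documentation: it hands podman the cluster's ingress CA bundle and passes the token on stdin. It assumes the bundle is published in the default-ingress-cert config map in the openshift-config-managed namespace, which this page does not mention; registry_login is a name made up for the example.

```bash
# Added example, not from the OKD documentation.
# Assumption: the ingress CA bundle is published in the default-ingress-cert
# config map (namespace openshift-config-managed), key ca-bundle.crt.
# registry_login is a hypothetical helper name.

registry_login() {
    rl_user="${1:-kubeadmin}"

    rl_host=$(oc get route default-route -n openshift-image-registry \
        --template='{{ .spec.host }}') || return 1
    [ -n "$rl_host" ] || { echo "default-route has no host" >&2; return 1; }

    rl_certs=$(mktemp -d) || return 1
    oc get configmap default-ingress-cert -n openshift-config-managed \
        -o jsonpath='{.data.ca-bundle\.crt}' > "$rl_certs/ingress-ca.crt" \
        || { rm -rf "$rl_certs"; return 1; }

    # Fail closed: without a CA bundle there is nothing to verify against,
    # so stop instead of falling back to --tls-verify=false.
    if ! grep -q 'BEGIN CERTIFICATE' "$rl_certs/ingress-ca.crt"; then
        echo "no ingress CA bundle found; not logging in" >&2
        rm -rf "$rl_certs"
        return 1
    fi

    # --password-stdin keeps the token out of the podman command line;
    # --cert-dir points podman at the CA bundle fetched above.
    oc whoami -t | podman login -u "$rl_user" --password-stdin \
        --cert-dir "$rl_certs" --tls-verify=true "$rl_host"
    rl_rc=$?

    rm -rf "$rl_certs"
    return "$rl_rc"
}

# Usage: registry_login            (logs in as kubeadmin)
#        registry_login developer
```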
To expose the registry using custom routes:
Create a secret with your route’s TLS keys:
$ oc create secret tls public-route-tls \
-n openshift-image-registry \
--cert=</path/to/tls.crt> \
--key=</path/to/tls.key>
This step is optional. If you do not create a secret, the route uses the default TLS configuration from the Ingress Operator.
On the Registry Operator:
spec:
  routes:
    - name: public-routes
      hostname: myregistry.mycorp.organization
      secretName: public-route-tls
...
Only set |