$ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=myaccesskey --from-literal=REGISTRY_STORAGE_S3_secretKEY=mysecretkey --namespace openshift-image-registry
In addition to the configs.imageregistry.operator.openshift.io
and ConfigMap
resources, configuration is provided to the Operator by a separate secret
resource located within the openshift-image-registry
namespace.
The image-registry-private-configuration-user
secret provides
credentials needed for storage access and management. It overrides the default
credentials used by the Operator, if default credentials were found.
For S3 on AWS storage, the secret is expected to contain two keys:
REGISTRY_STORAGE_S3_ACCESSKEY
REGISTRY_STORAGE_S3_secretKEY
Create an OKD secret that contains the required keys.
$ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=myaccesskey --from-literal=REGISTRY_STORAGE_S3_secretKEY=mysecretkey --namespace openshift-image-registry
During installation, your cloud credentials are sufficient to create an Amazon S3 bucket and the Registry Operator will automatically configure storage.
If the Registry Operator cannot create an S3 bucket and automatically configure storage, you can create an S3 bucket and configure storage with the following procedure.
You have a cluster on AWS with user-provisioned infrastructure.
For Amazon S3 storage, the secret is expected to contain two keys:
REGISTRY_STORAGE_S3_ACCESSKEY
REGISTRY_STORAGE_S3_secretKEY
Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.
Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.
Fill in the storage configuration in
configs.imageregistry.operator.openshift.io/cluster
:
$ oc edit configs.imageregistry.operator.openshift.io/cluster
storage:
s3:
bucket: <bucket-name>
region: <region-name>
To secure your registry images in AWS, block public access to the S3 bucket. |
The following configuration parameters are available for AWS S3 registry storage.
The image registry spec.storage.s3
configuration parameter holds the information to configure the registry to use the AWS S3 service for back-end storage. See the S3 storage driver documentation for more information.
Parameter | Description |
---|---|
|
Bucket is the bucket name in which you want to store the registry’s data. It is optional and is generated if not provided. |
|
Region is the AWS region in which your bucket exists. It is optional and is set based on the installed AWS Region. |
|
RegionEndpoint is the endpoint for S3 compatible storage services. It is optional and defaults based on the Region that is provided. |
|
VirtualHostedStyle enables using S3 virtual hosted style bucket paths with a custom RegionEndpoint. It is optional and defaults to false. Set this parameter to deploy OKD to hidden regions. |
|
Encrypt specifies whether or not the registry stores the image in encrypted format. It is optional and defaults to false. |
|
KeyID is the KMS key ID to use for encryption. It is optional. Encrypt must be true, or this parameter is ignored. |
|
CloudFront configures Amazon Cloudfront as the storage middleware in a registry. It is optional. |
|
The namespace for the config map referenced by |
When the value of the
|