$ oc create configmap registry-cas -n openshift-config \
--from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \
--from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt
Use the following sections to set up additional certificate authorities (CA) to be trusted by builds when pulling images from an image registry.
The procedure requires a cluster administrator to create a configmap
and add additional CAs as keys in the configmap
.
The configmap
must be created in the openshift-config
namespace.
domain
is the key in the configmap
and value
is the PEM-encoded certificate.
Each CA must be associated with a domain. The domain format is hostname[..port]
.
The configmap
name must be set in the image.config.openshift.io/cluster
cluster scoped configuration resource’s spec.additionalTrustedCA
field.
You can add certificate authorities (CA) to the cluster for use when pushing and pulling images with the following procedure.
You must have cluster administrator privileges.
You must have access to the public certificates of the registry, usually a hostname/ca.crt
file located in the /etc/docker/certs.d/
directory.
Create a configmap
in the openshift-config
namespace containing the trusted certificates for the registries that use self-signed certificates. For each CA file, ensure the key in the configmap
is the hostname of the registry in the hostname[..port]
format:
$ oc create configmap registry-cas -n openshift-config \
--from-file=myregistry.corp.com..5000=/etc/docker/certs.d/myregistry.corp.com:5000/ca.crt \
--from-file=otherregistry.com=/etc/docker/certs.d/otherregistry.com/ca.crt
Update the cluster image configuration:
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge