openshift_additional_registry_credentials=[{'host':'registry.example.com','user':'name','password':'pass1','test_login':'False'},{'host':'registry2.example.com','password':'token12345','tls_verify':'False','test_image':'mongodb/mongodb'}]
All container images available through the Red Hat Container Catalog are hosted
on an image registry, registry.access.redhat.com
. With OKD 3.11
Red Hat Container Catalog moved from registry.access.redhat.com
to
registry.redhat.io
.
The new registry, registry.redhat.io
, requires authentication for access to
images and hosted content on OKD. Following the move to the new
registry, the existing registry will be available for a period of time.
OKD pulls images from |
The new registry uses standard OAuth mechanisms for authentication, with the following methods:
Authentication token. Tokens, which are generated by administrators, are service accounts that give systems the ability to authenticate against the container image registry. Service accounts are not affected by changes in user accounts, so the token authentication method is reliable and resilient. This is the only supported authentication option for production clusters.
Web username and password. This is the standard set of credentials you use
to log in to resources such as access.redhat.com
.
While it is possible to use this authentication method with OKD, it is not supported for
production deployments. Restrict this authentication method to
stand-alone projects outside OKD.
You can use docker login
with your credentials, either username and password
or authentication token, to access content on the new registry.
All image streams point to the new registry. Because the new registry requires
authentication for access, there is a new secret in the OpenShift namespace
called imagestreamsecret
.
You must place your credentials in two places:
OpenShift namespace. Your credentials must exist in the OpenShift namespace so that the image streams in the OpenShift namespace can import.
Your host. Your credentials must exist on your host because Kubernetes uses the credentials from your host when it goes to pull images.
To access the new registry:
Verify image import secret, imagestreamsecret
, is in your OpenShift
namespace. That secret has credentials that allow you to access
the new registry.
Verify all of your cluster nodes have a /var/lib/origin/.docker/config.json
,
copied from master, that allows you to access the Red Hat registry.
If you are a Red Hat customer with entitlements to Red Hat products, you have an account with applicable user credentials. These are the username and password that you use to log in to the Red Hat Customer Portal.
If you do not have an account, you can acquire one for free by registering for one of the following options:
Red Hat Developer Program. This account gives you access to developer tools and programs.
30-day Trial Subscription. This account gives you a 30-day trial subscription with access to select Red Hat software products.
You must create tokens if your organization manages shared accounts. Administrators can create, view, and delete all tokens associated with an organization.
User credentials
To create a token in order complete a docker login
:
Navigate to registry.redhat.io
.
Log in with your Red Hat Network (RHN) username and password.
Accept terms when prompted.
If you are not immediately prompted to accept terms, you will be prompted when proceeding with the following steps.
From the Registry Service Accounts page, click Create Service Account
Provide a name for the service account. It will be prepended with a random string.
Enter a description.
Click create.
Navigate back to your Service Accounts.
Click the Service Account you created.
Copy the username, including the prepended string.
Copy the token.
You can also manage registry credentials during installation or upgrade using the Ansible installer.
This will set up the following:
imagestreamsecret
in your OpenShift namespace.
Credentials on all nodes.
User credentials
Service account
Service account token
To manage registry credentials during installation or upgrade using the Ansible installer:
During installation or upgrade, specify the oreg_auth_user
and oreg_auth_password
variables in your installer inventory.
If you have created a token, set |
Clusters that require access to additional authenticated registries can configure
a list of registries by setting openshift_additional_registry_credentials
.
Each registry requires a host and password value, you can specify a username by
setting user. By default the credentials specified are validated by attempting
to inspect the image openshift3/ose-pod
on the specified registry.
To specify an alternate image, either:
Set test_image
.
Disable credential validation by setting test_login
to False.
If the registry is insecure, set tls_verify
to False.
All credentials in this list will have an imagestreamsecret
created
in the OpenShift namespace and credentials deployed to all nodes.
For example:
openshift_additional_registry_credentials=[{'host':'registry.example.com','user':'name','password':'pass1','test_login':'False'},{'host':'registry2.example.com','password':'token12345','tls_verify':'False','test_image':'mongodb/mongodb'}]
Once you have created your service accounts and generated tokens for the Red Hat Registry, you can perform additional tasks.
This section provides the manual steps, which can be automatically performed during installation by providing the inventory variables outlined in the Managing Registry Credentials for Installation and Upgrade section. |
User credentials
Service account
Service account token
From your Registry Service Accounts page, click on your account name. From there, you can perform the following tasks:
From the Token Information tab, you can view your username (the name you provided prepended with a random string) and password (token). From this tab, you can regenerate your token.
From the OpenShift secret tab, you can:
Download the secret by clicking the link in the tab.
Submit the secret to the cluster:
# oc create -f <account-name>-secret.yml --namespace=openshift
Update your Kubernetes configuration by adding a reference to the secret to
your Kubernetes pod configuration with an imagePullsecrets
field, for example:
apiVersion: v1
kind: Pod
metadata:
name: somepod
namespace: all
spec:
containers:
- name: web
image: registry.redhat.io/REPONAME
imagePullsecrets:
- name: <numerical-string-account-name>-pull-secret
From the Docker Login tab, you can run docker login
. For example:
# docker login -u='<numerical-string|account-name>' -p=<token>
After you successfully log in, copy ~/.docker/config.json
to
/var/lib/origin/.docker/config.json
and restart the node.
# cp -r ~/.docker /var/lib/origin/ systemctl restart atomic-openshift-node
From the Docker Configuration tab, you can:
Download the credentials configuration by clicking the link in the tab.
Write the configuration to the disk by placing the file in the Docker configuration directory. This will overwrite existing credentials. For example:
# mv <account-name>-auth.json ~/.docker/config.json