This is a cache of https://docs.okd.io/4.13/registry/configuring_registry_storage/configuring-registry-storage-openstack-user-infrastructure.html. It is a snapshot of the page at 2024-11-20T00:20:45.129+0000.
Configuring the registry for OpenStack <strong>user</strong>-provisioned infrastructure - Setting up and configuring the registry | Registry | OKD 4.13
×

Configuring Image Registry Operator redirects

By disabling redirects, you can configure the Image Registry Operator to control whether clients such as OKD cluster builds or external systems like developer machines are redirected to pull images directly from OpenStack Swift storage. This configuration is optional and depends on whether the clients trust the storage’s SSL/TLS certificates.

In situations where clients to not trust the storage certificate, setting the disableRedirect option can be set to true proxies traffic through the image registry. Consequently, however, the image registry might require more resources, especially network bandwidth, to handle the increased load.

Alternatively, if clients trust the storage certificate, the registry can allow redirects. This reduces resource demand on the registry itself.

Some users might prefer to configure their clients to trust their self-signed certificate authorities (CAs) instead of disabling redirects. If you are using a self-signed CA, you must decide between trusting the custom CAs or disabling redirects.

Procedure
  • To ensures that the image registry proxies traffic instead of relying on Swift storage, change the value of the spec.disableRedirect field in the config.imageregistry object to true by running the following command:

    $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"disableRedirect":true}}'

Configuring a secret for the Image Registry Operator

In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

For Swift on OpenStack storage, the secret is expected to contain the following two keys:

  • REGISTRY_STORAGE_SWIFT_userNAME

  • REGISTRY_STORAGE_SWIFT_PASSWORD

Procedure
  • Create an OKD secret that contains the required keys.

    $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_SWIFT_userNAME=<username> --from-literal=REGISTRY_STORAGE_SWIFT_PASSWORD=<password> -n openshift-image-registry

Registry storage for OpenStack with user-provisioned infrastructure

If the Registry Operator cannot create a Swift bucket, you must set up the storage medium manually and configure the settings in the registry custom resource (CR).

Prerequisites
  • A cluster on OpenStack with user-provisioned infrastructure.

  • To configure registry storage for OpenStack, you need to provide Registry Operator cloud credentials.

  • For Swift on OpenStack storage, the secret is expected to contain the following two keys:

    • REGISTRY_STORAGE_SWIFT_userNAME

    • REGISTRY_STORAGE_SWIFT_PASSWORD

Procedure
  • Fill in the storage configuration in configs.imageregistry.operator.openshift.io/cluster:

    $ oc edit configs.imageregistry.operator.openshift.io/cluster
    Example configuration
    # ...
    storage:
      swift:
        container: <container-id>
    # ...

Image Registry Operator configuration parameters for OpenStack Swift

The following configuration parameters are available for OpenStack Swift registry storage.

Parameter Description

authURL

Defines the URL for obtaining the authentication token. This value is optional.

authVersion

Specifies the Auth version of OpenStack, for example, authVersion: "3". This value is optional.

container

Defines the name of a Swift container for storing registry data. This value is optional.

domain

Specifies the OpenStack domain name for the Identity v3 API. This value is optional.

domainID

Specifies the OpenStack domain ID for the Identity v3 API. This value is optional.

tenant

Defines the OpenStack tenant name to be used by the registry. This value is optional.

tenantID

Defines the OpenStack tenant ID to be used by the registry. This value is optional.

regionName

Defines the OpenStack region in which the container exists. This value is optional.