This is a cache of https://docs.openshift.com/container-platform/4.1/registry/configuring-registry-operator.html. It is a snapshot of the page at 2024-11-05T02:36:48.199+0000.
Image Registry Operator in Openshift Container Platform | Registry | OpenShift Container Platform 4.1
  1. Documentation
    2. history
×

Image Registry Operator in OpenShift Container Platform

The Image Registry Operator installs a single instance of the OpenShift Container Platform registry, and it manages all configuration of the registry, including setting up registry storage.

Storage is only automatically configured when you install on Amazon Web Services.

After the control plane deploys, the Operator will create a default configs.imageregistry.operator.openshift.io resource instance based on configuration detected in the cluster.

If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io resource, the incomplete resource will be defined and the operator will update the resource status with information about what is missing.

The Image Registry Operator runs in the openshift-image-registry namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.

Image Registry Operator configuration parameters

The configs.imageregistry.operator.openshift.io resource offers the following configuration parameters.

Parameter Description

ManagementState

Managed: The Operator updates the registry as configuration resources are updated.

Unmanaged: The Operator ignores changes to the configuration resources.

Removed: The Operator removes the registry instance and tear down any storage that the Operator provisioned.

Logging

Sets loglevel of the registry instance.

HTTPSecret

Value needed by the registry to secure uploads, generated by default.

Proxy

Defines the Proxy to be used when calling master API and upstream registries.

Storage

Storagetype: Details for configuring registry storage, for example S3 bucket coordinates. Normally configured by default.

Requests

API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests.

Defaultroute

Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to false.

routes

Array of additional routes to create. You provide the hostname and certificate for the route.

Replicas

Replica count for the registry.

Image Registry Operator configuration resources

In addition to the configs.imageregistry.operator.openshift.io resource, additional configuration is provided to the Operator by separate ConfigMap and Secret resources located within the openshift-image-registry namespace.

Prerequisites

  • The CAs must be PEM-encoded.

Procedure

You can create a ConfigMap in the openshift-config namespace and use its name in AdditionalTrustedCA in the image.config.openshift.io resource to provide additional CAs that should be trusted when contacting external registries. The key is the host name of a registry with the port for which this CA is to be trusted. The image-registry-private-configuration(Secret) provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

Image registry CA example
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  registry.example.com: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: | (1)
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
1 If the registry has the port, such as registry-with-port.example.com:5000. : should be replaced with ...

For S3 storage the ConfigMap is expected to contain two keys:

  • REGISTRY_STORAGE_S3_ACCESSKEY

  • REGISTRY_STORAGE_S3_SECRETKEY

You can configure additional CAs with the following procedure.

  1. To configure an additional CA:

    $ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
$ oc edit image.config.openshift.io cluster
spec:
  additionalTrustedCA:
    name: registry-config

  2. Check your image inside the image-registry pod:

    $ oc rsh image-registry-xxxxx
sh-4.2
$ ls /etc/pki/ca-trust/source/anchors
<external_registry_address> image-registry.openshift-image-registry.svc..5000 image-registry.openshift-image-registry.svc.cluster.local..5000

Enable the Image Registry default route with the Custom Resource Definition

In OpenShift Container Platform, the Registry Operator controls the registry feature. The Operator is defined by the configs.imageregistry.operator.openshift.io Custom Resource Definition (CRD).

If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.

Procedure

  • Patch the Image Registry Operator CRD:

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultroute":true}}'

Configuring Image Registry Storage

Configuring registry storage for AWS with user-provisioned infrastructure

During installation, your cloud credentials are sufficient to create an S3 bucket and the Registry Operator will automatically configure storage.

If the Registry Operator cannot create an S3 bucket, and automatically configure storage, you can create a S3 bucket and configure storage with the following procedure.

Prerequisites

  • A cluster on AWS with user-provisioned infrastructure.

Procedure

Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.

  1. Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.

  2. Fill in the storage configuration in configs.imageregistry.operator.openshift.io/cluster:

    $ oc edit configs.imageregistry.operator.openshift.io/cluster

storage:
  s3:
    bucket: <bucket-name>
    region: <region-name>

To secure your registry images in AWS, block public access to the S3 bucket.

Configuring registry storage for bare metal

As a cluster administrator, following installation you must configure your registry to use storage.

Prerequisites

  • Cluster administrator permissions.

  • A cluster on bare metal.

  • A provisioned persistent volume (PV) with ReadWriteMany access mode, such as NFS.

  • Must have "100Gi" capacity.

Procedure

  1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

  2. Verify you do not have a registry pod:

    $ oc get pod -n openshift-image-registry

If the storage type is emptyDIR, the replica number can not be greater than 1. If the storage type is NFS, and you want to scale up the registry Pod by setting replica>1 you must enable the no_wdelay mount option. For example:

# cat /etc/exports
/mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0)
sh-4.3# exportfs -rv
exporting *:/mnt/data

  1. Check the registry configuration:

    $ oc edit configs.imageregistry.operator.openshift.io

storage:
  pvc:
    claim:

    Leave the claim field blank to allow the automatic creation of an image-registry-storage PVC.

  2. Check the clusteroperator status:

    $ oc get clusteroperator image-registry

Configuring registry storage for VMware vSphere

As a cluster administrator, following installation you must configure your registry to use storage.

Prerequisites

  • Cluster administrator permissions.

  • A cluster on VMware vSphere.

  • A provisioned persistent volume (PV) with ReadWriteMany access mode, such as NFS.

    vSphere volumes do not support the ReadWriteMany access mode. You must use a different storage backend, such as NFS, to configure the registry storage.

  • Must have "100Gi" capacity.

Procedure

  1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

  2. Verify you do not have a registry pod:

    $ oc get pod -n openshift-image-registry

If the storage type is emptyDIR, the replica number can not be greater than 1. If the storage type is NFS, and you want to scale up the registry Pod by setting replica>1 you must enable the no_wdelay mount option. For example:

# cat /etc/exports
/mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0)
sh-4.3# exportfs -rv
exporting *:/mnt/data

  1. Check the registry configuration:

    $ oc edit configs.imageregistry.operator.openshift.io

storage:
  pvc:
    claim:

    Leave the claim field blank to allow the automatic creation of an image-registry-storage PVC.

  2. Check the clusteroperator status:

    $ oc get clusteroperator image-registry