Unable to access openshift docker registry externally


My organization is currently evaluating OpenShift enterprise, using the AWS quickstart cloudformation templates that create a VPC. The version is:

$ oc version
oc v3.7.52
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

Although we understand there are build capabilities in the platform, our preferred CI/CD workflow is to build docker images outside of OpenShift using an external Jenkins. It seems like then pushing those images to the OpenShift docker registry would make sense, where we could then initiate deployment activity. The install documentation implies that the internal docker registry should already be secured and exposed during the installation process:

https://docs.openshift.com/container-platform/3.7/install_config/registry/securing_and_exposing_registry.html

"By default, the OpenShift Container Registry is secured during cluster installation so that it serves traffic via TLS. A passthrough route is also created by default to expose the service externally."

And indeed it does seem that a passthrough route exists for the docker-registry service, and it appears to be secured. However, attempting to access the docker-registry externally:

curl -kv https://docker-registry-default.<my domain>:443/v2/

I receive a 503:

The application is currently not serving requests at this endpoint. It may not have been started or is still starting.

with the list of usual suspects (no running pod, etc.). I believe this means DNS, etc. is working properly enough for the router to get the request and send back a 503 response.

There is in fact a running pod, and I have verified that I can use curl to access the registry service from each of the three router pods using the IP address in the haproxy.config on the router. Here is the relevant config from the router:

$ grep docker-registry *
haproxy.config:backend be_tcp:default:docker-registry
haproxy.config:  server pod:docker-registry-4-jpswr:docker-registry:10.129.0.13:5000 10.129.0.13:5000 weight 256
os_route_http_redirect.map:^docker-registry-default\.<my domain>(:[0-9]+)?(/.*)?$ default:docker-registry
os_sni_passthrough.map:^docker-registry-default\.<my domain>(:[0-9]+)?(/.*)?$ 1
os_tcp_be.map:^docker-registry-default\.<my domain>(:[0-9]+)?(/.*)?$ default:docker-registry

and the curl command that succeeds (in the sense that it requires authentication) is:

curl -kv https://10.129.0.13:5000/v2/

which returns:

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

I understand I will need to authenticate for full functionality, but the authentication required message I believe indicates that the routers can reach the docker-registry.

To me this implies an issue with the router for the docker-registry for the "out of the box" 3.7 AWS quickstart configuration. I am wondering if anyone else has seen this issue. I am new to OpenShift and we are just evaluating it, so we don't have a support contract in place.

Thanks,

Scott Hasse (on behalf of Dave Hannon)
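The post's diagnosis rests on how the OpenShift 3.x HAProxy router resolves a passthrough route: the TLS SNI name the client sends is looked up in os_sni_passthrough.map, the same name is mapped to a backend in os_tcp_be.map, and the request is forwarded to a server of that backend; if any step fails, the router answers with its 503 page. The script below is an added example (not code from the post, from Red Hat, or from the router itself) that emulates that lookup against the map and backend fragments quoted above, with the redacted <my domain> replaced by the assumed placeholder example.com. It also models the edge case the post does not cover: a client that sends no SNI at all (for example, a TLS client connecting by bare IP, or a proxy that strips SNI) can never match a passthrough map entry and therefore gets a 503 even when the backend pod is healthy. The classify_response helper encodes the distinction the post draws between the router's 503 text and the registry's own UNAUTHORIZED JSON.

```python
"""Emulate the OpenShift 3.x router's passthrough-route lookup.

Added example, not code from the post or from OpenShift. The map files and
backend stanza are constructed from the `grep docker-registry *` output in
the post, with <my domain> replaced by the assumed placeholder example.com.
"""
import json
import re

# Constructed from the post's haproxy.config fragment (assumption: one pod).
HAPROXY_CONFIG = """\
backend be_tcp:default:docker-registry
  server pod:docker-registry-4-jpswr:docker-registry:10.129.0.13:5000 10.129.0.13:5000 weight 256
"""
# Constructed from the post's map fragments; domain is an assumed placeholder.
SNI_PASSTHROUGH_MAP = r"^docker-registry-default\.example\.com(:[0-9]+)?(/.*)?$ 1"
TCP_BE_MAP = r"^docker-registry-default\.example\.com(:[0-9]+)?(/.*)?$ default:docker-registry"


def parse_map(text):
    """Parse an HAProxy map file (regex-keyed) into (compiled_regex, value) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, value = line.rsplit(" ", 1)
        entries.append((re.compile(pattern), value))
    return entries


def lookup(entries, key):
    """First-match lookup, as HAProxy does for a regex map."""
    for pattern, value in entries:
        if pattern.search(key):
            return value
    return None


def parse_backends(config_text):
    """Map backend name -> list of 'ip:port' servers from haproxy.config."""
    backends = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("backend "):
            current = line.split(None, 1)[1].strip()
            backends[current] = []
        elif current and line.strip().startswith("server "):
            fields = line.split()
            backends[current].append(fields[2])  # address following the server name
    return backends


def route_passthrough(sni_host):
    """Return the servers the router would forward to, or None (router 503).

    sni_host=None models a client that sent no SNI: passthrough routes are
    keyed on the TLS SNI name, so such a client cannot match and gets 503.
    """
    if sni_host is None:
        return None
    if lookup(parse_map(SNI_PASSTHROUGH_MAP), sni_host) != "1":
        return None
    backend_key = lookup(parse_map(TCP_BE_MAP), sni_host)
    if backend_key is None:
        return None
    servers = parse_backends(HAPROXY_CONFIG).get("be_tcp:" + backend_key, [])
    return servers or None


def classify_response(status, body):
    """Tell the router's 503 page apart from a reply that came from the registry.

    The registry's /v2/ endpoint answers 401 with a JSON error list whose
    first code is UNAUTHORIZED; the router's 503 page is plain text/HTML.
    """
    if status == 503 and "not serving requests" in body:
        return "router-503"  # request never reached the registry pod
    try:
        errors = json.loads(body).get("errors", [])
    except ValueError:
        return "unknown"
    if status == 401 and errors and errors[0].get("code") == "UNAUTHORIZED":
        return "registry-reachable"  # registry answered; auth is the next step
    return "unknown"


if __name__ == "__main__":
    print(route_passthrough("docker-registry-default.example.com"))
    print(route_passthrough(None))
    print(classify_response(401, '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}'))
```

A client that connects by hostname (as the post's curl command does) sends SNI, so in this model its request reaches the registry; a client that connects to the router's IP without SNI, or through a TLS-terminating proxy that replaces the name, ends up at the 503 page regardless of pod health. The same lookup logic applies to any other passthrough route by swapping in that route's map entries.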

Responses