Chapter 2. Image Registry Operator in OpenShift Container Platform

2.1. Image Registry on cloud platforms and OpenStack

The Image Registry Operator installs a single instance of the OpenShift Container Platform registry, and manages all registry configuration, including setting up registry storage.

Note

Storage is only automatically configured when you install an installer-provisioned infrastructure cluster on AWS, GCP, Azure, or OpenStack.

After the control plane deploys, the Operator will create a default configs.imageregistry.operator.openshift.io resource instance based on configuration detected in the cluster.

If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io resource, the incomplete resource will be defined and the operator will update the resource status with information about what is missing.

The Image Registry Operator runs in the openshift-image-registry namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.

Important

The Image Registry Operator’s behavior for managing the pruner is orthogonal to the ManagementState specified on the Image Registry Operator’s ClusterOperator object. If the image registry operator is not in the Managed state, the image pruner can still be configured and managed by the Pruning Custom Resource.

However, the ManagementState of the Image Registry Operator alters the behavior of the deployed image pruner job:

  • Managed: the --prune-registry flag for the image pruner is set to true.
  • Removed: the --prune-registry flag for the image pruner is set to false, meaning it only prunes image metatdata in etcd.
  • Unmanaged: the --prune-registry flag for the image pruner is set to false.

2.2. Image Registry on bare metal and vSphere

2.2.1. Image registry removed during installation

On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types.

After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed.

Note

The Prometheus console provides an ImageRegistryRemoved alert, for example:

"Image Registry has been removed. ImageStreamTags, BuildConfigs and DeploymentConfigs which reference ImageStreamTags may not work as expected. Please configure storage and update the config to Managed state by editing configs.imageregistry.operator.openshift.io."

2.3. Image Registry Operator configuration parameters

The configs.imageregistry.operator.openshift.io resource offers the following configuration parameters.

ParameterDescription

managementState

Managed: The Operator updates the registry as configuration resources are updated.

Unmanaged: The Operator ignores changes to the configuration resources.

Removed: The Operator removes the registry instance and tear down any storage that the Operator provisioned.

logging

Sets loglevel of the registry instance.

httpSecret

Value needed by the registry to secure uploads, generated by default.

proxy

Defines the Proxy to be used when calling master API and upstream registries.

storage

Storagetype: Details for configuring registry storage, for example S3 bucket coordinates. Normally configured by default.

readOnly

Indicates whether the registry instance should reject attempts to push new images or delete existing ones.

requests

API Request Limit details. Controls how many parallel requests a given registry instance will handle before queuing additional requests.

defaultRoute

Determines whether or not an external route is defined using the default hostname. If enabled, the route uses re-encrypt encryption. Defaults to false.

routes

Array of additional routes to create. You provide the hostname and certificate for the route.

replicas

Replica count for the registry.

2.4. Enable the Image Registry default route with the Custom Resource Definition

In OpenShift Container Platform, the Registry Operator controls the registry feature. The Operator is defined by the configs.imageregistry.operator.openshift.io Custom Resource Definition (CRD).

If you need to automatically enable the Image Registry default route, patch the Image Registry Operator CRD.

Procedure

  • Patch the Image Registry Operator CRD:

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'

2.5. Configuring additional trust stores for image registry access

The image.config.openshift.io/cluster resource can contain a reference to a ConfigMap that contains additional certificate authorities to be trusted during image registry access.

Prerequisites

  • The CAs must be PEM-encoded.

Procedure

You can create a ConfigMap in the openshift-config namespace and use its name in AdditionalTrustedCA in the image.config.openshift.io resource to provide additional CAs that should be trusted when contacting external registries.

The ConfigMap key is the host name of a registry with the port for which this CA is to be trusted, and the base64-encoded certificate is the value, for each additional registry CA to trust.

Image registry CA ConfigMap example

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  registry.example.com: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: | 1
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

1
If the registry has the port, such as registry-with-port.example.com:5000, : should be replaced with ...

You can configure additional CAs with the following procedure.

  1. To configure an additional CA:

    $ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
    $ oc edit image.config.openshift.io cluster
    spec:
      additionalTrustedCA:
        name: registry-config

2.6. Configuring storage credentials for the Image Registry Operator

In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

Procedure

  • Create an OpenShift Container Platform secret that contains the required keys.

    $ oc create secret generic image-registry-private-configuration-user --from-file=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry

2.7. Additional resources