Chapter 2. Authenticating with the Red Hat Container Catalog

The Red Hat Container Catalog, registry.redhat.io, requires authentication to access JBoss Data Grid for OpenShift images and resources.

You can use the following authentication mechanisms:

Credentials
The username and password for your Red Hat customer account. These credentials let you pull resources from registry.redhat.io from a single host with the docker login command. You can also use these credentials to create service accounts and generate authentication tokens.
Registry Service Account Token

A randomly generated string that you use to authenticate multiple systems.

From a high level, do the following to get an authentication token:

  1. Log in to registry.redhat.io.
  2. Create a new Registry Service Account if necessary.
  3. Generate tokens as required.

2.1. Setting Up Authentication with Service Account Tokens

After you generate a service account token, do the following to set up authentication:

  1. Navigate to your registry service account.
  2. Select the Docker Login tab and copy the command.
  3. Run the docker login command on each host system that pulls from registry.redhat.io.

  4. Verify the token is added to the Docker configuration file. 

    $ cat ~/.docker/config.json
...
"registry.redhat.io": {
			"auth": "MTEwMDkx..."
		}

2.1.1. Adding Tokens to Pull Secrets

To pull secured container images that are not available on the internal registry for OpenShift Container Platform, create a pull secret from your Docker configuration file and add it to your service account as follows:

  1. Log in to OpenShift. 

    $ oc login -u username -p password

  2. Select your working project. 

    $ oc project myproject

  3. Create the pull secret. 

    $ oc create secret generic pull-secret-name \
  --from-file=.dockerconfigjson=path/to/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson

  4. Link the pull secret to your service account. This step lets you pull images from the secure registry to the pod. 

    $ oc secrets link default pull-secret-name --for=pull

  5. Mount the secret in the pod so that you can pull build images. 

    $ oc secrets link builder pull-secret-name

For more information, including troubleshooting procedures, see Red Hat Container Registry Authentication.