Image Registry
Use ReadWriteOnce volumes - new in 4.4!
Note
Only available since OpenShift version 4.4.0
Warning
By using a ReadWriteOnce volume you have to
That means, during a cluster or image-registry upgrade, your internal registry has downtime between stopping the old pod and starting the new pod!
Documentation bug for official documentation: https://bugzilla.redhat.com/show_bug.cgi?id=1826292
On vSphere with cloud provider integration:
Create PVC
| oc create -f - <<EOF
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: image-registry-pvc
namespace: openshift-image-registry
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Gi
storageClassName: thin
EOF
|
Patch registry operator crd
| oc patch configs.imageregistry.operator.openshift.io/cluster \
--type='json' \
--patch='[
{"op": "replace", "path": "/spec/managementState", "value": "Managed"},
{"op": "replace", "path": "/spec/rolloutStrategy", "value": "Recreate"},
{"op": "replace", "path": "/spec/replicas", "value": 1},
{"op": "replace", "path": "/spec/storage", "value": {"pvc":{"claim": "image-registry-pvc" }}}
]'
|
Exposing the registry
Documentation: Exposing the registry
Discover exposed registry - Work in progress -
Note
This is work in progress
| export REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
export REGISTRY_TOKEN=$(oc whoami -t)
podman login -u $(oc whoami) -p $REGISTRY_TOKEN --tls-verify=false $HOST
# List all images
curl -s -H "Authorization: Bearer $REGISTRY_TOKEN" \
https://$REGISTRY/v2/_catalog
# List tages of an image
export IMAGE=openshift/python
curl -s -H "Authorization: Bearer $REGISTRY_TOKEN" \
https://$REGISTRY/v2/$IMAGE/tags/list
# Get sha/digest
export TAG=latest
curl -s -H "Authorization: Bearer $REGISTRY_TOKEN" \
https://$REGISTRY/v2/$IMAGE/manifests/$TAG
|
Setup non AWS S3 storage backend
Deploy min.io via helm3
| helm repo add stable https://kubernetes-charts.storage.googleapis.com
# https://github.com/helm/charts/tree/master/stable/minio#configuration
helm install minio stable/minio \
--set persistence.storageClass=managed-premium \
--set securityContext.runAsUser=$( oc get project $(oc project -q) -ojsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}' | cut -f1 -d '/' ) \
--set securityContext.fsGroup=$( oc get project $(oc project -q) -ojsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}' | cut -f1 -d '/' ) \
--set ingress.enabled=true \
--set ingress.hosts={minio-$(oc project -q).$( oc get ingresses.config.openshift.io/cluster -o jsonpath="{.spec.domain}" )}
# helm uninstall minio
|
| minio-service.minio.svc.cluster.local
oc create secret generic image-registry-private-configuration-user \
--from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=minio \
--from-literal=REGISTRY_STORAGE_S3_SECRETKEY=minio123 \
--namespace openshift-image-registry
oc patch configs.imageregistry.operator.openshift.io/cluster \
--type='json' \
--patch='[
{"op": "remove", "path": "/spec/storage" },
{"op": "add", "path": "/spec/storage", "value": {"s3":{"bucket": "minio-service", "regionEndpoint": "minio.svc.cluster.local:9000", "encrypt": false, "region": "dummyregion"}}}
]'
oc describe configs.imageregistry.operator.openshift.io/cluster
[...snipped...]
Name: cluster
API Version: imageregistry.operator.openshift.io/v1
Kind: Config
[...snipped...]
Spec:
[...snipped...
Storage:
s3:
Bucket: minio-service
Encrypt: false
Region: dummyregionf
Region Endpoint: minio.svc.cluster.local:9000
Status:
Conditions:
Last Transition Time: 2020-02-26T21:04:38Z
Message: The registry is ready
Reason: Ready
Status: True
Type: Available
Last Transition Time: 2020-02-29T20:21:55Z
Message: Unable to apply resources: unable to sync storage configuration: RequestError: send request failed
caused by: Head https://minio-service.minio.svc.cluster.local:9000/: dial tcp 172.30.202.88:9000: connect: connection refused
Reason: Error
Status: True
[...snipped...]
|
Last update:
April 9, 2023