Configuring the registry for bare metal

    After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed.

    To start the image registry, you must change the Image Registry Operator configuration’s managementState from Removed to Managed.

    Procedure

    • Change the managementState of the Image Registry Operator configuration from Removed to Managed. For example:

    The Image Registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so that the Registry Operator is made available.

    Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.

    Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.

    As a cluster administrator, following installation you must configure your registry to use storage.

    Prerequisites

    • You have access to the cluster as a user with the cluster-admin role.

    • You have a cluster that uses manually-provisioned Fedora CoreOS (FCOS) nodes, such as bare metal.

    • You have provisioned persistent storage for your cluster, such as Red Hat OpenShift Data Foundation.

      OKD supports ReadWriteOnce access for image registry storage when you have only one replica. ReadWriteOnce access also requires that the registry uses the Recreate rollout strategy. To deploy an image registry that supports high availability with two or more replicas, ReadWriteMany access is required.

    • The storage must have 100Gi capacity.

    Procedure

    1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

    2. Verify that you do not have a registry pod:

      $ oc get pod -n openshift-image-registry -l docker-registry=default

      Example output

      No resources found in openshift-image-registry namespace

      If you do have a registry pod in your output, you do not need to continue with this procedure.

    3. Check the registry configuration:

      $ oc edit configs.imageregistry.operator.openshift.io

      Example output

      storage:
        pvc:
          claim:

      Leave the claim field blank to allow the automatic creation of an image-registry-storage PVC.

    4. Check the clusteroperator status:

      $ oc get clusteroperator image-registry

      Example output

      NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE

    5. Ensure that your registry is set to managed to enable building and pushing of images.

      • Run:

        $ oc edit configs.imageregistry/cluster

        Then, change the line

        managementState: Removed

        to

        managementState: Managed

    You must configure storage for the Image Registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.

    Procedure

    • To set the image registry storage to an empty directory:

      $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'

      If you run this command before the Image Registry Operator initializes its components, the oc patch command fails with the following error:

      Wait a few minutes and run the command again.

    To allow the image registry to use block storage types during upgrades as a cluster administrator, you can use the Recreate rollout strategy.

    Block storage volumes, or block persistent volumes, are supported but not recommended for use with the image registry on production clusters. An installation where the registry is configured on block storage is not highly available because the registry cannot have more than one replica.

    If you choose to use a block storage volume with the image registry, you must use a filesystem Persistent Volume Claim (PVC).

    Procedure

    1. To set the image registry storage as a block storage type, patch the registry so that it uses the Recreate rollout strategy and runs with only one (1) replica:

      $ oc patch config.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"rolloutStrategy":"Recreate","replicas":1}}'

    2. Provision the PV for the block storage device, and create a PVC for that volume. The requested block volume uses the ReadWriteOnce (RWO) access mode.

    3. Edit the registry configuration so that it references the correct PVC.
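    The storage rules stated in this section (ReadWriteOnce storage allows one replica and needs the Recreate rollout strategy, two or more replicas need ReadWriteMany, and the volume must provide 100Gi) can be checked before the registry configuration is patched. The script below is an added example and is not part of the OKD documentation. The check functions take the plain values that oc get -o jsonpath prints, so they run without a cluster; the registry_preflight helper is the only part that calls oc, and it assumes that the registry PVC lives in the openshift-image-registry namespace, that an unset spec.replicas means 1, and that an unset spec.rolloutStrategy means RollingUpdate.

```shell
#!/bin/sh
# Added example, not from the OKD documentation: pre-flight checks for the
# registry storage rules before patching configs.imageregistry/cluster.
#   - ReadWriteOnce storage: replicas must be 1 and rolloutStrategy Recreate
#   - two or more replicas: the PVC must be ReadWriteMany
#   - the volume must provide at least 100Gi

# to_gib <quantity> : convert a Kubernetes quantity (100Gi, 1Ti, 512000Mi)
# to whole GiB, rounded down. Decimal suffixes (G, T, M) are treated like
# their binary counterparts; fractional quantities are not supported.
to_gib() {
    q="$1"
    num="${q%[GMT]*}"            # digits before the unit suffix
    unit="${q#"$num"}"           # the unit suffix itself
    case "$unit" in
        Mi|M) echo $(( num / 1024 )) ;;
        Gi|G) echo "$num" ;;
        Ti|T) echo $(( num * 1024 )) ;;
        *) echo "unsupported quantity: $q" >&2; return 1 ;;
    esac
}

# check_rollout <access_mode> <replicas> <rollout_strategy>
# Returns 0 when the registry can run with this combination, 1 otherwise,
# with the reason on stderr.
check_rollout() {
    mode="$1"; replicas="$2"; strategy="$3"
    case "$mode" in
        ReadWriteOnce)
            if [ "$replicas" -ne 1 ]; then
                echo "ReadWriteOnce storage allows only one replica (got $replicas)" >&2
                return 1
            fi
            if [ "$strategy" != "Recreate" ]; then
                echo "ReadWriteOnce storage requires rolloutStrategy Recreate (got $strategy)" >&2
                return 1
            fi
            ;;
        ReadWriteMany) ;;
        *)
            echo "unsupported access mode for the registry: $mode" >&2
            return 1 ;;
    esac
    return 0
}

# check_capacity <quantity> : the registry volume must provide 100Gi.
check_capacity() {
    gib=$(to_gib "$1") || return 1
    if [ "$gib" -lt 100 ]; then
        echo "registry volume is $1, at least 100Gi is required" >&2
        return 1
    fi
    return 0
}

# registry_preflight <pvc_name> : run both checks against a live cluster.
# Assumes the PVC is in openshift-image-registry and that unset fields take
# the operator defaults (replicas 1, rolloutStrategy RollingUpdate).
registry_preflight() {
    pvc="$1"
    cfg=configs.imageregistry.operator.openshift.io/cluster
    replicas=$(oc get "$cfg" -o jsonpath='{.spec.replicas}')
    strategy=$(oc get "$cfg" -o jsonpath='{.spec.rolloutStrategy}')
    mode=$(oc get pvc -n openshift-image-registry "$pvc" -o jsonpath='{.spec.accessModes[0]}')
    size=$(oc get pvc -n openshift-image-registry "$pvc" -o jsonpath='{.status.capacity.storage}')
    check_rollout "$mode" "${replicas:-1}" "${strategy:-RollingUpdate}" && check_capacity "$size"
}
```

    Source the file and run registry_preflight image-registry-storage (or the name of the PVC you created in step 2) before step 3; a non-zero exit with the printed reason means the patch from step 1 or the PVC does not match the rules above.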

    Red Hat OpenShift Data Foundation integrates multiple storage types that you can use with the OpenShift image registry:

    • Ceph, a shared and distributed file system and on-premises object storage

    • NooBaa, providing a Multicloud Object Gateway

    This document outlines the procedure to configure the image registry to use Ceph RGW storage.

    Prerequisites

    • You have access to the OKD web console.

    • You installed the oc CLI.

    • You installed Red Hat OpenShift Data Foundation to provide object storage and Ceph RGW object storage.

    Procedure

    1. Create the object bucket claim using the ocs-storagecluster-ceph-rgw storage class. For example:

      cat <<EOF | oc apply -f -
      apiVersion: objectbucket.io/v1alpha1
      kind: ObjectBucketClaim
      metadata:
        name: rgwtest
        namespace: openshift-storage
      spec:
        storageClassName: ocs-storagecluster-ceph-rgw
        generateBucketName: rgwtest
      EOF

    2. Get the bucket name by entering the following command:

      $ bucket_name=$(oc get obc -n openshift-storage rgwtest -o jsonpath='{.spec.bucketName}')

    3. Get the AWS credentials by entering the following commands:

      $ AWS_ACCESS_KEY_ID=$(oc get secret -n openshift-storage rgwtest -o yaml | grep -w "AWS_ACCESS_KEY_ID:" | head -n1 | awk '{print $2}' | base64 --decode)
      $ AWS_SECRET_ACCESS_KEY=$(oc get secret -n openshift-storage rgwtest -o yaml | grep -w "AWS_SECRET_ACCESS_KEY:" | head -n1 | awk '{print $2}' | base64 --decode)

    4. Create the secret image-registry-private-configuration-user with the AWS credentials for the new bucket under openshift-image-registry project by entering the following command:

      $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=${AWS_ACCESS_KEY_ID} --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=${AWS_SECRET_ACCESS_KEY} --namespace openshift-image-registry

    5. Create a reencrypt route for Ceph RGW by entering the following command:

      $ oc create route reencrypt <route_name> --service=rook-ceph-rgw-ocs-storagecluster-cephobjectstore --port=https -n openshift-storage

      • Get the route host by entering the following command:

        $ route_host=$(oc get route <route_name> -n openshift-storage -o=jsonpath='{.spec.host}')

    6. Create a config map that uses an ingress certificate by entering the following commands:

      $ oc extract secret/router-certs-default -n openshift-ingress --confirm
      $ oc create configmap image-registry-s3-bundle --from-file=ca-bundle.crt=./tls.crt -n openshift-config

    This document outlines the procedure to configure the image registry to use Noobaa storage.

    Prerequisites

    • You have access to the cluster as a user with the cluster-admin role.

    • You have access to the OKD web console.

    • You installed the oc CLI.

    • You installed Red Hat OpenShift Data Foundation to provide object storage and NooBaa object storage.

    Procedure

    1. Create the object bucket claim using the openshift-storage.noobaa.io storage class. For example:

      cat <<EOF | oc apply -f -
      apiVersion: objectbucket.io/v1alpha1
      kind: ObjectBucketClaim
      metadata:
        name: noobaatest
        namespace: openshift-storage   # the following steps look the claim up in openshift-storage
      spec:
        storageClassName: openshift-storage.noobaa.io
        generateBucketName: noobaatest
      EOF

    2. Get the bucket name by entering the following command:

      $ bucket_name=$(oc get obc -n openshift-storage noobaatest -o jsonpath='{.spec.bucketName}')

    3. Get the AWS credentials by entering the following commands:

      $ AWS_ACCESS_KEY_ID=$(oc get secret -n openshift-storage noobaatest -o yaml | grep -w "AWS_ACCESS_KEY_ID:" | head -n1 | awk '{print $2}' | base64 --decode)
      $ AWS_SECRET_ACCESS_KEY=$(oc get secret -n openshift-storage noobaatest -o yaml | grep -w "AWS_SECRET_ACCESS_KEY:" | head -n1 | awk '{print $2}' | base64 --decode)

    4. Create the secret image-registry-private-configuration-user with the AWS credentials for the new bucket under openshift-image-registry project by entering the following command:

      $ oc create secret generic image-registry-private-configuration-user --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=${AWS_ACCESS_KEY_ID} --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=${AWS_SECRET_ACCESS_KEY} --namespace openshift-image-registry

    5. Get the route host by entering the following command:

      $ route_host=$(oc get route s3 -n openshift-storage -o=jsonpath='{.spec.host}')

    6. Create a config map that uses an ingress certificate by entering the following commands:

      $ oc extract secret/router-certs-default -n openshift-ingress --confirm
      $ oc create configmap image-registry-s3-bundle --from-file=ca-bundle.crt=./tls.crt -n openshift-config

    7. Configure the image registry to use the NooBaa object storage by entering the following command:

      $ oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","s3":{"bucket":'\"${bucket_name}\"',"region":"us-east-1","regionEndpoint":'\"https://${route_host}\"',"virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"image-registry-s3-bundle"}}}}}' --type=merge
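    Steps 2 through 7 of the Ceph RGW and NooBaa procedures differ only in the object bucket claim and route names, and the final patch is awkward to quote on one command line. The script below is an added example, not the documentation's own commands: it reads the bucket name and credentials from the object bucket claim's secret with jsonpath instead of grepping the whole secret, refuses an empty or malformed route host (a failed oc get route would otherwise yield the endpoint https://), and builds the same merge patch as step 7 with printf. The claim and route names are arguments; the config map image-registry-s3-bundle and the secret image-registry-private-configuration-user are the ones created in the earlier steps, and the registry settings (us-east-1, path-style addressing, no server-side encryption, two replicas) are copied from the patch above.

```shell
#!/bin/sh
# Added example, not from the OKD documentation: the object-storage steps for
# either ODF object store (Ceph RGW or NooBaa) in one script. Only
# configure_registry_s3 needs a cluster; the other functions are pure.

# obc_secret_value <obc_name> <key> : decode one key of the secret that the
# object bucket claim created, without printing the whole secret.
obc_secret_value() {
    oc get secret -n openshift-storage "$1" -o jsonpath="{.data.$2}" | base64 --decode
}

# require_hostname <value> : reject an empty or scheme-prefixed route host so
# the patch never ends up with regionEndpoint "https://" or "https://https://...".
require_hostname() {
    case "$1" in
        "") echo "route host is empty" >&2; return 1 ;;
        *://*|*/*|*" "*) echo "route host must be a bare hostname: $1" >&2; return 1 ;;
    esac
    return 0
}

# registry_s3_patch <bucket> <route_host> [replicas]
# Prints the merge patch for configs.imageregistry/cluster: the registry is
# Managed, its storage block is left alone by the operator (Unmanaged), and
# the TLS connection to the route is verified against the router CA bundle
# stored in the image-registry-s3-bundle config map.
registry_s3_patch() {
    require_hostname "$2" || return 1
    printf '{"spec":{"managementState":"Managed","replicas":%s,"storage":{"managementState":"Unmanaged","s3":{"bucket":"%s","region":"us-east-1","regionEndpoint":"https://%s","virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"image-registry-s3-bundle"}}}}}' \
        "${3:-2}" "$1" "$2"
}

# configure_registry_s3 <obc_name> <route_name> : steps 2 to 7 against a live
# cluster. The credentials are held in shell variables and never echoed.
configure_registry_s3() {
    obc="$1"; route="$2"
    bucket=$(oc get obc -n openshift-storage "$obc" -o jsonpath='{.spec.bucketName}')
    access_key=$(obc_secret_value "$obc" AWS_ACCESS_KEY_ID)
    secret_key=$(obc_secret_value "$obc" AWS_SECRET_ACCESS_KEY)
    oc create secret generic image-registry-private-configuration-user \
        --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY="$access_key" \
        --from-literal=REGISTRY_STORAGE_S3_SECRETKEY="$secret_key" \
        --namespace openshift-image-registry || return 1
    host=$(oc get route "$route" -n openshift-storage -o jsonpath='{.spec.host}')
    patch=$(registry_s3_patch "$bucket" "$host") || return 1
    oc patch configs.imageregistry.operator.openshift.io/cluster --type=merge -p "$patch"
}
```

    After the route and the CA bundle config map exist, run configure_registry_s3 rgwtest <route_name> for Ceph RGW or configure_registry_s3 noobaatest s3 for NooBaa. Because the values are substituted by printf rather than spliced between quoted fragments, a bucket name or host containing a quote character cannot break the JSON, and an empty host stops the script before anything is patched.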

    This document outlines the procedure to configure the image registry to use CephFS storage.

    Prerequisites

    • You have access to the cluster as a user with the cluster-admin role.

    • You have access to the OKD web console.

    • You installed the oc CLI.

    • You installed Red Hat OpenShift Data Foundation to provide object storage and CephFS file storage.

    Procedure

    1. Create a PVC to use the cephfs storage class. For example:

      cat <<EOF | oc apply -f -
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: registry-storage-pvc
        namespace: openshift-image-registry
      spec:
        accessModes:
        - ReadWriteMany
        resources:
          requests:
            storage: 100Gi
        storageClassName: ocs-storagecluster-cephfs
      EOF

    2. Configure the image registry to use the CephFS file system storage by entering the following command:
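    The command for this step is missing from this copy of the page. What follows is an added example and not the documentation's own command: a merge patch that sets spec.storage.pvc.claim (the field shown earlier in this document) to the registry-storage-pvc claim created in step 1, followed by a check that parses the oc get clusteroperator image-registry table shown earlier and treats AVAILABLE=True, PROGRESSING=False and DEGRADED=False as healthy. The replica count of 2 (permitted because the claim is ReadWriteMany), the health rule and the 300-second polling default are assumptions.

```shell
#!/bin/sh
# Added example, not from the OKD documentation: bind the registry to the
# CephFS claim and wait until the image-registry cluster operator is healthy.

# registry_pvc_patch <claim> [replicas] : merge patch that points the
# registry at an existing PVC and keeps the operator managing the registry.
registry_pvc_patch() {
    printf '{"spec":{"managementState":"Managed","replicas":%s,"storage":{"pvc":{"claim":"%s"}}}}' \
        "${2:-2}" "$1"
}

# registry_operator_healthy <table_row>
# Parses one data row of `oc get clusteroperator image-registry`
# (columns: NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE) and
# returns 0 only for Available=True, Progressing=False, Degraded=False.
registry_operator_healthy() {
    printf '%s\n' "$1" | awk '
        $1 == "image-registry" && $3 == "True" && $4 == "False" && $5 == "False" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# wait_for_registry [timeout_seconds] : poll the operator until it is healthy
# or the timeout (default 300s) expires.
wait_for_registry() {
    timeout="${1:-300}"
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        row=$(oc get clusteroperator image-registry --no-headers 2>/dev/null)
        if registry_operator_healthy "$row"; then
            return 0
        fi
        sleep 10
    done
    echo "image-registry operator not healthy after ${timeout}s" >&2
    return 1
}

# apply_cephfs_storage : patch the registry configuration, then wait.
apply_cephfs_storage() {
    oc patch configs.imageregistry.operator.openshift.io/cluster --type=merge \
        -p "$(registry_pvc_patch registry-storage-pvc)" && wait_for_registry
}
```

    Run apply_cephfs_storage after the PVC from step 1 is bound; a non-zero exit means the operator did not report Available within the timeout, and oc get clusteroperator image-registry then shows the MESSAGE column explaining why.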