Accessing and Using the Internal OpenShift Registry


OCPdude


If you'd like to experiment or evaluate the internal registry that is included with OCP, then follow along. For production use cases, I highly recommend a real external registry, like Docker (DTR), Nexus, Harbor or one provided by many cloud providers.
In this video I enable external access to the registry, provide a secured secondary route using my private certificate/key and push images into a project.
The string to enable the registry is "oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge"
I've updated "Minecraft" to run on OpenShift 4.x for fun, linked here : github.com/ocp...
A link to the documentation about using the internal registry may be found here: docs.openshift...
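
The "secured secondary route" mentioned above can be expressed as a Route manifest. This is an added example, not taken from the video or the author's repository; the route name is an assumption, the hostname is the one the author quotes in the comments, and the PEM bodies are placeholders.

```yaml
# Added example: a second, re-encrypt Route in front of the internal registry,
# serving a certificate issued by a private CA.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: registry-custom              # assumed name
  namespace: openshift-image-registry
spec:
  host: registry.redcloud.land       # hostname quoted by the author in the comments
  to:
    kind: Service
    name: image-registry             # the registry service created by the operator
  tls:
    # TLS ends at the router and is re-established to the registry pod,
    # so traffic is encrypted on both legs.
    termination: reencrypt
    # Redirect plain HTTP to HTTPS instead of serving it.
    insecureEdgeTerminationPolicy: Redirect
    certificate: |
      -----BEGIN CERTIFICATE-----
      <placeholder: server certificate whose SAN matches spec.host>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <placeholder: private key for the certificate above>
      -----END PRIVATE KEY-----
    # Issuing CA chain for the certificate above. The router validates the
    # certificate against this chain when the route is admitted.
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      <placeholder: private root/intermediate CA certificate>
      -----END CERTIFICATE-----
```

Clients that push or pull through this hostname also need the same private CA in their trust store; otherwise docker/podman will refuse the TLS connection.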

Comments: 34
@joeschell3366 3 years ago
Thank you so much. This was so helpful in getting my image into openshift. Really appreciate you taking the time to make these videos.
@elsabaa85 3 years ago
Really Good video ! I am getting real hands on information from your videos .. keep it up 👍
@JoseLausuch 2 years ago
Very helpful! Do you have an example how to deploy a simple application with oc CLI using that custom image in the internal registry?
@OCPdude 2 years ago
I launch the app at about 8:25
@JoseLausuch 2 years ago
@@OCPdude Sure, I meant using CLI and a yml file.
@OCPdude 2 years ago
@@JoseLausuch It'd be the same as normal, but you'd refer to the image based in the internal registry (registry.redcloud.land/$namespace/$image:$tag)
@JoseLausuch 2 years ago
@@OCPdude thanks!
@gayu12345 2 years ago
From where u got the certs for the Registry??? I don't see certs for my existing internal registry.
@OCPdude 2 years ago
When you expose the internal registry you can use that route and self-signed certificate - for my lab, I generated a cert from my internal CA. More details can be found on my GitHub link here: github.com/ocpdude/ocp-internal-registry
@gayu12345 2 years ago
@@OCPdude This environment was provisioned temporarily in my organization, so I am not sure where to get those very details... Suppose I don't want to create a smaller route name then the image which I create with the original internal registry name should also be accessible right?
@OCPdude 2 years ago
@@gayu12345 It will still work with the exposed default route. It essentially works off of your wildcard *.apps.cluster.domain.com see the docs here: docs.openshift.com/container-platform/4.9/registry/securing-exposing-registry.html#registry-exposing-secure-registry-manually_securing-exposing-registry
@gayu12345 2 years ago
Actually I am using Tekton Task and Pipeline to push my Maven image into the internal registry but I am getting unauthorised : authentication required error when trying to pull image from the default registry. If any email ID of urs is available, I can email u my problem with screenshots so that u can help me out if possible.
@OCPdude 2 years ago
@@gayu12345 you need to make sure your user has the right privileges - please watch from here: kzbin.info/www/bejne/iZfJlmpsgZiZmtE
@salvadoralvarez2347 3 years ago
@ocpdude how do I log in to the internal registry with the user name and the password? Pretty new at this. I have the image tagged, the project ready and the role binding.
@OCPdude 3 years ago
Generate a token for your account and use it as your password. Then, oc login -u username “registry”; when prompted enter the token. See @7:28
@magesh4806 3 years ago
Does OCR provide any UI dashboard kind of thing to see the uploaded images?
@OCPdude 3 years ago
The internal registry doesn't provide the full repository view you're likely thinking of. For this view, I would recommend other "external" registries like those provided by cloud services, Nexus, DTR, and others.
@magesh4806 3 years ago
@@OCPdude Is it possible to see in logs what images are pushed and pulled through logs or by any other means in OCR? Currently using "oc logs deployments/image-registry -n openshift-image-registry" to see the registry logs. But they are not providing any image related details.
@OCPdude 3 years ago
@@magesh4806 If you monitor the image-registry-$podID (oc -n openshift-image-registry logs image-registry-59f995b7b4-ph9rf) you'll see the images being pulled into and from the registry.
@jaakkouusitalo1094 3 years ago
@@OCPdude Are you sure about that? Isn't this the same as Image Streams tab under Builds?
@OCPdude 3 years ago
@@jaakkouusitalo1094 Sorry, I'm not sure what question you are asking. Is this about viewing logs?
@piyumithanirman 1 year ago
How to generate docker login password? Can you give steps?
@OCPdude 1 year ago
The user accounts accessible are those OpenShift has access to... whether they're local, ldap, etc. My accounts are linked via ldap integration. 6:52
@davorinkocbek4779 3 years ago
Great video. But I have some problems with re-encryption of my certs. We have our RootCA in our company. I got Rejected status: spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority
@OCPdude 3 years ago
Is this with Chrome? Try another browser.
@davorinkocbek4779 3 years ago
@@OCPdude Firefox. I also tried in Chrome. When I create a route I get the error: spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority
@OCPdude 3 years ago
@@davorinkocbek4779 Sorry, are you getting this error when using your docker/podman login? If you created a custom route for your internal registry, you should attach your CA to the cert as well. For example, my yaml looks like this... - sorry, for some reason KZbin prevents me from pasting basic text formatted in .yaml. I have "tls: termination: reencrypt, certificate:, key:, caCertificate:.... "
@Ho-un7lt 3 years ago
Where are your minecraft images stored? I think you have not created a pv or pvc...
@OCPdude 3 years ago
Please check my GitHub, I have a Minecraft repo that better explains it. *I use themes extracted on nfs, then mount those.