mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
cleanup registry configuration docs
committed by
openshift-cherrypick-robot
parent
3a721a6113
commit
8905fda8f0
55
modules/images-configuration-cas.adoc
Normal file
@@ -0,0 +1,55 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * registry/configuring-registry-operator.adoc
|
||||
// * openshift_images/image-configuration.adoc
|
||||
|
||||
[id="images-configuration-cas_{context}"]
|
||||
= Configuring additional trust stores for image registry access
|
||||
|
||||
The `image.config.openshift.io/cluster` resource can contain a reference
|
||||
to a ConfigMap that contains additional certificate authorities to be trusted
|
||||
during image registry access.
|
||||
|
||||
.Prerequisites
|
||||
* The CAs must be PEM-encoded.
|
||||
|
||||
.Procedure
|
||||
|
||||
You can create a ConfigMap in the `openshift-config` namespace and use its name
|
||||
in `AdditionalTrustedCA` in the `image.config.openshift.io` resource to provide
|
||||
additional CAs that should be trusted when contacting external registries.
|
||||
|
||||
The ConfigMap key is the host name of a registry with the port for which this CA is to be
|
||||
trusted, and the base64-encoded certificate is the value, for each additional registry CA to trust.
|
||||
|
||||
.Image registry CA ConfigMap example
|
||||
[source,yaml]
|
||||
----
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: my-registry-ca
|
||||
data:
|
||||
registry.example.com: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
registry-with-port.example.com..5000: | <1>
|
||||
-----BEGIN CERTIFICATE-----
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
----
|
||||
<1> If the registry has the port, such as `registry-with-port.example.com:5000`,
|
||||
`:` should be replaced with `..`.
|
||||
|
||||
You can configure additional CAs with the following procedure.
|
||||
|
||||
. To configure an additional CA:
|
||||
+
|
||||
----
|
||||
$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
|
||||
$ oc edit image.config.openshift.io cluster
|
||||
spec:
|
||||
additionalTrustedCA:
|
||||
name: registry-config
|
||||
----
|
||||
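Review bot: In the paragraph describing the ConfigMap key and value, "the base64-encoded certificate is the value" conflicts with the prerequisite "The CAs must be PEM-encoded" and with the example, whose values are PEM blocks. A reader could strip the BEGIN/END armor or encode the file a second time. Suggest "the PEM-encoded certificate is the value". The `oc create configmap` step should also repeat callout <1>: `<external_registry_address>` needs `..` in place of `:` when the registry has a port. The sample ConfigMap could show `namespace: openshift-config` to match the procedure text.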
@@ -1,110 +0,0 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * registry/configuring-registry-operator.adoc
|
||||
|
||||
[id="registry-operator-config-resources-configmap_{context}"]
|
||||
= Configuring a ConfigMap for the Image Registry Operator
|
||||
|
||||
In addition to the `configs.imageregistry.operator.openshift.io` and secret
|
||||
resources, configuration is provided to the Operator by a separate ConfigMap
|
||||
resource located within the `openshift-image-registry` namespace.
|
||||
|
||||
.Prerequisites
|
||||
* The CAs must be PEM-encoded.
|
||||
|
||||
.Procedure
|
||||
|
||||
You can create a ConfigMap in the `openshift-config` namespace and use its name
|
||||
in `AdditionalTrustedCA` in the `image.config.openshift.io` resource to provide
|
||||
additional CAs that should be trusted when contacting external registries.
|
||||
|
||||
////
|
||||
* Create a `*ConfigMap*` holding the content of each file in this directory:
|
||||
+
|
||||
----
|
||||
$ oc create configmap registry-config \
|
||||
--from-file=</path/to/custom/registry/config.yml>/
|
||||
----
|
||||
|
||||
.Registry configuration file example
|
||||
[source,yaml]
|
||||
----
|
||||
version: 0.1
|
||||
log:
|
||||
level: debug
|
||||
http:
|
||||
addr: :5000
|
||||
storage:
|
||||
cache:
|
||||
blobdescriptor: inmemory
|
||||
filesystem:
|
||||
rootdirectory: /registry
|
||||
delete:
|
||||
enabled: true
|
||||
auth:
|
||||
openshift:
|
||||
realm: openshift
|
||||
middleware:
|
||||
registry:
|
||||
- name: openshift
|
||||
repository:
|
||||
- name: openshift
|
||||
options:
|
||||
acceptschema2: true
|
||||
pullthrough: true
|
||||
enforcequota: false
|
||||
projectcachettl: 1m
|
||||
blobrepositorycachettl: 10m
|
||||
storage:
|
||||
- name: openshift
|
||||
openshift:
|
||||
version: 1.0
|
||||
metrics:
|
||||
enabled: false
|
||||
secret: <secret>
|
||||
----
|
||||
////
|
||||
|
||||
The key is the host name of a registry with the port for which this CA is to be
|
||||
trusted.
|
||||
|
||||
You can configure additional CAs with the following procedure.
|
||||
|
||||
. To configure an additional CA:
|
||||
+
|
||||
----
|
||||
$ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
|
||||
$ oc edit image.config.openshift.io cluster
|
||||
spec:
|
||||
additionalTrustedCA:
|
||||
name: registry-config
|
||||
----
|
||||
+
|
||||
. Check your image inside the `image-registry` pod:
|
||||
+
|
||||
----
|
||||
$ oc rsh image-registry-xxxxx
|
||||
sh-4.3
|
||||
$ ls /etc/pki/ca-trust/source/anchors
|
||||
<external_registry_address> image-registry.openshift-image-registry.svc..5000 image-registry.openshift-image-registry.svc.cluster.local..5000
|
||||
----
|
||||
|
||||
.Image registry CA example
|
||||
[source,yaml]
|
||||
----
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: my-registry-ca
|
||||
data:
|
||||
registry.example.com: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
registry-with-port.example.com..5000: | <1>
|
||||
-----BEGIN CERTIFICATE-----
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
----
|
||||
<1> If the registry has the port, such as `registry-with-port.example.com:5000`,
|
||||
`:` should be replaced with `..`.
|
||||
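Review bot: The removed module's second step, "Check your image inside the `image-registry` pod" with `ls /etc/pki/ca-trust/source/anchors`, has no counterpart in the new `modules/images-configuration-cas.adoc`, which stops after `oc edit image.config.openshift.io cluster`. That step was the only check the docs gave for confirming the CA had reached the registry pod's trust anchors. Suggest carrying it over to the new module, or stating in the commit message why it was dropped.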
@@ -3,11 +3,11 @@
|
||||
// * registry/configuring-registry-operator.adoc
|
||||
|
||||
|
||||
[id="registry-operator-config-resources-secret_{context}"]
|
||||
= Configuring a secret for the Image Registry Operator
|
||||
[id="registry-operator-config-resources-storage-credentials_{context}"]
|
||||
= Configuring storage credentials for the Image Registry Operator
|
||||
|
||||
In addition to the `configs.imageregistry.operator.openshift.io` and ConfigMap
|
||||
resources, configuration is provided to the Operator by a separate secret
|
||||
resources, storage credential configuration is provided to the Operator by a separate secret
|
||||
resource located within the `openshift-image-registry` namespace.
|
||||
|
||||
The `image-registry-private-configuration-user` secret provides
|
||||
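Review bot: The reworded opening sentence still reads "In addition to the `configs.imageregistry.operator.openshift.io` and ConfigMap resources", but this commit deletes the module that described the Operator ConfigMap, so the reference no longer has a target in the assembly. Suggest dropping "and ConfigMap" from that sentence. The `[id=...]` change from `registry-operator-config-resources-secret_{context}` to `registry-operator-config-resources-storage-credentials_{context}` also alters the section anchor, so any cross-references to the old id need checking.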
@@ -10,6 +10,8 @@ include::modules/images-configuration-parameters.adoc[leveloffset=+1]
|
||||
|
||||
include::modules/images-configuration-file.adoc[leveloffset=+1]
|
||||
|
||||
include::modules/images-configuration-cas.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/images-configuration-insecure.adoc[leveloffset=+2]
|
||||
|
||||
include::modules/images-configuration-registry-mirror.adoc[leveloffset=+2]
|
||||
|
||||
@@ -39,9 +39,9 @@ include::modules/registry-operator-configuration-resource-overview.adoc[leveloff
|
||||
|
||||
include::modules/registry-operator-default-crd.adoc[leveloffset=+1]
|
||||
|
||||
include::modules/registry-operator-config-resources-configmap.adoc[leveloffset=+1]
|
||||
include::modules/images-configuration-cas.adoc[leveloffset=+1]
|
||||
|
||||
include::modules/registry-operator-config-resources-secret.adoc[leveloffset=+1]
|
||||
include::modules/registry-operator-config-resources-storage-credentials.adoc[leveloffset=+1]
|
||||
|
||||
== Additional resources
|
||||
|
||||
|
||||