diff --git a/modules/images-configuration-cas.adoc b/modules/images-configuration-cas.adoc new file mode 100644 index 0000000000..b52179f0f7 --- /dev/null +++ b/modules/images-configuration-cas.adoc @@ -0,0 +1,55 @@ +// Module included in the following assemblies: +// +// * registry/configuring-registry-operator.adoc +// * openshift_images/image-configuration.adoc + +[id="images-configuration-cas_{context}"] += Configuring additional trust stores for image registry access + +The `image.config.openshift.io/cluster` resource can contain a reference +to a ConfigMap that contains additional certificate authorities to be trusted +during image registry access. + +.Prerequisites +* The CAs must be PEM-encoded. + +.Procedure + +You can create a ConfigMap in the `openshift-config` namespace and use its name +in `AdditionalTrustedCA` in the `image.config.openshift.io` resource to provide +additional CAs that should be trusted when contacting external registries. + +The ConfigMap key is the host name of a registry with the port for which this CA is to be +trusted, and the base64-encoded certificate is the value, for each additional registry CA to trust. + +.Image registry CA ConfigMap example +[source,yaml] +---- +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-registry-ca +data: + registry.example.com: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + registry-with-port.example.com..5000: | <1> + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- +---- +<1> If the registry has the port, such as `registry-with-port.example.com:5000`, +`:` should be replaced with `..`. + +You can configure additional CAs with the following procedure. + +. To configure an additional CA: ++ +---- +$ oc create configmap registry-config --from-file==ca.crt -n openshift-config +$ oc edit image.config.openshift.io cluster +spec: + additionalTrustedCA: + name: registry-config +---- 
diff --git a/modules/registry-operator-config-resources-configmap.adoc b/modules/registry-operator-config-resources-configmap.adoc deleted file mode 100644 index 5ee3e8966f..0000000000 --- a/modules/registry-operator-config-resources-configmap.adoc +++ /dev/null 
@@ -1,110 +0,0 @@ -// Module included in the following assemblies: -// -// * registry/configuring-registry-operator.adoc - -[id="registry-operator-config-resources-configmap_{context}"] -= Configuring a ConfigMap for the Image Registry Operator - -In addition to the `configs.imageregistry.operator.openshift.io` and secret -resources, configuration is provided to the Operator by a separate ConfigMap -resource located within the `openshift-image-registry` namespace. - -.Prerequisites -* The CAs must be PEM-encoded. - -.Procedure - -You can create a ConfigMap in the `openshift-config` namespace and use its name -in `AdditionalTrustedCA` in the `image.config.openshift.io` resource to provide -additional CAs that should be trusted when contacting external registries. - -//// -* Create a `*ConfigMap*` holding the content of each file in this directory: -+ ----- -$ oc create configmap registry-config \ - --from-file=/ ----- - -.Registry configuration file example -[source,yaml] ----- -version: 0.1 -log: - level: debug -http: - addr: :5000 -storage: - cache: - blobdescriptor: inmemory - filesystem: - rootdirectory: /registry - delete: - enabled: true -auth: - openshift: - realm: openshift -middleware: - registry: - - name: openshift - repository: - - name: openshift - options: - acceptschema2: true - pullthrough: true - enforcequota: false - projectcachettl: 1m - blobrepositorycachettl: 10m - storage: - - name: openshift -openshift: - version: 1.0 - metrics: - enabled: false - secret: ----- -//// - -The key is the host name of a registry with the port for which this CA is to be -trusted. - -You can configure additional CAs with the following procedure. - -. To configure an additional CA: -+ ----- -$ oc create configmap registry-config --from-file==ca.crt -n openshift-config -$ oc edit image.config.openshift.io cluster -spec: - additionalTrustedCA: - name: registry-config ----- -+ -. 
Check your image inside the `image-registry` pod: -+ ----- -$ oc rsh image-registry-xxxxx -sh-4.3 -$ ls /etc/pki/ca-trust/source/anchors - image-registry.openshift-image-registry.svc..5000 image-registry.openshift-image-registry.svc.cluster.local..5000 ----- - -.Image registry CA example -[source,yaml] ----- -apiVersion: v1 -kind: ConfigMap -metadata: - name: my-registry-ca -data: - registry.example.com: | - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- - registry-with-port.example.com..5000: | <1> - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- ----- -<1> If the registry has the port, such as `registry-with-port.example.com:5000`, -`:` should be replaced with `..`. diff --git a/modules/registry-operator-config-resources-secret.adoc b/modules/registry-operator-config-resources-storage-credentials.adoc similarity index 77% rename from modules/registry-operator-config-resources-secret.adoc rename to modules/registry-operator-config-resources-storage-credentials.adoc index 8ed4c50a09..1841d9009a 100644 --- a/modules/registry-operator-config-resources-secret.adoc +++ b/modules/registry-operator-config-resources-storage-credentials.adoc @@ -3,11 +3,11 @@ // * registry/configuring-registry-operator.adoc -[id="registry-operator-config-resources-secret_{context}"] -= Configuring a secret for the Image Registry Operator +[id="registry-operator-config-resources-storage-credentials_{context}"] += Configuring storage credentials for the Image Registry Operator In addition to the `configs.imageregistry.operator.openshift.io` and ConfigMap -resources, configuration is provided to the Operator by a separate secret +resources, storage credential configuration is provided to the Operator by a separate secret resource located within the `openshift-image-registry` namespace. The `image-registry-private-configuration-user` secret provides 
diff --git a/openshift_images/image-configuration.adoc b/openshift_images/image-configuration.adoc index bc872e44ee..4b8b02df40 100644 --- a/openshift_images/image-configuration.adoc +++ b/openshift_images/image-configuration.adoc @@ -10,6 +10,8 @@ include::modules/images-configuration-parameters.adoc[leveloffset=+1] include::modules/images-configuration-file.adoc[leveloffset=+1] +include::modules/images-configuration-cas.adoc[leveloffset=+2] + include::modules/images-configuration-insecure.adoc[leveloffset=+2] include::modules/images-configuration-registry-mirror.adoc[leveloffset=+2] diff --git a/registry/configuring-registry-operator.adoc b/registry/configuring-registry-operator.adoc index 15bb5723c1..b1d7f80f00 100644 --- a/registry/configuring-registry-operator.adoc +++ b/registry/configuring-registry-operator.adoc @@ -39,9 +39,9 @@ include::modules/registry-operator-configuration-resource-overview.adoc[leveloff include::modules/registry-operator-default-crd.adoc[leveloffset=+1] -include::modules/registry-operator-config-resources-configmap.adoc[leveloffset=+1] +include::modules/images-configuration-cas.adoc[leveloffset=+1] -include::modules/registry-operator-config-resources-secret.adoc[leveloffset=+1] +include::modules/registry-operator-config-resources-storage-credentials.adoc[leveloffset=+1] == Additional resources
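Review bot: in the new `images-configuration-cas.adoc`, the procedure step `$ oc create configmap registry-config --from-file==ca.crt -n openshift-config` has a doubled `=`, and even with that fixed the resulting ConfigMap key would be the file name `ca.crt`, not the registry host name that the paragraph above says the key must be; suggest the `key=path` form, for example `--from-file=registry.example.com..5000=ca.crt`, so the key matches the `..`-for-`:` convention the callout explains. The same listing mixes two shell commands with the YAML fragment (`spec:` / `additionalTrustedCA:` / `name: registry-config`) that the reader is meant to set inside `oc edit`; show the YAML as the content to add rather than as further terminal input. The text also says the value is the "base64-encoded certificate" while the prerequisite and the example show a PEM block under `data:`; these should agree (PEM text under `data:`, or base64 under `binaryData:`), otherwise readers will double-encode the CA and the registry client will reject it.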
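Review bot: deleting `registry-operator-config-resources-configmap.adoc` also drops its verification step (`oc rsh image-registry-xxxxx` followed by `ls /etc/pki/ca-trust/source/anchors`), which was rendered content and is the only check shown anywhere that the additional CA actually landed in the registry pod's trust store; the replacement module `images-configuration-cas.adoc` has no equivalent, so suggest carrying that step over as a final "Verification" item there. The commented-out `////` registry configuration file example in the deleted file was never rendered, so nothing is lost for readers by removing it.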
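Review bot: the renamed module's opening sentence still reads "In addition to the `configs.imageregistry.operator.openshift.io` and ConfigMap resources", but the ConfigMap module it was paired with is deleted in this same patch and replaced by the additional-CA module, so the reference is now loose; suggest naming the additional trusted CA ConfigMap explicitly or dropping the clause. The anchor id also changes from `registry-operator-config-resources-secret_{context}` to `registry-operator-config-resources-storage-credentials_{context}`; any `xref:` to the old id elsewhere in the docs (not visible in this patch) needs updating or the build will break.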