openshift-docs/modules/images-editing-image-registry-settings-hcp.adoc

// Module included in the following assemblies:
//
// * openshift_images/image-configuration-hcp.adoc
// * post_installation_configuration/preparing-for-users.adoc

:_mod-docs-content-type: PROCEDURE
[id="images-editing-image-registry-settings-hcp_{context}"]
= Editing image registry settings for {product-title}

You can change the image registry config with the `rosa edit` command.

[WARNING]
====
When the `allowedRegistries` parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red{nbsp}Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of `image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io` and it is also visible when running the `rosa describe cluster` command.
====

[NOTE]
====
You can change any registry-related parameter, which will trigger a rollout across all machine pools; all machine pool nodes will be recreated, following pod draining from each node.
====

.Procedure

* Update or edit the image registry for the cluster by running the following command:

+
[source,terminal]
----
$ rosa edit cluster --registry-config-insecure-registries <insecure_registries> \
   --registry-config-allowed-registries <allowed_registries> \
   --registry-config-allowed-registries-for-import <registry_name:insecure> \
   --registry-config-additional-trusted-ca <additional_trusted_ca_file>
----
+
.Example output
[source,terminal]
----
? Changing any registry related parameter will trigger a rollout across all machinepools
(all machinepool nodes will be recreated, following pod draining from each node).
Do you want to proceed? Yes
I: Updated cluster '<cluster_name>'
----

.Verification
* Run the `rosa describe` command again, to see if the changes you made to your image registry updated by running the following command:
+
[source,terminal]
----
$ rosa describe cluster --cluster=<cluster_name>
----
+
.Example output
[source,terminal]
----
Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ

Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries: <allowed_registry> <1> <2>
 - Insecure Registries: <insecure_registry> <3>
 - Allowed Registries for Import: <4>
    - Domain Name: <domain_name> <5>
    - Insecure: true <6>
 - Platform Allowlist: <platform_allowlist_id> <7>
    - Registries:      <list_of_registries> <8>
 - Additional Trusted CA: <9>
    - <registry_name> : REDACTED
----
<1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
<5> `domainName`: Specifies a domain name for the registry.
<6> `insecure`: Indicates whether the registry is secure or insecure.
<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.