Updating the OpenShift Local (Code Ready Containers) Internal Registry Mirroring or Adding External Registries

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/01 at 11:51 PM

 

Category:
RH OpenShift
Reference

Overview:


The OpenShift Container Platform cluster running in the OpenShift Local (CRC) instance includes an internal container image registry. This internal container image registry is used as a publication target for locally developed container images.


Instructions to Quickly Add Insecure Registries:


Note:
- "Insecure" here does not mean that TLS won't be used; it means the registry's certificate is not validated, because the root CA has not been imported first
- To avoid the insecure setting, import the CA first via oc create configmap. (search this repository)

1. Login as kubeadmin:
$ oc login -u kubeadmin <api-url-above>
<confirm Login successful>

$ oc config use-context crc-admin
$ oc whoami
<view output - confirm = kubeadmin>


2. Login to the registry and review Pods and image registry configuration:
$ oc registry login --insecure=true

$ oc get pods -n openshift-image-registry
<view output - should be 4 pods, the operator one and 3 node ones>

$ oc get image.config.openshift.io/cluster -o yaml
<view output>

Notes:
- The spec section is where we define insecure registries, allowed/blocked registries, and add root CA certificates for trust
- The internalRegistryHostname displays the URL of the internal registry (e.g. image-registry.openshift-image-registry.svc:5000)
- The OpenShift Local (CRC) is set-up with the registry-certs trusted CA and only its internal registry set-up

3. Create a new project (namespace) to tag the image registry:
$ oc new-project <projectname>
<confirm created>


4. Adding images:
Notes:
- There are multiple ways to proceed. For example: oc patch adding a spec with a registrySource, and oc image mirror to map a remote registry with a new local one
- Before adding images, registry.access.redhat.com and registry.redhat.io registries require the ConfigMap import of certs and credentials for access (Registry Service Account Management Application)

a. Use oc patch to add one or multiple insecure registries:
- single:
$ oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["registry.mindwatering.net:5000"]}}}'

- multiple:
$ oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["registry.mindwatering.com:5000","10.0.122.50:8443","quay.io","registry.access.redhat.com","registry.redhat.io"]}}}'

b. Use oc image mirror to mirror a registry image into the local image registry in the <projectname> namespace created in step 3 above:
- Map Red Hat registry.access.redhat.com:
$ oc image mirror registry.access.redhat.com/ubi8/ubi:latest=default-route-openshift-image-registry.apps-crc.testing/<projectname>/ubi8:latest --insecure=true --filter-by-os=linux/amd64

c. Use oc edit to edit the image.config.openshift.io/cluster registry entries:
$ oc edit image.config.openshift.io/cluster

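apiVersion: config.openshift.io/v1
kind: Image
metadata:
  name: cluster
spec:
  registrySources:
    insecureRegistries:
      - registry.mindwatering.net:5000
      - 10.0.122.50:8443
    allowedRegistries:
      - registry.mindwatering.net:5000
      - 10.0.122.50:8443
      - registry.redhat.io
      - quay.io
      - registry.access.redhat.com
      # Once allowedRegistries is set, every unlisted registry is blocked,
      # so the internal registry (internalRegistryHostname) is listed as well
      - image-registry.openshift-image-registry.svc:5000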
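
An added example, not part of the original page: a POSIX shell check of the registrySources lists edited in step 4. It flags public registries that have TLS verification switched off and entries that a non-empty allowedRegistries list would block; the function names, finding labels, PUBLIC_REGISTRIES list and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit spec.registrySources.
# Arguments are space-separated lists, as produced by -o jsonpath='{...[*]}'.

# Assumption: registries named on this page that present publicly trusted certificates.
PUBLIC_REGISTRIES="quay.io registry.access.redhat.com registry.redhat.io"

# in_list ITEM LIST -> exit 0 when ITEM is one of the words in LIST
in_list() {
    for _entry in $2; do
        [ "$_entry" = "$1" ] && return 0
    done
    return 1
}

# audit_registry_sources INSECURE ALLOWED INTERNAL
# Prints one finding per line; prints nothing when the lists look sane.
# Exact-match only: wildcard or repository-scoped entries are not handled.
audit_registry_sources() {
    insecure=$1 allowed=$2 internal=$3
    for reg in $insecure; do
        if in_list "$reg" "$PUBLIC_REGISTRIES"; then
            echo "TLS-SKIPPED-PUBLIC $reg"
        fi
        if [ -n "$allowed" ] && ! in_list "$reg" "$allowed"; then
            echo "INSECURE-BUT-BLOCKED $reg"
        fi
    done
    # A non-empty allowedRegistries blocks everything that is not listed,
    # the cluster's own internal registry included.
    if [ -n "$allowed" ] && [ -n "$internal" ] && ! in_list "$internal" "$allowed"; then
        echo "INTERNAL-NOT-ALLOWED $internal"
    fi
}

# audit_cluster: read the live lists with oc (requires a logged-in session).
audit_cluster() {
    res=image.config.openshift.io/cluster
    audit_registry_sources \
        "$(oc get $res -o jsonpath='{.spec.registrySources.insecureRegistries[*]}')" \
        "$(oc get $res -o jsonpath='{.spec.registrySources.allowedRegistries[*]}')" \
        "$(oc get $res -o jsonpath='{.status.internalRegistryHostname}')"
}

# Constructed sample lists, built from registry names used on this page.
SAMPLE_INSECURE="registry.mindwatering.com:5000 10.0.122.50:8443 quay.io registry.access.redhat.com registry.redhat.io"
SAMPLE_ALLOWED="registry.mindwatering.net:5000 10.0.122.50:8443 registry.redhat.io quay.io registry.access.redhat.com"
audit_registry_sources "$SAMPLE_INSECURE" "$SAMPLE_ALLOWED" "image-registry.openshift-image-registry.svc:5000"
```

Run audit_cluster after the rollout in step 5 completes; no output means none of the three conditions was found.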



5. Monitor the operator (MCO) rollout of image registries:
Notes:
- Performed in OpenShift by the Machine Config Operator (MCO)
- MCO updates the /etc/containers/registries.conf on each node
- MCO initiates reboot of each node, one at a time

$ oc get machineconfigpool
<view output - note whether the UPDATED column shows True; when the rollout is done, all entries should show True>


6. Create a test pod (deployment) using an image in a repository:
a. Create a pod called: test-pull-helloworld
$ oc run test-pull-helloworld --image=registry.mindwatering.net:5000/helloworld:latest --restart=Never
<wait a second>

b. Monitor:
$ oc get pod test-pull-helloworld
<confirm pod READY = 1/1 and STATUS = Running>

Note:
- Repeat the command above until the status shows Running
- If it fails, run oc describe on the pod

$ oc describe pod test-pull-helloworld

Alternatively, to view only the Events section:
$ oc describe pod test-pull-helloworld | grep -A 5 Events

c. Delete the test pod:
$ oc delete pod test-pull-helloworld











