OpenShift’s internal registry provides a robust and secure way to manage container images. In this blog post, I'll walk through configuring the registry, exposing it as a route, pushing an Nginx image, and deploying the image using the internal service object for efficient and seamless operations.
1. Configure the OpenShift Internal Registry
The OpenShift internal registry is managed by the cluster’s image registry operator. To get started, ensure the registry is properly configured and verify its status.
Run the following command to check the registry configuration:
oc get configs.imageregistry.operator.openshift.io/cluster -o yaml
Ensure the managementState is set to Managed and the registry has a storage backend configured (e.g., Persistent Volume)
apiVersion: imageregistry.operator.openshift.io/v1
kind: Config
metadata:
name: cluster
spec:
defaultRoute: true
logLevel: Normal
managementState: Managed
observedConfig: null
operatorLogLevel: Normal
proxy: {}
replicas: 2
requests:
read:
maxWaitInQueue: 0s
write:
maxWaitInQueue: 0s
rolloutStrategy: RollingUpdate
storage:
managementState: Unmanaged
pvc:
claim: registry-storage-pv-claim
unsupportedConfigOverrides: null
2. Expose the Registry as a Route
To push images externally, expose the registry using a route. OpenShift automatically creates a default route for the registry if enabled.
Patch the registry configuration to enable the default route, if its not already enabled.
oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
Verify
REGISTRY_ROUTE=$(oc get route -n openshift-image-registry default-route -o jsonpath='{.spec.host}')
echo "Registry Route: $REGISTRY_ROUTE"
The registry will be accessible at https://<REGISTRY_ROUTE>.
3. Push an Nginx Image to the Internal Registry
Now that the registry is exposed, let’s push the Nginx image to a project in OpenShift.
Step 1: Create and Configure a Service Account
First, create a dedicated service account for pushing images and assign the necessary roles:
# oc new-project demo # Assuming we are using this project to operate
# Create a service account
oc create serviceaccount image-pusher -n demo
# Grant the system:image-pusher and edit roles to the service account
oc policy add-role-to-user edit system:serviceaccount:demo:image-pusher -n demo
Step 2: Get the Registry Route
Retrieve the OpenShift internal registry route dynamically:
REGISTRY_ROUTE=$(oc get route -n openshift-image-registry default-route -o jsonpath='{.spec.host}')
echo "Registry Route: $REGISTRY_ROUTE"
Step 3: Authenticate Using the Service Account
Log in to the registry using the service account token:
podman login --tls-verify=false $REGISTRY_ROUTE \
--username image-pusher \
--password $(oc create token image-pusher -n demo)
You should see:
Login Succeeded!
Step 4: Tag the Image
Pull the Nginx image locally and tag it for the OpenShift internal registry:
podman pull nginxinc/nginx-unprivileged:latest
podman tag nginxinc/nginx-unprivileged:latest $REGISTRY_ROUTE/demo/nginx-unprivileged:latest
Step 5: Push the Image
Push the tagged image to the OpenShift internal registry:
podman push --tls-verify=false $REGISTRY_ROUTE/demo/nginx-unprivileged:latest
Step 6: Verify the Push
Confirm the image is successfully pushed by listing the image streams in the project:
oc get imagestreams -n demo
You should see the nginx image listed with the appropriate tags.
4. Deploy the Nginx Image Using the Internal Service Object
Using the internal service object avoids the need for external routes and automatically manages certificates.
Step 1: Reference the Internal Service
The internal service for the registry is available at:
image-registry.openshift-image-registry.svc.cluster.local:5000
You can directly reference your image in this format:
image-registry.openshift-image-registry.svc.cluster.local:5000/<PROJECT>/nginx:latest
Step 2: Grant Image Pull Access
Service accounts require an image pull secret to access the OpenShift internal registry. Follow these steps:
- Create an ImagePullSecret: Generate a pull secret for the internal registry using your credentials or service account token:
oc create secret docker-registry image-pull-secret \
--docker-server=image-registry.openshift-image-registry.svc.cluster.local:5000 \
--docker-username=serviceaccount \
--docker-password=$(oc whoami -t) \
--docker-email=unused \
-n demo
- Link the Secret to the Service Account: Attach the image-pull-secret to the service account used by your pod (e.g., default):
oc secrets link default image-pull-secret --for=pull -n demo
- Grant Image Pull Permissions Ensure that the service account pulling the image has permission to access it. Grant the system:image-puller role to the service account:
oc policy add-role-to-user system:image-puller system:serviceaccount:demo:default -n demo
Replace default with the service account name if you use a custom service account.
Step 3: Create a Deployment
Deploy the Nginx container using the internal service object:
cat <<EOF | oc apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: demo
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: image-registry.openshift-image-registry.svc.cluster.local:5000/demo/nginx-unprivileged:latest
ports:
- containerPort: 80
EOF
Verify pod is running.
oc get pods -n demo
Top comments (0)