Saturday, November 23, 2024

How To Allow Insecure Registries in OpenShift / OKD 4.x Cluster

For any deployment on an OpenShift / OKD 4.x cluster, a source for container images is a requirement for it to be successful. OpenShift allows you to use your private registries as a source of images. Public registries such as Docker Hub, Quay, gcr, etc. and the integrated OpenShift registry always work well. The problem arises when you want to use private registries without a valid SSL certificate or registries served over plain HTTP.

There are two ways you can use private insecure registries on OpenShift / OKD cluster.

  1. If using a self-signed SSL certificate – Import the certificate into the OpenShift CA trust.
  2. Add the registry to the insecure registries list – The Machine Config Operator (MCO) will push the updated configuration to all nodes in the cluster and reboot them.


Add additional trust stores for image registry access

Let’s assume your registry URL is ocr.example.com, on the default HTTPS port (443), and certificate file is ocr.example.com.crt.

This is how you configure additional CAs that should be trusted during image imports, pod image pulls, and builds. Note that the CAs must be in PEM-encoded format. The key in --from-file is the registry hostname; if the registry listens on a non-default port, the hostname and port are separated by two consecutive dots instead of a colon (for example ocr.example.com..5000=ocr.example.com.crt), because a colon is not allowed in a ConfigMap key.

--- syntax ---
$ oc create configmap registry-config \
  --from-file=<external_registry_address>=ca.crt \
  -n openshift-config

--- Example ---
$ oc create configmap registry-config \
  --from-file=ocr.example.com=ocr.example.com.crt \
  -n openshift-config

Then edit the image registry cluster config and specify additionalTrustedCA.

$ oc edit image.config.openshift.io cluster
spec:
  additionalTrustedCA:
    name: registry-config

Whitelisting insecure image registries

You can also add an insecure registry by editing the image.config.openshift.io/cluster custom resource (CR). This is common for registries which only support HTTP connections or present invalid certificates.

Edit the image.config.openshift.io/cluster custom resource:

$ oc edit image.config.openshift.io/cluster

Under the registrySources section, list the registries that should be treated as insecure (HTTP only or untrusted certificate) in insecureRegistries. Image pulls and pushes to these registries are then permitted without certificate verification.

....
spec:
  additionalTrustedCA:
    name: registry-config
  registrySources:
    insecureRegistries:
    - ocr.example.com

You can add more entries under insecureRegistries if you have multiple registries. To block a registry, add a blockedRegistries entry as shown below.

....
spec:
  additionalTrustedCA:
    name: registry-config
  registrySources:
    insecureRegistries:
    - ocr.example.com
    blockedRegistries:
    - untrusted.com

The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster resource for any changes to registry settings. When it detects a change, it rolls the new configuration out to the nodes and reboots them.

The new registry configuration is written to the /etc/containers/registries.conf file on each node.
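As an added example (not from the original post or the MCO project), here is a small Python audit script for that rendered file: it parses the [[registry]] tables of a registries.conf and reports which registries ended up marked insecure or blocked, so an admin can confirm the node configuration matches the intended image.config.openshift.io/cluster spec. The sample file content and the function names are constructed for this example.

```python
import re

# Constructed sample of the [[registry]] tables the MCO renders into /etc/containers/registries.conf.
SAMPLE_REGISTRIES_CONF = """\
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
  location = "ocr.example.com"
  insecure = true

[[registry]]
  location = "untrusted.com"
  blocked = true
"""

KV_RE = re.compile(r'^([A-Za-z_-]+)\s*=\s*(.+?)$')

def parse_registries(text):
    """Return one dict per [[registry]] table (a small subset-of-TOML parser)."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not stripped:
            continue
        if stripped == "[[registry]]":
            current = {}
            entries.append(current)
        elif stripped.startswith("["):             # e.g. [[registry.mirror]]: skip
            current = None
        elif current is not None and (m := KV_RE.match(stripped)):
            key, raw = m.groups()
            if raw in ("true", "false"):
                current[key] = raw == "true"
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[key] = raw[1:-1]
    return entries

def audit(text, expected_insecure=(), expected_blocked=()):
    """Diff the rendered node config against the registries the admin intended."""
    entries = parse_registries(text)
    insecure = {e["location"] for e in entries if e.get("insecure")}
    blocked = {e["location"] for e in entries if e.get("blocked")}
    return {
        "insecure": sorted(insecure),
        "blocked": sorted(blocked),
        "unexpected_insecure": sorted(insecure - set(expected_insecure)),
        "missing_insecure": sorted(set(expected_insecure) - insecure),
        "missing_blocked": sorted(set(expected_blocked) - blocked),
    }
```

Run it against a copy of the file fetched from a node (for example via oc debug node/<name>) with the registries you expect; any entry in unexpected_insecure is a registry the nodes will trust without certificate verification that was not intended.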
