Image Registry Operator in OKD

    After the control plane deploys, the Operator creates a default configs.imageregistry.operator.openshift.io resource instance based on configuration detected in the cluster.

    If insufficient information is available to define a complete configs.imageregistry.operator.openshift.io resource, the incomplete resource is defined and the Operator updates the resource status with information about what is missing.

    The Image Registry Operator runs in the openshift-image-registry namespace, and manages the registry instance in that location as well. All configuration and workload resources for the registry reside in that namespace.

    Image Registry on bare metal and vSphere

    On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself with managementState Removed. This lets openshift-installer complete the installation on these platform types instead of waiting for storage that the Operator cannot detect.

    After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed, and configure a storage backend in the same spec: with no object storage to detect, the Operator has nothing to back the registry with until you tell it what to use.
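    The two post-install changes described above, as an added example that is not part of the OKD documentation or of the Operator's own tooling: a POSIX shell script that moves the registry from Removed to Managed and gives it storage in the same merge patch. It assumes oc is logged in with cluster-admin rights; the PVC name image-registry-storage is an assumption made for this example, and the emptyDir branch is included only to show the ephemeral option, which loses every pushed image when the registry pod restarts or is rescheduled.

```shell
#!/bin/sh
# Added example, not from the OKD docs or the Operator: enable the integrated
# registry on a platform without object storage. Assumes `oc` is logged in as
# cluster-admin. The PVC name used below is an assumption for this example.

CFG="configs.imageregistry.operator.openshift.io/cluster"

# Current managementState of the registry config, e.g. "Removed" or "Managed".
registry_state() {
  oc get "$CFG" -o jsonpath='{.spec.managementState}'
}

# Build the merge patch. Arguments: storage kind (pvc|emptyDir), PVC claim name.
registry_patch_json() {
  kind="$1"; claim="${2:-}"
  case "$kind" in
    pvc)
      [ -n "$claim" ] || { echo "pvc storage needs a claim name" >&2; return 1; }
      printf '{"spec":{"managementState":"Managed","storage":{"pvc":{"claim":"%s"}}}}' "$claim"
      ;;
    emptyDir)
      # emptyDir lives inside the registry pod: every pushed image is lost when
      # the pod restarts or moves to another node. Test clusters only.
      printf '{"spec":{"managementState":"Managed","storage":{"emptyDir":{}}}}'
      ;;
    *)
      echo "unsupported storage kind: $kind" >&2; return 1 ;;
  esac
}

# Apply the patch only while the registry is Removed. A JSON merge patch
# replaces the whole storage block, so running this against a Managed registry
# would silently swap the backend underneath images it already holds.
registry_enable() {
  kind="$1"; claim="${2:-}"
  state=$(registry_state) || return 1
  if [ "$state" != "Removed" ]; then
    echo "registry is $state, not Removed; leaving spec untouched" >&2
    return 2
  fi
  patch=$(registry_patch_json "$kind" "$claim") || return 1
  oc patch "$CFG" --type merge --patch "$patch"
}

# Block until the image-registry ClusterOperator reports Available=True.
registry_wait_available() {
  oc wait clusteroperator/image-registry --for=condition=Available=True --timeout=300s
}

if command -v oc >/dev/null 2>&1; then
  registry_enable pvc image-registry-storage && registry_wait_available
fi
```

    The guard on managementState is the part worth keeping: the Operator accepts a patch that changes storage on a Managed registry, so the check is the only thing standing between a typo and a registry that has quietly forgotten its images.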

    Image Registry Operator distribution across availability zones

    By default, the Image Registry Operator spreads image registry pods across topology zones, so that a complete zone failure does not take out every registry pod at once and recovery is not delayed by rescheduling all of them.

    The Image Registry Operator defaults to the following when deployed with a zone-related topology constraint:

    Image Registry Operator deployed with a zone-related topology constraint

    The Image Registry Operator defaults to the following when deployed without a zone-related topology constraint, which applies to bare metal and vSphere instances:

    Image Registry Operator deployed without a zone-related topology constraint

    topologySpreadConstraints:
    - labelSelector:
        matchLabels:
          docker-registry: default
      maxSkew: 1
      # topologyKey for this entry is not present in the source listing
      whenUnsatisfiable: DoNotSchedule
    - labelSelector:
        matchLabels:
          docker-registry: default
      maxSkew: 1
      topologyKey: node-role.kubernetes.io/worker
      whenUnsatisfiable: DoNotSchedule

    A cluster administrator can override the default topologySpreadConstraints by setting them in the spec of the configs.imageregistry.operator.openshift.io/cluster resource. In that case, only the constraints you provide apply; the defaults are not merged in, so any default spread you still want must be listed again.
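    An added example (not from the OKD documentation) of the override described above: a shell helper that builds the replacement topologySpreadConstraints as a merge patch, validates maxSkew and whenUnsatisfiable before anything reaches the API server, and reads the keys back from the image-registry Deployment. Because only the constraints you supply apply, the worker-role key from the default is passed explicitly alongside the zone key. It assumes oc is logged in as cluster-admin; MAX_SKEW and WHEN_UNSATISFIABLE are this example's environment variables, not Operator settings.

```shell
#!/bin/sh
# Added example, not from the OKD docs or the Operator: replace the registry's
# default topologySpreadConstraints. Assumes `oc` is logged in as cluster-admin.
# MAX_SKEW and WHEN_UNSATISFIABLE are this script's own knobs.

CFG="configs.imageregistry.operator.openshift.io/cluster"

# One constraint as a JSON object. Arguments: topologyKey, maxSkew, whenUnsatisfiable.
# maxSkew must be a positive integer and whenUnsatisfiable one of the two values
# the scheduler accepts; anything else is rejected before it reaches the API.
spread_constraint() {
  key="$1"; skew="$2"; action="$3"
  case "$skew" in
    ''|*[!0-9]*|0) echo "maxSkew must be a positive integer: '$skew'" >&2; return 1 ;;
  esac
  case "$action" in
    DoNotSchedule|ScheduleAnyway) ;;
    *) echo "whenUnsatisfiable must be DoNotSchedule or ScheduleAnyway: '$action'" >&2; return 1 ;;
  esac
  printf '{"labelSelector":{"matchLabels":{"docker-registry":"default"}},"maxSkew":%s,"topologyKey":"%s","whenUnsatisfiable":"%s"}' \
    "$skew" "$key" "$action"
}

# Merge patch carrying the full replacement list, one constraint per topologyKey
# argument. A JSON merge patch replaces arrays wholesale, so this list is exactly
# what the registry Deployment ends up with.
spread_patch() {
  [ $# -gt 0 ] || { echo "at least one topologyKey is required" >&2; return 1; }
  list=""
  for key in "$@"; do
    c=$(spread_constraint "$key" "${MAX_SKEW:-1}" "${WHEN_UNSATISFIABLE:-DoNotSchedule}") || return 1
    list="${list:+$list,}$c"
  done
  printf '{"spec":{"topologySpreadConstraints":[%s]}}' "$list"
}

# Apply, then confirm what the scheduler will actually enforce by reading the
# Deployment rather than trusting the Operator spec.
spread_apply() {
  patch=$(spread_patch "$@") || return 1
  oc patch "$CFG" --type merge --patch "$patch" || return 1
  oc get deployment image-registry -n openshift-image-registry \
    -o jsonpath='{.spec.template.spec.topologySpreadConstraints[*].topologyKey}'
}

if command -v oc >/dev/null 2>&1; then
  spread_apply topology.kubernetes.io/zone node-role.kubernetes.io/worker
fi
```

    Reading the Deployment back matters because the Operator, not the patch, writes the pod template; if the spec is rejected or the Operator is Degraded, the old constraints stay in force and the final line shows it.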

    Image Registry Operator configuration parameters

    The configs.imageregistry.operator.openshift.io resource offers the following configuration parameters.

    Enable the Image Registry default route with the Custom Resource Definition

    In OKD, the Registry Operator controls the OpenShift image registry feature. The Operator's configuration type is defined by the configs.imageregistry.operator.openshift.io Custom Resource Definition (CRD); the instance you edit is the resource of that type named cluster.

    If you need to automatically enable the Image Registry default route, patch that resource. Enabling the route publishes the registry through the cluster ingress, so it becomes reachable from outside the cluster by anyone holding a valid token.

    Procedure

    • Patch the configs.imageregistry.operator.openshift.io/cluster resource:
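    The patch for the procedure above, as an added example that is not part of the OKD documentation: it sets spec.defaultRoute to true on the cluster resource, reads the hostname of the default-route Route that the Operator then creates in openshift-image-registry, checks that the route terminates TLS, and logs podman in with the current user's token over stdin so the token never appears in the process list. It assumes oc and podman on the path and a logged-in oc session; default-route is the Route name the Operator uses for this feature.

```shell
#!/bin/sh
# Added example, not from the OKD docs or the Operator: expose the integrated
# registry on its default route and log in to it. Assumes `oc` is logged in
# and `podman` is installed. "default-route" is the Route the Operator creates.

CFG="configs.imageregistry.operator.openshift.io/cluster"
NS="openshift-image-registry"

route_patch_json() {
  printf '{"spec":{"defaultRoute":true}}'
}

route_enable() {
  oc patch "$CFG" --type merge --patch "$(route_patch_json)"
}

# Hostname the ingress controller serves the registry on.
route_host() {
  oc get route default-route -n "$NS" -o jsonpath='{.spec.host}'
}

# TLS termination type of the route (edge, reencrypt, passthrough, or empty).
route_tls() {
  oc get route default-route -n "$NS" -o jsonpath='{.spec.tls.termination}'
}

# Print the host only if the route is TLS-terminated. A registry that accepts
# bearer tokens must never be reachable over plaintext HTTP at the edge.
route_check() {
  host=$(route_host) || return 1
  [ -n "$host" ] || { echo "default-route has no host yet" >&2; return 1; }
  tls=$(route_tls)
  case "$tls" in
    edge|reencrypt|passthrough) printf '%s' "$host" ;;
    *) echo "default-route is not TLS-terminated (termination='$tls')" >&2; return 1 ;;
  esac
}

# Token goes over stdin, not argv, so it is not visible in `ps` or shell history.
# The client must trust the ingress certificate; add that CA to podman rather
# than reaching for --tls-verify=false outside a throwaway lab.
registry_login() {
  host=$(route_check) || return 1
  oc whoami -t | podman login -u "$(oc whoami)" --password-stdin "$host"
}

if command -v oc >/dev/null 2>&1 && command -v podman >/dev/null 2>&1; then
  route_enable && registry_login
fi
```

    The TLS check looks redundant today, since the Operator creates the route with TLS, but it is cheap and it is the kind of assumption that should be verified rather than remembered.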

    The image.config.openshift.io/cluster custom resource can contain a reference to a config map that contains additional certificate authorities to be trusted during image registry access.

    Prerequisites

    • The certificate authorities (CA) must be PEM-encoded.

    Procedure

    Create a config map in the openshift-config namespace and reference its name in additionalTrustedCA in the image.config.openshift.io custom resource to provide additional CAs that should be trusted when contacting external registries.

    Each key of the config map is the hostname of a registry for which the CA is to be trusted, and its value is the PEM certificate. A config map key cannot contain a colon, so for a registry on a non-default port write two dots between the hostname and the port: registry-with-port.example.com..5000 stands for registry-with-port.example.com:5000. The key must match the hostname, and port if any, exactly as they appear in image references, because that is the name the container runtime looks up.

    Image registry CA config map example

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: my-registry-ca
      namespace: openshift-config
    data:
      registry.example.com: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      # ".." stands in for ":" because a config map key cannot contain a colon
      registry-with-port.example.com..5000: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

    You can configure additional CAs with the following procedure.

    1. Open the image configuration for editing:

      $ oc edit image.config.openshift.io cluster

    2. Set spec.additionalTrustedCA.name to the name of the config map (my-registry-ca in the example above) and save.
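    The whole procedure, config map and image configuration together, as an added example that is not part of the OKD documentation: a shell script that turns a directory of PEM files named after their registries into the config map, applies it, and points spec.additionalTrustedCA.name at it. The certs/ directory layout and the <registry>.pem file naming are this example's conventions, and CA_CONFIGMAP is its environment variable; the config map name defaults to the my-registry-ca used above. It assumes oc is logged in as cluster-admin.

```shell
#!/bin/sh
# Added example, not from the OKD docs or the Operator: build the
# additionalTrustedCA config map from PEM files and wire it into
# image.config.openshift.io/cluster. Assumes `oc` is logged in as cluster-admin.
#
# Input layout (this script's convention, constructed for the example):
#   certs/registry.example.com.pem
#   certs/registry-with-port.example.com:5000.pem

# A config map key may not contain ":", so a registry on a non-default port is
# keyed as host..port. Hostnames are lower-cased to match image references.
ca_key_for() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/:/../'
}

# Accept only PEM certificates. A private key or random bytes pasted into the
# config map is either silently ignored or, worse, shipped to every node.
ca_pem_ok() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -e '-----END CERTIFICATE-----' "$1" &&
  ! grep -q -e 'PRIVATE KEY' "$1"
}

# Emit the ConfigMap manifest for every <registry>.pem in the directory.
ca_configmap_yaml() {
  dir="$1"
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: openshift-config\ndata:\n' \
    "${CA_CONFIGMAP:-my-registry-ca}"
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || { echo "no .pem files in $dir" >&2; return 1; }
    ca_pem_ok "$f" || { echo "$f is not a PEM certificate; refusing to continue" >&2; return 1; }
    reg=$(basename "$f" .pem)
    printf '  %s: |\n' "$(ca_key_for "$reg")"
    # awk always terminates the last line, so a file without a trailing newline
    # cannot run into the next key and corrupt the YAML.
    awk '{ print "    " $0 }' "$f"
  done
}

# Apply the config map, then reference it from the cluster image configuration.
ca_apply() {
  manifest=$(ca_configmap_yaml "$1") || return 1
  printf '%s\n' "$manifest" | oc apply -f - || return 1
  oc patch image.config.openshift.io/cluster --type merge \
    --patch "{\"spec\":{\"additionalTrustedCA\":{\"name\":\"${CA_CONFIGMAP:-my-registry-ca}\"}}}"
}

if command -v oc >/dev/null 2>&1; then
  ca_apply "${1:-certs}"
fi
```

    Naming the PEM file after the registry is what keeps the key honest: a CA placed under the wrong hostname is simply never consulted, while a CA placed under a hostname you did not intend lets whoever holds that CA's key impersonate that registry to every node in the cluster.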

    Configuring storage credentials for the Image Registry Operator

    In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, storage credential configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

    The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

    Procedure

    • Create an OKD secret that contains the required keys. The key names are the registry storage driver's own environment variable names for the backend in use, for example REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for S3; KEY1 and KEY2 below are placeholders.

      $ oc create secret generic image-registry-private-configuration-user --from-literal=KEY1=value1 --from-literal=KEY2=value2 --namespace openshift-image-registry

    Values passed with --from-literal end up in your shell history and are visible in the process list while the command runs. For real credentials, prefer --from-file or a manifest piped through stdin.
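    An added example, not from the OKD documentation, of creating this secret without putting credential values on the command line: a shell script that reads KEY=value lines from a file and sends a Secret manifest to oc apply over stdin, so the values never appear in shell history or to anyone who can run ps while the command executes. The creds.env file and its contents are constructed for the example; the S3 key names REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY are the ones the registry uses for that backend, and other backends use their own REGISTRY_STORAGE_* names. It assumes oc is logged in as cluster-admin.

```shell
#!/bin/sh
# Added example, not from the OKD docs or the Operator: create
# image-registry-private-configuration-user from a credentials file instead of
# --from-literal. Assumes `oc` is logged in as cluster-admin.
#
# creds.env (constructed for this example; keep it mode 0600):
#   REGISTRY_STORAGE_S3_ACCESSKEY=AKIAEXAMPLE
#   REGISTRY_STORAGE_S3_SECRETKEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

SECRET=image-registry-private-configuration-user
NS=openshift-image-registry

# Single-line base64, as required in the data: section of a Secret.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Emit a Secret manifest from KEY=value lines on stdin. Blank lines and # comments
# are skipped; a line without "=", a key that is not an environment-style name,
# or an empty value aborts, so a typo cannot silently produce an empty credential.
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$SECRET" "$NS"
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *=*) ;; *) echo "missing '=' on line: $line" >&2; return 1 ;; esac
    key=${line%%=*}; val=${line#*=}
    case "$key" in
      ''|*[!A-Z0-9_]*) echo "bad key in credentials file: '$key'" >&2; return 1 ;;
    esac
    [ -n "$val" ] || { echo "empty value for $key" >&2; return 1; }
    printf '  %s: %s\n' "$key" "$(b64 "$val")"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo "no credentials found" >&2; return 1; }
}

# Build the manifest first, then apply it; a malformed file never reaches oc.
# The Operator picks the secret up on its own and uses it in place of any
# platform default credentials it discovered.
secret_apply() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  m=$(secret_manifest < "$f") || return 1
  printf '%s\n' "$m" | oc apply -f -
}

# Confirm a key is present by reporting its decoded length, never its value.
secret_check_key() {
  oc get secret "$SECRET" -n "$NS" -o "jsonpath={.data.$1}" | base64 -d | wc -c
}

if command -v oc >/dev/null 2>&1; then
  secret_apply "${1:-creds.env}" && secret_check_key REGISTRY_STORAGE_S3_ACCESSKEY
fi
```

    The length check at the end is deliberate: it tells you whether the Operator is going to see a credential at all, which is the usual failure, without echoing the secret into a terminal log.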

    Additional resources