Any deployment on an OpenShift / OKD 4.x cluster needs a source of container images in order to succeed. OpenShift lets you use your own private registries as an image source. Public registries such as Docker Hub, Quay, gcr.io, etc., and the integrated OpenShift registry work without extra configuration. The problem arises when you want to use a private registry that has no valid SSL certificate or only serves plain HTTP.
There are two ways you can use private insecure registries on OpenShift / OKD cluster.
- If the registry uses a self-signed SSL certificate: import the certificate into the OpenShift CA trust store.
- Otherwise, add the registry to the insecure registries list. The Machine Config Operator (MCO) will push the updated configuration to all nodes in the cluster and reboot them.
Add additional trust stores for image registry access
Let's assume your registry URL is ocr.example.com, served on the default HTTPS port (443), and that the certificate file is ocr.example.com.crt.
This is how you configure additional CAs that should be trusted during image imports, pod image pulls, and builds. Note that the CA certificates must be PEM-encoded.
--- syntax ---

$ oc create configmap registry-config \
    --from-file=<external_registry_address>=ca.crt \
    -n openshift-config

--- Example ---

$ oc create configmap registry-config \
    --from-file=ocr.example.com=ocr.example.com.crt \
    -n openshift-config
Then edit the image registry cluster config and specify additionalTrustedCA.
$ oc edit image.config.openshift.io cluster

spec:
  additionalTrustedCA:
    name: registry-config
Whitelisting insecure image registries
You can also add an insecure registry by editing the image.config.openshift.io/cluster custom resource (CR). This is common for registries that only support HTTP connections or have invalid certificates.
Edit the image.config.openshift.io/cluster custom resource:
$ oc edit image.config.openshift.io/cluster
Under registrySources, list the registries that may be used for image pull and push without a valid certificate in the insecureRegistries section.

....
spec:
  additionalTrustedCA:
    name: registry-config
  registrySources:
    insecureRegistries:
    - ocr.example.com
Add one entry per registry if you have several insecure registries. To block a registry, add a blockedRegistries list as shown below.

....
spec:
  additionalTrustedCA:
    name: registry-config
  registrySources:
    insecureRegistries:
    - ocr.example.com
    blockedRegistries:
    - untrusted.com
The Machine Config Operator (MCO) watches image.config.openshift.io/cluster for changes to the registry settings and reboots the nodes when it detects them.
The new registry configurations are written to /etc/containers/registries.conf file on each node.
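The following helpers are an added example, not code from the original post: they derive the ConfigMap key for the trust store (a registry on a non-default port is keyed with `..` in place of `:`), check that the CA file is PEM, build the merge-patch equivalent of the `oc edit` steps above, and confirm after the MCO reboot that a node's /etc/containers/registries.conf marks the registry insecure. The registry names and the registries.conf sample are constructed.

```shell
# Added example helpers (not from the original post); names below are constructed.
# OpenShift keys the trust ConfigMap by registry address. A registry on a
# non-default port is written with ".." instead of ":" in the key, so
# "ocr.example.com:5000" becomes "ocr.example.com..5000".
registry_key() {
  printf '%s\n' "$1" | sed 's/:/../'
}
# additionalTrustedCA only accepts PEM-encoded certificates; check the file
# before creating the ConfigMap rather than at the first failed image pull.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}
# JSON merge patch equivalent of the `oc edit` steps above, for use as
#   oc patch image.config.openshift.io/cluster --type merge -p "$(build_patch ...)"
# Args: ConfigMap name, then one or more insecure registry addresses.
build_patch() {
  cm="$1"; shift
  list=""
  for r in "$@"; do
    list="${list:+$list,}\"$r\""
  done
  printf '{"spec":{"additionalTrustedCA":{"name":"%s"},"registrySources":{"insecureRegistries":[%s]}}}\n' \
    "$cm" "$list"
}
# After the MCO reboot, confirm the rollout landed: pipe a node's
# /etc/containers/registries.conf (oc debug node/<node> -- chroot /host cat ...)
# into this; exit status is 0 only if the registry's block has insecure = true.
registry_is_insecure() {
  awk -v want="$1" '
    function check() { if (loc == want && ins) found = 1 }
    /^\[\[registry\]\]/ { check(); loc = ""; ins = 0 }
    /^[ \t]*location[ \t]*=/ { gsub(/.*=[ \t]*"|"[ \t]*$/, ""); loc = $0 }
    /^[ \t]*insecure[ \t]*=[ \t]*true/ { ins = 1 }
    END { check(); exit found ? 0 : 1 }'
}

# Constructed sample of what the MCO renders for the configuration above.
SAMPLE_REGISTRIES_CONF='[[registry]]
  prefix = ""
  location = "ocr.example.com"
  insecure = true

[[registry]]
  prefix = ""
  location = "untrusted.com"
  blocked = true'
```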