Accessing and Using the Internal OpenShift Registry

  • Published 29 Aug 2024
  • If you'd like to experiment or evaluate the internal registry that is included with OCP, then follow along. For production use cases, I highly recommend a real external registry, like Docker (DTR), Nexus, Harbor or one provided by many cloud providers.
    In this video I enable external access to the registry, provide a secured secondary route using my private certificate/key and push images into a project.
    The string to enable the registry is "oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge"
    I've updated "Minecraft" to run on OpenShift 4.x for fun, linked here : github.com/ocp...
    A link to the documentation about using the internal registry may be found here: docs.openshift...
  • Science and Technology

COMMENTS • 34

  • @joeschell3366 2 years ago +1

    Thank you so much. This was so helpful in getting my image into OpenShift. Really appreciate you taking the time to make these videos.

  • @elsabaa85 3 years ago

    Really good video! I am getting real hands-on information from your videos... keep it up 👍

  • @JoseLausuch 2 years ago

    Very helpful! Do you have an example how to deploy a simple application with oc CLI using that custom image in the internal registry?

    • @OCPdude 2 years ago

      I launch the app at about 8:25

    • @JoseLausuch 2 years ago

      @OCPdude Sure, I meant using CLI and a yml file.

    • @OCPdude 2 years ago

      @JoseLausuch It'd be the same as normal, but you'd refer to the image based in the internal registry (registry.redcloud.land/$namespace/$image:$tag)

    • @JoseLausuch 2 years ago

      @OCPdude thanks!

  • @magesh4806 3 years ago

    Does OCR provide any UI dashboard kind of thing to see the uploaded images?

    • @OCPdude 3 years ago +1

      The internal registry doesn't provide the full repository view you're likely thinking of. For this view, I would recommend other "external" registries like those provided by cloud services, Nexus, DTR, and others.

    • @magesh4806 3 years ago

      @OCPdude Is it possible to see in logs what images are pushed and pulled through logs or by any other means in OCR? Currently using "oc logs deployments/image-registry -n openshift-image-registry" to see the registry logs. But they are not providing any image-related details.

    • @OCPdude 3 years ago +1

      @magesh4806 If you monitor the image-registry-$podID (oc -n openshift-image-registry logs image-registry-59f995b7b4-ph9rf) you'll see the images being pulled into and from the registry.

    • @jaakkouusitalo1094 3 years ago

      @OCPdude Are you sure about that? Isn't this the same as Image Streams tab under Builds?

    • @OCPdude 3 years ago

      @jaakkouusitalo1094 Sorry, I'm not sure what question you are asking. Is this about viewing logs?

  • @piyumithanirman 11 months ago

    How to generate docker login password? Can you give steps?

    • @OCPdude 11 months ago

      The user accounts accessible are those OpenShift has access to... whether they're local, ldap, etc. My accounts are linked via ldap integration. 6:52

  • @gayu12345 2 years ago

    From where did you get the certs for the Registry? I don't see certs for my existing internal registry.

    • @OCPdude 2 years ago

      When you expose the internal registry you can use that route and self-signed certificate - for my lab, I generated a cert from my internal CA. More details can be found on my GitHub link here: github.com/ocpdude/ocp-internal-registry

    • @gayu12345 2 years ago

      @OCPdude This environment was provisioned temporarily in my organization, so I am not sure where to get those very details... Suppose I don't want to create a smaller route name, then the image which I create with the original internal registry name should also be accessible, right?

    • @OCPdude 2 years ago

      @gayu12345 It will still work with the exposed default route. It essentially works off of your wildcard *.apps.cluster.domain.com; see the docs here: docs.openshift.com/container-platform/4.9/registry/securing-exposing-registry.html#registry-exposing-secure-registry-manually_securing-exposing-registry

    • @gayu12345 2 years ago

      Actually I am using Tekton Task and Pipeline to push my Maven image into the internal registry but I am getting unauthorised : authentication required error when trying to pull image from the default registry. If any email ID of yours is available, I can email you my problem with screenshots so that you can help me out if possible.

    • @OCPdude 2 years ago

      @gayu12345 You need to make sure your user has the right privileges - please watch from here: ua-cam.com/video/Sffe76L3fdo/v-deo.html

  • @davorinkocbek4779 3 years ago

    Great video. But I have some problems with re-encryption of my certs. We have our RootCA in our company. I got Rejected status: spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority

    • @OCPdude 3 years ago

      Is this with Chrome? Try another browser.

    • @davorinkocbek4779 3 years ago

      @OCPdude Firefox. I also tried in Chrome. When I create a route I get the error: spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority

    • @OCPdude 3 years ago

      @davorinkocbek4779 Sorry, are you getting this error when using your docker/podman login? If you created a custom route for your internal registry, you should attach your CA to the cert as well. For example, my yaml looks like this... - sorry, for some reason UA-cam prevents me from pasting basic text formatted in .yaml. I have "tls: termination: reencrypt, certificate:, key:, caCertificate:.... "
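
Added example, not part of the video or the comment thread: the "certificate signed by unknown authority" rejection discussed above can be reproduced locally before the route is created. The sketch checks that the certificate chains to the CA file intended for `caCertificate` and that the key matches, then prints an `oc create route reencrypt` command; the file names, hostname, route name and the `image-registry` service name are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a custom reencrypt route on the internal registry.
# Assumptions (not from the video): PEM file names, the hostname, and the
# service name "image-registry" in namespace openshift-image-registry.

# chain_ok <cert.pem> <ca.pem>: 0 only if the cert chains to the CA bundle.
# A failure here is the local equivalent of "signed by unknown authority".
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches <cert.pem> <key.pem>: 0 only if the key belongs to the cert.
# Compares the public key embedded in the cert with the one derived from
# the private key; empty output (unreadable file) never counts as a match.
key_matches() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight_route <cert> <key> <ca> <hostname>
# Prints the route command only when both checks pass; runs nothing itself.
preflight_route() {
  if ! chain_ok "$1" "$3"; then
    echo "certificate does not chain to $3; fix the CA bundle first" >&2
    return 1
  fi
  if ! key_matches "$1" "$2"; then
    echo "private key $2 does not match certificate $1" >&2
    return 2
  fi
  printf '%s\n' "oc create route reencrypt registry-custom \
--service=image-registry -n openshift-image-registry \
--hostname=$4 --cert=$1 --key=$2 --ca-cert=$3"
}

# Example call with placeholder paths:
# preflight_route tls.crt tls.key ca.crt registry.apps.example.test
```

If the issuing chain includes intermediates, put them in the CA file together with the root so the same bundle can be supplied as the route's CA certificate.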

  • @salvadoralvarez2347 3 years ago

    @ocpdude how do I log in to the internal registry with the user name and the password? Pretty new at this. I have the image tagged, the project ready and the role binding.

    • @OCPdude 3 years ago

      Generate a token for your account and use it as your password. Then, oc login -u username “registry”; when prompted enter the token. See @7:28

  • @Ho-un7lt 3 years ago

    Where are your Minecraft images stored? I think you have not created a pv or pvc...

    • @OCPdude 3 years ago

      Please check my GitHub, I have a Minecraft repo that better explains it. *I use themes extracted on nfs, then mount those.