Expose the OpenShift internal registry from the outside and log in with Docker/Podman CLI

To
You can download this article in PDF format via the link below to support us.

Download the guide in PDF format

turn off
To

To
To

OpenShift Container Platform provides an internally integrated container image registry, which can be deployed in your OpenShift container platform environment to manage images locally. Through this registry, you can build a container image from source code, deploy it on the OpenShift platform and manage its life cycle. During the initial cluster setup process, you will set up the internal registry. The complete installation guide is included in the ” Deploy the registry on an existing cluster section.

Configure OpenShift internal image registry

On infrastructure platforms that do not provide sharable object storage, the OpenShift Image Registry Operator will guide itself as Removed. Since I am running the cluster on a bare metal server, I will change the registry operator configuration Management status From deleted to managed.

$ oc edit configs.imageregistry/cluster
spec:
  managementState: Managed

You also need to set persistent bulk declarations for the internal registry. See the example below.

...
storage:
    pvc:
      claim: ocs4registry

Confirm that PVC has been bound in the image registry name space.

$ oc get pvc -n openshift-image-registry
NAME           STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
ocs4registry   Bound    pvc-a07963ea-2b23-477f-936d-4f8f674de9a5   100Gi      RWX            cephfs         57d

Confirm that you do not have a registry pod:

$ oc get pod -n openshift-image-registry
NAME                                               READY   STATUS      RESTARTS   AGE
cluster-image-registry-operator-674b759cfb-vvsmr   2/2     Running     0          41d
image-pruner-1600387200-5qzgn                      0/1     Completed   0          2d10h
image-pruner-1600473600-x8rd6                      0/1     Completed   0          34h
image-pruner-1600560000-ss6mn                      0/1     Completed   0          10h
image-registry-6f4b4db789-2wdmt                    1/1     Running     0          41d
node-ca-7pkp4                                      1/1     Running     0          53d
node-ca-f5pnq                                      1/1     Running     0          53d
node-ca-h5v2f                                      1/1     Running     0          53d
node-ca-ldgvv                                      1/1     Running     0          53d
node-ca-ldplz                                      1/1     Running     0          53d
node-ca-rl8xt                                      1/1     Running     0          53d
node-ca-s59td                                      1/1     Running     0          53d
node-ca-shk7l                                      1/1     Running     0          53d
node-ca-t7ghk                                      1/1     Running     0          53d
node-ca-vk9sl                                      1/1     Running     0          53d
node-ca-xjz45                                      1/1     Running     0          53d
node-ca-xr75h                                      1/1     Running     0          53d

Expose the OpenShift internal image registry externally

When the registry is installed, it will not be exposed externally. This means that the registry can only be used inside the cluster. For external access, we need to use OpenShift routing to expose services.

You can expose routes by using the DefaultRoute parameter in the configs.imageregistry.operator.openshift.io resource or using custom routes. You will run the following command to expose the route by modifying the DefaultRoute parameter.

oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

Expected output:

config.imageregistry.operator.openshift.io/cluster patched

Confirm that the route has been created.

$ oc get  route  -n openshift-image-registry
NAME            HOST/PORT                                                          PATH   SERVICES         PORT    TERMINATION   WILDCARD
default-route   default-route-openshift-image-registry.apps.ocp.example.net               image-registry      reencrypt     None

Log in to the OpenShift registry with Docker | Podman

$ oc login https://api..:6443

After logging in, use the following command to automatically obtain the registry route.

HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

You can verify this value using the following methods:

$ echo $HOST

Then, you can log in to our public registry with the following command:

$ podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false $HOST

$ docker login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false $HOST

Push the container image to the OpenShift registry

To push the container image to the registry, first tag it. See the example below.

$ docker pull busybox:latest
$ docker tag busybox:latest registry.dev.example.com/testplatform/busybox:latest
$ docker push  registry.dev.example.com/testplatform/busybox:latest
$ oc get is busybox

After pushing the image to the registry, an OpenShift ImageStream will be created automatically. No further action is required.

Other OpenShift guides:

How to allow insecure registry in OpenShift/OKD 4.x cluster

Use HTPasswd identity provider to manage OpenShift/OKD users

How to run telnet/tcpdump in OpenShift v4 CoreOS node