By default, the OpenShift Container Platform registry is secured during cluster installation so that it serves traffic via TLS. A passthrough route is also created by default to expose the service externally.

Exposing a secure registry manually

Instead of logging in to the OpenShift Container Platform registry from within the OpenShift Container Platform cluster, you can gain external access to it by first securing the registry and then exposing it with a route. This allows you to log in to the registry from outside the cluster using the route address, and to tag and push images using the route host.

Prerequisites:
  • The following prerequisites are automatically preformed:

    • Deploy the registry.

    • Secure the registry.

    • Deploy a router.

Procedure
  1. Verify whether a passthrough route exists, the route should have been created by default for the registry during the initial cluster installation:

    $ oc get route/pod-registry -o yaml
    apiVersion: v1
    kind: Route
    metadata:
      name: podman-registry
    spec:
      host: <host> (1)
      to:
        kind: Service
        name: podman-registry (2)
      tls:
        termination: passthrough (3)
    1 The host for your route. You must be able to resolve this name externally by DNS to the router’s IP address.
    2 The service name for your registry.
    3 Specifies this route as a passthrough route.

    Re-encrypt routes are also supported for exposing the secure registry.

    1. If it does not exist, create the route with the oc create route passthrough command, specifying the registry as the route’s service. By default, the name of the created route is the same as the service name:

      1. Get the podman-registry service details:

        $ oc get svc
        NAME              CLUSTER_IP       EXTERNAL_IP   PORT(S)                 SELECTOR                  AGE
        podman-registry   172.30.69.167    <none>        5000/TCP                podman-registry=default   4h
        kubernetes        172.30.0.1       <none>        443/TCP,53/UDP,53/TCP   <none>                    4h
        router            172.30.172.132   <none>        80/TCP                  router=router             4h
      2. Create the route:

        $ oc create route passthrough    \
            --service=podman-registry    \(1)
            --hostname=<host>
        route "podman-registry" created     (2)
        1 Specifies the registry as the route’s service.
        2 The route name is identical to the service name.
  2. Trust the certificates being used for the registry on your host system to allow the host to push and pull images. The certificates referenced were created when you secured your registry:

    $ sudo mkdir -p /etc/podman/certs.d/<host>
    $ sudo cp <ca_certificate_file> /etc/podman/certs.d/<host>
    $ sudo systemctl restart podman
  3. Log in to the registry using the information from securing the registry. However, this time point to the host name used in the route rather than your service IP. When logging in to a secured and exposed registry, make sure you specify the registry in the podman login command:

    # podman login -e user@company.com \
        -u f83j5h6 \
        -p Ju1PeM47R0B92Lk3AZp-bWJSck2F7aGCiZ66aFGZrs2 \
        <host>
  4. You can now tag and push images using the route host. For example, to tag and push a busybox image in a project called test:

    $ oc get imagestreams -n test
    NAME      PODMAN REPO   TAGS      UPDATED
    
    $ podman pull busybox
    $ podman tag busybox <host>/test/busybox
    $ podman push <host>/test/busybox
    The push refers to a repository [<host>/test/busybox] (len: 1)
    8c2e06607696: Image already exists
    6ce2e90b0bc7: Image successfully pushed
    cf2616975b4a: Image successfully pushed
    Digest: sha256:6c7e676d76921031532d7d9c0394d0da7c2906f4cb4c049904c4031147d8ca31
    
    $ podman pull <host>/test/busybox
    latest: Pulling from <host>/test/busybox
    cf2616975b4a: Already exists
    6ce2e90b0bc7: Already exists
    8c2e06607696: Already exists
    Digest: sha256:6c7e676d76921031532d7d9c0394d0da7c2906f4cb4c049904c4031147d8ca31
    Status: Image is up to date for <host>/test/busybox:latest
    
    $ oc get imagestreams -n test
    NAME      PODMAN REPO                       TAGS      UPDATED
    busybox   172.30.11.215:5000/test/busybox   latest    2 seconds ago

    Your imagestreams will have the IP address and port of the registry service, not the route name and port. See oc get imagestreams for details.

Exposing a non-secure registry manually

Instead of securing the registry in order to expose the registry, you can simply expose a non-secure registry for non-production OpenShift Container Platform environments. This allows you to have an external route to the registry without using SSL certificates.

Only non-production environments should expose a non-secure registry to external access.

Procedure

To expose a non-secure registry:

  1. Expose the registry:

    # oc expose service podman-registry --hostname=<hostname> -n default

    This creates the following JSON file:

    apiVersion: v1
    kind: Route
    metadata:
      creationTimestamp: null
      labels:
        podman-registry: default
      name: podman-registry
    spec:
      host: registry.example.com
      port:
        targetPort: "5000"
      to:
        kind: Service
        name: podman-registry
    status: {}
  2. Verify that the route has been created successfully:

    # oc get route
    NAME              HOST/PORT                    PATH      SERVICE           LABELS                    INSECURE POLICY   TLS TERMINATION
    podman-registry   registry.example.com            podman-registry   podman-registry=default
  3. Check the health of the registry:

    $ curl -v http://registry.example.com/healthz

    Expect an HTTP 200/OK message.

    After exposing the registry, update your /etc/sysconfig/podman file by adding the port number to the OPTIONS entry. For example:

    OPTIONS='--selinux-enabled --insecure-registry=172.30.0.0/16 --insecure-registry registry.example.com:80'

    The options in the previous example should be added on the client from which you are trying to log in.

    Also, ensure that Podman is running on the client.

When logging in to the non-secured and exposed registry, make sure you specify the registry in the podman login command. For example:

# podman login -e user@company.com \
    -u f83j5h6 \
    -p Ju1PeM47R0B92Lk3AZp-bWJSck2F7aGCiZ66aFGZrs2 \
    <host>