| title | description | author | ms.author | ms.service | ms.topic | ms.date |
|---|---|---|---|---|---|---|
Configure built-in container registry for Azure Red Hat OpenShift 4 |
Configure built-in container registry for Azure Red Hat OpenShift 4 |
majguo |
jiangma |
azure-redhat-openshift |
conceptual |
10/15/2020 |
Azure Red Hat OpenShift provides an integrated container image registry that adds the ability to automatically provision new image repositories on demand. This provides users with a built-in location for their application builds to push the resulting images.
In this article, you'll configure the built-in container image registry for an Azure Red Hat OpenShift (ARO) 4 cluster. You'll learn how to:
[!div class="checklist"]
- Authorize an identity to access to the registry
- Access the built-in container image registry from inside the cluster
- Access the built-in container image registry from outside the cluster
This article assumes you have an existing ARO cluster (see Create an Azure Red Hat OpenShift 4 cluster). If you would like to configure Azure AD integration, make sure to create the cluster with the --pull-secret argument to az aro create.
Note
Configuring Azure AD Authentication for your cluster is the easiest way to interact with the internal registry from outside the cluster.
Once you have your cluster, connect to the cluster by authenticating as the kubeadmin user.
For any identity (a cluster user, Azure AD user, or ServiceAccount) to access the internal registry, it must be granted permissions inside the cluster:
As kubeadmin, execute the following commands:
# Note: replace "<user>" with the identity you need to access the registry
oc policy add-role-to-user -n openshift-image-registry registry-viewer <user>
oc policy add-role-to-user -n openshift-image-registry registry-editor <user>Note
For cluster users and Azure AD users - this will be the same name you use to authenticate into the cluster. For OpenShift ServiceAccounts, format the name as system:serviceaccount:<project>:<name>
Now that you've configured authentication for the registry, you can interact with it:
If you need to access the registry from inside the cluster (e.g. you are running a CI/CD platform as Pods that will push/pull images to the registry), you can access the registry via its ClusterIP Service at the fully qualified domain name image-registry.openshift-image-registry.svc.cluster.local:5000, which is accessible to all Pods within the cluster.
If your workflows require you access the internal registry from outside the cluster (e.g. you want to push/pull images from a developer's laptop, external CI/CD platform, and/or a different ARO cluster), you will need to perform a few additional steps:
As kubeadmin, execute the following commands to expose the built-in registry outside the cluster via a Route:
oc patch config.imageregistry.operator.openshift.io/cluster --patch='{"spec":{"defaultRoute":true}}' --type=merge
oc patch config.imageregistry.operator.openshift.io/cluster --patch='[{"op": "add", "path": "/spec/disableRedirect", "value": true}]' --type=jsonYou can then find the registry's externally-routable fully qualified domain name:
As kubeadmin, execute:
oc get route -n openshift-image-registry default-route --template='{{ .spec.host }}'Now that you've set up the built-in container image registry, you can get started by deploying an application on OpenShift. For Java applications, check out Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Red Hat OpenShift 4 cluster.