Fixes bugs for registry content #14986
Conversation
openshift-ci-robot
added
the
size/M
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
4 times, most recently
from
eacdf49 to
7bc78d0
Compare
openshift-ci-robot
added
size/L
There was a problem hiding this comment.
This section is currently commented out of the documentation, but I made some requested changes just in case.
There was a problem hiding this comment.
I'd say we shouldn't recommend to secure the registry manually anymore. Inside the cluster it is secured by default. Outside of the cluster it can be accessed only through routes, which should have documentation about certificates and all this stuff.
There was a problem hiding this comment.
Thanks, @dmage! It sounds like we might want to move the entire Securing and exposing the registry topic: https://docs.openshift.com/container-platform/4.1/registry/securing-exposing-registry.html
Is that correct?
There was a problem hiding this comment.
@bmcelvee yes, the whole section of registry-securing-manually.adoc should be removed.
There was a problem hiding this comment.
Thanks! I'll go ahead and remove the entire assembly.
|
@sferich888 and @hongkailiu Please take a look, thanks! |
|
@dmage - if you have time, please take a look too. |
|
Going ahead and requesting QE review too so I can get the fixes merged sooner. Thanks! @wzheng1 Please take a look, thanks again! |
There was a problem hiding this comment.
But operator will not enable default route by default, user should enable it :
$oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
There was a problem hiding this comment.
Thanks, @wzheng1! Does the user need to enable the route during install or post install? And would this procedure be part of/an update to the securing the registry procedure in the operator docs? https://docs.openshift.com/container-platform/4.1/registry/configuring-registry-operator.html#registry-operator-default-crd_configuring-registry-operator
There was a problem hiding this comment.
User cannot enable it during install, can do it post install.
There was a problem hiding this comment.
The default route address will be like: default-route-openshift-image-registry.<cluster_name>, for example default-route-openshift-image-registry.apps.qe-521.qe.devcluster.openshift.com
There was a problem hiding this comment.
If use podman to login, I suggest to use internal registry address like before:
sh-4.4# podman login -u kubeadmin -p RDhLYKRgyw3JFpG4-9N9yBbLdGK4CtKeAc5aSjFuk3E image-registry.openshift-image-registry.svc:5000
Login Succeeded!
There was a problem hiding this comment.
@dmage could you please decide which way is better about my above comment?
There was a problem hiding this comment.
Above steps can be added to accessing-the-registry.adoc.
There was a problem hiding this comment.
The assumptions of this article are not clear. If it assumes that all actions will be from outside of the cluster, then only external routes can be used. That's a good point that most likely the registry will have untrusted certificate.
There was a problem hiding this comment.
@bmcelvee so the conclusion is user has two options to access Openshift internal registry as below:
-
If use internal routes, user has to be inside cluster like below:
a. Access into node:
$oc get nodes --------------this is to get node address
$oc debug nodes/<node_address>
b. Use podman command to log into internal route: image-registry.openshift-image-registry.svc:5000:
sh-4.4# podman login -u kubeadmin -p RDhLYKRgyw3JFpG4-9N9yBbLdGK4CtKeAc5aSjFuk3E image-registry.openshift-image-registry.svc:5000
Login Succeeded!
c. Then you can use $podman pull/push; -
If use external routes, user need to enable defaultRoute=true first, then create a CA file to copy to local like this:
a.Get wildcard route ca
$oc get secret router-certs-default -n openshift-ingress -o yaml
$echo <tls.crt_content> | base64 -d > ca.crt
b. Trust ca in your client platform
$sudo cp ca.crt /etc/pki/ca-trust/source/anchors/<external_route>.crt
#sudo update-ca-trust enable
c. Reload docker
#sudo systemctl daemon-reload
#sudo systemctl restart docker
d.the user can use docker to login with this default address locally: default-route-openshift-image-registry.<cluster_name>
There was a problem hiding this comment.
Thanks so much, @wzheng1! Wildcard routes are not supported in 4.1, so I've documented the external route method locally and can put it in the documentation if wildcard routes are offered in the future .
There was a problem hiding this comment.
@bmcelvee By re-reviewing the doc registry-accessing-directly.adoc, I wanna highlight my above 2 methods are separated with each other, one is with internal route address: image-registry.openshift-image-registry.svc:5000 ; another is to login with external route address enabled by user:
$ oc get route -n openshift-image-registry default-route -o jsonpath='{.status.ingress[*].host}{"\n"}'
default-route-openshift-image-registry.apps.qe-wewang-527.qe.devcluster.openshift.com;
If user use external route address, it is OK to use docker command.
There was a problem hiding this comment.
Thanks @wzheng1! So far I've only included the steps for accessing internally since wildcard routing is not supported in 4.1.
I'm a bit confused on the command we should document for the log in step, would it be better as one of the following:
-
$ podman login -u openshift -p
$(oc whoami -t) $ (oc get route -n openshift-image-registry default-route -o jsonpath='{.status.ingress[*].host}{"\n"}') -
podman login -u kubeadmin -p RDhLYKRgyw3JFpG4-9N9yBbLdGK4CtKeAc5aSjFuk3E image-registry.openshift-image-registry.svc:5000
-
podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
There was a problem hiding this comment.
Thanks again! :) Updated.
There was a problem hiding this comment.
$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
There was a problem hiding this comment.
$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
There was a problem hiding this comment.
@dmage whether above steps works in 4.x now?
There was a problem hiding this comment.
We should show a user how to validate they are an admin here!
There was a problem hiding this comment.
Why does it need to be an administrator?
There was a problem hiding this comment.
@dmage What level of user do you need to be in order to access the registry? (I originally brought this content forward from 3.x, and am trying to clarify/update it.)
There was a problem hiding this comment.
The assumptions of this article are not clear. If it assumes that all actions will be from outside of the cluster, then only external routes can be used. That's a good point that most likely the registry will have untrusted certificate.
There was a problem hiding this comment.
I'd say we shouldn't recommend to secure the registry manually anymore. Inside the cluster it is secured by default. Outside of the cluster it can be accessed only through routes, which should have documentation about certificates and all this stuff.
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
5 times, most recently
from
0f38a72 to
1dcd584
Compare
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
from
1dcd584 to
4d98c73
Compare
There was a problem hiding this comment.
Could this be a single step w/o a substep?
There was a problem hiding this comment.
Replaceable could be lowercase.
There was a problem hiding this comment.
Also maybe semicolon instead: "You can pass any value for the user name; the token contains all necessary information."
adellape
added
the
peer-review-done
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
from
4d98c73 to
975cc47
Compare
There was a problem hiding this comment.
This command should be:
$ podman push image-registry.openshift-image-registry.svc:5000/openshift/image
There was a problem hiding this comment.
Thanks so much, @wzheng1!
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
from
975cc47 to
18ee0ef
Compare
|
All bugs moved to verified, and I pushed the final request. Merging the PR now, and we can make any additional edits in new PRs. Thanks! |
This PR addresses the following bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1704415
https://bugzilla.redhat.com/show_bug.cgi?id=1708765
https://bugzilla.redhat.com/show_bug.cgi?id=1704382
https://bugzilla.redhat.com/show_bug.cgi?id=1704381