Fixes bugs for registry content #14986
Conversation
openshift-ci-robot
added
the
size/M
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
4 times, most recently
from
eacdf49 to
7bc78d0
Compare
openshift-ci-robot
added
size/L
| @@ -16,30 +16,30 @@ Manually secure the registry to serve traffic via TLS: | |||
| example: | |||
There was a problem hiding this comment.
This section is currently commented out of the documentation, but I made some requested changes just in case.
There was a problem hiding this comment.
I'd say we shouldn't recommend to secure the registry manually anymore. Inside the cluster it is secured by default. Outside of the cluster it can be accessed only through routes, which should have documentation about certificates and all this stuff.
There was a problem hiding this comment.
Thanks, @dmage! It sounds like we might want to move the entire Securing and exposing the registry topic: https://docs.openshift.com/container-platform/4.1/registry/securing-exposing-registry.html
Is that correct?
There was a problem hiding this comment.
@bmcelvee yes, the whole section of registry-securing-manually.adoc should be removed.
There was a problem hiding this comment.
Thanks! I'll go ahead and remove the entire assembly.
|
@sferich888 and @hongkailiu Please take a look, thanks! |
|
@dmage - if you have time, please take a look too. |
|
Going ahead and requesting QE review too so I can get the fixes merged sooner. Thanks! @wzheng1 Please take a look, thanks again! |
| + | ||
| [NOTE] | ||
| ==== | ||
| Since the Image Registry Operator creates the route, it will likely be the |
There was a problem hiding this comment.
But operator will not enable default route by default, user should enable it :
$oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
There was a problem hiding this comment.
Thanks, @wzheng1! Does the user need to enable the route during install or post install? And would this procedure be part of/an update to the securing the registry procedure in the operator docs? https://docs.openshift.com/container-platform/4.1/registry/configuring-registry-operator.html#registry-operator-default-crd_configuring-registry-operator
There was a problem hiding this comment.
User cannot enable it during install, can do it post install.
| [NOTE] | ||
| ==== | ||
| Since the Image Registry Operator creates the route, it will likely be the | ||
| `default-route`. |
There was a problem hiding this comment.
The default route address will be like: default-route-openshift-image-registry.<cluster_name>, for example default-route-openshift-image-registry.apps.qe-521.qe.devcluster.openshift.com
| + | ||
| ---- | ||
| $ podman-login -u openshift -p $(oc whoami -t) <registry_ip>:<port> | ||
| $ podman login -u openshift -p $(oc whoami -t) $(oc get route -n openshift-image-registry default-route -o jsonpath='{.status.ingress[*].host}{"\n"}') |
There was a problem hiding this comment.
If use podman to login, I suggest to use internal registry address like before:
sh-4.4# podman login -u kubeadmin -p RDhLYKRgyw3JFpG4-9N9yBbLdGK4CtKeAc5aSjFuk3E image-registry.openshift-image-registry.svc:5000
Login Succeeded!
There was a problem hiding this comment.
@dmage could you please decide which way is better about my above comment?
There was a problem hiding this comment.
Above steps can be added to accessing-the-registry.adoc.
There was a problem hiding this comment.
The assumptions of this article are not clear. If it assumes that all actions will be from outside of the cluster, then only external routes can be used. That's a good point that most likely the registry will have untrusted certificate.
There was a problem hiding this comment.
@bmcelvee so the conclusion is user has two options to access Openshift internal registry as below:
-
If use internal routes, user has to be inside cluster like below:
a. Access into node:
$oc get nodes --------------this is to get node address
$oc debug nodes/<node_address>
b. Use podman command to log into internal route: image-registry.openshift-image-registry.svc:5000:
sh-4.4# podman login -u kubeadmin -p RDhLYKRgyw3JFpG4-9N9yBbLdGK4CtKeAc5aSjFuk3E image-registry.openshift-image-registry.svc:5000
Login Succeeded!
c. Then you can use $podman pull/push; -
If use external routes, user need to enable defaultRoute=true first, then create a CA file to copy to local like this:
a.Get wildcard route ca
$oc get secret router-certs-default -n openshift-ingress -o yaml
$echo <tls.crt_content> | base64 -d > ca.crt
b. Trust ca in your client platform
$sudo cp ca.crt /etc/pki/ca-trust/source/anchors/<external_route>.crt
#sudo update-ca-trust enable
c. Reload docker
#sudo systemctl daemon-reload
#sudo systemctl restart docker
d.the user can use docker to login with this default address locally: default-route-openshift-image-registry.<cluster_name>
There was a problem hiding this comment.
Thanks so much, @wzheng1! Wildcard routes are not supported in 4.1, so I've documented the external route method locally and can put it in the documentation if wildcard routes are offered in the future .
There was a problem hiding this comment.
@bmcelvee By re-reviewing the doc registry-accessing-directly.adoc, I wanna highlight my above 2 methods are separated with each other, one is with internal route address: image-registry.openshift-image-registry.svc:5000 ; another is to login with external route address enabled by user:
$ oc get route -n openshift-image-registry default-route -o jsonpath='{.status.ingress[*].host}{"\n"}'
default-route-openshift-image-registry.apps.qe-wewang-527.qe.devcluster.openshift.com;
If user use external route address, it is OK to use docker command.
There was a problem hiding this comment.
Thanks @wzheng1! So far I've only included the steps for accessing internally since wildcard routing is not supported in 4.1.
I'm a bit confused on the command we should document for the log in step, would it be better as one of the following:
-
$ podman login -u openshift -p
$(oc whoami -t) $ (oc get route -n openshift-image-registry default-route -o jsonpath='{.status.ingress[*].host}{"\n"}') -
podman login -u kubeadmin -p RDhLYKRgyw3JFpG4-9N9yBbLdGK4CtKeAc5aSjFuk3E image-registry.openshift-image-registry.svc:5000
-
podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
There was a problem hiding this comment.
Thanks again! :) Updated.
| ---- | ||
|
|
||
| .. Tag the new image with the form `<registry_ip>:<port>/<project>/<image>`. | ||
| The project name must appear in this pull specification for {product-title} to | ||
| correctly place and later access the image in the registry: | ||
| + | ||
| ---- | ||
| $ podman-tag name.io/image 172.30.124.220:5000/openshift/image | ||
| $ podman tag name.io/image 172.30.124.220:5000/openshift/image |
There was a problem hiding this comment.
$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
| to push the image. | ||
| ==== | ||
|
|
||
| .. Push the newly-tagged image to your registry: | ||
| + | ||
| ---- | ||
| $ podman-push 172.30.124.220:5000/openshift/image | ||
| $ podman push 172.30.124.220:5000/openshift/image |
There was a problem hiding this comment.
$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
| + | ||
| ---- | ||
| $ oc adm ca create-server-cert \ | ||
| --signer-cert=/etc/origin/master/ca.crt \ | ||
| --signer-key=/etc/origin/master/ca.key \ | ||
| --signer-serial=/etc/origin/master/ca.serial.txt \ | ||
| --hostnames='podman-registry.default.svc.cluster.local,podman-registry.default.svc,172.30.124.220' \ | ||
| --hostnames='openshift-image-registry.default.svc.cluster.local,openshift-image-registry.default.svc,172.30.124.220' \ |
| @@ -48,7 +48,7 @@ If the router will be exposed externally, add the public route host name in the | |||
| `--hostnames` flag: | |||
| + | |||
| ---- | |||
| --hostnames='mypodman-registry.example.com,podman-registry.default.svc.cluster.local,172.30.124.220 \ | |||
| --hostnames='myopenshift-image-registry.example.com,openshift-image-registry.default.svc.cluster.local,172.30.124.220 \ | |||
| @@ -134,7 +134,7 @@ done on all nodes in the cluster: | |||
| ---- | |||
| $ dcertsdir=/etc/podman/certs.d | |||
| $ destdir_addr=$dcertsdir/172.30.124.220:5000 | |||
| $ destdir_name=$dcertsdir/podman-registry.default.svc.cluster.local:5000 | |||
| $ destdir_name=$dcertsdir/openshift-image-registry.default.svc.cluster.local:5000 | |||
|
|
|||
| $ sudo mkdir -p $destdir_addr $destdir_name | |||
| $ sudo cp ca.crt $destdir_addr //<1> | |||
There was a problem hiding this comment.
@dmage whether above steps works in 4.x now?
| . Log in to the registry directly: | ||
|
|
||
| .. Ensure you are logged in to {product-title} as a *regular user*: | ||
| . Ensure you are logged in to {product-title} as a cluster administrator: | ||
| + | ||
| ---- | ||
| $ oc login |
There was a problem hiding this comment.
We should show a user how to validate they are an admin here!
| . Log in to the registry directly: | ||
|
|
||
| .. Ensure you are logged in to {product-title} as a *regular user*: | ||
| . Ensure you are logged in to {product-title} as a cluster administrator: |
There was a problem hiding this comment.
Why does it need to be an administrator?
There was a problem hiding this comment.
@dmage What level of user do you need to be in order to access the registry? (I originally brought this content forward from 3.x, and am trying to clarify/update it.)
| + | ||
| ---- | ||
| $ podman-login -u openshift -p $(oc whoami -t) <registry_ip>:<port> | ||
| $ podman login -u openshift -p $(oc whoami -t) $(oc get route -n openshift-image-registry default-route -o jsonpath='{.status.ingress[*].host}{"\n"}') |
There was a problem hiding this comment.
The assumptions of this article are not clear. If it assumes that all actions will be from outside of the cluster, then only external routes can be used. That's a good point that most likely the registry will have untrusted certificate.
| @@ -16,30 +16,30 @@ Manually secure the registry to serve traffic via TLS: | |||
| example: | |||
There was a problem hiding this comment.
I'd say we shouldn't recommend to secure the registry manually anymore. Inside the cluster it is secured by default. Outside of the cluster it can be accessed only through routes, which should have documentation about certificates and all this stuff.
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
5 times, most recently
from
0f38a72 to
1dcd584
Compare
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
from
1dcd584 to
4d98c73
Compare
| * For pulling images, for example when using the `podman-pull` command, | ||
| the user must have the *registry-viewer* role. To add this role: | ||
| . Access the node: | ||
| .. Get the node's address: |
There was a problem hiding this comment.
Could this be a single step w/o a substep?
| + | ||
| ---- | ||
| $ oc policy add-role-to-user registry-editor <user_name> | ||
| $ oc login -u kubeadmin -p <PASSWORD_FROM_INSTALL_LOG> |
There was a problem hiding this comment.
Replaceable could be lowercase.
| + | ||
| ---- | ||
| $ podman-login -u openshift -p $(oc whoami -t) <registry_ip>:<port> | ||
| Login Succeeded! | ||
| ---- | ||
| + | ||
| [NOTE] | ||
| ==== | ||
| You can pass any value for the username, the token contains all necessary |
There was a problem hiding this comment.
Also maybe semicolon instead: "You can pass any value for the user name; the token contains all necessary information."
adellape
added
the
peer-review-done
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
from
4d98c73 to
975cc47
Compare
| ... | ||
| cf2616975b4a: Image successfully pushed | ||
| Digest: sha256:3662dd821983bc4326bee12caec61367e7fb6f6a3ee547cbaff98f77403cab55 | ||
| $ podman push name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image |
There was a problem hiding this comment.
This command should be:
$ podman push image-registry.openshift-image-registry.svc:5000/openshift/image
There was a problem hiding this comment.
Thanks so much, @wzheng1!
bmcelvee
force-pushed
the
bugs-registry-improvement
branch
from
975cc47 to
18ee0ef
Compare
|
All bugs moved to verified, and I pushed the final request. Merging the PR now, and we can make any additional edits in new PRs. Thanks! |
This PR addresses the following bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1704415
https://bugzilla.redhat.com/show_bug.cgi?id=1708765
https://bugzilla.redhat.com/show_bug.cgi?id=1704382
https://bugzilla.redhat.com/show_bug.cgi?id=1704381