DO288 - ch03s03

Bookmark this page

Using External Registries in Red Hat OpenShift

Objectives

Use container images from remote container registries in Red Hat OpenShift.

Reviewing Container Registries

A container image registry, container registry, or registry server stores the images that you deploy as containers and provides mechanisms to pull, push, update, search, and remove container images. It uses a standard REST API defined by the Open Container Initiative (OCI), which is based on the Docker Registry HTTP API v2. From the perspective of an organization that runs a Red Hat OpenShift cluster, there are many kinds of container registries:

Public registries: Registries that allow anyone to consume container images directly from the internet without any authentication, such as Docker Hub, Quay.io, or the Red Hat Registry.
Private registries: Registries that are available only to selected consumers and usually require authentication. The Red Hat terms-based registry is an example of a private container registry.
Enterprise registries: Registries that your organization manages. Such registries are usually available only to the organization's employees.
OpenShift internal registries: A registry server managed internally by an OpenShift cluster to store container images.

These kinds of registries are not mutually exclusive: a registry can be, at the same time, both public and private.

Quay.io works as both a public and a private registry for some users. Some container images from Quay.io are public, but other container images require authentication. Organizations can create private registries in Quay.io that require authentication.

Alternatively, organizations can deploy and maintain an internal, on-premise Quay registry. See the references section for more information about deploying Red Hat Quay for both non-production and production use-cases.

Authenticating OpenShift with Private Registries

Developers commonly use internal container registries, which are managed by their organization, or cloud registries with private accounts. To deploy container images from those registries, OpenShift must be authenticated with the external registry.

To authorize OpenShift with an external registry, store credentials for authorizing the registry in OpenShift and associate the credentials with your service account.

Creating Registry Credentials in OpenShift

You can store credentials for a remote registry in a Secret object. Secrets and configuration maps (ConfigMap) are namespaced objects that enable you to externalize data from your applications in your OpenShift cluster.

You can use the oc create command to create a secret, for example:

[user@host ~]$ oc create secret generic example-secret \
--from-literal=user=developer --namespace=example-ns
secret/example-secret created

The preceding command creates a generic secret, which contains the user key with the developer value. Objects in the example-ns project can refer to that secret.

You can use the OpenShift console to create secrets. In the Developer perspective, click Secrets. Select a project, click Create, and then select the secret type that you want to create.

Figure 3.2: Create secrets in the OpenShift console

Kubernetes provides the docker-registry secret type to store credentials for authentication with the container registry.

[user@host ~]$ oc create secret docker-registry SECRET_NAME \
--docker-server REGISTRY_URL \
--docker-username USER \
--docker-password PASSWORD \
--docker-email=EMAIL
secret/SECRET_NAME created

You can also use the console to create the docker-registry secret.

Figure 3.3: Create docker-registry secrets in the OpenShift console

The docker-registry secret use the following YAML file:

apiVersion: v1
kind: Secret
metadata:
  name: SECRET_NAME
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: DATA

The preceding example uses the URL, user, and password to create the .dockerconfigjson key, with the value similar to the following example:

{
  "auths": {
    "REGISTRY_URL": {
      "username": "USER",
      "password": "PASSWORD",
      "email": "EMAIL",
      "auth": "ebz...eZ2"
    }
  }
}

You can also create the secret from existing credentials. For example, if you logged in to the private registry with Podman, then you have existing credentials in the ${XDG_RUNTIME_DIR}/containers/auth.json file. Because the auth.json file uses the same structure as the .dockerconfigjson file, you can create the secret by using the auth.json file.

[user@host ~]$ oc create secret generic SECRET_NAME \
--from-file .dockerconfigjson=${XDG_RUNTIME_DIR}/containers/auth.json \
--type kubernetes.io/dockerconfigjson

You can also upload the auth.json file in the OpenShift console when creating the secret.

Configuring OpenShift to Use the Registry Credentials

You can configure OpenShift to use custom credentials by using the spec.imagePullSecrets Pod property, for example:

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  containers:
  - name: example-container
    image: REGISTRY_URL
  imagePullSecrets:
  - name: SECRET_NAME

Consequently, you can use the property for controllers, such as the Deployment or DeploymentConfig objects:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: example-container
          image: REGISTRY_URL
      imagePullSecrets:
        - name: SECRET_NAME

Linking Registry Credentials to Service Accounts

Instead of manually assigning the credentials to pods, you can configure OpenShift to assign the credentials to pods automatically by using service accounts. A service account provides an identity for pods. Pods use the default service account unless you configure a different service account.

Use the oc secrets link command to connect a secret with a service account, for example:

[user@host ~]$ oc secrets link --for=pull default SECRET_NAME
no output expected

The preceding command creates a new entry in the service account .spec.imagePullSecrets field:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
imagePullSecrets:
- name: SECRET_NAME

When you create a pod that uses the default service account, it inherits the imagePullSecrets field without you explicitly specifying the field in the pod definition.

This means that every pod that uses the default service account is authorized with the registry credentials in your secret.

See the Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster course for more information about service accounts.

References

Red Hat Quay is a distributed and highly available container image registry

Pull an Image from a Private Registry

Configure Service Accounts for Pods

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster

For more information about deploying Red Hat Quay for non-production use-cases, refer to the Red Hat Quay Deploy Red Hat Quay for proof-of-concept (non-production) purposes documentation at https://access.redhat.com/documentation/en-us/red_hat_quay/3.8/html-single/deploy_red_hat_quay_for_proof-of-concept_non-production_purposes/index

For more information about deploying Red Hat Quay for production use-cases, refer to the Red Hat Quay Deploy Red Hat Quay - High Availability documentation at https://access.redhat.com/documentation/en-us/red_hat_quay/3.8/html-single/deploy_red_hat_quay_-_high_availability/index

For more information about authenticating OpenShift with image registries, refer to the Using image pull secrets chapter in the Red Hat OpenShift Container Platform 4.12 Images documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html-single/images/index#using-image-pull-secrets

Discuss Red Hat OpenShift Developer II: Building and Deploying Cloud-native Applications

Go to community

Red Hat OpenShift Developer II: Building Kubernetes Applications (DO288)

Haley_Ruccio

31 lip 2023

Design, build, and deploy containerized applications on Red Hat OpenShiftRed Hat OpenShift Developer II: Building Kubernetes Applications (DO288) teaches you how to design, build, and deploy containerized software applications on an OpenShift clusterWhether you are migrating existing applications or writing container-native applications, you will learn how to boost developer productivity powered by Red Hat® OpenShift Container Platform, a containerized application platform that allows enterprises to manage container deployments and scale their applications using Kubernetes.This course is based on Red Hat OpenShift Container Platform 4.10.Course content summaryDesign containerized applications for OpenShift.Manage and trigger application builds using Source-to-Image (S2I).Customize an existing source-to-image base image.Deploy multi-container applications using Helm Charts.Create health checks to monitor and improve application reliability.Create and deploy cloud-native applications on OpenShift.Audience for this courseEnterprise application developersDevOps site reliability engineersRecommended for this courseTake our free assessment to gauge whether this offering is the best fit for your skills.View the Red Hat OpenShift skill paths.Complete Red Hat OpenShift I: Containers & Kubernetes (DO180), or have equivalent knowledgeBeing a Red Hat Certified System Administrator or having earned a higher certification is helpful for navigation and usage of the command line, but is not requiredTechnology considerationsThis course uses a lab environment provisioned in the Red Hat Online Learning (ROL) cloud.Internet access is required to run the exercises and labs.

Welcome to the Red Hat OpenShift Developer II (DO288) group in the Red Hat Learning Community!

Deanna

31 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course DO288! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO288.Read more about Red Hat OpenShift Developer II: Building Kubernetes Applications here.

406

Revision: do288-4.12-0d49506