diff --git a/_topic_map.yml b/_topic_map.yml
index d950c774f7b3..d5880c70d520 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -293,7 +293,7 @@ Topics:
 - Name: Accessing the registry
 File: accessing-the-registry
 Distros: openshift-enterprise,openshift-origin
-- Name: Securing and exposing the registry
+- Name: Exposing the registry
 File: securing-exposing-registry
 Distros: openshift-enterprise,openshift-origin
 ---
diff --git a/applications/pruning-objects.adoc b/applications/pruning-objects.adoc
index 54778075cc11..617f2728c101 100644
--- a/applications/pruning-objects.adoc
+++ b/applications/pruning-objects.adoc
@@ -24,7 +24,7 @@ include::modules/pruning-builds.adoc[leveloffset=+1]
 include::modules/pruning-images.adoc[leveloffset=+1]
 .Additional resources
 - xref:../registry/accessing-the-registry.adoc#accessing-the-registry[Accessing the registry]
-- xref:../registry/securing-exposing-registry.adoc#securing-exposing-registry[Securing and exposing the registry]
+- xref:../registry/securing-exposing-registry.adoc#securing-exposing-registry[Exposing the registry]
 include::modules/pruning-hard-pruning-registry.adoc[leveloffset=+1]
 include::modules/pruning-cronjobs.adoc[leveloffset=+1]
diff --git a/modules/pruning-images.adoc b/modules/pruning-images.adoc
index 2cb31f68b0ce..7d72836525bf 100644
--- a/modules/pruning-images.adoc
+++ b/modules/pruning-images.adoc
@@ -47,8 +47,8 @@ routes are not created by default. See xref:../registry/configuring-registry-operator.adoc#configuring-registry-operator[Image Registry Operator in {product-title}] for information on how to create a registry route and see
-xref:../registry/securing-exposing-registry.adoc#securing-exposing-registry[Securing
-and exposing the registry] for details on how to expose the registry service.
+xref:../registry/securing-exposing-registry.adoc#securing-exposing-registry[Exposing
+the registry] for details on how to expose the registry service.
 .Prune images CLI configuration options
 [cols="4,8",options="header"]
diff --git a/modules/registry-accessing-directly.adoc b/modules/registry-accessing-directly.adoc
index f398581dcdf9..5537223e46e1 100644
--- a/modules/registry-accessing-directly.adoc
+++ b/modules/registry-accessing-directly.adoc
@@ -1,70 +1,47 @@
 // Module included in the following assemblies:
 //
-// * assembly/registry
+// * registry/accessing-the-registry.adoc
 [id="registry-accessing-directly_{context}"]
-= Accessing registry directly
+= Accessing registry directly from the cluster
-You can access the registry directly to invoke `podman` commands. This allows
-you to push images to or pull them from the integrated registry directly using
-operations like `podman-push` or `podman-pull`. To do so, you must be logged in
-to the registry using the `podman-login` command. The operations you can perform
-depend on your user permissions, as described in the following sections.
+You can access the registry from inside the cluster.
-.Prerequisites
+.Procedure
-* For any direct access, you must have a regular user for your preferred identity
-provider.
-** A regular user can generate an access token required for logging in to
-the registry.
-** System users, such as *system:admin*, cannot obtain access tokens
-and, therefore, cannot access the registry directly.
-+
-For example, if you are using `HTPASSWD` authentication, you can create one
-using the following command:
-+
-----
-# htpasswd /etc/origin/openshift-htpasswd
-----
+Access the registry from the cluster by using internal routes:
-* For pulling images, for example when using the `podman-pull` command,
-the user must have the *registry-viewer* role. To add this role:
+. Access the node by getting the node's address:
 +
 ----
-$ oc policy add-role-to-user registry-viewer
+$ oc get nodes
+$ oc debug nodes/
 ----
-
-* For writing or pushing images, for example when using the `podman-push` command,
-the user must have the *registry-editor* role. To add this role:
 +
-----
-$ oc policy add-role-to-user registry-editor
-----
-
-.Procedure
-
-. Log in to the registry directly:
-
-.. Ensure you are logged in to {product-title} as a *regular user*:
+. Log in to the container image registry by using your access token:
 +
 ----
-$ oc login
+$ oc login -u kubeadmin -p
+$ podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
 ----
-
-.. Log in to the container image registry by using your access token:
++
+You should see a message confirming login, such as:
 +
 ----
-$ podman-login -u openshift -p $(oc whoami -t) :
+Login Succeeded!
 ----
 +
 [NOTE]
 ====
-You can pass any value for the username, the token contains all necessary
-information. Passing a username that contains colons will result in a login
+You can pass any value for the user name; the token contains all necessary
+information. Passing a user name that contains colons will result in a login
 failure.
+
+Since the Image Registry Operator creates the route, it will likely be similar to
+`default-route-openshift-image-registry.`.
 ====
 +
-. Perform `podman-pull` and `podman-push` operations against your registry:
+. Perform `podman pull` and `podman push` operations against your registry:
 +
 [IMPORTANT]
 ====
@@ -96,7 +73,7 @@ In the following examples, use:
 .. Pull an arbitrary image:
 +
 ----
-$ podman-pull name.io/image
+$ podman pull name.io/image
 ----
 .. Tag the new image with the form `://`.
@@ -104,22 +81,19 @@ The project name must appear in this pull specification for {product-title} to
 correctly place and later access the image in the registry:
 +
 ----
-$ podman-tag name.io/image 172.30.124.220:5000/openshift/image
+$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
 ----
 +
 [NOTE]
 ====
-Your regular user must have the *system:image-builder* role for the specified
+You must have the `system:image-builder` role for the specified
 project, which allows the user to write or push an image. Otherwise, the
-`podman-push` in the next step will fail. To test, you can create a new project
+`podman push` in the next step will fail. To test, you can create a new project
 to push the image.
 ====
 .. Push the newly-tagged image to your registry:
 +
 ----
-$ podman-push 172.30.124.220:5000/openshift/image
-...
-cf2616975b4a: Image successfully pushed
-Digest: sha256:3662dd821983bc4326bee12caec61367e7fb6f6a3ee547cbaff98f77403cab55
+$ podman push image-registry.openshift-image-registry.svc:5000/openshift/image
 ----
diff --git a/modules/registry-operator-default-crd.adoc b/modules/registry-operator-default-crd.adoc
index 02ee8982765c..73a32ee20013 100644
--- a/modules/registry-operator-default-crd.adoc
+++ b/modules/registry-operator-default-crd.adoc
@@ -4,19 +4,19 @@
 [id="registry-operator-default-crd_{context}"]
-= Securing the Image Registry with the Custom Resource Definition
+= Enable the Image Registry default route with the Custom Resource Definition
 In {product-title}, the `Registry` Operator controls the registry feature. The Operator is defined by the `configs.imageregistry.operator.openshift.io` Custom Resource Definition (CRD).
-If you must automatically secure the Image Registry, patch the Image Registry
-Operator CRD.
+If you need to automatically enable the Image Registry default route, patch the
+Image Registry Operator CRD.
 .Procedure
 * Patch the Image Registry Operator CRD:
 +
 ----
-$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":false}}'
+$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
 ----
diff --git a/modules/registry-securing-manually.adoc b/modules/registry-securing-manually.adoc
deleted file mode 100644
index de6015b4e1ad..000000000000
--- a/modules/registry-securing-manually.adoc
+++ /dev/null
@@ -1,187 +0,0 @@
-// Module included in the following assemblies:
-//
-// * assembly/registry
-
-[id="registry-securing-manually_{context}"]
-= Securing the registry manually
-
-If for any reason your registry has not been secured, see the following
-sections for steps on how to manually do so.
-
-.Procedure
-
-Manually secure the registry to serve traffic via TLS:
-
-. Login to the registry as a user with cluster administrator privileges, for
-example:
-+
-----
-$ podman-login registry.redhat.io
-----
-+
-. Fetch the service IP and port of the registry:
-+
-----
-$ oc get svc/podman-registry
-NAME LABELS SELECTOR IP(S) PORT(S)
-podman-registry podman-registry=default podman-registry=default 172.30.124.220 5000/TCP
-----
-+
-. You can use an existing server certificate, or create a key and server
-certificate valid for specified IPs and host names, signed by a specified CA. To
-create a server certificate for the registry service IP and the
-*podman-registry.default.svc.cluster.local* host name,
-run the following command from the first master listed in the Ansible host inventory file,
-by default *_/etc/ansible/hosts_*:
-+
-----
-$ oc adm ca create-server-cert \
- --signer-cert=/etc/origin/master/ca.crt \
- --signer-key=/etc/origin/master/ca.key \
- --signer-serial=/etc/origin/master/ca.serial.txt \
- --hostnames='podman-registry.default.svc.cluster.local,podman-registry.default.svc,172.30.124.220' \
- --cert=/etc/secrets/registry.crt \
- --key=/etc/secrets/registry.key
-----
-+
-If the router will be exposed externally, add the public route host name in the
-`--hostnames` flag:
-+
-----
---hostnames='mypodman-registry.example.com,podman-registry.default.svc.cluster.local,172.30.124.220 \
-----
-+
-[NOTE]
-====
-The `oc adm ca create-server-cert` command generates a certificate that is valid
-for two years. This can be altered with the `--expire-days` option, but for
-security reasons, it is recommended to not make it greater than this value.
-====
-+
-. Create the secret for the registry certificates:
-+
-----
-$ oc create secret generic registry-certificates \
- --from-file=/etc/secrets/registry.crt \
- --from-file=/etc/secrets/registry.key
-----
-+
-. Add the secret to the registry pod's service accounts (including the *default*
-service account):
-+
-----
-$ oc secrets link registry registry-certificates
-$ oc secrets link default registry-certificates
-----
-+
-[NOTE]
-====
-Limiting secrets to only the service accounts that reference them is disabled by
-default. This means that if `serviceAccountConfig.limitSecretReferences` is set
-to `false` (the default setting) in the master configuration file, linking
-secrets to a service is not required.
-====
-+
-. Pause the `podman-registry` service:
-+
-----
-$ oc rollout pause dc/podman-registry
-----
-+
-. Add the secret volume to the registry DeploymentConfig:
-+
-----
-$ oc set volume dc/podman-registry --add --type=secret \
- --secret-name=registry-certificates -m /etc/secrets
-----
-+
-. Enable TLS by adding the following environment variables to the registry
-DeploymentConfig:
-+
-----
-$ oc set env dc/podman-registry \
- REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
- REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
-----
-+
-. Update the scheme used for the registry's liveness probe from HTTP to HTTPS:
-+
-----
-$ oc patch dc/podman-registry -p '{"spec": {"template": {"spec": {"containers":[{
- "name":"registry",
- "livenessProbe": {"httpGet": {"scheme":"HTTPS"}}
- }]}}}}'
-----
-+
-. Resume the `podman-registry` service:
-+
-----
-$ oc rollout resume dc/podman-registry
-----
-+
-. Validate the registry is running in TLS mode. Wait until the latest *podman-registry*
-deployment completes and verify the Podman logs for the registry container. You should
-find an entry for `listening on :5000, tls`.
-+
-----
-$ oc logs dc/podman-registry | grep tls
-time="2015-05-27T05:05:53Z" level=info msg="listening on :5000, tls" instance.id=deeba528-c478-41f5-b751-dc48e4935fc2
-----
-+
-. Copy the CA certificate to the Podman certificates directory. This must be
-done on all nodes in the cluster:
-+
-----
-$ dcertsdir=/etc/podman/certs.d
-$ destdir_addr=$dcertsdir/172.30.124.220:5000
-$ destdir_name=$dcertsdir/podman-registry.default.svc.cluster.local:5000
-
-$ sudo mkdir -p $destdir_addr $destdir_name
-$ sudo cp ca.crt $destdir_addr //<1>
-$ sudo cp ca.crt $destdir_name
-----
-<1> The *_ca.crt_* file is a copy
- of *_/etc/origin/master/ca.crt_* on the master.
-+
-. When using authentication, some versions of `podman` also require you to
-configure your cluster to trust the certificate at the OS level.
-
-.. Copy the certificate:
-+
-----
-$ cp /etc/origin/master/ca.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
-----
-
-.. Run:
-+
-----
-$ update-ca-trust enable
-----
-
-. Remove the `--insecure-registry` option only for this particular registry in
-the *_/etc/sysconfig/podman_* file. Then, reload the daemon and restart the
-*podman* service to reflect this configuration change:
-+
-----
-$ sudo systemctl daemon-reload
-$ sudo systemctl restart podman
-----
-+
-. Validate the `podman` client connection. Running `podman push`
-to the registry or `podman pull` from the registry should succeed. Make sure you have
-logged into the registry.
-+
-----
-$ podman tag|push
-----
-+
-For example:
-+
-----
-$ podman pull busybox
-$ podman tag docker.io/busybox 172.30.124.220:5000/openshift/busybox
-$ podman push 172.30.124.220:5000/openshift/busybox
-...
-cf2616975b4a: Image successfully pushed
-Digest: sha256:3662dd821983bc4326bee12caec61367e7fb6f6a3ee547cbaff98f77403cab55
-----
diff --git a/registry/accessing-the-registry.adoc b/registry/accessing-the-registry.adoc
index 064e936900e2..6b33cf692a43 100644
--- a/registry/accessing-the-registry.adoc
+++ b/registry/accessing-the-registry.adoc
@@ -7,6 +7,29 @@ toc::[]
 Use the following sections for instructions on accessing the registry, including viewing logs and metrics, as well as securing and exposing the registry.
+You can access the registry directly to invoke `podman` commands. This allows
+you to push images to or pull them from the integrated registry directly using
+operations like `podman push` or `podman pull`. To do so, you must be logged in
+to the registry using the `oc login` command. The operations you can perform
+depend on your user permissions, as described in the following sections.
+
+.Prerequisites
+
+* You must have configured an identity provider (IDP).
+* For pulling images, for example when using the `podman pull` command,
+the user must have the `registry-viewer` role. To add this role:
++
+----
+$ oc policy add-role-to-user registry-viewer
+----
+
+* For writing or pushing images, for example when using the `podman push` command,
+the user must have the `registry-editor` role. To add this role:
++
+----
+$ oc policy add-role-to-user registry-editor
+----
+
 include::modules/registry-accessing-directly.adoc[leveloffset=+1]
 include::modules/registry-viewing-contents.adoc[leveloffset=+1]
@@ -14,3 +37,11 @@ include::modules/registry-viewing-contents.adoc[leveloffset=+1]
 include::modules/registry-viewing-logs.adoc[leveloffset=+1]
 include::modules/registry-accessing-metrics.adoc[leveloffset=+1]
+
+.Additional resources
+
+* A `kubeadmin` can access the registry until deleted. See
+xref:../authentication/remove-kubeadmin.adoc[Removing the kubeadmin user] for
+more information.
+* For more information on configuring an identity provider, see
+xref:../authentication/understanding-identity-provider.adoc[Understanding identity provider configuration].
diff --git a/registry/architecture-component-imageregistry.adoc b/registry/architecture-component-imageregistry.adoc
index 5d47436aca46..57b88718d33f 100644
--- a/registry/architecture-component-imageregistry.adoc
+++ b/registry/architecture-component-imageregistry.adoc
@@ -6,7 +6,9 @@ toc::[]
 include::modules/registry-integrated-openshift-registry.adoc[leveloffset=+1]
-//.Additional resources
-//* LINK TO REGISTRY OPERATOR CONFIG DOCS
+.Additional resources
+
+* xref:../registry/configuring-registry-operator.adoc[Image Registry Operator in {product-title}]
+
 //* Link: Triggering updates on imagestream changes
 //* LINK TO API DOCS
diff --git a/registry/securing-exposing-registry.adoc b/registry/securing-exposing-registry.adoc
index 95c96d233bc5..911f41cf275d 100644
--- a/registry/securing-exposing-registry.adoc
+++ b/registry/securing-exposing-registry.adoc
@@ -1,6 +1,6 @@
 :context: securing-exposing-registry
 [id="securing-exposing-registry"]
-= Securing and exposing the registry
+= Exposing the registry
 include::modules/common-attributes.adoc[]
 toc::[]
@@ -12,8 +12,6 @@ created by default to expose the service externally.
 endif::[]
-include::modules/registry-securing-manually.adoc[leveloffset=+1]
-
 include::modules/registry-exposing-secure-registry-manually.adoc[leveloffset=+1]
 include::modules/registry-exposing-non-secure-registry-manually.adoc[leveloffset=+1]