Add External Image Registry in OpenShift

There are several ways to connect an external image registry (such as Harbor) to your OpenShift environment. During installation, you can add the image registry in install-config.yaml and set its credentials in the pull secret. When your cluster is up and running, you update the cluster configuration to trust the external image registry. This article describes how to set up Harbor and add it to an OpenShift cluster.

Harbor Installation

Install a standalone Harbor instance with HTTPS enabled, using a self-signed certificate. Before installing Harbor, Docker and Docker Compose must be installed and working on your server. For how to install Docker on your host OS, refer to the instructions here.

First, generate the CA certificate.

# openssl genrsa -out ca.key 4096

# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=SheenCloud/OU=SheenCloud/CN=registry.dev.hyperkuber.io" -key ca.key -out ca.crt

Note

Update the subj fields with your own information; CN should be your registry domain.

Generate the registry server certificate and sign it with the CA certificate created above.

# openssl genrsa -out registry.key 4096
# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=SheenCloud/OU=SheenCloud/CN=registry.dev.hyperkuber.io" -key registry.key -out registry.csr

# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=registry.dev.hyperkuber.io
EOF

# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registry.csr -out registry.crt

# openssl x509 -inform PEM -in registry.crt -out registry.cert

Deploy the registry server certificate to Docker.

# mkdir -p /etc/docker/certs.d/registry.dev.hyperkuber.io
# cp registry.cert /etc/docker/certs.d/registry.dev.hyperkuber.io/
# cp registry.key /etc/docker/certs.d/registry.dev.hyperkuber.io/
# cp ca.crt /etc/docker/certs.d/registry.dev.hyperkuber.io/
# systemctl restart docker

Download and configure the Harbor offline installer.

# wget https://github.com/goharbor/harbor/releases/download/v2.7.0/harbor-offline-installer-v2.7.0.tgz

# tar zxf harbor-offline-installer-v2.7.0.tgz

# mv harbor.yml.tmpl harbor.yml
# vi harbor.yml

hostname: registry.dev.hyperkuber.io

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/certs/registry.cert
  private_key: /root/certs/registry.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: harbor@1234

Note

Update the highlighted configuration entries (hostname, certificate and key paths, and the admin password) to your own values.

Run the install commands.

# ./prepare
# ./install.sh

Connect Registry to OpenShift

Trust the self-signed CA certificate; otherwise image pulls fail with an error like this:

Failed to pull image "registry.dev.hyperkuber.io/library/nginx:latest": rpc error: code = Unknown desc = pinging container registry registry.dev.hyperkuber.io: Get "https://registry.dev.hyperkuber.io/v2/": x509: certificate signed by unknown authority

Create a configmap in the openshift-config namespace whose key is the registry hostname and whose value is the CA certificate:

# oc create configmap registry-config --from-file=registry.dev.hyperkuber.io=./ca.crt -n openshift-config

// if your image registry listens on a port other than 443, append the port to the key
# oc create configmap registry-config --from-file=registry.dev.hyperkuber.io..5000=./ca.crt -n openshift-config

Then reference the configmap from the cluster image configuration:

# oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
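Before copying the certificate to Docker or patching the cluster, it is worth checking that registry.crt actually chains to ca.crt and carries the expected DNS SAN, since either defect surfaces later as the pull error shown above. The script below is an added example, not part of the original article, written around the openssl recipe and the registry-config key convention from this page; it assumes OpenSSL 1.1.1 or newer on PATH, and the make_test_pki helper builds a constructed throw-away CA and leaf so the checks can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): sanity-check a Harbor
# registry certificate before it is copied to docker or the cluster, and
# build the configmap key that additionalTrustedCA expects. Assumes openssl
# 1.1.1 or newer on PATH; file names follow the article (ca.crt, registry.crt).
set -eu

# verify_registry_cert CA_CRT REGISTRY_CRT HOSTNAME -> 0 if usable, 1 if not.
# Failing the chain check is what produces "x509: certificate signed by
# unknown authority" on the nodes; a missing SAN gives a hostname mismatch.
verify_registry_cert() {
  local ca="$1" crt="$2" host="$3"
  # 1. chain: the leaf must be signed by the CA the cluster will trust
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  # 2. SAN: Go/containerd clients ignore CN, so an exact DNS: entry is required
  openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:${host}" || return 1
  # 3. the leaf must not be a CA itself (v3.ext sets basicConstraints=CA:FALSE)
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' && return 1
  return 0
}

# registry_ca_key HOSTNAME [PORT] -> key name for the registry-config configmap.
# OpenShift looks up "host" for port 443 and "host..port" for any other port.
registry_ca_key() {
  local host="$1" port="${2:-443}"
  if [ "$port" = 443 ]; then printf '%s\n' "$host"; else printf '%s..%s\n' "$host" "$port"; fi
}

# make_test_pki DIR HOSTNAME: constructed throw-away CA and leaf, following the
# article's openssl recipe, so the checks above can be exercised offline.
make_test_pki() {
  local d="$1" host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl x509 -req -sha256 -days 2 -extfile "$d/ca.ext" -signkey "$d/ca.key" \
    -in "$d/ca.csr" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example/CN=$host" \
    -keyout "$d/registry.key" -out "$d/registry.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$d/v3.ext"
  openssl x509 -req -sha256 -days 2 -extfile "$d/v3.ext" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -in "$d/registry.csr" -out "$d/registry.crt" >/dev/null 2>&1
}
```

Run `verify_registry_cert ca.crt registry.crt registry.dev.hyperkuber.io` against the real files and only proceed to the docker and oc steps when it returns 0.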

Alternatively, you can list the registry as an insecure registry in OpenShift, which bypasses CA certificate verification entirely: nodes will then accept whatever certificate that host presents.

# oc edit image.config.openshift.io/cluster
apiVersion: config.openshift.io/v1
kind: Image
metadata:
...
  name: cluster
...
spec:
...
  registrySources:
    insecureRegistries:
    - registry.dev.hyperkuber.io
