Add External Image Registry in OpenShift

There are several ways to connect an external image registry (such as Harbor) to your OpenShift environment. During installation you can add the registry to install-config.yaml and put its credentials in the pull secret. When the cluster is already up and running, update the cluster configuration to trust the external image registry. This article describes how to set up Harbor and add it to an OpenShift cluster.

Harbor Installation

Install a standalone Harbor instance with HTTPS enabled, using a self-signed certificate. Before installing Harbor, Docker and Docker Compose must be installed and working on your server. For how to install Docker on your host OS, refer here.

First, generate the CA certificate.

# openssl genrsa -out ca.key 4096

# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=SheenCloud/OU=SheenCloud/" -key ca.key -out ca.crt


Update the -subj value to your own information; CN should be your registry domain.

Generate the registry server certificate and sign it with the CA certificate created above.

# openssl genrsa -out registry.key 4096
# openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=SheenCloud/OU=SheenCloud/" -key registry.key -out registry.csr

# cat > v3.ext <<-EOF
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = <your registry domain>
EOF

# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registry.csr -out registry.crt

# openssl x509 -inform PEM -in registry.crt -out registry.cert
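As an added example (not code from the article or the Harbor project), the following script carries out the same certificate generation end to end and then verifies the result the way a TLS client would. It assumes openssl is on the PATH and takes the registry domain and an output directory as arguments; the CA subject "Harbor Root CA" is a made-up name. It goes one step beyond the commands above by writing the [alt_names] section explicitly, because Docker and the OpenShift node runtime match the registry hostname against subjectAltName, not against CN.

```shell
#!/bin/sh
# Added example (not from the original article): generate the CA and the
# registry server certificate in one go, with the registry domain in both
# CN and subjectAltName, then verify the result the way a TLS client would.
# Assumptions: openssl is on PATH; the caller supplies DOMAIN and OUTDIR.
set -eu

make_registry_certs() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"

    # Explicit CA config, so the root gets real CA extensions regardless of
    # what the system openssl.cnf contains. "Harbor Root CA" is a made-up name.
    cat > "$outdir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Harbor Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$outdir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -config "$outdir/ca.cnf" -key "$outdir/ca.key" -out "$outdir/ca.crt"

    # Server key and CSR. CN carries the domain for older clients; the
    # [alt_names] section (missing from the article's v3.ext) carries it for
    # every current one.
    openssl genrsa -out "$outdir/registry.key" 4096 2>/dev/null
    openssl req -sha512 -new -subj "/C=CN/O=SheenCloud/CN=$domain" \
        -key "$outdir/registry.key" -out "$outdir/registry.csr"
    cat > "$outdir/v3.ext" <<EOF
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
EOF
    openssl x509 -req -sha512 -days 3650 -extfile "$outdir/v3.ext" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -in "$outdir/registry.csr" -out "$outdir/registry.crt" 2>/dev/null
    # Docker reads a .cert file from /etc/docker/certs.d/<registry host>/
    openssl x509 -inform PEM -in "$outdir/registry.crt" -out "$outdir/registry.cert"
}

# Succeeds only if registry.crt chains to ca.crt, is valid for the given
# hostname, and lists that hostname as a DNS SAN.
verify_registry_cert() {
    domain="$1"; outdir="$2"
    openssl verify -CAfile "$outdir/ca.crt" -verify_hostname "$domain" \
        "$outdir/registry.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$outdir/registry.crt" -noout -text | grep -q "DNS:$domain"
}

# Usage:
#   make_registry_certs harbor.example.com ./certs
#   verify_registry_cert harbor.example.com ./certs && echo "chain OK"
```

The verification step is the part worth keeping around: running it against the files before copying them to /etc/docker/certs.d/ or into the OpenShift ConfigMap catches a certificate whose SAN does not match the hostname, which is the most common reason the "x509: certificate signed by unknown authority" and "certificate is valid for X, not Y" pull errors survive after the CA has been trusted.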

Deploy the registry server certificate to Docker.

# mkdir -p /etc/docker/certs.d/
# cp registry.cert /etc/docker/certs.d/
# cp registry.key /etc/docker/certs.d/
# cp ca.crt /etc/docker/certs.d/
# systemctl restart docker

Download and configure the Harbor offline installer.

# wget

# tar zxf harbor-offline-installer-v2.7.0.tgz

# mv harbor.yml.tmpl harbor.yml
# vi harbor.yml


# http related config
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/certs/registry.cert
  private_key: /root/certs/registry.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url:

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: harbor@1234


Update the configuration entries shown above (registry hostname, certificate paths and admin password) to your own values.

Run the install commands.

# ./prepare 
# ./

Connect Registry to OpenShift

Trust the self-signed CA certificate, or image pulls will fail with an error like:

Failed to pull image "": rpc error: code = Unknown desc = pinging container registry Get "": x509: certificate signed by unknown authority

# oc create configmap registry-config -n openshift-config

If your image registry listens on a port other than 443, add the port to the configmap key:

# oc create configmap registry-config -n openshift-config

# oc patch --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge

Alternatively, you can mark the registry as an insecure registry in OpenShift, which bypasses CA certificate verification entirely.

# oc edit
kind: Image
  name: cluster
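The following script is an added example, not code from the article or from the OpenShift project. It builds the objects that the two oc commands above (trusted CA, and the insecure-registry alternative) need, without calling oc, so the naming rules can be checked before touching the cluster. The registry host, port and CA file are supplied by the caller; harbor.example.com and the values in the usage note are made up.

```shell
#!/bin/sh
# Added example, not from the article or the Harbor/OpenShift projects.
# Builds the ConfigMap key, the oc commands and the patches the article's
# "Connect Registry to OpenShift" section uses, without calling oc.
# Assumed values: host, port and CA file path come from the caller.
set -eu

# OpenShift stores one CA per registry in the ConfigMap, keyed by hostname;
# a non-443 port is appended with two dots ("host..port"), never a colon,
# because a colon is not a valid ConfigMap key character.
registry_ca_key() {
    host="$1"; port="${2:-443}"
    if [ "$port" = "443" ]; then
        printf '%s\n' "$host"
    else
        printf '%s..%s\n' "$host" "$port"
    fi
}

# The exact oc commands to trust the CA. image.config.openshift.io/cluster
# is the cluster-wide Image resource that the article's oc patch targets.
oc_trust_ca_cmds() {
    host="$1"; port="${2:-443}"; cafile="$3"
    key=$(registry_ca_key "$host" "$port")
    printf 'oc create configmap registry-config --from-file=%s=%s -n openshift-config\n' "$key" "$cafile"
    printf "oc patch image.config.openshift.io/cluster --patch '{\"spec\":{\"additionalTrustedCA\":{\"name\":\"registry-config\"}}}' --type=merge\n"
}

# Equivalent ConfigMap manifest, for a GitOps repository instead of oc create.
registry_ca_configmap_yaml() {
    host="$1"; port="${2:-443}"; cafile="$3"
    key=$(registry_ca_key "$host" "$port")
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: registry-config\n  namespace: openshift-config\ndata:\n  %s: |\n' "$key"
    sed 's/^/    /' "$cafile"
}

# The insecure alternative: a registry listed under
# spec.registrySources.insecureRegistries has TLS verification disabled
# for every pull, so prefer the CA ConfigMap above and keep this for lab
# clusters only. Note that a merge patch replaces the whole list.
insecure_registry_patch() {
    host="$1"; port="${2:-443}"
    if [ "$port" = "443" ]; then entry="$host"; else entry="$host:$port"; fi
    printf '{"spec":{"registrySources":{"insecureRegistries":["%s"]}}}\n' "$entry"
}

# Usage:
#   oc_trust_ca_cmds harbor.example.com 8443 ./certs/ca.crt
#   registry_ca_configmap_yaml harbor.example.com 8443 ./certs/ca.crt > registry-config.yaml
#   insecure_registry_patch harbor.example.com 8443
```

The two-dot key convention is the detail that most often goes wrong: a key of the form harbor.example.com:8443 is rejected by the API server, and a key without the port is silently ignored for pulls from harbor.example.com:8443, which leaves the "certificate signed by unknown authority" error in place even though the ConfigMap exists.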
