OpenShift Origin multi-master manual deployment, part 5

8. Deploy the router and the Docker registry service.
Deploy a router running on the three master nodes:

# Allow the "router" service account (-z) to run pods under the hostnetwork SCC,
# which lets the router pods use the node's network namespace.
# NOTE(review): -z names a service account in the current project, while later
# steps pass -n default explicitly; confirm the active project before running.
oadm policy add-scc-to-user hostnetwork -z router
# Create a router named "router" with three replicas on nodes labelled region=infra.
# NOTE(review): the line ends with a continuation backslash but nothing follows
# on the page, so further options were probably lost in extraction; as written
# the command ends here. Check the original post before relying on it.
oadm router router --replicas=3 --selector='region=infra' \

Deploy the Docker registry on node1. First, on node1, create the host directory that the registry will mount:

# Host directory that backs the registry's storage; the same path is given to
# --mount-host when the registry is deployed.
registry_dir=/opt/openshift-registry
mkdir -p "$registry_dir"
# Give the directory to UID 1001, group root (presumably the UID the registry
# container runs as, so that it can write here; confirm for your image).
chown 1001:root "$registry_dir"

On master1, deploy the Docker registry service and secure it:

# Deploy the integrated registry, storing images in a host directory, on nodes
# labelled region=primary.
# NOTE(review): the host directory was created on node1 only; if other nodes
# also carry region=primary the pod could be scheduled where the path does not
# exist. Confirm the label selects node1 alone.
oadm registry \
  --service-account=registry \
  --mount-host=/opt/openshift-registry \
  --selector='region=primary'

# The host-path mount is why the registry service account gets the privileged SCC.
# NOTE(review): privileged is the broadest SCC; any pod started under
# default:registry gets host-level access, so keep that account for the
# registry only and review who may create pods with it.
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry

# Expose the registry through a passthrough route: the router forwards the TLS
# stream unmodified, so the registry itself must present the certificate that
# the following steps create.
oc create route passthrough --service docker-registry -n default

Get the service IP and the route name:

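# List the services and routes in the "default" project, where the route was
# created (-n default) and where the registry service account lives. Without
# -n the commands read whatever project is currently active, which may show
# the wrong service IP or no route at all.
oc get svc -n default
oc get route -n default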

Use the service IP address of the Docker registry and the route name to generate the registry certificates:

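# Issue a serving certificate for the registry, signed by the cluster CA that
# lives on this master.
#
# --hostnames must list every name clients use to reach the registry: the
# docker-registry service IP (from `oc get svc`) and the route hostname (from
# `oc get route`). The page lost both values and left only the comma, so they
# are read from two variables here. The ${VAR:?...} form aborts the command
# when a variable is unset or empty, instead of issuing a certificate with
# empty names that clients would reject.
#
# NOTE: this reads the cluster CA private key (ca.key) and writes registry.key,
# the registry's own private key. Keep both readable by root only.
oc adm ca create-server-cert \
  --signer-cert=/etc/origin/master/ca.crt \
  --signer-key=/etc/origin/master/ca.key \
  --signer-serial=/etc/origin/master/ca.serial.txt \
  --hostnames="${REGISTRY_SVC_IP:?set to the docker-registry service IP},${REGISTRY_ROUTE_HOST:?set to the docker-registry route hostname}" \
  --cert=/etc/origin/master/registry.crt \
  --key=/etc/origin/master/registry.key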

Copy the certificate files to the other master nodes:

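# Copy the registry certificate and key to the other two masters.
# The page lost everything after "root@", so the target hosts are read from two
# variables; ${VAR:?...} stops scp when one is unset rather than running with an
# empty destination.
# NOTE(review): the destination directory is assumed to mirror the source path;
# the original text did not survive, so confirm it.
# NOTE: registry.* includes registry.key, a private key. Copy it only to hosts
# that need it and check its file mode on arrival.
scp /etc/origin/master/registry.* "root@${MASTER2_HOST:?set to the hostname of the second master}:/etc/origin/master/"
scp /etc/origin/master/registry.* "root@${MASTER3_HOST:?set to the hostname of the third master}:/etc/origin/master/"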

Update the registry service:

# Store the registry certificate and its private key as the secret
# "registry-certificates" in the default project.
oc secrets new registry-certificates \
  /etc/origin/master/registry.crt \
  /etc/origin/master/registry.key \
  -n default

# Attach the secret to the "registry" and "default" service accounts, in that order.
# NOTE(review): once attached, pods running under these accounts can mount the
# private key; confirm the "default" account really needs it.
for sa in registry default; do
  oc secrets add "$sa" registry-certificates -n default
done

# Tell the registry where to find its TLS certificate and key inside the container.
# NOTE(review): each command below edits the deployment config and may trigger
# its own rollout; /etc/secrets only exists once the final `oc volume` step has
# mounted the secret, so earlier rollouts may fail until then. Judge the result
# after the last command.
oc env dc/docker-registry \
  REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
  REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key \
  -n default

# Switch the liveness probe to HTTPS so health checks still pass once the
# registry only speaks TLS.
oc patch dc/docker-registry --api-version=v1 -n default \
  -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","livenessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}'

# Same change for the readiness probe.
oc patch dc/docker-registry --api-version=v1 -n default \
  -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","readinessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}'

# Mount the registry-certificates secret at /etc/secrets, the directory the two
# environment variables above point into.
oc volume dc/docker-registry \
  --add \
  --type=secret \
  --secret-name=registry-certificates \
  -m /etc/secrets \
  -n default
