8. Deploy router and docker registry service.
deploy a router, running on three master nodes
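# Two separate commands; they were run together on one line, which also left
# a stray "\ " in the middle of the second command.

# Let the "router" service account run pods under the hostnetwork SCC.
oadm policy add-scc-to-user hostnetwork -z router

# Deploy three router replicas on the nodes labelled region=infra.
oadm router router --replicas=3 --selector='region=infra' \
  --service-account=router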
Deploy the docker registry so that it runs on node1. First, on node1:
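# Two separate commands; run as one line, mkdir would treat "chown" and
# "1001:root" as extra directory names.

# Host directory that will back the registry's image storage.
mkdir -p /opt/openshift-registry

# Hand the directory to UID 1001, group root.
# NOTE(review): presumably 1001 is the UID the registry container runs as;
# confirm for the image in use.
chown 1001:root /opt/openshift-registry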
on master1, deploy docker registry service and secure it:
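# Three separate commands that were run together on one line.

# Create the registry with its storage on the host directory prepared above.
# NOTE(review): the selector matches every node labelled region=primary; if
# more than node1 carries that label, the pod may land on a node where
# /opt/openshift-registry was not prepared. Confirm the labels.
oadm registry --service-account=registry \
  --mount-host=/opt/openshift-registry \
  --selector='region=primary'

# The host mount needs the privileged SCC. That SCC also lets the pod run as
# a privileged container on the node, so grant it to this one service account
# only, never to a group or to the default service account.
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry

# Passthrough route: the router does not terminate TLS, so the registry must
# serve its own certificate (configured in the steps that follow).
oc create route passthrough --service docker-registry -n default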
get service ip and route name
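# Two separate commands that were run together on one line. Run them in the
# project that holds the registry (the later steps use -n default).

# Note the cluster IP of the docker-registry service.
oc get svc

# Note the host name of the docker-registry route.
oc get route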
use the svc ip address of docker registry and route name to generate registry certs:
# Issue a server certificate for the registry, signed by the cluster CA.
# The IP address and host name in --hostnames are this cluster's values; use
# the service IP and route host reported by the previous step instead.
# ca.key is the CA's private key and registry.key is the new private key:
# both should stay readable by root only.
oc adm ca create-server-cert \
  --signer-cert=/etc/origin/master/ca.crt \
  --signer-key=/etc/origin/master/ca.key \
  --signer-serial=/etc/origin/master/ca.serial.txt \
  --hostnames="172.30.157.162,docker-registry-default.route.openshift.qyos.com" \
  --cert=/etc/origin/master/registry.crt \
  --key=/etc/origin/master/registry.key
Copy the cert files to the other master nodes:
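# Two separate commands that were run together on one line.
# registry.* includes registry.key, the registry's private key. After the
# copy, check that it is still readable by root only on each master.
scp /etc/origin/master/registry.* root@192.168.2.207:/etc/origin/master/
scp /etc/origin/master/registry.* root@192.168.2.208:/etc/origin/master/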
update registry service
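# Seven separate commands that were run together on one line.

# Store the registry certificate and private key as a secret.
oc secrets new registry-certificates \
  /etc/origin/master/registry.crt \
  /etc/origin/master/registry.key -n default

# Let the registry and default service accounts use the secret.
# Linking it to "default" makes the private key available to that service
# account in this project as well; keep unrelated workloads out of it.
oc secrets add registry registry-certificates -n default
oc secrets add default registry-certificates -n default

# Tell the registry where to find the certificate and key. The paths sit
# under /etc/secrets, where the secret is mounted by the last command.
oc env dc/docker-registry \
  REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \
  REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key -n default

# Switch the liveness and readiness probes to HTTPS to match the TLS setup.
oc patch dc/docker-registry --api-version=v1 -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","livenessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}' -n default
oc patch dc/docker-registry --api-version=v1 -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","readinessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}' -n default

# Mount the secret into the registry pod at /etc/secrets.
oc volume dc/docker-registry --add --type=secret \
  --secret-name=registry-certificates -m /etc/secrets -n default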