Authenticating Openshift with Private Registries.

Khemnath chauhan
3 min read · Nov 17, 2024


A container image registry, container registry, or registry server stores the images that you deploy as containers and provides mechanisms to pull, push, update, search, and remove container images.

Private registries are available only to selected consumers and usually require authentication.

Most organizations use either internally hosted registries managed by their DevOps team or cloud registries with private accounts. To deploy container images from those registries, OpenShift must authenticate with the external registry.

To authenticate OpenShift to an external registry, store the registry credentials in OpenShift and associate them with your service account.

Creating Registry Credentials in OpenShift:

Store the credentials for a remote registry in a Secret object. Secrets and configuration maps (ConfigMap) are namespaced objects that enable you to externalize data from your applications in your OpenShift cluster.

You can use the oc create command to create a secret. Kubernetes provides the docker-registry secret type to store credentials for authentication with the container registry.

$ oc create secret docker-registry SECRET_NAME \
    --docker-server=REGISTRY_URL \
    --docker-username=USER \
    --docker-password=PASSWORD \
    --docker-email=EMAIL

We can also use the console to create the docker-registry secret.

Create docker-registry secrets in the OpenShift console.

The docker-registry secret uses the following YAML file.

Configuring OpenShift to Use the Registry Credentials:

We can configure OpenShift to use custom credentials by using the spec.imagePullSecrets Pod property, for example:

apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
spec:
  containers:
  - name: sample-container
    image: REGISTRY_URL
  imagePullSecrets:
  - name: SECRET_NAME

We can also use the property for controllers, such as the Deployment or DeploymentConfig objects:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: sample-container
        image: REGISTRY_URL
      imagePullSecrets:
      - name: SECRET_NAME

Linking Registry Credentials to Service Accounts:

Instead of manually assigning the credentials to pods, we can configure OpenShift to assign the credentials to pods automatically by using service accounts. A service account provides an identity for pods. Pods use the default service account unless you configure a different service account. Use the oc secrets link command to connect a secret with a service account, for example:

$ oc secrets link --for=pull default SECRET_NAME

The above command adds a new entry to the service account's imagePullSecrets field:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
imagePullSecrets:
- name: SECRET_NAME

When you create a pod that uses the default service account, it inherits the imagePullSecrets field without you explicitly specifying the field in the pod definition. This means that every pod that uses the default service account is authorized with the registry credentials in your secret.
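As an added example (not code from the original post), the following Python builds the same Secret manifest that `oc create secret docker-registry` produces and checks whether the imagePullSecrets attached to a pod actually cover the registries its images are pulled from, which is the usual thing to verify when a pod sits in ImagePullBackOff after the steps above. The registry URL, user, password and e-mail are constructed placeholders.

```python
import base64
import json

# Constructed sample values for this example; not real credentials.
REGISTRY_URL = "registry.example.com:5000"
USER = "deployer"
PASSWORD = "placeholder-password"
EMAIL = "deployer@example.com"

def build_docker_registry_secret(name, server, user, password, email):
    """Build the manifest `oc create secret docker-registry` produces: type
    kubernetes.io/dockerconfigjson with one base64-encoded Docker config that
    holds an "auths" entry for the given server."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    config = {"auths": {server: {"username": user, "password": password,
                                 "email": email, "auth": auth}}}
    # base64 only encodes: anyone allowed to read the Secret gets the password,
    # so RBAC on Secrets in the namespace is what protects the credential.
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": encoded}}

def _server_host(server):
    """Host of an auths key: scheme and path dropped; Docker Hub's legacy
    index.docker.io key is mapped to docker.io."""
    host = server.split("://", 1)[-1].split("/", 1)[0]
    return "docker.io" if host == "index.docker.io" else host

def _image_host(image):
    """Registry of an image reference. The first component is a host only when
    it contains '.' or ':' or is 'localhost'; otherwise the image is on docker.io."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def uncovered_images(pod_spec, secrets_by_name):
    """Images in pod_spec whose registry matches no auths entry in any of the
    pod's imagePullSecrets: the usual cause of ImagePullBackOff when the secret
    was created with a differently spelled --docker-server."""
    hosts = set()
    for ref in pod_spec.get("imagePullSecrets", []):
        secret = secrets_by_name.get(ref["name"])
        if not secret or secret.get("type") != "kubernetes.io/dockerconfigjson":
            continue
        cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        hosts.update(_server_host(s) for s in cfg.get("auths", {}))
    return [c["image"] for c in pod_spec.get("containers", [])
            if _image_host(c["image"]) not in hosts]
```

For a pod that relies on the service account rather than on its own spec, merge the service account's imagePullSecrets into the pod spec before calling uncovered_images.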
