Use OpenShift registry for Kong images

This document describes how to use the OpenShift internal image registry for the Kong images, so that the cluster does not depend on docker.io and its pull rate limits.

Create a new project

I recommend using a dedicated namespace to better identify Kong resources, especially for cleanup.

oc new-project kong-image-registry

Expose openshift-registry

From the OpenShift documentation

Check if the default route is already exposed:

oc get configs.imageregistry.operator.openshift.io/cluster --template='{{ .spec.defaultRoute }}'

If the result of the previous command is not true, run the following command:

oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

The route to the external registry is:

OCP_REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

Trust the registry locally

To trust the registry from your workstation, first extract its TLS certificate from the router secret and add it to the local CA trust store:

oc get secret -n openshift-ingress  router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d | sudo tee /etc/pki/ca-trust/source/anchors/${OCP_REGISTRY}.crt  > /dev/null
sudo update-ca-trust enable

Login to the registry

$ podman login -u ruromero -p $(oc whoami -t) $OCP_REGISTRY
Login Succeeded!

Trust the external registry URL

OCP_CERT=$(oc get secret -n openshift-ingress  router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d)
oc create cm -n openshift-config registry-cas --from-literal="${OCP_REGISTRY}"="${OCP_CERT}"
oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

Tag and push the images

Identify all the images needed by the different Kong components and pull them from the original repository (i.e., docker.io), then tag and push them to the OpenShift registry.

To make this step simpler, there is one file per component listing all the images it uses, and a utility script that automates the pull, tag and push:

# Usage ./pull-tag-push.sh filename registry/kong-image-registry
./pull-tag-push.sh kong-mesh.properties $OCP_REGISTRY/kong-image-registry
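As an added illustration of what such a script has to do (this is not the repository's own pull-tag-push.sh), the following POSIX shell script reads the image list, rewrites each reference to the two-level <registry>/<namespace>/<name> form the OpenShift registry requires, and pulls, tags and pushes it with podman. It assumes the properties file holds one image reference per line, with blank lines and "#" comments ignored.

```shell
#!/bin/sh
# Added example, not the repository's own pull-tag-push.sh: mirror every image
# listed in a properties file into the OpenShift registry namespace.
# Assumption: the file holds one image reference per line; blank lines and
# "#" comments are ignored.
set -eu

# target_ref SOURCE DEST_PREFIX: print the image name under DEST_PREFIX.
# The OpenShift registry only accepts <registry>/<namespace>/<name>, so the
# source registry and organisation are dropped: docker.io/kong/kuma-cp:2.1.0
# becomes <prefix>/kuma-cp:2.1.0 (two sources with the same repo name would
# collide, so check the list first). A digest-pinned source (name@sha256:<hex>)
# cannot be pushed by digest, so the pin is kept as the tag sha256-<hex>.
target_ref() {
    name=${1##*/}
    case $name in
        *@sha256:*) name="${name%%[:@]*}:sha256-${name##*@sha256:}" ;;
    esac
    printf '%s/%s\n' "$2" "$name"
}

# list_images FILE: print the image references in FILE, one per line,
# with comments and surrounding whitespace removed.
list_images() {
    while IFS= read -r line || [ -n "$line" ]; do
        src=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$src" ] || continue
        printf '%s\n' "$src"
    done < "$1"
}

# mirror_file FILE DEST_PREFIX: pull, tag and push each listed image.
mirror_file() {
    for src in $(list_images "$1"); do
        tgt=$(target_ref "$src" "$2")
        echo "$src -> $tgt"
        podman pull "$src"
        podman tag "$src" "$tgt"
        podman push "$tgt"
    done
}

# Usage: ./mirror.sh kong-mesh.properties "$OCP_REGISTRY/kong-image-registry"
if [ "$#" -eq 2 ]; then
    mirror_file "$1" "$2"
fi
```

Run it after `podman login` to the route from the previous step; images that were digest-pinned in the list end up under a `sha256-<hex>` tag so the pin is still visible in the mirrored name.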

Allow other namespaces to pull from the kong-image-registry

From the OpenShift documentation

for i in kong-mesh-system kong-mesh-metrics kong-mesh-logging kong-mesh-tracing kong kong-dp kuma-demo
do
    oc policy add-role-to-group system:image-puller system:serviceaccounts:$i --namespace=kong-image-registry
done