OpenShift Image Registry / IR-367

Support configuring private endpoints via CIRO


    • Type: Story
    • Resolution: Done
    • Priority: Critical
    • openshift-4.15
    • OCPSTRAT-996 - Allow internal registry operator to configure a private storage endpoint on Azure
    • Sprint 243, Sprint 244, Sprint 245

      Story: As a user, I want to be able to configure the registry operator to use Azure Private Endpoints so that I can deploy the registry on Azure without a public-facing endpoint.


      • There is an option to configure the registry operator to deploy the registry privately on Azure (this should not be available to other cloud providers)
      • When configuring the operator to deploy the registry privately, the user is also required to provide the names of the cluster's VNet and Subnet in which the operator configures the private endpoint
      • Configuring the operator to make the registry private also disables public network access on the storage account
      • Setting the registry back to public deletes the private endpoint and enables public access again
      • The operand's conditions reflect any errors that might happen during this procedure
      • When the registry is configured with private endpoints, pulling images from the registry outside of OCP only works after setting "disableRedirect: true" (assuming a route is configured)


      • Update post-installation docs for private clusters on Azure
        • Placement of these docs needs further investigation, as the post-install docs for private clusters do not seem cloud provider specific and we need this one to be just for Azure.
      • Installer documentation for private clusters on Azure should not be updated (there is no supported way to enable this feature through installer-config at this point)
      • The procedure to configure the registry to private should also mention that pulling images from the registry using the default route (provided by setting `defaultRoute: true`) will no longer work UNLESS customers set `disableRedirect: true` in the operator configuration.
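
The rules above (VNet and Subnet names required for a private registry, and `defaultRoute: true` needing `disableRedirect: true`) can be checked before a config is applied. This is an added example, not code from this issue or from the operator; the `networkAccess`, `internal`, `vnetName` and `subnetName` field names under `spec.storage.azure` are assumed from the released operator API and do not appear in this issue, and the sample objects are constructed.

```python
"""Lint an image registry operator config (as a dict) for the private-endpoint rules."""


def lint_registry_config(config):
    """Return a list of findings; an empty list means no rule is violated."""
    spec = config.get("spec", {})
    azure = spec.get("storage", {}).get("azure")
    if azure is None:
        return []  # private endpoints are an Azure-only option
    access = azure.get("networkAccess") or {}
    if access.get("type") != "Internal":  # assumed enum value for "private"
        return []
    findings = []
    internal = access.get("internal") or {}
    # The user must name the VNet and Subnet that host the private endpoint.
    for field in ("vnetName", "subnetName"):
        if not internal.get(field):
            findings.append(f"networkAccess.internal.{field} is required")
    # With a private storage account, pulls through the default route
    # only work when the registry does not redirect clients to storage.
    if spec.get("defaultRoute") is True and spec.get("disableRedirect") is not True:
        findings.append("defaultRoute is true but disableRedirect is not true")
    return findings


# Constructed sample: private registry, subnet missing, redirect still enabled.
PRIVATE_BROKEN = {
    "spec": {
        "defaultRoute": True,
        "storage": {"azure": {"networkAccess": {
            "type": "Internal",
            "internal": {"vnetName": "example-vnet"},
        }}},
    }
}

# Constructed sample: same registry with both problems corrected.
PRIVATE_FIXED = {
    "spec": {
        "defaultRoute": True,
        "disableRedirect": True,
        "storage": {"azure": {"networkAccess": {
            "type": "Internal",
            "internal": {"vnetName": "example-vnet", "subnetName": "example-subnet"},
        }}},
    }
}

if __name__ == "__main__":
    for name, cfg in (("broken", PRIVATE_BROKEN), ("fixed", PRIVATE_FIXED)):
        print(name, lint_registry_config(cfg))
```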

        IR-367 Pre-merge testing Sub-task Closed Undefined Unassigned
        IR-367 Post-merge Testing Sub-task Closed Undefined Unassigned
        IR-367 E2E Automation Sub-task Closed Undefined Unassigned
        IR-367 CI Integration Sub-task Closed Undefined Unassigned

            fmissi Flavian Missi