Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-367

Support configuring private endpoints via CIRO



    • Story
    • Resolution: Done
    • Critical
    • openshift-4.15
    • None
    • None
    • 8
    • False
    • None
    • False
    • OCPSTRAT-996 - Allow internal registry operator to configure a private storage endpoint on Azure
    • Sprint 243, Sprint 244, Sprint 245


      Story: As a user, I want to be able to configure the registry operator to use Azure Private Endpoints so that I can deploy the registry on Azure without a public facing endpoint.


      • There is an option to configure the registry operator to deploy the registry privately on Azure (this should not be available to other cloud providers)
      • When configuring the operator to deploy the registry privately, the user is also required to provide names for the cluster's VNet and Subnet for the operator to configure the private endpoint in
      • Configuring the operator to make the registry private also disables public access network in the storage account
      • Setting the registry back to public deletes the private endpoint and enables public access again
      • The operand's conditions reflects any errors that might happen during this procedure
      • When the registry is configured with private endpoints, pulling images from the registry outside of OCP will only work by first setting "disableRedirect: true" (assuming a route is configured)


      • Update post-installation docs for private clusters on Azure
        • Placement of this docs needs further investigation, as the post-install for private clusters does not seem cloud provider specific and we need this one to be just for Azure.
      • Installer documentation for private clusters on Azure should not be updated (there is no supported way to enable this feature through installer-config at this point)
      • The procedure to configure the registry to private should also mention that pulling images from the registry using the default route (provided by setting `defaultRoute: true`) will no longer work UNLESS customers set `disableRedirect: true` in the operator configuration.


        There are no Sub-Tasks for this issue.



            fmissi Flavian Missi
            fmissi Flavian Missi
            0 Vote for this issue
            3 Start watching this issue