
Support configuring private endpoints via CIRO

    • Type: Story
    • Resolution: Done
    • Priority: Critical
    • openshift-4.15
    • BU Product Work
    • 8
    • OCPSTRAT-996 - Allow internal registry operator to configure a private storage endpoint on Azure
    • Sprint 243, Sprint 244, Sprint 245

      Story: As a user, I want to be able to configure the registry operator to use Azure Private Endpoints so that I can deploy the registry on Azure without a public facing endpoint.

      ACCEPTANCE CRITERIA

      • There is an option to configure the registry operator to deploy the registry privately on Azure (this should not be available to other cloud providers)
      • When configuring the operator to deploy the registry privately, the user is also required to provide names for the cluster's VNet and Subnet for the operator to configure the private endpoint in
      • Configuring the operator to make the registry private also disables public access network in the storage account
      • Setting the registry back to public deletes the private endpoint and enables public access again
      • The operand's conditions reflect any errors that might happen during this procedure
      • When the registry is configured with private endpoints, pulling images from the registry outside of OCP will only work by first setting "disableRedirect: true" (assuming a route is configured)

      DOCUMENTATION

      • Update post-installation docs for private clusters on Azure
        • Placement of these docs needs further investigation, as the post-install docs for private clusters do not seem cloud-provider specific and this one needs to be Azure only.
      • Installer documentation for private clusters on Azure should not be updated (there is no supported way to enable this feature through installer-config at this point)
      • The procedure to configure the registry to private should also mention that pulling images from the registry using the default route (provided by setting `defaultRoute: true`) will no longer work UNLESS customers set `disableRedirect: true` in the operator configuration.
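The configuration and verification steps implied by the acceptance criteria above, as an added shell example (not code from the ticket or from the registry operator). It assumes the 4.15 operator API field `spec.storage.azure.networkAccess` (type `Internal` with `networkResourceGroupName`, `vnetName`, `subnetName`; `External` to revert), a logged-in `oc` and `az`, and sets `disableRedirect: true` in the same patch because clients outside the VNet can no longer follow blob redirects once public access on the storage account is disabled.

```shell
#!/usr/bin/env bash
# Added example for IR-367, not the operator's own code. Field names under
# spec.storage.azure.networkAccess are assumed to match the 4.15 API.
set -euo pipefail

# Build the merge patch that moves the registry behind a private endpoint.
# VNet and subnet names are mandatory for the operator to create the endpoint,
# so refuse to produce a patch without them.
build_private_patch() {
  local vnet="$1" subnet="$2" rg="$3"
  if [ -z "$vnet" ] || [ -z "$subnet" ]; then
    echo "vnet and subnet names are required for a private registry" >&2
    return 1
  fi
  printf '{"spec":{"disableRedirect":true,"storage":{"azure":{"networkAccess":{"type":"Internal","internal":{"networkResourceGroupName":"%s","vnetName":"%s","subnetName":"%s"}}}}}}' \
    "$rg" "$vnet" "$subnet"
}

# Revert to public access; the operator is expected to delete the private
# endpoint and re-enable public network access on the storage account.
build_public_patch() {
  printf '{"spec":{"storage":{"azure":{"networkAccess":{"type":"External"}}}}}'
}

# Apply a patch, wait for the operator to settle, print the True conditions
# (where configuration errors surface), and confirm the storage account's
# public network access state on the Azure side.
apply_and_verify() {
  local patch="$1" account="$2" rg="$3"
  oc patch configs.imageregistry cluster --type=merge -p "$patch"
  oc wait co/image-registry --for=condition=Progressing=False --timeout=10m
  oc get configs.imageregistry cluster \
    -o jsonpath='{range .status.conditions[?(@.status=="True")]}{.type}: {.message}{"\n"}{end}'
  az storage account show -n "$account" -g "$rg" --query publicNetworkAccess -o tsv
}

# Usage (placeholders, edit before running):
# apply_and_verify "$(build_private_patch MY_VNET MY_SUBNET MY_NET_RG)" MY_STORAGE_ACCOUNT MY_CLUSTER_RG
```

After the private patch, expect `publicNetworkAccess` to read `Disabled`; pulls through the default route from outside the cluster then depend on `disableRedirect: true` staying set.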


            [IR-367] Support configuring private endpoints via CIRO

            Wen Wang added a comment -

            fmissi, I reported a bug: https://issues.redhat.com/browse/OCPBUGS-23335, could you help take a look? Thanks.


            Wen Wang added a comment -

            Tested it with the expected result:

            [wewang@fedora ~]$ podman pull --tls-verify=false ${REGISTRY}/openshift/tools
            Trying to pull default-route-openshift-image-registry.apps.ci-ln-qcmjqs2-1d09d.ci.azure.devcluster.openshift.com/openshift/tools:latest...
            Getting image source signatures
            Copying blob dbfde842bbcf done  
            Copying blob b8a93fbc99d6 done  
            Copying blob d8190195889e done  
            Copying blob e2fdfbd3ef38 done  
            Copying blob 97da74cc6d8f done  
            Copying blob 7b33c69c7170 done  
            Copying blob dba5d6d39917 done  
            Copying config fe085eb09c done  
            Writing manifest to image destination
            Storing signatures
            fe085eb09c2b2314274f81855a27ea6f328a1164bb546309267bf3c0c0e5f890
            [wewang@fedora ~]$ oc patch configs.imageregistry cluster --type=merge -p '{"spec":{"disableRedirect": false}}'

            [wewang@fedora ~]$ podman pull --tls-verify=false ${REGISTRY}/openshift/tools
            Trying to pull default-route-openshift-image-registry.apps.ci-ln-qcmjqs2-1d09d.ci.azure.devcluster.openshift.com/openshift/tools:latest...
            Error: copying system image from manifest list: parsing image configuration: fetching blob: StatusCode: 403, <?xml version="1.0" encoding="utf-8"?><Error><C...


            Flavian Missi added a comment -

            It looks good wewang@redhat.com!

            Wen Wang added a comment -

            Add test cases for the story: OCP-68677


              Flavian Missi (fmissi)