37 changes: 20 additions & 17 deletions modules/images-configuration-image-registry-settings-hcp.adoc
Expand Up @@ -6,6 +6,7 @@
[id="images-configuring-image-registry-settings-hcp_{context}"]
= Configuring image registry settings for {product-title}

[role="_abstract"]
You can configure image registry settings at cluster creation. The cluster's nodes will use the required configuration after creation.

.Procedure
Expand Down Expand Up @@ -96,25 +97,27 @@ Audit Log Forwarding: Disabled
External Authentication: Disabled
Etcd Encryption: Disabled
Registry Configuration:
- Allowed Registries: <allowed_registry> <1> <2>
- Insecure Registries: <insecure_registry> <3>
- Allowed Registries for Import: <4>
- Domain Name: <domain_name> <5>
- Insecure: true <6>
- Platform Allowlist: <platform_allowlist_id> <7>
- Registries: <list_of_registries> <8>
- Additional Trusted CA: <9>
- Allowed Registries: <allowed_registry>
- Insecure Registries: <insecure_registry>
- Allowed Registries for Import:
- Domain Name: <domain_name>
- Insecure: true
- Platform Allowlist: <platform_allowlist_id>
- Registries: <list_of_registries>
- Additional Trusted CA:
- <registry_name> : REDACTED
----
<1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
<5> `domainName`: Specifies a domain name for the registry.
<6> `insecure`: Indicates whether the registry is secure or insecure.
<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
+
where:
* `Allowed Registries`:: A comma-separated list of registries for which image pull and push actions are allowed.
* `Blocked Registries`:: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
* `Insecure Registries`:: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
* `Allowed Registries for Import`:: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
* `domainName`:: Specifies a domain name for the registry.
* `insecure`:: Indicates whether the registry is secure or insecure.
* `Platform Allowlist`:: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
* `Registries`:: The list of registries that needs to be whitelisted for the platform to work.
* `Additional Trusted CA`:: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

. List your nodes to check the applied changes by running the following command:
+
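Review bot: In the new `where:` list, every entry mixes the unordered-list marker `*` with the description-list delimiter `::` (for example `* `Allowed Registries`:: A comma-separated list ...`); use a plain description list (term followed by `::`) or plain bullets, not both. The list also defines `Blocked Registries`, but with the `<2>` callout removed from the `Allowed Registries` line nothing in the sample output corresponds to it any more. Either show a `Blocked Registries` line in the output or say that it appears in place of `Allowed Registries`, since the entry itself states the two parameters are mutually exclusive.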
Expand Down
1 change: 1 addition & 0 deletions modules/images-configuration-parameters-hcp.adoc
Expand Up @@ -6,6 +6,7 @@
[id="images-configuration-parameters-hcp_{context}"]
= Image controller configuration parameters for {product-title}

[role="_abstract"]
The `image.config.openshift.io/cluster` resource holds cluster-wide information about how to handle images. The resource exists, but it is read only and can only be changed through supported tools like the ROSA CLI (`rosa`). The canonical and only valid name is `cluster`. It can be configured in {product-title} through `rosa` commands.


Expand Down
37 changes: 20 additions & 17 deletions modules/images-editing-image-registry-settings-hcp.adoc
Expand Up @@ -7,6 +7,7 @@
[id="images-editing-image-registry-settings-hcp_{context}"]
= Editing image registry settings for {product-title}

[role="_abstract"]
You can change the image registry config with the `rosa edit` command.

[WARNING]
Expand Down Expand Up @@ -104,22 +105,24 @@ Audit Log Forwarding: Disabled
External Authentication: Disabled
Etcd Encryption: Disabled
Registry Configuration:
- Allowed Registries: <allowed_registry> <1> <2>
- Insecure Registries: <insecure_registry> <3>
- Allowed Registries for Import: <4>
- Domain Name: <domain_name> <5>
- Insecure: true <6>
- Platform Allowlist: <platform_allowlist_id> <7>
- Registries: <list_of_registries> <8>
- Additional Trusted CA: <9>
- Allowed Registries: <allowed_registry>
- Insecure Registries: <insecure_registry>
- Allowed Registries for Import:
- Domain Name: <domain_name>
- Insecure: true
- Platform Allowlist: <platform_allowlist_id>
- Registries: <list_of_registries>
- Additional Trusted CA:
- <registry_name> : REDACTED
----
<1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
<5> `domainName`: Specifies a domain name for the registry.
<6> `insecure`: Indicates whether the registry is secure or insecure.
<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
+
where:
* `Allowed Registries`:: A comma-separated list of registries for which image pull and push actions are allowed.
* `Blocked Registries`:: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
* `Insecure Registries`:: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
* `Allowed Registries for Import`:: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
* `domainName`:: Specifies a domain name for the registry.
* `insecure`:: Indicates whether the registry is secure or insecure.
* `Platform Allowlist`:: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
* `Registries`:: The list of registries that needs to be whitelisted for the platform to work.
* `Additional Trusted CA`:: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
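Review bot: The `insecure` entry in the `where:` list ("Indicates whether the registry is secure or insecure") does not say what the `Insecure: true` shown in the sample output means. State explicitly that `true` marks the domain as a registry without a valid TLS certificate or one that only supports HTTP, reusing the wording of the `Insecure Registries` entry. The `Platform Allowlist` and `Registries` entries still say "whitelisted" although the field is named an allowlist. This list and sample output are the same text as in images-configuration-image-registry-settings-hcp.adoc, so the `*` plus `::` markup applies here too, and a shared snippet would keep the two modules from drifting.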
93 changes: 93 additions & 0 deletions modules/images-registry-mirroring-create.adoc
@@ -0,0 +1,93 @@
// Module included in the following assemblies:
//
// * openshift_images/image-configuration-hcp.adoc

:_mod-docs-content-type: PROCEDURE
[id="images-registry-mirroring-create_{context}"]
= Creating an image mirror configuration

[role="_abstract"]
You can create an image mirror configuration for a {product-title} cluster with the {rosa-cli-first} tool.

[IMPORTANT]
====
The source registry cannot be modified after creation. You must delete and recreate the image mirror to change the source.
====

.Procedure

* Run the following command to create an image mirror configuration:
[source,terminal]
----
$ rosa create image-mirror [arguments]
----
+
.Arguments
[cols="30,70"]
|===
|Option |Definition

a|--cluster
|Required: The name or ID of the cluster the mirror configuration will be applied to.

|--source
|Required: The source registry that will be mirrored.

|--mirrors
|Required: List of mirror registries. Mirror registries must be comma-separated.

|--type=digest
|Optional: Type of image mirror. The `digest` type is set by default and the only available `type` option.

|--profile
|Optional: Specifies an AWS profile (string) from your credentials file.

|--region
|Optional:Specifies an AWS region, overriding the AWS_REGION environment variable.
|===
+
.Examples
Collaborator


🤖 [error] AsciiDocDITA.BlockTitle: Block titles can only be assigned to examples, figures, and tables in DITA.

Creates an image mirror configuration for a cluster named `mycluster`.
+
[source,terminal]
----
$ rosa create image-mirror --cluster=mycluster \
--source=registry.example.com/team \
--mirrors=mirror.corp.com/team,backup.corp.com/team
----
+
.Example Output
[source,terminal]
----
I: Image mirror with ID 'abc123def456' has been created on cluster 'mycluster'
I: Source: registry.example.com/team
I: Mirrors: [mirror.corp.com/team backup.corp.com/team]
----
+
[NOTE]
====
An ID is automatically generated and assigned to an image mirror during image mirror configuration creation.
====

* Run the following command to create an image mirror configuration with a specific type:
+
[source,terminal]
----
$ rosa create image-mirror --cluster=mycluster \
--type=digest --source=docker.io/library \
--mirrors=internal-registry.company.com/dockerhub
----
+
[NOTE]
====
The `digest` type is set by default and the only available `type` option.
====

. Run the following command to create a single image mirror configuration with multiple mirrors for a cluster:
+
[source,terminal]
----
$ rosa create image-mirror --cluster=mycluster \
--source=quay.io/openshift \
--mirrors=mirror1.company.com/openshift,mirror2.company.com/openshift,mirror3.company.com/openshift
----
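Review bot: The first step (`* Run the following command to create an image mirror configuration:`) is followed directly by `[source,terminal]` with no `+` continuation line, unlike every later step in this file, so add the `+` to keep the command attached to its step. The procedure also mixes `*` steps with a final `.` step; use one marker throughout. In the arguments table, `a|--cluster` carries a cell specifier that no other row has, `Optional:Specifies` is missing a space, and "is set by default and the only available `type` option" needs "is" before "the only" in both the table and the NOTE. Because the IMPORTANT block says the source registry cannot be modified after creation, it is worth repeating that constraint in the `--source` row where readers choose the value.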
63 changes: 63 additions & 0 deletions modules/images-registry-mirroring-delete.adoc
@@ -0,0 +1,63 @@
// Module included in the following assemblies:
//
// * openshift_images/image-configuration-hcp.adoc

:_mod-docs-content-type: PROCEDURE
[id="images-registry-mirroring-delete_{context}"]
= Deleting an image mirror configuration

[role="_abstract"]
You can delete an image mirror configuration from a {product-title} cluster with the {rosa-cli-first}.

[NOTE]
====
Delete operations require confirmation unless the `--yes` or `--y` argument is used.
====

.Procedure

. Run the following command to delete an image mirror configuration from a {product-title} cluster:
+
[source,terminal]
----
$ rosa delete image-mirror [arguments]
----
+
.Arguments
[cols="30,70"]
|===
|Option |Definition

|--cluster
|Required: The name or ID (string) of the cluster that the image mirror configuration will be deleted from.
|--id
|Required: ID of the image mirror configuration to delete.
|`--yes`, `-y`
|Optional: Automatically answers "yes" to confirm deletion.
|--profile
|Optional: Use a specific AWS profile from your credential file.
|--region
|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable.

|===
+
.Examples
Collaborator


🤖 [error] AsciiDocDITA.BlockTitle: Block titles can only be assigned to examples, figures, and tables in DITA.

Deletes an image mirror configuration without a confirmation prompt.
+
[source,terminal]
----
$ rosa delete image-mirror --cluster=mycluster abc123def456 --yes
----
+
.Example Output
[source,terminal]
----
I: Image mirror 'abc123def456' has been deleted from cluster 'mycluster'
----

. Run the following command to deletes an image mirror configuration with a confirmation prompt:
+
[source,terminal]
----
$ rosa delete image-mirror --cluster=mycluster --id=abc123def456
----
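Review bot: The NOTE names the confirmation bypass as `--yes` or `--y`, while the arguments table lists `--yes`, `-y`; make the two agree. The first example passes the ID positionally (`--cluster=mycluster abc123def456 --yes`) even though the table marks `--id` as required and the last example uses `--id=abc123def456`; use `--id=` in both. Since `--yes` removes the only safeguard on a destructive command, consider showing the prompted form first and the `--yes` form second. The last step also reads "to deletes".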
69 changes: 69 additions & 0 deletions modules/images-registry-mirroring-edit.adoc
@@ -0,0 +1,69 @@
// Module included in the following assemblies:
//
// * openshift_images/image-configuration-hcp.adoc

:_mod-docs-content-type: PROCEDURE
[id="images-registry-mirroring-edit_{context}"]
= Editing an image mirroring configuration

[role="_abstract"]
You can edit an image mirror configuration for a {product-title} cluster with the {rosa-cli-first} tool.

[NOTE]
====
When editing an image mirror configuration, the new mirrors list completely replaces the existing mirrors list.
====

.Procedure

. Run the following command to edit an image mirror configuration:
+
[source,terminal]
----
$ rosa edit image-mirror [arguments]
----
+
.Arguments
[cols="30,70"]
|===
|Option |Definition

|--cluster
|Required: The name or ID (string) of the cluster to which the image mirror configuration applies.

|--mirrors
|Required: New list of mirror registries that replaces current mirror registries. Mirror registries must be comma-separated.

|--id
|Required: ID of the image mirror configuration to edit.

|--profile
|Optional: Use a specific AWS profile from your credential file.

|--region
|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable.
|===

. Run the following command to replace a single mirror on an image mirror configuration:
+
[source,terminal]
----
$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \
--mirrors=single-mirror.company.com/team
----
+
.Example Output
[source,terminal]
----
I: Image mirror 'abc123def456' has been updated on cluster 'mycluster'
I: Source: registry.example.com/team
I: Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team]
----

. Run the following command to replace all mirrors on an image mirror configuration:
+
[source,terminal]
----
$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \
--mirrors=new-primary.company.com/team,new-secondary.company.com/team
----
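Review bot: The example output under the "replace a single mirror" step does not match its command. The command passes `--mirrors=single-mirror.company.com/team`, but the output shows `Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team]`, which reads as an append and contradicts the NOTE that the new mirrors list completely replaces the existing one. Change the output to list only `single-mirror.company.com/team`. The title also says "image mirroring configuration" while the abstract and the other modules say "image mirror configuration".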
48 changes: 48 additions & 0 deletions modules/images-registry-mirroring-list.adoc
@@ -0,0 +1,48 @@
// Module included in the following assemblies:
//
// * openshift_images/image-configuration-hcp.adoc

:_mod-docs-content-type: PROCEDURE
[id="images-registry-mirroring-list_{context}"]
= Listing all image mirror configurations

[role="_abstract"]
You can list all image mirror configurations from a {product-title} cluster with the {rosa-cli-first}.

.Procedure

. Run the following command to list all image mirror configurations for a {product-title} cluster:
+
[source,terminal]
----
$ rosa list image-mirrors [arguments]
----
+
.Arguments
[cols="30,70"]
|===
|Option |Definition

|--cluster
|Required: Name or ID of the cluster.
|--output
|Optional: Output format. Allowed formats are `json`, `yaml`
|--profile
|Optional: Use a specific AWS profile from your credential file.
|--region
|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable.
|===


. Run the following command to list all image mirror configurations for a cluster:
+
[source,terminal]
----
$ rosa list image-mirrors --cluster=mycluster
----
.Example Outputs
[source,terminal]
----
ID TYPE SOURCE MIRRORS
abc123def456 digest registry.example.com/team mirror.corp.com/team, backup.corp.com/
----
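Review bot: `.Example Outputs` comes straight after the closing `----` of the command with no `+` continuation line between them, unlike the output blocks in the other modules; add the `+` and use the singular "Example Output" for consistency. In the sample row the last mirror is cut off at `backup.corp.com/`, whereas the create example uses `backup.corp.com/team`. Steps 1 and 2 have almost the same lead-in sentence, so the second should say it is a concrete example, and the `--output` row is missing its closing period.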