
Commit 589ab33

fmcdonal authored and openshift-cherrypick-robot committed
resolved conflict
created new image registry procedure for hcp under rosa
resolved new conflict in hcp topic map
added conditions for hcp
# This is the commit message #5:
update the :context to include hcp
also removed 2 modules for short names and trust stores and added conditions for hcp
fixed spacing and added n to an in the classic docs
applied maggie chen comments from PR
applied maggie chen suggestions of new modules
added places need descriptions
applied PR suggestions from Maggie, deleted insecure module and integrated describe with create module
added dedicated attributes to the assembly
readded dedicated attributes to the assembly
added attributes before heading to capture the assembly title
updated quote
updated note
changed the * to a . in verification
changed the backticks
applied andrea comments
replaced steps with unnumbered bullets
removed ref to controlplane in example output
reworded parameter for allowlist
applied QE Ying comments
applied Merge reviewer suggestions
applied Merge review last suggestions
applied Merge review last sugget
1 parent 0b8e081 commit 589ab33

8 files changed: +319 -4 lines changed

_topic_maps/_topic_map_rosa.yml

Lines changed: 4 additions & 1 deletion
@@ -832,9 +832,12 @@ Topics:
832832
- Name: Triggering updates on image stream changes
833833
File: triggering-updates-on-imagestream-changes
834834
Distros: openshift-rosa
835-
- Name: Image configuration resources
835+
- Name: Image configuration resources (Classic)
836836
File: image-configuration
837837
Distros: openshift-rosa
838+
- Name: Image configuration resources (HCP)
839+
File: image-configuration-hcp
840+
Distros: openshift-rosa
838841
- Name: Using templates
839842
File: using-templates
840843
- Name: Using Ruby on Rails

_topic_maps/_topic_map_rosa_hcp.yml

Lines changed: 3 additions & 1 deletion
@@ -781,8 +781,10 @@ Topics:
781781
# - Name: Triggering updates on image stream changes
782782
# File: triggering-updates-on-imagestream-changes
783783
# Distros: openshift-rosa-hcp
784-
# - Name: Image configuration resources
784+
# - Name: Image configuration resources (Classic)
785785
# File: image-configuration
786+
# - Name: Image configuration resources (HCP)
787+
# File: image-configuration-classic-hcp
786788
# Distros: openshift-rosa-hcp
787789
# - Name: Using templates
788790
# File: using-templates
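Review bot: the new HCP entry's `File: image-configuration-classic-hcp` does not match the assembly this commit adds (`openshift_images/image-configuration-hcp.adoc`, id `image-configuration-hcp`) or the `File: image-configuration-hcp` value used for the same topic in `_topic_maps/_topic_map_rosa.yml`; change it to `File: image-configuration-hcp`. Also, the pre-existing `Distros: openshift-rosa-hcp` line now trails the HCP entry, so the `(Classic)` entry has a Name and File but no Distros line of its own; add one after `# File: image-configuration` so the two entries are parallel. The block is commented out, so nothing is live yet, but it will be wrong the moment it is uncommented.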

modules/images-configuration-file.adoc

Lines changed: 1 addition & 1 deletion
@@ -63,7 +63,7 @@ status:
6363
<1> `Image`: Holds cluster-wide information about how to handle images. The canonical, and only valid name is `cluster`.
6464
<2> `allowedRegistriesForImport`: Limits the container image registries from which normal users may import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or `ImageStreamMappings` from the API are not affected by this policy. Typically only cluster administrators have the appropriate permissions.
6565
<3> `additionalTrustedCA`: A reference to a config map containing additional certificate authorities (CA) that are trusted during image stream import, pod image pull, `openshift-image-registry` pullthrough, and builds. The namespace for this config map is `openshift-config`. The format of the config map is to use the registry hostname as the key, and the PEM certificate as the value, for each additional registry CA to trust.
66-
<4> `registrySources`: Contains configuration that determines whether the container runtime allows or blocks individual registries when accessing images for builds and pods. Either the `allowedRegistries` parameter or the `blockedRegistries` parameter can be set, but not both. You can also define whether or not to allow access to insecure registries or registries that allow registries that use image short names. This example uses the `allowedRegistries` parameter, which defines the registries that are allowed to be used. The insecure registry `insecure.com` is also allowed. The `registrySources` parameter does not contain configuration for the internal cluster registry.
66+
<4> `registrySources`: Contains configuration that determines whether the container runtime allows or blocks individual registries when accessing images for builds and pods. Either the `allowedRegistries` parameter or the `blockedRegistries` parameter can be set, but not both. You can also define whether or not to allow access to insecure registries or registries that allow registries that use image short names. This example uses the `allowedRegistries` parameter, which defines the registries that are allowed to be used. The insecure registry `insecure.com` is also allowed. The `registrySources` parameter does not contain configuration for the internal cluster registry.
6767
+
6868
[NOTE]
6969
====
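Review bot: the `-`/`+` pair for callout <4> is textually identical in the rendered diff (the commit message says "fixed spacing", so this is whitespace only), but since the line is being touched anyway, fix the garbled clause "whether or not to allow access to insecure registries or registries that allow registries that use image short names"; something like "whether to allow access to insecure registries or to registries resolved from image short names" says what the two settings control. Consider also replacing `insecure.com` in "The insecure registry `insecure.com` is also allowed" with a reserved documentation name such as `insecure.example.com` (RFC 2606), so the example does not point readers at a third-party host.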
Lines changed: 125 additions & 0 deletions
@@ -0,0 +1,125 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * openshift_images/image-configuration-hcp.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="images-configuring-image-registry-settings-hcp_{context}"]
7+
= Configuring image registry settings for {hcp-title}
8+
9+
You can configure image registry settings at cluster creation. The cluster's nodes will use the required configuration after creation.
10+
11+
.Procedure
12+
13+
* Create {hcp-title} clusters with image registry by running the following command:
14+
15+
+
16+
[source,terminal]
17+
----
18+
$ rosa create cluster —cluster-name=<cluster_name> --sts --mode=auto \
19+
--hosted-cp --operator-roles-prefix <operator_role_prefix> \
20+
--oidc-config-id <id_of_oidc_configuration> \
21+
--subnet-ids=<public_subnet_id>,<private_subnet_id> \
22+
--registry-config-insecure-registries <insecure_registries> \
23+
--registry-config-allowed-registries <allowed_registries> \
24+
--registry-config-allowed-registries-for-import <registry_name:insecure> \
25+
--registry-config-additional-trusted-ca <additional_trusted_ca_file>
26+
----
27+
+
28+
[NOTE]
29+
====
30+
When using the `allowedRegistries`, `blockedRegistries`, or `insecureRegistries` parameter, you can specify an individual repository within a registry. For example: `reg1.io/myrepo/myapp:latest`.
31+
32+
Avoid insecure external registries to reduce possible security risks.
33+
Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
34+
====
35+
36+
.Verification
37+
38+
. Run the `rosa describe` command to verify that your image registry is enabled by running the following command:
39+
+
40+
[source,terminal]
41+
----
42+
$ rosa describe cluster --cluster=<cluster_name>
43+
----
44+
+
45+
.Example output
46+
[source,terminal]
47+
----
48+
Name: rosa-hcp-test
49+
Domain Prefix: rosa-hcp-test
50+
Display Name: rosa-hcp-test
51+
ID: <cluster_hcp_id>
52+
External ID: <cluster_hcp_id>
53+
Control Plane: ROSA Service Hosted
54+
OpenShift Version: 4.Y.Z
55+
Channel Group: stable
56+
DNS: <dns>
57+
AWS Account: <aws_id>
58+
AWS Billing Account: <aws_id>
59+
API URL: <ocm_api>
60+
Console URL:
61+
Region: us-east-1
62+
Availability:
63+
- Control Plane: MultiAZ
64+
- Data Plane: SingleAZ
65+
Nodes:
66+
- Compute (desired): 2
67+
- Compute (current): 2
68+
Network:
69+
- Type: OVNKubernetes
70+
- Service CIDR: <service_cidr>
71+
- Machine CIDR: <machine_cidr>
72+
- Pod CIDR: <pod_cidr>
73+
- Host Prefix: /23
74+
- Subnets: <subnet_ids>
75+
EC2 Metadata Http Tokens: optional
76+
Role (STS) ARN: arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
77+
Support Role ARN: arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
78+
Instance IAM Roles:
79+
- Worker: arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
80+
Operator IAM Roles:
81+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
82+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
83+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
84+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
85+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
86+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
87+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
88+
Managed Policies: Yes
89+
State: ready
90+
Private: No
91+
Delete Protection: Disabled
92+
Created: Oct 01 2030 09:48:52 UTC
93+
User Workload Monitoring: Enabled
94+
OIDC Endpoint URL: https://<endpoint> (Managed)
95+
Audit Log Forwarding: Disabled
96+
External Authentication: Disabled
97+
Etcd Encryption: Disabled
98+
Registry Configuration:
99+
- Allowed Registries: <allowed_registry> <1>
100+
- Insecure Registries: <insecure_registry> <2>
101+
- Allowed Registries for Import: <3>
102+
- Domain Name: <domain_name> <4>
103+
- Insecure: true <5>
104+
----
105+
<1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
106+
<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
107+
<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
108+
<4> `domainName`: Specifies a domain name for the registry.
109+
<5> `insecure`: Indicates whether the registry is secure or insecure.
110+
111+
. List your nodes to check the applied changes by running the following command:
112+
+
113+
[source,terminal]
114+
----
115+
$ oc get nodes
116+
----
117+
+
118+
.Example output
119+
[source,terminal]
120+
----
121+
NAME STATUS ROLES AGE VERSION
122+
ip-10-0-137-182.us-east-2.compute.internal Ready,SchedulingDisabled worker 65m v1.30.3
123+
ip-10-0-188-96.us-east-2.compute.internal Ready worker 65m v1.30.3
124+
ip-10-0-200-59.us-east-2.compute.internal Ready worker 63m v1.30.3
125+
----
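Review bot: the `rosa create cluster` command at the top of the procedure uses an em dash in `—cluster-name=<cluster_name>`, so a copy-paste of the example fails to parse; it must be `--cluster-name=<cluster_name>` like the other flags on the same command. Three smaller points in this hunk: the NOTE names `allowedRegistries`, `blockedRegistries` and `insecureRegistries`, but the options the reader types here are `--registry-config-allowed-registries`, `--registry-config-blocked-registries` and `--registry-config-insecure-registries`, so the NOTE should use the flag names (and "Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive." needs an "and"); the verification step says "verify that your image registry is enabled", but `rosa describe cluster` shows the registry configuration, not whether a registry is enabled; and the `oc get nodes` output lists a node in `Ready,SchedulingDisabled` in `us-east-2` while the `describe` output says `us-east-1` and the cluster was just created, so either trim the node listing to `Ready` nodes in the same region or explain what `SchedulingDisabled` means in this context. Since the NOTE tells readers to avoid insecure external registries, `--registry-config-insecure-registries` would read better as an optional flag than as part of the canonical create command.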
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * openshift_images/image-configuration-hcp.adoc
4+
5+
[id="images-configuration-parameters-hcp_{context}"]
6+
= Image controller configuration parameters for {hcp-title}
7+
8+
The `image.config.openshift.io/cluster` resource holds cluster-wide information about how to handle images. The resource exists, but it is read only and can only be changed through supported tools like ROSA CLI (`rosa`). The canonical and only valid name is `cluster`. It can be configured in {product-rosa} {hcp} through ROSA CLI (`rosa`) commands.
9+
10+
11+
[NOTE]
12+
====
13+
Parameters such as `DisableScheduledImport`, `MaxImagesBulkImportedPerRepository`, `MaxScheduledImportsPerMinute`, `ScheduledImageImportMinimumIntervalSeconds`, `InternalRegistryHostname` are not configurable.
14+
====
15+
16+
[cols="3a,8a",options="header"]
17+
|===
18+
|Parameters for ROSA CLI |Description
19+
20+
|`registry-config-allowed-registries`
21+
|Registries for which image pull and push actions are allowed. To specify all subdomains, add the asterisk (`\*`) wildcard character as a prefix to the domain name. For example, `*.example.com`. You can specify an individual repository within a registry. For example, `reg1.io/myrepo/myapp:latest`. All other registries are blocked. The format should be a comma-separated list of allowed registries. For example, `allowed.io, allowed.io2`.
22+
23+
|`registry-config-insecure-registries`
24+
|Registries which do not have a valid TLS certificate or only support HTTP connections. To specify all subdomains, add the asterisk (`\*`) wildcard character as a prefix to the domain name. For example, `*.example.com`. You can specify an individual repository within a registry. For example, `reg1.io/myrepo/myapp:latest`. The format should be a comma-separated list of insecure registries. For example, `insecure.io, insecure.io2`.
25+
26+
|`registry-config-blocked-registries`
27+
|Registries for which image pull and push actions are denied. To specify all subdomains, add the asterisk (`\*`) wildcard character as a prefix to the domain name. For example, `*.example.com`. You can specify an individual repository within a registry. For example, `reg1.io/myrepo/myapp:latest`. All other registries are allowed. The format should be a comma-separated list of blocked registries. For example, `blocked.io, blocked.io2`.
28+
29+
|`registry-config-allowed-registries-for-import`
30+
|Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. For example, whether or not to allow insecure access. It does not contain configuration for the internal cluster registry. Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`. `domainName` specifies a domain name for the registry. `insecure` indicates whether the registry is secure or insecure.
31+
32+
|`registry-config-additional-trusted-ca`
33+
|A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
34+
35+
|`registry-config-platform-allowlist`
36+
|A list of Red{nbsp}Hat registries is automatically allowed. This list can be periodically updated and impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID.
37+
38+
|===
39+
40+
[WARNING]
41+
====
42+
When the `allowedRegistries` parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red{nbsp}Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of `image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io` and it is also visible when running the `rosa describe cluster` command.
43+
====
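Review bot: the description of `registry-config-allowed-registries-for-import` opens with two sentences lifted from the `registrySources` description ("Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. ... It does not contain configuration for the internal cluster registry."), which describes a different setting; keep only the text from "Limits the container image registries from which normal users can import images" onward, since this flag restricts image stream imports by normal users, not what the container runtime may pull. Two smaller points: the comma-separated examples (`allowed.io, allowed.io2`, `insecure.io, insecure.io2`, `blocked.io, blocked.io2`) contain a space after the comma, which the shell passes through into the flag value, so drop the space or show the list quoted; and the `registry-config-platform-allowlist` text "update from the previous expected ID to the newly expected ID" should say what the value is (the allowlist ID from the notification) and when to pass it. In the WARNING, "whitelisted" should match the flag name and the `describe` output, which use "allowlist" and "Allowed".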
Lines changed: 117 additions & 0 deletions
@@ -0,0 +1,117 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * openshift_images/image-configuration-hcp.adoc
4+
// * post_installation_configuration/preparing-for-users.adoc
5+
6+
:_mod-docs-content-type: PROCEDURE
7+
[id="images-editing-image-registry-settings-hcp_{context}"]
8+
= Editing image registry settings for {hcp-title}
9+
10+
You can change the image registry config with the `rosa edit` command.
11+
12+
[WARNING]
13+
====
14+
When the `allowedRegistries` parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red{nbsp}Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of `image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io` and it is also visible when running the `rosa describe cluster` command.
15+
====
16+
17+
[NOTE]
18+
====
19+
You can change any registry-related parameter, which will trigger a rollout across all machine pools; all machine pool nodes will be recreated, following pod draining from each node.
20+
====
21+
22+
.Procedure
23+
24+
* Update or edit the image registry for the cluster by running the following command:
25+
26+
+
27+
[source,terminal]
28+
----
29+
$ rosa edit cluster --registry-config-insecure-registries <insecure_registries> \
30+
--registry-config-allowed-registries <allowed_registries> \
31+
--registry-config-allowed-registries-for-import <registry_name:insecure> \
32+
--registry-config-additional-trusted-ca <additional_trusted_ca_file>
33+
----
34+
+
35+
.Example output
36+
[source,terminal]
37+
----
38+
? Changing any registry related parameter will trigger a rollout across all machinepools
39+
(all machinepool nodes will be recreated, following pod draining from each node).
40+
Do you want to proceed? Yes
41+
I: Updated cluster '<cluster_name>'
42+
----
43+
44+
.Verification
45+
* Run the `rosa describe` command again, to see if the changes you made to your image registry updated by running the following command:
46+
+
47+
[source,terminal]
48+
----
49+
$ rosa describe cluster --cluster=<cluster_name>
50+
----
51+
+
52+
.Example output
53+
[source,terminal]
54+
----
55+
Name: rosa-hcp-test
56+
Domain Prefix: rosa-hcp-test
57+
Display Name: rosa-hcp-test
58+
ID: <cluster_hcp_id>
59+
External ID: <cluster_hcp_id>
60+
Control Plane: ROSA Service Hosted
61+
OpenShift Version: 4.Y.Z
62+
Channel Group: stable
63+
DNS: <dns>
64+
AWS Account: <aws_id>
65+
AWS Billing Account: <aws_id>
66+
API URL: <ocm_api>
67+
Console URL:
68+
Region: us-east-1
69+
Availability:
70+
- Control Plane: MultiAZ
71+
- Data Plane: SingleAZ
72+
73+
Nodes:
74+
- Compute (desired): 2
75+
- Compute (current): 2
76+
Network:
77+
- Type: OVNKubernetes
78+
- Service CIDR: <service_cidr>
79+
- Machine CIDR: <machine_cidr>
80+
- Pod CIDR: <pod_cidr>
81+
- Host Prefix: /23
82+
- Subnets: <subnet_ids>
83+
EC2 Metadata Http Tokens: optional
84+
Role (STS) ARN: arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
85+
Support Role ARN: arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
86+
Instance IAM Roles:
87+
- Worker: arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
88+
Operator IAM Roles:
89+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
90+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
91+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
92+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
93+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
94+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
95+
- arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
96+
Managed Policies: Yes
97+
State: ready
98+
Private: No
99+
Delete Protection: Disabled
100+
Created: Oct 01 2030 09:48:52 UTC
101+
User Workload Monitoring: Enabled
102+
OIDC Endpoint URL: https://<endpoint> (Managed)
103+
Audit Log Forwarding: Disabled
104+
External Authentication: Disabled
105+
Etcd Encryption: Disabled
106+
Registry Configuration:
107+
- Allowed Registries: <allowed_registry> <1>
108+
- Insecure Registries: <insecure_registry> <2>
109+
- Allowed Registries for Import: <3>
110+
- Domain Name: <domain_name> <4>
111+
- Insecure: true <5>
112+
----
113+
<1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
114+
<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
115+
<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
116+
<4> `domainName`: Specifies a domain name for the registry.
117+
<5> `insecure`: Indicates whether the registry is secure or insecure.
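Review bot: the `rosa edit cluster` example has no `--cluster=<cluster_name>` (or `-c <cluster_name>`) argument, while the `rosa describe cluster --cluster=<cluster_name>` command in the verification does; as written the reader has no way to name the cluster being edited, so add the flag to the first line of the command. The WARNING is a verbatim copy of the one in `images-configuration-parameters-hcp.adoc`, which the same assembly includes two modules earlier, so the reader sees it twice; keep it once (here, where the node rollout is triggered) or move it to a shared snippet. The verification sentence "Run the `rosa describe` command again, to see if the changes you made to your image registry updated by running the following command" has a dangling "updated" and a doubled "run ... by running"; "Verify that the registry configuration was updated by running the following command" is enough.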
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
:_mod-docs-content-type: ASSEMBLY
2+
include::_attributes/common-attributes.adoc[]
3+
ifdef::openshift-dedicated,openshift-rosa[]
4+
include::_attributes/attributes-openshift-dedicated.adoc[]
5+
endif::openshift-dedicated,openshift-rosa[]
6+
:context: image-configuration-hcp
7+
[id="image-configuration-hcp"]
8+
= Image configuration resources for {hcp-title}
9+
10+
toc::[]
11+
12+
Use the following procedure to configure image registries.
13+
14+
include::modules/images-configuration-parameters-hcp.adoc[leveloffset=+1]
15+
16+
include::modules/images-configuration-image-registry-settings-hcp.adoc[leveloffset=+1]
17+
18+
include::modules/images-editing-image-registry-settings-hcp.adoc[leveloffset=+1]
19+
20+
ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
21+
[role="_additional-resources"]
22+
.Additional resources
23+
24+
* xref:../openshift_images/managing_images/using-image-pull-secrets.adoc#images-update-global-pull-secret_using-image-pull-secrets[Updating the global cluster pull secret]
25+
endif::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
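Review bot: the attribute include is guarded by `ifdef::openshift-dedicated,openshift-rosa[]`, which does not cover `openshift-rosa-hcp`, yet `_topic_maps/_topic_map_rosa_hcp.yml` in this same commit lists the topic with `Distros: openshift-rosa-hcp`; unless `{hcp-title}` and `{product-rosa}` are defined in `common-attributes.adoc`, the title and the included modules will render with unresolved attributes for that distro, so add `openshift-rosa-hcp` to both the `ifdef` and the `endif`. The `.Additional resources` block is wrapped in `ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]`, which excludes it for every distro this assembly is built for, so it is dead text; either remove it or condition it on the distro that should see it. The intro "Use the following procedure to configure image registries." is followed by a parameter reference and two procedures; "Use the following parameters and procedures" would match the content.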

openshift_images/image-configuration.adoc

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
:_mod-docs-content-type: ASSEMBLY
22
[id="image-configuration"]
3-
= Image configuration resources
3+
= Image configuration resources (Classic)
44
include::_attributes/common-attributes.adoc[]
55
:context: image-configuration
66
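Review bot: `openshift_images/image-configuration.adoc` is a shared assembly, and the title is changed to "Image configuration resources (Classic)" unconditionally, so the "(Classic)" qualifier, which only makes sense beside the ROSA HCP variant added in this commit, will also appear in every other distro that builds this assembly. Either wrap the qualifier in `ifdef::openshift-rosa[]`/`endif::[]` (the distro whose topic map carries the Classic/HCP pair here), or leave the assembly title generic and rely on the `Name: Image configuration resources (Classic)` entry already present in `_topic_maps/_topic_map_rosa.yml` for the navigation label.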
