Commit 7dd269f

Merge pull request #46758 from kelbrown20/OSDOCS-3661-block-payload-registry
OSDOCS-3661: Adding section for blocking payload registries
2 parents eb13671 + 9ed7c7c commit 7dd269f

2 files changed

+72
-0
lines changed

Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
//Modules included in the following assemblies
2+
//
3+
// * openshift_images/image-configuration.adoc
4+
5+
:_content-type: PROCEDURE
6+
[id="images-configuration-blocked-payload"]
7+
8+
= Blocking a payload registry
9+
10+
In a mirroring configuration, you can block upstream payload registries in a disconnected environment using a `ImageContentSourcePolicy` (ICSP) object. The following example procedure demonstrates how to block the `quay.io/openshift-payload` payload registry.
11+
12+
.Procedure
13+
. Create the mirror configuration using an `ImageContentSourcePolicy` (ICSP) object to mirror the payload to a registry in your instance. The following example ICSP file mirrors the payload `internal-mirror.io/openshift-payload`:
14+
+
15+
[source,yaml]
16+
----
17+
apiVersion: operator.openshift.io/v1alpha1
18+
kind: ImageContentSourcePolicy
19+
metadata:
20+
name: my-icsp
21+
spec:
22+
repositoryDigestMirrors:
23+
- mirrors:
24+
- internal-mirror.io/openshift-payload
25+
source: quay.io/openshift-payload
26+
----
27+
. After the object deploys onto your nodes, verify that the mirror configuration is set by checking the `/etc/containers/registries.conf` file:
28+
+
29+
.Example output
30+
[source,terminal]
31+
----
32+
[[registry]]
33+
prefix = ""
34+
location = "quay.io/openshift-payload"
35+
mirror-by-digest-only = true
36+
37+
[[registry.mirror]]
38+
location = "internal-mirror.io/openshift-payload"
39+
----
40+
. Use the following command to edit the `image.config.openshift.io` custom resource file:
41+
+
42+
[source,terminal]
43+
----
44+
$ oc edit image.config.openshift.io cluster
45+
----
46+
. To block the payload registry, add the following configuration to the `image.config.openshift.io` custom resource file:
47+
+
48+
[source,yaml]
49+
----
50+
spec:
51+
registrySource:
52+
blockedRegistries:
53+
- quay.io/openshift-payload
54+
----
55+
56+
.Verification
57+
* Verify that the upstream payload registry is blocked by checking the `/etc/containers/registries.conf` file on the node.
58+
+
59+
.Example output
60+
[source,terminal]
61+
----
62+
[[registry]]
63+
prefix = ""
64+
location = "quay.io/openshift-payload"
65+
blocked = true
66+
mirror-by-digest-only = true
67+
68+
[[registry.mirror]]
69+
location = "internal-mirror.io/openshift-payload"
70+
----
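
Review bot: Step 2 and the Verification bullet both tell the reader to check `/etc/containers/registries.conf` on the node but give no command for reading it, and each shows the file contents as "Example output" under `[source,terminal]` with no command block before it; add the command to run on a node ahead of each output block. In the introduction, "using a `ImageContentSourcePolicy`" should read "using an", and in step 1 "mirrors the payload `internal-mirror.io/openshift-payload`" is missing "to" before the mirror location. The verification output shows `blocked = true` together with `mirror-by-digest-only = true`, so consider adding a sentence that only pulls by digest are served from the mirror and that pulls by tag from `quay.io/openshift-payload` fail once the registry is blocked.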

openshift_images/image-configuration.adoc

Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,8 @@ include::modules/images-configuration-allowed.adoc[leveloffset=+2]
1616

1717
include::modules/images-configuration-blocked.adoc[leveloffset=+2]
1818

19+
include::modules/images-configuration-blocked-payload.adoc[leveloffset=+3]
20+
1921
include::modules/images-configuration-insecure.adoc[leveloffset=+2]
2022

2123
include::modules/images-configuration-shortname.adoc[leveloffset=+2]
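
Review bot: The added include uses `leveloffset=+3` while every neighbouring include in the context lines uses `leveloffset=+2`. If the section is meant to render as a child of `images-configuration-blocked.adoc`, that is fine, but confirm the heading depth in a preview build; otherwise change it to `+2` to match its siblings.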
