|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * scalability_and_performance/ztp_far_edge/ztp-preparing-the-hub-cluster.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="ztp-configuring-the-hub-cluster-to-use-unauthenticated-registries_{context}"] |
| 7 | += Configuring the hub cluster to use unauthenticated registries |
| 8 | + |
| 9 | +You can configure the hub cluster to use unauthenticated registries. |
| 10 | +Unauthenticated registries does not require authentication to access and download images. |
| 11 | + |
| 12 | +.Prerequisites |
| 13 | + |
| 14 | +* You have installed and configured a hub cluster and installed {rh-rhacm-first} on the hub cluster. |
| 15 | +
|
| 16 | +* You have installed the OpenShift Container Platform CLI (oc). |
| 17 | +
|
| 18 | +* You have logged in as a user with `cluster-admin` privileges. |
| 19 | +
|
| 20 | +* You have configured an unauthenticated registry for use with the hub cluster. |
| 21 | +
|
| 22 | +.Procedure |
| 23 | + |
| 24 | +. Update the `AgentServiceConfig` custom resource (CR) by running the following command: |
| 25 | ++ |
| 26 | +[source,terminal] |
| 27 | +---- |
| 28 | +$ oc edit AgentServiceConfig agent |
| 29 | +---- |
| 30 | + |
| 31 | +. Add the `unauthenticatedRegistries` field in the CR: |
| 32 | ++ |
| 33 | +[source,yaml] |
| 34 | +---- |
| 35 | +apiVersion: agent-install.openshift.io/v1beta1 |
| 36 | +kind: AgentServiceConfig |
| 37 | +metadata: |
| 38 | + name: agent |
| 39 | +spec: |
| 40 | + unauthenticatedRegistries: |
| 41 | + - example.registry.com |
| 42 | + - example.registry2.com |
| 43 | + ... |
| 44 | +---- |
| 45 | ++ |
| 46 | +Unauthenticated registries are listed under `spec.unauthenticatedRegistries` in the `AgentServiceConfig` resource. |
| 47 | +Any registry on this list is not required to have an entry in the pull secret used for the spoke cluster installation. |
| 48 | +`assisted-service` validates the pull secret by making sure it contains the authentication information for every image registry used for installation. |
| 49 | + |
| 50 | +[NOTE] |
| 51 | +==== |
| 52 | +Mirror registries are automatically added to the ignore list and do not need to be added under `spec.unauthenticatedRegistries`. |
| 53 | +Specifying the `PUBLIC_CONTAINER_REGISTRIES` environment variable in the `ConfigMap` overrides the default values with the specified value. |
| 54 | +The `PUBLIC_CONTAINER_REGISTRIES` defaults are https://quay.io[quay.io] and https://registry.svc.ci.openshift.org[registry.svc.ci.openshift.org]. |
| 55 | +==== |
| 56 | + |
| 57 | +.Verification |
| 58 | + |
| 59 | +Verify that you can access the newly added registry from the hub cluster by running the following commands: |
| 60 | + |
| 61 | +. Open a debug shell prompt to the hub cluster: |
| 62 | ++ |
| 63 | +[source,terminal] |
| 64 | +---- |
| 65 | +$ oc debug node/<node_name> |
| 66 | +---- |
| 67 | + |
| 68 | +. Test access to the unauthenticated registry by running the following command: |
| 69 | ++ |
| 70 | +[source,terminal] |
| 71 | +---- |
| 72 | +sh-4.4# podman login -u kubeadmin -p $(oc whoami -t) <unauthenticated_registry> |
| 73 | +---- |
| 74 | ++ |
| 75 | +where: |
| 76 | ++ |
| 77 | +-- |
| 78 | +<unauthenticated_registry>:: Is the new registry, for example, `unauthenticated-image-registry.openshift-image-registry.svc:5000`. |
| 79 | +-- |
| 80 | ++ |
| 81 | +.Example output |
| 82 | +[source,terminal] |
| 83 | +---- |
| 84 | +Login Succeeded! |
| 85 | +---- |
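Review bot: The verification command at diff line 72 presents credentials to a registry that the procedure defines as needing none. `podman login -u kubeadmin -p $(oc whoami -t) <unauthenticated_registry>` passes the output of `oc whoami -t`, an OpenShift session token, as the password. The prerequisites require a user with `cluster-admin` privileges, so this is a high-value token, and it is placed on the command line. For an external host such as the `example.registry.com` entry in the YAML, the step would send that token outside the cluster. A successful login also does not show that anonymous access works, which is what `spec.unauthenticatedRegistries` relies on. Suggest replacing the step with an operation that uses no credentials, for example pulling a known image from the registry without logging in, and dropping the `-u`/`-p` arguments. The step also calls `oc whoami -t` inside the `oc debug node/<node_name>` shell without stating that `oc` is available and logged in there. Two smaller points: diff line 10 should read "Unauthenticated registries do not require authentication", and the NOTE at diff line 53 refers to "the `ConfigMap`" without naming which one carries `PUBLIC_CONTAINER_REGISTRIES`.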