×

Configuring a secret for the Image Registry Operator

In addition to the configs.imageregistry.operator.openshift.io and ConfigMap resources, configuration is provided to the Operator by a separate secret resource located within the openshift-image-registry namespace.

The image-registry-private-configuration-user secret provides credentials needed for storage access and management. It overrides the default credentials used by the Operator, if default credentials were found.

For GCS on GCP storage, the secret is expected to contain one key whose value is the contents of a credentials file provided by GCP:

  • REGISTRY_STORAGE_GCS_KEYFILE

Procedure
  • Create an OKD secret that contains the required keys.

    $ oc create secret generic image-registry-private-configuration-user --from-file=REGISTRY_STORAGE_GCS_KEYFILE=<path_to_keyfile> --namespace openshift-image-registry

Registry storage for GCP with user-provisioned infrastructure

You must set up the storage medium manually and configure the settings in the registry custom resource (CR).

Prerequisites
  • A cluster on GCP with user-provisioned infrastructure.

  • To configure registry storage for GCP, you need to provide Registry Operator cloud credentials.

  • For GCS on GCP storage, the secret is expected to contain one key whose value is the contents of a credentials file provided by GCP:

    • REGISTRY_STORAGE_GCS_KEYFILE

Image Registry Operator configuration parameters for GCP GCS

Procedure

The following configuration parameters are available for GCP GCS registry storage.

Parameter Description

bucket

Bucket is the bucket name in which you want to store the registry’s data. It is optional and is generated if not provided.

region

Region is the GCS location in which your bucket exists. It is optional and is set based on the installed GCS Region.

projectID

ProjectID is the Project ID of the GCP project that this bucket should be associated with. It is optional.

keyID

KeyID is the KMS key ID to use for encryption. It is optional because buckets are encrypted by default on GCP. This allows for the use of a custom encryption key.