Registry v2: Exposing the Registry
By default, use the internal registry service for workloads inside the cluster. Expose Registry v2 only when developer machines, CI systems, or other external clients must push or pull images.
TOC
- Prerequisites
- Expose the Default Registry
- Expose a Custom Secure Registry Host
- Configure Client Trust
- Verify External Access
- Troubleshooting
Prerequisites
- Registry v2 is installed and available.
- You have permission to update Config/cluster and create or reference TLS Secrets in image-registry-system.
- The cluster has an Ingress controller that can route traffic to image-registry-system.
- For a custom host, prepare a DNS record and a TLS certificate whose Subject Alternative Name matches the Registry hostname.
Expose the Default Registry
Enable the default external endpoint in Config/cluster:
The Operator renders a Kubernetes Ingress named default-route in image-registry-system.
Verify the generated Ingress and Registry configuration:
Get the generated host:
Expected results:
- Config/cluster.spec.defaultRoute is true.
- The default-route Ingress exists in image-registry-system.
- REGISTRY_HOST contains the hostname assigned to the default route.
If the Ingress certificate is signed by a private CA, add the CA certificate to the trust store of the external client and the OCI client before logging in. Verify the TLS chain from the external client:
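The following shell script is an added example and is not part of this page or the Operator's own tooling. It renders the merge patch that enables the default route, reads the generated hostname back from the default-route Ingress, and then checks that the certificate actually served on that host carries a Subject Alternative Name covering it, including the single-label rule for wildcard entries. It assumes the Config resource is addressable by kubectl as config/cluster (the page only names it Config/cluster), that the field is spec.defaultRoute, and that kubectl and openssl are on PATH; the live functions only run when RUN_LIVE=1 is set.

```shell
# Added example; assumed names are marked. REGISTRY_CONFIG is a placeholder for
# whatever kubectl type/name addresses Config/cluster in your cluster.
REGISTRY_CONFIG=${REGISTRY_CONFIG:-config/cluster}
REGISTRY_NS=image-registry-system

# Merge patch that touches only spec.defaultRoute, so storage and pull-secret
# settings in spec are left alone.
default_route_patch() {
  printf '{"spec":{"defaultRoute":%s}}\n' "${1:-true}"
}

# Return 0 if HOST is covered by an openssl-formatted SAN list such as
# "DNS:registry.example.com, DNS:*.apps.example.com". A wildcard covers exactly
# one label, so *.apps.example.com covers a.apps.example.com but not b.a.apps.example.com.
san_matches_host() {
  san_list=$1
  host=$2
  old_ifs=$IFS
  IFS=','
  for entry in $san_list; do
    entry=${entry#"${entry%%[! ]*}"}      # strip leading spaces left by ", " and indentation
    case $entry in
      DNS:*) name=${entry#DNS:} ;;
      *) continue ;;                       # IP Address:/email: entries are not hostnames
    esac
    if [ "$name" = "$host" ]; then IFS=$old_ifs; return 0; fi
    case $name in
      \*.*)
        case $host in *.*) ;; *) continue ;; esac
        if [ "${host#*.}" = "${name#\*.}" ]; then IFS=$old_ifs; return 0; fi ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# Live steps (need cluster access); not run on load.
enable_default_route() {
  kubectl patch "$REGISTRY_CONFIG" --type merge -p "$(default_route_patch true)"
}

get_registry_host() {
  kubectl -n "$REGISTRY_NS" get ingress default-route -o jsonpath='{.spec.rules[0].host}'
}

# Fetch the leaf certificate served for HOST and confirm its SAN covers HOST.
# A private CA is fine here; this checks the name, not the chain.
check_registry_tls() {
  host=$1
  san=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | tail -n +2 | tr -d '\n')
  if san_matches_host "$san" "$host"; then
    echo "ok: certificate served for $host covers the route hostname"
  else
    echo "FAIL: SAN '$san' does not cover $host" >&2
    return 1
  fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  enable_default_route
  REGISTRY_HOST=$(get_registry_host)
  check_registry_tls "$REGISTRY_HOST"
fi
```

Run it with RUN_LIVE=1 from a machine that has both cluster access and a network path to the Ingress; a SAN mismatch here is the usual reason a client reports a certificate error even though the CA is already trusted.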
Write credentials for the generated host:
Expose a Custom Secure Registry Host
Create or provide a TLS Secret in image-registry-system, then configure Config.spec.routes[].
The TLS Secret must exist in image-registry-system when secretName is set.
The generated Ingress uses the registry service as the backend and sets the backend protocol to HTTPS.
Patch Config/cluster with the custom route. Use a merge patch so other Config/cluster.spec fields, such as storage and pull-secret settings, are not removed. The routes array in this patch replaces the current routes array, so include every custom route that must remain configured:
Verify the configuration and generated Ingress:
Expected results:
- Config/cluster.spec.routes[] contains public-registry.
- The public-registry Ingress uses registry.example.com.
- The Ingress references the registry-tls Secret.
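The script below is an added example, not code from this page or the Operator. It builds the spec.routes merge patch from NAME=HOST[=SECRET] arguments so that every route that must remain configured is passed in one call (the patch replaces the whole array), validates the hostnames, refuses to patch when a referenced Secret is missing from image-registry-system or is not of type kubernetes.io/tls, and reads the host and Secret back from the generated Ingress. Assumptions: the Config resource is addressable as config/cluster, each routes[] entry carries the fields name, hostname and secretName (the page names name and secretName; hostname is assumed), and kubectl is on PATH for the live functions, which run only with RUN_LIVE=1.

```shell
# Added example; assumed names are marked in comments.
REGISTRY_CONFIG=${REGISTRY_CONFIG:-config/cluster}   # placeholder for the Config/cluster address
REGISTRY_NS=image-registry-system

# Render the merge patch from NAME=HOST[=SECRET] arguments. Pass every custom
# route at once: spec.routes is replaced, not merged, by this patch.
routes_patch() {
  routes=''
  for triple in "$@"; do
    case $triple in *=*) ;; *)
      echo "routes_patch: expected NAME=HOST[=SECRET], got '$triple'" >&2; return 1 ;;
    esac
    name=${triple%%=*}
    rest=${triple#*=}
    host=${rest%%=*}
    secret=${rest#*=}
    if [ "$secret" = "$rest" ]; then secret=''; fi   # no third field given
    case $name in ''|*[!a-z0-9-]*)
      echo "routes_patch: bad route name '$name'" >&2; return 1 ;;
    esac
    # A route hostname is a bare lowercase DNS name: no scheme, port, path or wildcard.
    case $host in ''|*[!a-z0-9.-]*|*..*|.*|*.|-*)
      echo "routes_patch: bad hostname '$host' for route $name" >&2; return 1 ;;
    esac
    entry="{\"name\":\"$name\",\"hostname\":\"$host\""   # "hostname" field is assumed
    if [ -n "$secret" ]; then entry="$entry,\"secretName\":\"$secret\""; fi
    entry="$entry}"
    routes="${routes:+$routes,}$entry"
  done
  if [ -z "$routes" ]; then echo "routes_patch: no routes given" >&2; return 1; fi
  printf '{"spec":{"routes":[%s]}}\n' "$routes"
}

# Live: the Secret must exist in image-registry-system and be a TLS Secret,
# otherwise the Operator cannot render a working HTTPS Ingress.
check_tls_secret() {
  type=$(kubectl -n "$REGISTRY_NS" get secret "$1" -o jsonpath='{.type}' 2>/dev/null) || return 1
  [ "$type" = "kubernetes.io/tls" ]
}

apply_routes() {
  for triple in "$@"; do
    case $triple in *=*=*)
      secret=${triple##*=}
      if ! check_tls_secret "$secret"; then
        echo "apply_routes: TLS Secret '$secret' not found in $REGISTRY_NS" >&2; return 1
      fi ;;
    esac
  done
  kubectl patch "$REGISTRY_CONFIG" --type merge -p "$(routes_patch "$@")"
}

# Live: print "<host> <secretName>" from the generated Ingress for comparison.
verify_route_ingress() {
  kubectl -n "$REGISTRY_NS" get ingress "$1" \
    -o jsonpath='{.spec.rules[0].host} {.spec.tls[0].secretName}{"\n"}'
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  apply_routes public-registry=registry.example.com=registry-tls
  verify_route_ingress public-registry
fi
```

Because the Secret check happens before kubectl patch is issued, a typo in secretName is caught on the client instead of surfacing later as an Ingress without a TLS section.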
Verify TLS trust and login:
Configure Client Trust
If the Ingress certificate is signed by a private CA, add the CA to each external client's trust store before login and push or pull operations.
For a test client that uses an insecure registry option, scope the insecure setting to the registry host only:
Configure the OCI client's trust or insecure-registry setting separately if that client also connects to an HTTP endpoint or an untrusted certificate.
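The following is an added example rather than code from this page: it installs the private CA into a per-host trust directory, which is the setting to prefer over any insecure option, and, for a throwaway test client, renders an insecure-registries entry that names exactly one host. It assumes Docker reads a per-host CA from /etc/docker/certs.d/<host>/ca.crt and Podman-style clients from /etc/containers/certs.d/<host>/ca.crt (pass the root as the third argument), and that the CA is a PEM file.

```shell
# Added example; paths are the conventional Docker/Podman per-host trust
# directories and are assumptions about the client, not settings from the page.

# Copy CA_FILE to ROOT/certs.d/HOST/ca.crt so the client trusts this chain for
# this registry only. Prints the installed path.
install_registry_ca() {
  host=$1
  ca_file=$2
  root=${3:-/etc/docker}
  # HOST becomes a path component: accept only host[:port] characters, no ".." or "/".
  case $host in ''|*[!a-zA-Z0-9.:-]*|*..*)
    echo "install_registry_ca: refusing host '$host'" >&2; return 1 ;;
  esac
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null; then
    echo "install_registry_ca: $ca_file is not a PEM certificate" >&2; return 1
  fi
  dir="$root/certs.d/$host"
  mkdir -p "$dir"
  cp "$ca_file" "$dir/ca.crt"
  chmod 0644 "$dir/ca.crt"
  echo "$dir/ca.crt"
}

# Test clients only: an insecure-registries entry scoped to one host[:port].
# CIDR ranges, wildcards and anything with a path would widen the exception
# beyond the registry, so they are refused.
insecure_registry_json() {
  host=$1
  case $host in ''|*[!a-zA-Z0-9.:-]*)
    echo "insecure_registry_json: refusing '$host'; name exactly one registry host" >&2
    return 1 ;;
  esac
  printf '{"insecure-registries":["%s"]}\n' "$host"
}

# Usage (constructed values):
#   install_registry_ca registry.example.com ./private-ca.pem /etc/docker
#   install_registry_ca registry.example.com ./private-ca.pem /etc/containers
#   insecure_registry_json registry.example.com:5000   # for a test client's daemon.json
```

Installing the CA per host leaves verification on for every other registry the client talks to; the insecure-registries output is only for a test client and should be removed once the CA is trusted.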
Verify External Access
Check the Ingress:
Write credentials from an external client:
Push and pull a test image: