Using Rahti 2 integrated registry
Manual Image Caching
It is possible to manually cache images in Rahti 2. This could be useful to remove an external dependency or improve performance.
The process is simple:
- Install oc and log in.
- With a terminal, connect to the Rahti 2 registry:
  docker login -p $(oc whoami -t) -u unused image-registry.apps.2.rahti.csc.fi
  Info: If you get any error, make sure you are logged in. If you run oc whoami, the command should return your username. The token passed with -p is visible in the process list while the command runs; docker login can also read it from standard input with --password-stdin.
- Tag the image you want to push, replacing {YOUR_PROJECT_NAME} with the name of your project:
  docker tag centos:7 image-registry.apps.2.rahti.csc.fi/{YOUR_PROJECT_NAME}/centos:<tag>
- Push your image:
  docker push image-registry.apps.2.rahti.csc.fi/{YOUR_PROJECT_NAME}/centos:<tag>
You should now be able to see your images in your project.
Using Manually Cached Images
Go to your project's deployment and edit it.
Go to the Images section and make sure the option "Deploy images from an image stream tag" is selected. Finally, select the new image.
Access Control for the Rahti 2 Integrated Registry
Rahti 2 allows fine-grained control over access to the integrated image registry, enabling management of access based on user authentication.
1. Anonymous Access (system:anonymous)
This refers to users who access the registry without providing any authentication credentials. In this scenario, they have no identity attached to their requests.
- How to enable: Use the following command to allow anonymous users to pull images from your project's registry:
  oc policy add-role-to-user registry-viewer system:anonymous -n <project>
- Use case: Suitable for cases where you want to make images publicly accessible, allowing anyone to view or pull images without logging in.
2. Unauthenticated Access (system:unauthenticated)
This group includes all users who access the system without valid authentication credentials: anonymous users, and potentially also automated systems, scripts or external services that do not need to authenticate.
- How to enable: Grant unauthenticated users access with the command below. Because system:unauthenticated is a group, the role is bound with add-role-to-group:
  oc policy add-role-to-group registry-viewer system:unauthenticated -n <project>
- Use case: This is broader than system:anonymous and is useful for systems or services that need to access your registry without authentication.
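3. Authenticated Access (system:authenticated)
Authenticated users are those who have successfully logged in using valid credentials (e.g., OAuth tokens).
- How to enable: To allow all authenticated users to access the registry, use the command below. system:authenticated is also a group, so the role is bound with add-role-to-group:
  oc policy add-role-to-group registry-viewer system:authenticated -n <project>
- Use case: This allows any user with valid credentials to view or pull images, which is useful for restricting access to logged-in users. It covers every account that can log in to Rahti 2, not only the members of your project.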
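To check which of the three grants above are active in a project, the following added example (not part of the Rahti documentation) lists the registry-viewer bindings to system:anonymous, system:unauthenticated and system:authenticated, together with the command that revokes each. It assumes you are logged in with oc; the project name demo-project and the sample lines are constructed. A binding whose subject kind does not match the principal (kind User for a group name, or the reverse) matches no request and is reported as NO-EFFECT.

```shell
#!/bin/sh
# Added example: audit who can pull from a project's integrated registry.

ROLE=registry-viewer   # the role granted by the commands on this page

# Print one "binding role kind name" line per role-binding subject in project $1.
list_subjects() {
  oc get rolebindings -n "$1" -o go-template='{{range .items}}{{$b := .metadata.name}}{{$r := .roleRef.name}}{{range .subjects}}{{$b}} {{$r}} {{.kind}} {{.name}}{{"\n"}}{{end}}{{end}}'
}

# Constructed sample in the same format, so the filter can be run offline.
sample_subjects() {
  cat <<'EOF'
registry-viewer registry-viewer User system:anonymous
registry-viewer-0 registry-viewer Group system:authenticated
registry-viewer-1 registry-viewer User system:unauthenticated
registry-viewer-2 registry-viewer User bob
admin admin User alice
EOF
}

# Read subject lines on stdin; report ROLE bindings to the three system
# principals, with the command that revokes each one. $1 = project name.
flag_broad() {
  awk -v ns="$1" -v role="$ROLE" '
    $2 != role { next }
    { level = "" }
    # system:anonymous is a user; the other two principals are groups.
    $4 == "system:anonymous"       { level = ($3 == "User")  ? "PUBLIC" : "NO-EFFECT" }
    $4 == "system:unauthenticated" { level = ($3 == "Group") ? "PUBLIC" : "NO-EFFECT" }
    $4 == "system:authenticated"   { level = ($3 == "Group") ? "ALL-LOGGED-IN" : "NO-EFFECT" }
    level == "" { next }
    {
      verb = ($3 == "Group") ? "remove-role-from-group" : "remove-role-from-user"
      printf "%s %s %s via %s: oc policy %s %s %s -n %s\n", level, $3, $4, $1, verb, role, $4, ns
    }'
}

if [ -n "${1:-}" ]; then
  list_subjects "$1" | flag_broad "$1"        # live project, needs oc login
else
  sample_subjects | flag_broad demo-project   # constructed data
fi
```

Run it with the project name as the only argument to audit a live project; without arguments it processes the constructed sample.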
Guide on Pulling Images from Rahti 1 Registry
To securely pull images from Rahti 1 registry to Rahti 2, follow this guide. It also explains how to convert images using Skopeo for compatibility with future releases.