To enable faster dev process with OpenShift Local (CRC) where you can push dev images to the local internal registry included with OpenShift and pull those same images internally in the cluster you need to follow these steps:
Push images to OpenShift Local's image registry, must be labeled like:
REGISTRY=$(oc get route/default-route -n openshift-image-registry -o=jsonpath='{.spec.host}'); \
IMAGE_PUSH=$($REGISTRY/openshift/pod-identity-webhook:0.4) \
or simpler and actually working:
IMAGE_PUSH = default-route-openshift-image-registry.apps-crc.testing/default/pod-identity-webhook:0.4
oc login
as kubeadmin to the cluster.
docker login to the cluster internal regsistry with:
docker login -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing
This results in a push-able registry:image:tag that looks something like this:
default-route-openshift-image-registry.apps-crc.testing/default/pod-identity-webhook:0.4
Pulling from the internal registry requires using a different image pull spec (see below) AND the following enabling steps:
$ oc debug node/$(oc get node | grep master | head -1 | awk '{print $1}')
sh-4.4# chroot /host
sh-4.4# oc login -u kubeadmin -p <PASSWORD> https://api.<CLUSTER_NAME>.<DOMAIN_NAME>:6443
sh-4.4# oc create sa image-puller -n openshift-config
sh-4.4# oc adm policy add-cluster-role-to-user system:image-puller -z image-puller -n openshift-config
sh-4.4# TOKEN=$(oc create token image-puller -n openshift-config)
sh-4.4# oc get secret pull-secret -n openshift-config -o json | jq '.data.".dockerconfigjson"' -r | base64 -d > /tmp/pull-secret
sh-4.4# oc registry login --registry=image-registry.openshift-image-registry.svc:5000 --auth-basic=image-puller:${TOKEN} --to=/tmp/pull-secret
sh-4.4# oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=/tmp/pull-secret
sh-4.4# exit
sh-4.4# exit
Pull images from internal registry (like in a Deployment for instance) with the following:
spec:
containers:
- name: pod-identity-webhook
image: image-registry.openshift-image-registry.svc:5000/default/pod-identity-webhook:0.4
Note: the deployment namespace name, default
is substituted for openshift
in the pull spec and overall the registry name is not the same as the push registry name.