Merge pull request #13402 from bmcelvee/osdocs-227-registry-options

osdocs-227 registry options modules

Author: bmcelvee

_topic_map.yml

@@ -63,7 +63,7 @@ Distros: openshift-*
 Topics:
 - Name: Architecture
   File: architecture
----  
+---
 Name: Authentication
 Dir: authentication
 Distros: openshift-*
@@ -113,8 +113,8 @@ Topics:
   File: using-service-accounts-as-oauth-client
 - Name: Scoping tokens
   File: tokens-scoping
-- Name: Managing Security Context Constraints 
-  File: managing-security-context-constraints  
+- Name: Managing Security Context Constraints
+  File: managing-security-context-constraints
 ---
 Name: Users and roles
 Dir: users_and_roles
@@ -143,6 +143,13 @@ Topics:
 - Name: Using cookies to keep route statefulness
   File: using-cookies-to-keep-route-statefulness
 ---
+Name: Registry
+Dir: registry
+Distros: openshift-*
+Topics:
+- Name: Registry options
+  File: registry-options
+---
 Name: Scalability and performance
 Dir: scalability_and_performance
 Distros: openshift-origin, openshift-enterprise

modules/registry-authentication-enabled-registry-overview.adoc

@@ -0,0 +1,61 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-authentication-enabled-registry-overview-{context}']
+= Authentication enabled Red Hat registry
+
+All container images available through the Red Hat Container Catalog are hosted
+on an image registry, `registry.access.redhat.com`. With {product-title} 3.11
+Red Hat Container Catalog moved from `registry.access.redhat.com` to
+`registry.redhat.io`.
+
+The new registry, `registry.redhat.io`, requires authentication for access to
+images and hosted content on {product-title}. Following the move to the new
+registry, the existing registry will be available for a period of time.
+
+[NOTE]
+====
+{product-title} pulls images from `registry.redhat.io`, so you must configure
+your cluster to use it.
+====
+
+The new registry uses standard OAuth mechanisms for authentication,
+with the following methods:
+
+* *Authentication token.*  Tokens, which are generated by administrators,
+are service accounts that give systems the ability to authenticate against the
+container image registry.
+Service accounts are not affected by changes in user accounts, so the token
+authentication method is reliable and resilient. This is the only supported
+authentication option for production clusters.
+* *Web username and password.* This is the standard set of credentials you use
+to log in to resources such as `access.redhat.com`.
+While it is possible to use this authentication method with {product-title}, it is not supported for
+production deployments. Restrict this authentication method to
+stand-alone projects outside {product-title}.
+
+You can use `docker login` with your credentials, either username and password
+or authentication token, to access content on the new registry.
+
+All image streams point to the new registry. Because the new registry requires
+authentication for access, there is a new secret in the OpenShift namespace
+called `imagestreamsecret`.
+
+You must place your credentials in two places:
+
+* *OpenShift namespace*. Your credentials must exist in the OpenShift
+namespace so that the image streams in the OpenShift namespace can import.
+* *Your host*. Your credentials must exist on your host because Kubernetes
+uses the credentials from your host when it goes to pull images.
+
+To access the new registry:
+
+* Verify image import secret, `imagestreamsecret`, is in your OpenShift
+namespace. That secret has credentials that allow you to access
+the new registry.
+* Verify all of your cluster nodes have a `/var/lib/origin/.docker/config.json`,
+copied from master, that allows you to access the Red Hat registry.
+
+//.Additional resources
+//* link:https://access.redhat.com/terms-based-registry[Authentication tokens]

modules/registry-integrated-openshift-registry.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-integrated-openshift-registry-{context}']
+= Integrated {product-title} registry
+
+{product-title} provides an integrated container image registry called
+_{product-title} Container Registry_ (OCR) that adds the ability to automatically
+provision new image repositories on demand. This provides users with a built-in
+location for their application builds to push the resulting images.
+
+Whenever a new image is pushed to OCR, the registry notifies {product-title}
+about the new image, passing along all the information about it, such as the
+namespace, name, and image metadata. Different pieces of {product-title} react
+to new images, creating new builds and deployments.
+
+OCR can also be deployed as a stand-alone component that acts solely as a
+container image registry, without the build and deployment integration. See
+Installing a Stand-alone Deployment of {product-title} Container Registry for
+details.

modules/registry-quay-overview.adoc

@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-quay-overview-{context}']
+= Red Hat Quay registries
+
+If you need an enterprise-quality container image registry, Red Hat Quay is
+available both as a hosted service and as software you can install in your own
+data center or cloud environment. Advanced registry features in Red Hat Quay
+include geo-replication, image scanning, and the ability to roll back images.
+
+Visit the Quay.io site to set up your own hosted Quay registry account. After
+that, follow the Quay Tutorial to log in to the Quay registry and start managing
+your images.
+
+You can access your Red Hat Quay registry from {product-title} like any remote
+container image registry.
+
+//.Additional resources
+//* link:https://quay.io[Quay.io]
+//* link:https://quay.io/tutorial/[Quay Tutorial]
+//* Refer to link:https://access.redhat.com/documentation/en-us/red_hat_quay/2.9/html-single/getting_started_with_red_hat_quay/[Getting Started with Red Hat Quay]
+//for information about setting up your own Red Hat Quay registry.
+//* To learn how to set up credentials to access
+//Red Hat Quay as a secured registry, refer to xref:../../dev_guide/managing_images.adoc#allowing-pods-to-reference-images-from-other-secured-registries[Allowing Pods to Reference Images from Other Secured Registries].

modules/registry-third-party-registries.adoc

@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-third-party-registries-{context}']
+= Third party registries
+
+{product-title} can create containers using images from third party registries,
+but it is unlikely that these registries offer the same image notification
+support as the integrated {product-title} registry. In this situation
+{product-title} will fetch tags from the remote registry upon imagestream
+creation.
+
+Refreshing the fetched tags is as simple as running `oc import-image
+<stream>`. When new images are detected, the previously-described build and
+deployment reactions occur.
+
+== Authentication
+{product-title} can communicate with registries to access private image
+repositories using credentials supplied by the user. This allows {product-title}
+to push and pull images to and from private repositories. 
+
+//.Additional resources
+//* See authentication for more information.

registry/registry-options.adoc

@@ -0,0 +1,17 @@
+:context: registry-options
+= Registry options
+include::modules/common-attributes.adoc[]
+toc::[]
+
+{product-title} can build images from your source code, deploy them, and manage
+their lifecycle. To enable this, {product-title} provides an internal,
+integrated container image registry that can be deployed in your {product-title}
+environment to locally manage images.
+
+include::modules/registry-integrated-openshift-registry.adoc[leveloffset=+1]
+
+include::modules/registry-third-party-registries.adoc[leveloffset=+1]
+
+include::modules/registry-quay-overview.adoc[leveloffset=+1]
+
+include::modules/registry-authentication-enabled-registry-overview.adoc[leveloffset=+1]