openshift
diff --git a/‎_topic_map.yml
Lines changed: 2 additions & 0 deletions b/‎_topic_map.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/registry-accessing-directly.adoc
Lines changed: 11 additions & 11 deletions b/‎modules/registry-accessing-directly.adoc
Lines changed: 11 additions & 11 deletions
diff --git a/‎modules/registry-authentication-enabled-registry-overview.adoc
Lines changed: 1 addition & 1 deletion b/‎modules/registry-authentication-enabled-registry-overview.adoc
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/registry-exposing-non-secure-registry-manually.adoc
Lines changed: 85 additions & 0 deletions b/‎modules/registry-exposing-non-secure-registry-manually.adoc
Lines changed: 85 additions & 0 deletions
diff --git a/‎modules/registry-exposing-secure-registry-manually.adoc
Lines changed: 130 additions & 0 deletions b/‎modules/registry-exposing-secure-registry-manually.adoc
Lines changed: 130 additions & 0 deletions
@@ -157,6 +157,8 @@ Topics:
   File: registry-options
 - Name: Accessing the registry
   File: accessing-the-registry
+- Name: Securing and exposing the registry
+  File: securing-exposing-registry
 ---
 Name: Scalability and performance
 Dir: scalability_and_performance
 
@@ -5,10 +5,10 @@
 [id='registry-accessing-directly-{context}']
 = Accessing registry directly
 
-You can access the registry directly to invoke `docker` commands. This allows
+You can access the registry directly to invoke `podman` commands. This allows
 you to push images to or pull them from the integrated registry directly using
-operations like `docker push` or `docker pull`. To do so, you must be logged in
-to the registry using the `docker login` command. The operations you can perform
+operations like `podman push` or `podman pull`. To do so, you must be logged in
+to the registry using the `oc registry login` command. The operations you can perform
 depend on your user permissions, as described in the following sections.
 
 .Prerequisites
@@ -27,14 +27,14 @@ using the following command:
 # htpasswd /etc/origin/openshift-htpasswd <user_name>
 ----
 
-* For pulling images, for example when using the `docker pull` command,
+* For pulling images, for example when using the `podman pull` command,
 the user must have the *registry-viewer* role. To add this role:
 +
 ----
 $ oc policy add-role-to-user registry-viewer <user_name>
 ----
 
-* For writing or pushing images, for example when using the `docker push` command,
+* For writing or pushing images, for example when using the `podman push` command,
 the user must have the *registry-editor* role. To add this role:
 +
 ----
@@ -54,7 +54,7 @@ $ oc login
 .. Log in to the container image registry by using your access token:
 +
 ----
-docker login -u openshift -p $(oc whoami -t) <registry_ip>:<port>
+podman login -u openshift -p $(oc whoami -t) <registry_ip>:<port>
 ----
 +
 [NOTE]
@@ -64,7 +64,7 @@ information. Passing a username that contains colons will result in a login
 failure.
 ====
 +
-. Perform `docker pull` and `docker push` operations against your registry:
+. Perform `podman pull` and `podman push` operations against your registry:
 +
 [IMPORTANT]
 ====
@@ -96,29 +96,29 @@ In the following examples, we use:
 .. Pull an arbitrary image:
 +
 ----
-$ docker pull docker.io/busybox
+$ podman pull podman.io/busybox
 ----
 
 .. Tag the new image with the form `<registry_ip>:<port>/<project>/<image>`.
 The project name *must* appear in this pull specification for {product-title} to
 correctly place and later access the image in the registry:
 +
 ----
-$ docker tag docker.io/busybox 172.30.124.220:5000/openshift/busybox
+$ podman tag podman.io/busybox 172.30.124.220:5000/openshift/busybox
 ----
 +
 [NOTE]
 ====
 Your regular user must have the *system:image-builder* role for the specified
-project, which allows the user to write or push an image. Otherwise, the `docker
+project, which allows the user to write or push an image. Otherwise, the `podman
 push` in the next step will fail. To test, you can create a new project to
 push the *busybox* image.
 ====
 
 .. Push the newly-tagged image to your registry:
 +
 ----
-$ docker push 172.30.124.220:5000/openshift/busybox
+$ podman push 172.30.124.220:5000/openshift/busybox
 ...
 cf2616975b4a: Image successfully pushed
 Digest: sha256:3662dd821983bc4326bee12caec61367e7fb6f6a3ee547cbaff98f77403cab55
 
@@ -35,7 +35,7 @@ While it is possible to use this authentication method with {product-title}, it
 production deployments. Restrict this authentication method to
 stand-alone projects outside {product-title}.
 
-You can use `docker login` with your credentials, either username and password
+You can use `podman login` with your credentials, either username and password
 or authentication token, to access content on the new registry.
 
 All image streams point to the new registry. Because the new registry requires
 
@@ -0,0 +1,85 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-exposing-non-secure-registry-manually-{context}']
+= Exposing a non-secure registry manually
+
+Instead of securing the registry in order to expose the registry, you can simply
+expose a non-secure registry for non-production {product-title} environments.
+This allows you to have an external route to the registry without using SSL
+certificates.
+
+[WARNING]
+====
+Only non-production environments should expose a non-secure registry to external access.
+====
+
+.Procedure
+
+To expose a non-secure registry:
+
+. Expose the registry:
++
+----
+# oc expose service podman-registry --hostname=<hostname> -n default
+----
++
+This creates the following JSON file:
++
+----
+apiVersion: v1
+kind: Route
+metadata:
+  creationTimestamp: null
+  labels:
+    podman-registry: default
+  name: podman-registry
+spec:
+  host: registry.example.com
+  port:
+    targetPort: "5000"
+  to:
+    kind: Service
+    name: podman-registry
+status: {}
+----
+. Verify that the route has been created successfully:
++
+----
+# oc get route
+NAME              HOST/PORT                    PATH      SERVICE           LABELS                    INSECURE POLICY   TLS TERMINATION
+podman-registry   registry.example.com            podman-registry   podman-registry=default
+----
+. Check the health of the registry:
++
+----
+$ curl -v http://registry.example.com/healthz
+----
++
+Expect an HTTP 200/OK message.
++
+After exposing the registry, update your *_/etc/sysconfig/podman_* file by
+adding the port number to the `OPTIONS` entry. For example:
++
+----
+OPTIONS='--selinux-enabled --insecure-registry=172.30.0.0/16 --insecure-registry registry.example.com:80'
+----
++
+[IMPORTANT]
+====
+The options in the previous example should be added on the client from which you
+are trying to log in.
+
+Also, ensure that Podman is running on the client.
+====
+
+When logging in to the non-secured and exposed registry, make sure you specify the registry
+in the `podman login` command. For example:
+
+----
+# podman login -e user@company.com \
+    -u f83j5h6 \
+    -p Ju1PeM47R0B92Lk3AZp-bWJSck2F7aGCiZ66aFGZrs2 \
+    <host>
+----
@@ -0,0 +1,130 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-exposing-secure-registry-manually-{context}']
+= Exposing a secure registry manually
+
+Instead of logging in to the {product-title} registry from within the
+{product-title} cluster, you can gain external access to it by first securing
+the registry and then exposing it with a route. This allows you to log in to the
+registry from outside the cluster using the route address, and to tag and push
+images using the route host.
+
+.Prerequisites:
+
+* The following prerequisites are automatically preformed:
+** Deploy the registry.
+** Secure the registry.
+** Deploy a router.
+
+.Procedure
+
+. Verify whether a passthrough route exists, the route should have been created by
+default for the registry during the initial cluster installation:
++
+----
+$ oc get route/pod-registry -o yaml
+apiVersion: v1
+kind: Route
+metadata:
+  name: podman-registry
+spec:
+  host: <host> <1>
+  to:
+    kind: Service
+    name: podman-registry <2>
+  tls:
+    termination: passthrough <3>
+----
+<1> The host for your route. You must be able to resolve this name externally by
+DNS to the router's IP address.
+<2> The service name for your registry.
+<3> Specifies this route as a passthrough route.
++
+[NOTE]
+====
+Re-encrypt routes are also supported for exposing the secure registry.
+====
+
+.. If it does not exist, create the route with the `oc create route passthrough`
+command, specifying the registry as the route’s service. By default, the name of
+the created route is the same as the service name:
+
+... Get the *podman-registry* service details:
++
+----
+$ oc get svc
+NAME              CLUSTER_IP       EXTERNAL_IP   PORT(S)                 SELECTOR                  AGE
+podman-registry   172.30.69.167    <none>        5000/TCP                podman-registry=default   4h
+kubernetes        172.30.0.1       <none>        443/TCP,53/UDP,53/TCP   <none>                    4h
+router            172.30.172.132   <none>        80/TCP                  router=router             4h
+----
+
+... Create the route:
++
+----
+$ oc create route passthrough    \
+    --service=podman-registry    \//<1>
+    --hostname=<host>
+route "podman-registry" created     <2>
+----
+<1> Specifies the registry as the route's service.
+<2> The route name is identical to the service name.
+
+. Trust the certificates being used for the registry on your host
+system to allow the host to push and pull images. The certificates referenced
+were created when you secured your registry:
++
+----
+$ sudo mkdir -p /etc/podman/certs.d/<host>
+$ sudo cp <ca_certificate_file> /etc/podman/certs.d/<host>
+$ sudo systemctl restart podman
+----
+
+. Log in to the registry using the information from securing the registry.
+However, this time point to the host name used in the route rather than your
+service IP. When logging in to a secured and exposed registry, make sure you
+specify the registry in the `podman login` command:
++
+----
+# podman login -e user@company.com \
+    -u f83j5h6 \
+    -p Ju1PeM47R0B92Lk3AZp-bWJSck2F7aGCiZ66aFGZrs2 \
+    <host>
+----
+
+. You can now tag and push images using the route host. For example, to tag and
+push a `busybox` image in a project called `test`:
++
+----
+$ oc get imagestreams -n test
+NAME      PODMAN REPO   TAGS      UPDATED
+
+$ podman pull busybox
+$ podman tag busybox <host>/test/busybox
+$ podman push <host>/test/busybox
+The push refers to a repository [<host>/test/busybox] (len: 1)
+8c2e06607696: Image already exists
+6ce2e90b0bc7: Image successfully pushed
+cf2616975b4a: Image successfully pushed
+Digest: sha256:6c7e676d76921031532d7d9c0394d0da7c2906f4cb4c049904c4031147d8ca31
+
+$ podman pull <host>/test/busybox
+latest: Pulling from <host>/test/busybox
+cf2616975b4a: Already exists
+6ce2e90b0bc7: Already exists
+8c2e06607696: Already exists
+Digest: sha256:6c7e676d76921031532d7d9c0394d0da7c2906f4cb4c049904c4031147d8ca31
+Status: Image is up to date for <host>/test/busybox:latest
+
+$ oc get imagestreams -n test
+NAME      PODMAN REPO                       TAGS      UPDATED
+busybox   172.30.11.215:5000/test/busybox   latest    2 seconds ago
+----
++
+[NOTE]
+====
+Your image streams will have the IP address and port of the registry service,
+not the route name and port. See `oc get imagestreams` for details.
+====