2019-05-24 • OPENSHIFT , LINUX

OpenShift Authenticate all Namespaces to a Secured Registry

If your organization maintains or uses a third-party container registry requiring authentication, this article will help you setup one set of credentials in OpenShift for all your users.

Implication: all users have access to these credentials. They should be read-only.

Recently Red Hat launched a new Container Registry at registry.redhat.io requiring authenticated logins. When you install an OpenShift 3.10 or greater cluster, your default pull registry for the images and templates in the OpenShift namespace will use this registry. If you tried to run the OpenShift installer without adding the credentials for oreg_auth_user and oreg_auth_password, you would have found that installation will fail.

The openshift-ansible installer playbooks will add your specified credentials to a secret named imagestreamsecret in the openshift namespace. This means that any import-images into that namespace will use those credentials. However, due to security and permission policies being isolated between namespaces, when you try to perform an import-image from a container image at registry.redhat.io in another namespace, you will find it fails with an error showing you have not provided authentication credentials for the registry. If you execute oc get secrets in this other namespace, you will see your common dockerconfig secrets for your internal registry, but not the imagestreamsecret for registry.redhat.io. These secrets are created when the namespace is built, and you may notice that every namespace has its own secrets. However, by default your credentials for the registry.redhat.io container registry are not copied to other namespaces. You may like this behavior if you want full control over what images are allowed within your platform, requiring all users to pull only those images available in the openshift namespace. However, you may want to provide your users the freedom to pull any images from approved external catalogs using preset credentials. Keep in mind that your users are not restricted, in this case, from using the registry with their own provided credentials, unless you have explicity set rules in your local container engine to allow only particular registries and/or deny others. In other words, if your user has their own credentials, they can create a dockerconfig secret with those credentials in their namespace and successfully pull images from that registry. If you would like to have the authentication work without further intervention from users, by default during namespace creation, then proceed with the following steps.

The documentation explains how to modify the default template for new namespaces:

https://docs.openshift.com/container-platform/3.11/admin_guide/managing_projects.html#modifying-the-template-for-new-projects

We will provide the same documenation steps here, with a few additional details particular to this use case.

To create your own custom project template:

Start with the current default project template:

$ oc adm create-bootstrap-project-template -o yaml > template.yaml

Use a text editor to modify the template.yaml file by adding objects or modifying existing objects.

If you installed your cluster with oreg_url set to the default value of registry.redhat.io, then you can export the imagestream dockerconfig from the openshift namespace.
```
oc get secret imagestreamsecret -n openshift -o yaml --export > is-secret.yaml
```
If you do not have this secret available, you need to create a Red Hat Registry Service Account through the Customer Portal here:

https://access.redhat.com/terms-based-registry/

Once you create your credentials, you can navigate to the tab that allows you to download the YAML file. This object will be named differently from imagestreamsecret.

https://access.redhat.com/RegistryAuthentication

If you would like to authenticate to some other registry, follow these steps to create a dockerconfig secret:

https://docs.openshift.com/container-platform/3.11/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries

Example secret object to add to the bottom of your template.yaml file:
```
- apiVersion: v1
  data:
    .dockerconfigjson: <ENCODED_VALUE>
  kind: Secret
  metadata:
    name: imagestreamsecret
  type: kubernetes.io/dockerconfigjson
```
Load the template:
```
$ oc create -f template.yaml -n default
```

Modify the master-config.yaml file to reference the loaded template (on each master):

    ...
    projectConfig:
      projectRequestTemplate: "default/project-request"
      ...

Restart the api services (on each master):
```
$ master-restart api api
```