Adding the OpenShift internal registry with Codewind

Prerequisites

1. Install an OKD or OpenShift cluster with the internal Docker registry.
2. Be able to create service accounts on the cluster.
3. Be able to assign the system:image-builder role to service accounts.

Setting up a service account

Some of the following instructions were adapted from Remotely Push and Pull Container Images to OpenShift.

1. Determine which project to push images to.
   • If you’re creating a new project, run the oc new-project <project> command.
2. Create a service account in the project.
   • Run: oc create serviceaccount <serviceaccount>
   • Example: oc create serviceaccount pusher
3. Grant push access to the registry to the new service account.
   • Run: oc policy add-role-to-user system:image-builder system:serviceaccount:<project>:<serviceaccount>
   • Example: oc policy add-role-to-user system:image-builder system:serviceaccount:pushed:pusher
4. Retrieve the secret containing the service account token.
   • Run: oc describe sa <serviceaccount>
   • Example output:

      Name:                pusher
      Namespace:           pushed
      Labels:              <none>
      Annotations:         <none>
      Image pull secrets:  pusher-dockercfg-6lkbp
      Mountable secrets:   pusher-token-zfqbv
                           pusher-dockercfg-6lkbp
      Tokens:              pusher-token-hhd2g
                           pusher-token-zfqbv
      Events:              <none>
     

   • In this example, pusher-token-hhd2g and pusher-token-zfqbv are the secrets containing the service account token.
5. Select one of the token secrets and retrieve the token from it.
   • Run: oc describe secret <secret>
   • Example output:

     Name:         pusher-token-hhd2g
     Namespace:    pushed
     Labels:       <none>
     Annotations:  kubernetes.io/created-by=openshift.io/create-dockercfg-secrets
                   kubernetes.io/service-account.name=pusher
                   kubernetes.io/service-account.uid=aaf3102c-c4f6-11e9-b12c-00000a1f0ade
     
     Type:  kubernetes.io/service-account-token
     
     Data
     ====
     token:           eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJwdXNoZWQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicHVzaGVyLXRva2VuLWhoZDJnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InB1c2hlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFhZjMxMDJjLWM0ZjYtMTFlOS1iMTJjLTAwMDAwYTFmMGFkZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpwdXNoZWQ6cHVzaGVyIn0.nO1QMQixfCLNeJXJnn5O--7WFjaSJCUB2I3Exb4dSKuN93BKJOp14XlZk_w_zXrOk8CtUA-8J6t3FHtdLvoXxWgxeq7GRZLU89HRX8j-eNfQzQHxhhh1-uLgFiwySQu32vpSCdPQRZQVmHHk3I0qpebp4m8IVbDyrVd1jPNhznNdmKj5FGwBYxz1SySsoAcotvXjVdahe_3KsCxkYq5ZDeAmzdJWnZOBJpXKojowS_J6cd-2HzWu6aq1QSFmRi8b31Yh9mRBo5NHF6hNXsafQzXB094ZiGjbsNwKjD_lL4qugrDw5OXjRdP-IHYYQ-zRFyQKWuTji5JtyE4MK7B59w
     ca.crt:          1070 bytes
     namespace:       6 bytes
     service-ca.crt:  2186 bytes
     
     

6. Copy the value from the token field.

Adding the OpenShift registry in Codewind

1. Create or open a Codewind workspace.
2. Run the command, Codewind: Image Registry Manager.
3. Enter docker-registry.default.svc:5000 as the Address (image-registry.openshift-image-registry.svc:5000 for OCP version 4).
4. Enter the service account name as the username.
5. Enter the token retrieved from the service account token secret as the password.
6. Enter <project> as namespace, where <project> is the OpenShift project where you created the service account.
7. Click Enter.