Securing the OpenShift V3 Registry

September 25, 2015

In my previous post I described how to manually export/import a Docker image from one system into the Docker registry of OpenShift.

A next step would be to push an image from a non OpenShift system directly into the registry.

The documentation of OpenShift recommends to secure the registry before opening it for external access. This is, what this article is going to document, while another one will show how to do the remote push.

Please run the following steps as a user with cluster-admin privileges.

Step 1

Change into the default project

# oc project default

Step 2

Check the IP-Address and Port of your OpenShift Docker registry

# oc get service docker-registry
docker-registry docker-registry=default docker-registry=default 5000/TCP

Step 3

Change into the directory where you have the certificates of your OpenShift installation and create a new server-certificate for your registry

# cd /etc/openshift/master/

[root@master master]# oadm ca create-server-cert --signer-cert=ca.crt \
 --signer-key=ca.key --signer-serial=ca.serial.txt \
 --hostnames=',,' \
 --cert=registry.crt --key=registry.key

Step 4

Create a new OpenShift secret and add the newly created certificate to it

# oc secrets new registry-secret registry.crt registry.key

Step 5

Add the newly created secret to the service-account under which the registry runs

# oc secrets add serviceaccounts/registry secrets/registry-secret

Step 6

Update the registries deployment-configuration to include the new secret and the TLS definition

# oc volume dc/docker-registry --add --type=secret \
  --secret-name=registry-secret -m /etc/secrets

# oc env dc/docker-registry \
  REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt \

Step 7

To be able to connect to the registry from outside of OpenShift, we need to create a route to the registry. For this we create a file describing the required route

 "kind": "Route",
 "apiVersion": "v1",
 "metadata": {
 "name": "registry",
 "namespace": "default",
 "labels": {
 "docker-registry": "default"
 "spec": {
 "host": "",
 "to": {
 "kind": "Service",
 "name": "docker-registry"
 "tls": {
 "termination": "passthrough"
 "status": {}

The ‘host’ section in this definition defines the name under which the registry is supposed to be known from outside. In this case it is ‘’.

Which we then need to add to our OpenShift installation

# oc create -f registry-route.json

Step 8

Last, but not least, we need to make Docker use the correct certificate, when trying to connect to the secured registry. To do this, you will have to copy the ‘ca.crt’ from ‘/etc/openshift/master/’ into the right directory on all systems, which need to communicate with our registry, so the OpenShift Master, all Nodes and potential other systems.

For the OpenShift Master, the commands to do so are as follows:

# mkdir -p /etc/docker/certs.d/
# cp /etc/openshift/master/ca.crt /etc/docker/certs.d/

Don’t forget to restart the Docker service

# sudo systemctl daemon-reload
# sudo systemctl restart docker

One reply on “Securing the OpenShift V3 Registry”

Leave a Reply


Subscribe to our newsletter.

Please select all the ways you would like to hear from Open Sourcerers:

You can unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please visit our website.

We use Mailchimp as our newsletter platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices here.