Image management API is accessible

The image management API is accessible from the proxy node.

Symptoms

Other users are able to view a list of repositories in the private registry.

Causes

The image management API is accessible from the <proxy_node_ip>:8600 port.

Resolving the problem

Move the image management API from the proxy node port to the port that is served by the management ingress.

Changing the proxy node port from the management console

Complete the following steps to update your proxy node port for the image management API:

  1. Log in to your IBM Cloud Private management console.

    Note: If you installed IBM Cloud Pak for Multicloud Management, click Local Cluster > Manage Local Cluster after you log in.

  2. From the navigation menu, click Cluster Services.

  3. Add a new ingress rule by selecting the Ingress tab. Click Create Ingress to add the icp-management-ingress rule. For example, the new ingress might resemble the following content:

    {
      "apiVersion": "extensions/v1beta1",
      "kind": "Ingress",
      "metadata": {
        "name": "image-manager-registry",
        "namespace": "kube-system",
        "annotations": {
          "icp.management.ibm.com/secure-backends": "true",
          "kubernetes.io/ingress.class": "ibm-icp-management"
        }
      },
      "spec": {
        "tls": [
          {
            "hosts": [
              "<cluster_CA_domain>"
            ],
            "secretName": "image-manager-registry-tls-secret"
          }
        ],
        "rules": [
          {
            "http": {
              "paths": [
                {
                  "path": "/",
                  "backend": {
                    "serviceName": "image-manager",
                    "servicePort": 8500
                  }
                }
              ]
            }
          }
        ]
      }
    }
    
  4. Modify the registry-config ConfigMap so that the realm uses port 8443 instead of 8600. For example, your registry-config ConfigMap might resemble the following content:

    {
      "apiVersion": "v1",
      "kind": "ConfigMap",
      "metadata": {
        "name": "registry-config",
        "namespace": "kube-system",
        "resourceVersion": "14761",
        "labels": {
          "chart": "image-manager-99.99.99",
          "component": "image-manager",
          "heritage": "Tiller",
          "release": "image-manager"
        }
      },
      "data": {
        "registry-config.yaml": "version: 0.1\nlog:\n  fields:\n    service: registry\nstorage:\n    cache:\n        layerinfo: inmemory\n    filesystem:\n        rootdirectory: /var/lib/registry\n    maintenance:\n        uploadpurging:\n            enabled: false\n    delete:\n        enabled: true\nhttp:\n    addr: :8500\n    tls:\n      certificate: /path/to/x509/public\n      key: /path/to/x509/private\nauth:\n  token:\n    issuer: registry-token-issuer\n    realm: https://<cluster_CA_domain>:8443/image-manager/api/v1/auth/token\n    rootcertbundle: /root/certs/bundle\n    service: token-service\n"
      }
    }
    
  5. Modify the image-manager StatefulSet and set the hostNetwork parameter to false, so that the pod no longer binds directly to the node's network. Your hostNetwork parameter must resemble the following information: hostNetwork: false.

  6. Modify the image-manager rules in the icp-management-ingress ingress by adding a host that routes to the same port. For example, add your <cluster_CA_domain> host into the icp-management-ingress ingress:

    {
      "apiVersion": "extensions/v1beta1",
      "kind": "Ingress",
      "metadata": {
        "name": "image-manager",
        "namespace": "kube-system",
        "labels": {
          "chart": "image-manager-99.99.99",
          "component": "image-manager",
          "heritage": "Tiller",
          "release": "image-manager"
        },
        "annotations": {
          "icp.management.ibm.com/auth-type": "id-token",
          "icp.management.ibm.com/secure-backends": "true",
          "kubernetes.io/ingress.class": "ibm-icp-management"
        }
      },
      "spec": {
        "rules": [
          {
            "host": "<cluster_CA_domain>",
            "http": {
              "paths": [
                {
                  "path": "/image-manager/api/v1",
                  "backend": {
                    "serviceName": "image-manager",
                    "servicePort": 8600
                  }
                }
              ]
            }
          },
          {
            "http": {
              "paths": [
                {
                  "path": "/image-manager/api/v1",
                  "backend": {
                    "serviceName": "image-manager",
                    "servicePort": 8600
                  }
                }
              ]
            }
          }
        ]
      }
    }
    
  7. Because the registry port has changed, port 8443 must be used for Docker commands and other image-manager APIs. Copy the contents of the /etc/docker/certs.d/<cluster_CA_domain>:8500 directory into the /etc/docker/certs.d/<cluster_CA_domain>:8443 directory so that Docker trusts the registry certificate on the new port. Run the following commands:

    mkdir -p "/etc/docker/certs.d/<cluster_CA_domain>:8443"
    cp -r "/etc/docker/certs.d/<cluster_CA_domain>:8500/." "/etc/docker/certs.d/<cluster_CA_domain>:8443/"
    
  8. Verify that the Docker commands work by logging in to the registry on the new port and pushing an image. Run the following commands:

    docker login <cluster_CA_domain>:8443
    docker push <cluster_CA_domain>:8443/namespace/imageName:tag
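To confirm that steps 4 and 5 actually took effect (or to detect later drift back to the exposed configuration), the following audit script, written for this page and not part of IBM Cloud Private, reads the JSON that `kubectl get configmap registry-config -n kube-system -o json` and `kubectl get statefulset image-manager -n kube-system -o json` print and reports any finding. The sample objects at the bottom are constructed and trimmed to the fields the audit reads; the host name mycluster.icp is a placeholder.

```python
import json
import re
import sys
from typing import List, Optional

PROXY_PORT = 8600         # port exposed on the proxy node (the symptom above)
MGMT_INGRESS_PORT = 8443  # management ingress port the fix moves the API to


def realm_port(configmap: dict) -> Optional[int]:
    """Port in the `realm:` URL of the embedded registry-config.yaml, or None."""
    yaml_text = configmap["data"]["registry-config.yaml"]
    match = re.search(r"^\s*realm:\s*https?://[^/:\s]+:(\d+)/", yaml_text, re.M)
    return int(match.group(1)) if match else None


def host_network(statefulset: dict) -> bool:
    """True while the image-manager pod still shares the node's network namespace."""
    return bool(statefulset["spec"]["template"]["spec"].get("hostNetwork", False))


def audit(configmap: dict, statefulset: dict) -> List[str]:
    """Return findings; an empty list means the hardening is in place."""
    findings = []
    port = realm_port(configmap)
    if port != MGMT_INGRESS_PORT:
        findings.append(f"token realm uses port {port}, expected {MGMT_INGRESS_PORT}")
    if host_network(statefulset):
        findings.append("image-manager StatefulSet still has hostNetwork: true")
    return findings


# Constructed samples (not real cluster output), trimmed to the audited fields.
def sample_configmap(port: int) -> dict:
    realm = f"https://mycluster.icp:{port}/image-manager/api/v1/auth/token"
    yaml_text = f"version: 0.1\nauth:\n  token:\n    realm: {realm}\n"
    return {"kind": "ConfigMap", "data": {"registry-config.yaml": yaml_text}}


def sample_statefulset(host_net: bool) -> dict:
    return {"kind": "StatefulSet", "spec": {"template": {"spec": {"hostNetwork": host_net}}}}


BEFORE_FIX = audit(sample_configmap(PROXY_PORT), sample_statefulset(True))   # two findings
AFTER_FIX = audit(sample_configmap(MGMT_INGRESS_PORT), sample_statefulset(False))  # []

if __name__ == "__main__":
    # Usage: python audit.py registry-config.json image-manager-sts.json
    with open(sys.argv[1]) as cm, open(sys.argv[2]) as sts:
        for line in audit(json.load(cm), json.load(sts)) or ["OK: no findings"]:
            print(line)
```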