Skip to content

Using Rahti 2 integrated registry

Manual Image Caching

It is possible to manually cache images in Rahti 2. This could be useful to remove an external dependency or improve performance.

The process is simple:

  1. Install and login with OC.

  2. With a terminal, connect to the Rahti 2 registry:

    docker login -p $(oc whoami -t ) -u unused image-registry.apps.2.rahti.csc.fi
    

    Info

    If you get any error, make sure you are logged in. If you run oc whoami, the command should return your username.

  3. Tag the image you want to push:

    docker tag centos:7 image-registry.apps.2.rahti.csc.fi/{YOUR_PROJECT_NAME}/centos:<tag>
    
    Replace {YOUR_PROJECT_NAME} by the name of your project.

  4. Push your image:

    docker push image-registry.apps.2.rahti.csc.fi/{YOUR_PROJECT_NAME}/centos:<tag>
    

You should be able to see your images in your project: Image Streams

Using Manually Cached Images

Go to your project's deployment, and edit it.

Edit deployment

Go to the Images section, make sure the option "Deploy images from an image stream tag" is clicked. Finally select the new image.

Use cached image

Access Control for the Rahti 2 Integrated Registry

Rahti 2 allows fine-grained control over access to the integrated image registry, enabling management of access based on user authentication.

1. Anonymous Access (system:anonymous)

This refers to users who access the registry without providing any authentication credentials. In this scenario, they have no identity attached to their requests.

  • How to enable: Use the following command to allow anonymous users to pull images from your project's registry:
    oc policy add-role-to-user registry-viewer system:anonymous -n <project>
    
  • Use case: Suitable for cases where you want to make images publicly accessible, allowing anyone to view or pull images without logging in.

2. Unauthenticated Access (system:unauthenticated)

This group includes all users who are accessing the system without valid authentication credentials, including anonymous users but potentially also used automated systems, scripts or external services that do not need to be authenticate.

  • How to enable: Grant unauthenticated users access with the command:
    oc policy add-role-to-user registry-viewer system:unauthenticated -n <project>
    
  • Use case: This is broader than system:anonymous and is useful for systems or services to access your registry without authentication.

3. Authenticated Access (system:authenticated)

Authenticated users are those who have successfully logged in using valid credentials (e.g., OAuth tokens).

  • How to enable: To allow all authenticated users to access the registry:
    oc policy add-role-to-user registry-viewer system:authenticated -n <project>
    
  • Use case: This allows any user with valid credentials to view or pull images, useful for restricting access.

Guide on Pulling Images from Rahti 1 Registry

To securely pull images from Rahti 1 registry to Rahti 2, follow this guide. It also explains how to convert images using Skopeo for compatibility with future releases.


Last update: September 19, 2024