# Noobaa MCG vs Ceph RGW for OpenShift Image Registry Considerations: 1. Noobaa's MCG (Multi Cloud Gateway) -vs- Ceph's RGW (RADOS Gateway) 2. Service (Internal) -vs- Route (External) * https://rook-ceph-rgw-ocs-storagecluster-cephobjectstore.openshift-storage.svc * http://ocs-storagecluster-cephobjectstore-openshift-storage.apps.example.com I'm going to document RGW via Service because it is a more direct network path and simpler architecture than Noobaa via Route. Noobaa may be valuable if you intend to mirro, replicate, encrypt the object bucket in the future. Documentation available at https://docs.openshift.com/container-platform/4.15/registry/configuring_registry_storage/configuring-registry-storage-rhodf.html#registry-configuring-registry-storage-rhodf-cephrgw_configuring-registry-storage-rhodf :::warning It is NOT recommended to use CephFS ::: ## Ceph RGW via Service Please note, the name of the `secret` that holds the bucket access/secret keys is hard coded as: `image-registry-private-configuration-user` https://github.com/openshift/cluster-image-registry-operator?tab=readme-ov-file#image-registry-private-configuration-user-secret ```bash cat <<EOF | oc apply -f - --- apiVersion: objectbucket.io/v1alpha1 kind: ObjectBucketClaim metadata: name: imageregistry namespace: openshift-image-registry spec: generateBucketName: imageregistry storageClassName: ocs-storagecluster-ceph-rgw EOF CLAIM_NAME=$(oc get objectbucketclaim imageregistry -n openshift-image-registry -o jsonpath='{.spec.objectBucketName}') BUCKET_NAME=$(oc get objectbucket $CLAIM_NAME -n openshift-image-registry -o=jsonpath='{.spec.endpoint.bucketName}') ACCESS_KEY=$(oc extract secret/imageregistry -n openshift-image-registry --keys=AWS_ACCESS_KEY_ID --to=-) SECRET_KEY=$(oc extract secret/imageregistry -n openshift-image-registry --keys=AWS_SECRET_ACCESS_KEY --to=-) ENDPOINT=$(oc get objectbucket $CLAIM_NAME -n openshift-image-registry -o=jsonpath='{.spec.endpoint.bucketHost}') echo "CLAIM_NAME: ${CLAIM_NAME} BUCKET_NAME: ${BUCKET_NAME} ACCESS_KEY: ${ACCESS_KEY} SECRET_KEY: ${SECRET_KEY} ENDPOINT: ${ENDPOINT}" # The secret name must be "image-registry-private-configuration-user" oc create secret generic image-registry-private-configuration-user \ --namespace openshift-image-registry \ --from-literal=REGISTRY_STORAGE_S3_ACCESSKEY=${ACCESS_KEY} \ --from-literal=REGISTRY_STORAGE_S3_SECRETKEY=${SECRET_KEY} oc extract configmap/openshift-service-ca.crt --keys=service-ca.crt -n openshift-ingress --confirm oc create configmap/imageregistry-trusted-ca --from-file=ca-bundle.crt=./service-ca.crt -n openshift-config oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","s3":{"bucket":'\"${BUCKET_NAME}\"',"region":"us-east-1","regionEndpoint":'\"https://${ENDPOINT}\"',"virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"imageregistry-trusted-ca"}}}}}' --type=merge ``` ## Noobaa via default Route / Ingress ``` # route, trust default ingress CA oc extract secret/router-certs-default --keys=tls.crt -n openshift-ingress --confirm oc create configmap imageregistry-trusted-ca --from-file=ca-bundle.crt=./tls.crt -n openshift-config oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","s3":{"bucket":'\"${BUCKET_NAME}\"',"region":"us-east-1","regionEndpoint":'\"https://${ENDPOINT}\"',"virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"imageregistry-trusted-ca"}}}}}' --type=merge ``` ## Noobaa via custom Route / Ingress For situations where a proper certificate (not self-signed) was installed ``` # route, trust external CA ```
Last changed by  
John Call
60

Read more

OpenShift Node Network Configuration

[jcall@rhdata6 ocp-tacos]$ oc get nncp/rhdata1-all-in-one -o yamlapiVersion: nmstate.io/v1kind: NodeNetworkConfigurationPolicymetadata:annotations:nmstate.io/webhook-mutating-timestamp: “1668188212258738502”creationTimestamp: “2022-07-24T22:28:25Z”generation: 2name: rhdata1-all-in-oneresourceVersion: “1693703259”uid: 79e47460-056e-45b2-9ded-d6e16c1b0e9bspec:desiredState:dns-resolver:config:search:- dota-lab.iad.redhat.comserver:- 10.15.168.26interfaces:- bridge:options:stp:enabled: falseport:- name: enp1s0f0description: Bridge to Red Hat networks and internet (10.15.168.0/24)ipv4:address:- ip: 10.15.168.21prefix-length: 24dhcp: falseenabled: truename: bridge-redhatstate: uptype: linux-bridge- description: Bridge member (bridge-redhat)lldp:enabled: truename: enp1s0f0state: uptype: ethernet- bridge:options:stp:enabled: trueport:- name: bond-datadescription: Bridge to 172.16.1.0/24 and VLAN 999 - 172.31.255.0/24ipv4:address:- ip: 172.16.1.21prefix-length: 24dhcp: falseenabled: truemtu: 9000name: bridge-datastate: uptype: linux-bridge- description: LACP bond to arctica-data1 (172.16.1.0/24 and VLAN 999 - 172.31.255.0/24)ipv4:enabled: falseipv6:enabled: falselink-aggregation:mode: 802.3adoptions:lacp_rate: fastport:- ens1f0- ens1f1lldp:enabled: truemtu: 9000name: bond-datastate: uptype: bond- description: LACP bond member (bond-data)lldp:enabled: truemtu: 9000name: ens1f0state: uptype: ethernet- description: LACP bond member (bond-data)lldp:enabled: truemtu: 9000name: ens1f1state: uptype: ethernet- bridge:options:stp:enabled: trueport:- name: bond-privdescription: Bridge to 172.16.2.0/24ipv4:address:- ip: 172.16.2.21prefix-length: 24dhcp: falseenabled: truemtu: 9000name: bridge-privstate: uptype: linux-bridge- description: LACP bond to arctica-data2 (172.16.2.0/24)ipv4:enabled: falseipv6:enabled: falselink-aggregation:mode: 802.3adoptions:lacp_rate: fastport:- ens12f0- ens12f1lldp:enabled: truemtu: 9000name: bond-privstate: uptype: bond- description: LACP bond member (bond-priv)lldp:enabled: truemtu: 9000name: ens12f0state: uptype: ethernet- description: LACP bond member (bond-priv)lldp:enabled: truemtu: 9000name: ens12f1state: uptype: ethernetroutes:config:- destination: 0.0.0.0/0next-hop-address: 10.15.168.254next-hop-interface: bridge-redhatnodeSelector:kubernetes.io/hostname: rhdata1.dota-lab.iad.redhat.comstatus:conditions:

4/30/2024
Installing OpenShift on a single drive

Procedure to restrict CoreOS root partition from growing to consume the entire drive. Just create a new partition during installation with a MachineConfig YAML manifest. LVMStorage can use this empty partition after the installation is complete to dynamically allocate storage to VMs and Pods/containers.

4/25/2024
Deploying csi-driver-nfs to OpenShift

A few of my notes related to installing csi-driver-nfs into OpenShift.

4/18/2024
OpenShift certificates

oc create configmap trusted-ca-list --from-file=ca-bundle.crt=MyRootCA.pem -n openshift-config

4/17/2024
Read more from John Call
Published on HackMD