docs/doc/source/admintasks/kubernetes/setting-up-a-public-repository.rst
Ron Stone 4a9e94d81f Apply dir convention to Admintasks
Moved all Kubernetes admintasks content under a kubernetes directory.
This is needed to allow title versioning distinctions in partner builds
Resolved merge conflicts.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: If9d6326cd79247f5cb1c4f41e52ee5afede15ca9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2021-09-03 11:21:18 -04:00


Set up a Public Repository in Local Docker Registry

There will likely be scenarios where you need to make images publicly available to all users.

The suggested method is to create a keystone tenant/user pair, 'registry'/'public', which has access to images in the registry.local:9001/public/ repository. You then share access to those images by sharing the registry/public user's credentials with other users.

  1. Create the keystone tenant/user of registry/public.

    ~(keystone_admin)]$ openstack project create registry
    ~(keystone_admin)]$ TENANTNAME="registry"
    ~(keystone_admin)]$ TENANTID=`openstack project list | grep ${TENANTNAME} | awk '{print $2}'`
    ~(keystone_admin)]$ USERNAME="public"
    ~(keystone_admin)]$ USERPASSWORD="${USERNAME}K8*"
    ~(keystone_admin)]$ openstack user create --password "${USERPASSWORD}" --project ${TENANTID} ${USERNAME}
    ~(keystone_admin)]$ openstack role add --project ${TENANTNAME} --user ${USERNAME} _member_

  2. Create a secret containing the credentials of the public repository in the kube-system namespace.

    % kubectl create secret docker-registry registry-local-public-key --docker-server=registry.local:9001 --docker-username=public --docker-password='publicK8*' --docker-email=noreply@windriver.com -n kube-system

  3. Share the credentials of the public repository with other namespaces.

    Copy the secret to the other namespace and add it as an ImagePullSecret to the namespace's default serviceAccount.

    % kubectl get secret registry-local-public-key -n kube-system -o yaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=<USERNAMESPACE> -f -
    % kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"registry-local-public-key\"}]}" -n <USERNAMESPACE>
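
A check for the procedure above, as an added example that is not part of the original page: it confirms that a pull secret copied into a namespace holds the same credentials as the keystone user from step 1. The function names and the sample payload are constructed for illustration, and the parsing assumes the compact, single-registry JSON that `kubectl create secret docker-registry` writes.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# expected_auth USER PASSWORD
# Prints base64("USER:PASSWORD"), the format of the "auth" field in a
# kubernetes.io/dockerconfigjson secret.
expected_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# check_pull_secret B64_PAYLOAD REGISTRY USER PASSWORD
# B64_PAYLOAD is the secret's base64-encoded .dockerconfigjson value, e.g. from
#   kubectl get secret registry-local-public-key -n <USERNAMESPACE> \
#     -o jsonpath='{.data.\.dockerconfigjson}'
# Returns 0 if the entry for REGISTRY carries USER:PASSWORD, 1 if not,
# 2 if the payload cannot be decoded.
# Assumption: compact JSON with a single registry entry.
check_pull_secret() {
    json=$(printf '%s' "$1" | base64 -d 2>/dev/null) || { echo "payload is not base64"; return 2; }
    printf '%s' "$json" | grep -qF "\"$2\":{" || { echo "no entry for $2"; return 1; }
    stored=$(printf '%s' "$json" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
    [ "$stored" = "$(expected_auth "$3" "$4")" ] || { echo "credentials differ from keystone user"; return 1; }
    echo "ok"
}

# Constructed sample: the payload a secret created with password $1 would hold.
sample_payload() {
    printf '{"auths":{"registry.local:9001":{"username":"public","password":"%s","email":"noreply@windriver.com","auth":"%s"}}}' \
        "$1" "$(expected_auth public "$1")" | base64 | tr -d '\n'
}

# Secret created with the keystone password: passes.
check_pull_secret "$(sample_payload 'publicK8*')" registry.local:9001 public 'publicK8*'
# Secret created with a different password: reported as a mismatch.
check_pull_secret "$(sample_payload 'public')" registry.local:9001 public 'publicK8*' || true
```

Run the check against each namespace that received a copy of the secret; a mismatch shows up at image pull time as an authentication failure against registry.local:9001.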