如何`docker登录`到OpenShift Docker注册表

image-registry.openshift-image-registry.svc:5000在Openshift群集的外部无法解析，因为它是内部注册表服务名称。 因此，您应该通过注册表的路由主机名访问内部注册表服务，以便进行docker login。如果内部注册表未公开，请参考Exposing a secure registry manually。

// expose the internal registry to external using Route.
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

// Verify the internal registry Route hostname.
$ oc get route -n openshift-image-registry
NAME            HOST/PORT                                                            PATH   SERVICES         PORT    TERMINATION   WILDCARD
default-route   default-route-openshift-image-registry.apps.clustername.basedomain            image-registry   <all>   reencrypt     None

// Try to login using the internal registry Route hostname.
$ docker login -u <user_name> -p $(oc whoami -t) default-route-openshift-image-registry.apps.clustername.basedomain

以下是我使用podman的测试证据。 首先，您应该在执行了docker或podman客户端的客户端主机上放置并更新Router通配符证书的受信任CA。

# podman login  -u admin -p $(oc whoami -t) default-route-openshift-image-registry.apps.<clustername>.<basedomain>
Login Succeeded!

此外，如果您遇到“ x509：证书由未知授权机构签名”错误消息，则应将路由器受信任的CA放置在主机上，或者在podman情况下或使用相同选项时应使用“ --tls-verify = false”而不是那种情况。

# podman login  -u admin -p $(oc whoami -t) default-route-openshift-image-registry.apps.<clustername>.<basedomain>
Error: error authenticating creds for "default-route-openshift-image-registry.apps.<clustername>.<basedomain>": pinging docker registry returned: Get https://default-route-openshift-image-registry.apps.<clustername>.<basedomain>/v2/: x509: certificate signed by unknown authority

# podman login --tls-verify=false  -u admin -p $(oc whoami -t) default-route-openshift-image-registry.apps.<clustername>.<basedomain>
Login Succeeded!