Add operation doc for Docker Reg Mgmt

This operation guide describes Docker registry tasks to be completed on controller nodes. Patchset 3: Updates and additional content per feedback. Replaced CLI descriptions with link to CLI ref (and update CLI ref with additional info) Patchset 4: Fix typo and move general info link to overview. Story: 2006881 Tasks: 37490, 37509, 37510 Includes reviewer comment and removes possible upstream urls. Change-Id: I5d167adbd7c4141cd765e4dc5a962fbc45a2e13e Signed-off-by: MCamp859 <maryx.camp@intel.com> Signed-off-by: Kristal Dale <kristal.dale@intel.com>
2019-12-09 15:25:59 -05:00 · 2019-12-09 15:25:59 -05:00 · ec62ca3cda
commit ec62ca3cda
parent f54d6f00c6
2 changed files with 156 additions and 9 deletions
--- a/doc/source/cli_ref/system.rst
+++ b/doc/source/cli_ref/system.rst
@ -76,6 +76,8 @@ for a variety of StarlingX use cases. For example:
 Local Docker registry management
 ********************************
 .. incl-cli-local-docker-reg-start:
 Local Docker registry management commands enable you to remove images and
 free disk resources consumed by the local Docker registry. This is required if
 the local Docker registry's file system (`docker-distribution`) becomes full.
@ -83,15 +85,38 @@ the local Docker registry's file system (`docker-distribution`) becomes full.
 ``registry-garbage-collect``
    Run the registry garbage collector.
    This frees up the space on the file system used by deleted images. In rare
    cases, the system may trigger a `swact` in the small time window when
    garbage-collect is running. This may cause the registry to get stuck in
    read-only mode. If this occurs, run garbage-collect again to take the
    registry out of read-only mode.
 ``registry-image-delete``
    Remove the specified Docker image from the local registry.
    The image should be specified in the form :command:`name:tag`. This command
    only removes the image from the local Docker registry. It does not free
    space on the file system.
    .. note::
       Any stx-openstack images in a system with stx-openstack applied should
       not be deleted. If space is needed, you can delete the older tags of
       stx-openstack images, but do not delete the most recent one. Deleting
       both the registry stx-openstack images and the one from the Docker
       cache will prevent failed pods from recovering. If this happens,
       manually download the deleted images from the same source as
       application-apply and push it to the local registry under the same
       name and tag.
 ``registry-image-list``
    List all images in local docker registry.
 ``registry-image-tags``
    List all tags for a Docker image from the local registry.
 .. incl-cli-local-docker-reg-end:
 *****************************************
 Host/controller file system configuration
 *****************************************
--- a/doc/source/operations/k8s_docker_reg_management.rst
+++ b/doc/source/operations/k8s_docker_reg_management.rst
@ -2,15 +2,137 @@
 Kubernetes Docker Registry Management (Local)
 =============================================
-This is a stub page for the topic: Kubernetes Docker Registry Management (Local). You
+This guide describes how to use and manage the local Docker registry.
 can help StarlingX by expanding the content.
 See the story for additional information about what is needed:
 `Add Kubernetes Docker Registry Management (Local) Guide <https://storyboard.openstack.org/#!/story/2006881>`_
 For information about contributing to the StarlingX documentation, see the
 :doc:`/contributor/doc_contribute_guide`.
 .. contents::
   :local:
-   :depth: 1
+   :depth: 1
 --------
 Overview
 --------
 A local Docker registry is deployed by default on the controller/master nodes,
 as part of the StarlingX Kubernetes deployment. It can be accessed at
 `registry.local:9001`.
 StarlingX stores container images in the local Docker registry, which is also
 available for end users to store hosted application container images.
 For more information about Docker Registry, refer to the upstream
 `Docker Registry documentation <https://docs.docker.com/registry/>`_.
 ----------------------------
 Configure custom certificate
 ----------------------------
 By default, the local Docker registry uses a self-signed certificate. It is
 highly recommended to replace the self-signed certificate with a CA-signed
 certificate.
 Use the :command:`system certificate-install` command and the :command:`docker_registry`
 option to update the certificate used by all Docker registry communication, as
 shown below:
 ::
   $ system certificate-install -m/--mode docker_registry path_to_cert
 ---------------------------------
 Authentication and authentication
 ---------------------------------
 Authentication is enabled for the local Docker registry. When logging in, users
 are authenticated using platform keystone credentials.
 For example, if using the local Docker to log in, use the following command:
 ::
  docker login registry.local:9001 -u <keystoneUserName> -p <keystonePassword>
 The `admin` platform keystone user is authorized to perform all actions on all
 repositories. Any other platform keystone user can perform all actions but only
 on their own repositories.
 For example, the non-admin keystone user `testuser` can only push or pull images
 located under `registry.local:9001/testuser/...`.
 .. note::
   A keystone user name must be all lowercase, because the Docker registry does
   not allow repository names to use capital letters. For example, the following
   repository is invalid: `registry.local:9001/TESTUSER/busybox:latest`.
 -------------------------------------------------------------
 Use local Docker registry images in Kubernetes container spec
 -------------------------------------------------------------
 When creating a pod spec or deployment spec that uses an image from the local
 Docker registry you must:
 * Use the full image name, including the registry.
 * Specify an imagePullSecret with your keystone credentials.
 This example procedure assumes that the `testuser/busybox:latest` container
 image has been pushed to the local Docker registry.
 Example procedure:
 #. Create a secret with platform keystone credentials for the local Docker registry:
   ::
     kubectl create secret docker-registry testuser-registry-secret \
     --docker-server=registry.local:9001 --docker-username=testuser \
     --docker-password=<testuserPassword> --docker-email=noreply@windriver.com
 #. Create a Kubernetes deployment YAML file using the busybox container image
   stored in the local Docker registry. Note that `imagePullSecret` must be
   specified in the YAML file, providing the secret created in the previous step.
   ::
     cat <<EOF > busybox.yaml apiVersion: apps/v1
     kind: Deployment metadata:
       name: busybox
       namespace: default
     spec:
       progressDeadlineSeconds: 600
       replicas: 1
       selector:
         matchLabels:
           run: busybox
       template:
         metadata:
           labels:
             run: busybox
         spec:
           containers:
           - args:
             - sh
             image: registry.local:9001/testuser/busybox:latest
             imagePullPolicy: Always
             name: busybox
             stdin: true
             tty: true
           restartPolicy: Always
           imagePullSecrets:
           - name: testuser-registry-secret
     EOF
 #. Apply the ``busybox.yaml`` manifest that will pull the image from the
   authenticated local Docker registry using the keystone credentials in the
   `imagePullSecret`.
   ::
     kubectl apply -f busybox.yaml
 ----------------------------
 Free space in local registry
 ----------------------------
 .. include:: /cli_ref/system.rst
   :start-after: incl-cli-local-docker-reg-start:
   :end-before: incl-cli-local-docker-reg-end: