Technology certification
Red Hat recommended practices for container distribution
As you are going through the process of certification for the Red Hat OpenShift Container Platform you have a couple choices to make when setting up your containerized application and Operator projects. One of the most important choices is the distribution method. In this context, the distribution method refers to two things: the repository where your images are hosted, and where your Operator will be listed and available for deployment. This post will help to clarify your choices and help you to understand what a partner needs to do when setting up their projects in connect.redhat.com.
At this point you are probably aware of the fact that for certification purposes, a partner has to use either a base image of Red Hat Enterprise Linux (RHEL) or the Red Hat Universal Base Image (UBI). Using RHEL limits your ability to host your container images to our internal repository only and the partner must fill out an Export Compliance form in order to obtain the Red Hat Registry publishing approval. If you use UBI you can host your images in any repository you wish and if you use an external repository you can waive the Export Compliance step if hosting in an external registry.
When you set up your project to get your product Red Hat certified, you have a few choices for the distribution method:
Red Hat Container Registry and Marketplace
Red Hat Container Registry is managed by Red Hat at no cost to partners. It is available for container images whether you use UBI content or the broader RHEL content. You can also distribute to Red Hat Marketplace, if applicable. This requires Export Compliance approval. If you choose to host your images in our internal repository, we host them on registry.connect.redhat.com.
Red Hat Marketplace only
Distribute your container image exclusively via the Red Hat marketplace. This option requires customers to have an entitlement to pull your container. Requires Export Compliance. If you choose to host your images in our internal repository we host them on registry.connect.redhat.com.
Non-Red Hat container registry
In this option you provide your own registry or use a non-Red Hat container registry. This option is only available for container images built with the UBI base image. This option will exclude you from a Red Hat Marketplace listing.
Here’s a side-by-side view of your options:
Once you have chosen your distribution method you can change this in your project settings as long as no images have been published. Once the image has been uploaded and published you will then need to use that path-to-image in your metadata for your operator so it pulls the certified image. (registry.connect.redhat.com/<company-name>/<operator-project>:<tag>)
By the end of December 2020, projects that use “Non-Red Hat Container Registry” distribution method, instead of pushing your container images to the project for certification scanning, we will pull your images. In order for us to pull your images, you will be required to provide the following details by selecting “Scan new image” option:
- Container pull specification (the hostname, repository path and tag)
- Pull Secret (optional) Note: Pull secrets are used to pull private container images from registries like Quay and Docker Hub.
The choice is yours as you go through the certification journey. With that in mind if you have any questions regarding the distribution method please contact the Technology Partner Success Desk (TPSD).
Credits: Photo by Marcin Jozwiak on Unsplash