Secure vs insecure image pruning

[miminar]

Document new options related to secure connection to integrated docker registry and a mechanism that decides whether to fall-back to insecure connection.

Resolves #4232
Resolves bz#1469654

Is blocked on openshift/origin#14114? No longer blocked.

[miminar]

@legionus PTAL

[miminar]

@soltysh PTAL

[ahardin-rh]

xref:using-insecure-connection-against-secured-registry[the one below]

[ahardin-rh]

`certificate-authority`
`registry-url`

[ahardin-rh]

`prune` command

s/with error similar to/with an error similar to

[ahardin-rh]

s/config/configuration file
s/-/--

[ahardin-rh]

I would move the code block to just before "By default...." so that the first sentence does not get broken up.

[ahardin-rh]

registry, but

[ahardin-rh]

Perhaps we can use a discrete heading here instead?

[ahardin-rh]

Perhaps we can use a discrete heading here instead?

[soltysh]

I left you some comments.

[soltysh]

I'd move the last sentence as a NOTE below. Additionally, reword this to something like:

Whenever possible use --certificate-authority, instead. Use of this option is strongly discouraged.

[miminar]

I've ditched it. There is plenty of other places advocating the same. Instead, I've put (Dangerous) at the beginning.

[soltysh]

Don't encourage using --force-insecure anywhere, so drop the last sentence. It's already explained and that's it, it should not be used anywhere, though.

[soltysh]

Suggestion:
The secure connection is the preferred and recommended approach.

It's the recommended as a rule, not only for production.

[soltysh]

s/following/the following

[soltysh]

following cases , unless

[soltysh]

Add info in parenthesis this is not recommended.

[soltysh]

Add not recommended at the end in parens.

[miminar]

Now blocked on openshift/origin#14405. I will need to update error messages once it lands.

[miminar]

Now blocked on openshift/origin#14914

[miminar]

Thanks for all the comments. They should be addressed now. The dependency PR is still waiting for the unblocked merge queue.

[miminar]

No longer blocked. @ahardin-rh could you please review once more?

[miminar]

I'd like to make some corrections for earlier releases. Shall I re-open this against enterprise-3.6 and enterprise-3.5?

[bparees]

@miminar if we label this PR for 3.5 and 3.6, the changes will be applied there.

if 3.5 and 3.6 need a different set of doc, then you'll need to open a separate PR and only label it for 3.5 and 3.6.

[bparees]

@miminar so which versions is this specific PR appropriate for?

[miminar]

@bparees 3.6 - latest; I'll re-submit new PRs for 3.4 and 3.5

[ahardin-rh]

Images Not Being Pruned

[ahardin-rh]

Using a Secure Connection Against an Insecure Registry

[ahardin-rh]

If you see a message similar to the following in the output of the oadm prune images command, then your registry is not secured and the oadm prune images client will attempt to use a secure connection:

[ahardin-rh]

you can force the client to use an insecure

[ahardin-rh]

Using an Insecure Connection Against a Secured Registry

[ahardin-rh]

use the

[ahardin-rh]

Using the Wrong Certificate Authority

[ahardin-rh]

that the certificate

[ahardin-rh]

different than

[ahardin-rh]

Docker registry

[ahardin-rh]

can be added instead

[ahardin-rh]

Docker registry

[ahardin-rh]

Docker registry

[ahardin-rh]

@miminar Thanks! Just a few minor comments from me.

Just a heads-up that, given our new docs workflow, if you want to submit separate PRs for 3.4 and 3.5, be sure to do so against enterprise-3.4-stage and enterprise-3.5-stage respectively. Thanks again!

[miminar]

@ahardin-rh thanks a lot! Comments should be addressed now.

[ahardin-rh]

@miminar Excellent. Thank you!

[ahardin-rh]

[rev_history]
|xref:../admin_guide/pruning_resources.adoc#admin-guide-pruning-resources[Pruning Objects]
|Added details on secure versus insecure image pruning.
%