OpenShift Private Registry Authentication¶

Introduction¶

OpenShift ImageStreams track image tags used by builds and deployments. They are useful for promotion and triggers, but a missing or stale ImageStreamTag can block rollout or image pull workflows.

Before You Start¶

Make sure you are in the correct project and know whether the application is driven by a Deployment, DeploymentConfig, BuildConfig, ImageStream, or external registry image.

Practical Examples¶

oc get imagestream web -n app

oc get istag web:latest -n app

oc describe istag web:latest -n app

oc import-image web:latest --from=quay.io/example/web:latest --confirm -n app

Example output:

NAME   IMAGE REPOSITORY                                           TAGS     UPDATED
web    image-registry.openshift-image-registry.svc:5000/app/web  latest   4 minutes ago

Verification¶

oc get istag web:latest -n app

oc describe imagestream web -n app

oc get events -n app --sort-by=.lastTimestamp

Troubleshooting¶

For image stream issues, confirm the tag exists, the import succeeded, and the workload references the ImageStreamTag or registry image you expect.

Common Mistakes¶

• Using an ImageStreamTag that has no imported image.
• Missing imagePullSecrets for external private registries.
• Confusing the internal registry service name with the external route.

Quick Checklist¶

• Confirm the active project.
• Inspect the exact object named in the error.
• Read recent events.
• Apply one focused fix.
• Verify status after the change.

Related Guides¶

• Openshift New App Explained
• Openshift Imagestream Explained
• Openshift Application Deployment Checklist

Summary¶

OpenShift Private Registry Authentication should be verified with commands that match the OpenShift object being changed or investigated.