Chapter 2. Red Hat Quay configuration disclaimer
With both standalone and Operator-based deployments of Red Hat Quay certain features and configuration parameters are not actively used or implemented. As a result, feature flags, such as those that enable or disable certain features, and configuration parameters that are not explicitly documented or requested for documentation by Red Hat Support, should only be modified with caution. Unused features or parameters might not be fully tested, supported, or compatible with Red Hat Quay. Modifying unused features parameters might lead to unexpected issues or disruptions with your deployment.
For information about configuring Red Hat Quay in standalone deployments, see Advanced Red Hat Quay configuration
For information about configuring Red Hat Quay Operator deployments, see Configuring Red Hat Quay on OpenShift Container Platform
2.1. Configuration updates for Red Hat Quay 3.11
The following sections detail new configuration fields added in Red Hat Quay 3.11.
2.1.1. Team synchronization configuration field
The following configuration field has been added for the team synchronization via OIDC feature:
Field | Type | Description |
PREFERRED_GROUP_CLAIM_NAME | String | The key name within the OIDC token payload that holds information about the user’s group memberships. |
Team synchronization example YAML configuration
# ... PREFERRED_GROUP_CLAIM_NAME: <example_claim_name> # ...
2.1.2. Configuration fields for AWS S3 STS deployments
The following configuration fields have been added when configuring AWS STS for Red Hat Quay. These fields are used when configuring AWS S3 storage for your deployment.
Field | Type | Description |
.sts_role_arn | String | The unique Amazon Resource Name (ARN) required when configuring AWS STS for Red Hat Quay. |
.sts_user_access_key | String | The generated AWS S3 user access key required when configuring AWS STS for Red Hat Quay. |
.sts_user_secret_key | String | The generated AWS S3 user secret key required when configuring AWS STS for Red Hat Quay. |
AWS S3 STS example YAML configuration
# ... DISTRIBUTED_STORAGE_CONFIG: default: - STSS3Storage - sts_role_arn: <role_arn> s3_bucket: <s3_bucket_name> s3_region: <region> storage_path: <storage_path> sts_user_access_key: <s3_user_access_key> sts_user_secret_key: <s3_user_secret_key> # ...
2.2. Editing the configuration file
To deploy a standalone instance of Red Hat Quay, you must provide the minimal configuration information. The requirements for a minimal configuration can be found in "Red Hat Quay minimal configuration."
After supplying the required fields, you can validate your configuration. If there are any issues, they will be highlighted.
It is possible to use the configuration API to validate the configuration, but this requires starting the Quay
container in configuration mode.
To deploy the configuration tool locally, see Getting started with Red Hat Quay and follow the instructions up to "Configuring Red Hat Quay".
For changes to take effect, the registry must be restarted.
2.3. Location of configuration file in a standalone deployment
For standalone deployments of Red Hat Quay, the config.yaml
file must be specified when starting the Red Hat Quay registry. This file is located in the configuration volume. For example, the configuration file is located at $QUAY/config/config.yaml
when deploying Red Hat Quay by the following command:
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \ --name=quay \ -v $QUAY/config:/conf/stack:Z \ -v $QUAY/storage:/datastorage:Z \ registry.redhat.io/quay/quay-rhel8:v3.11.3
2.4. Minimal configuration
The following configuration options are required for a standalone deployment of Red Hat Quay:
- Server hostname
- HTTP or HTTPS
- Authentication type, for example, Database or Lightweight Directory Access Protocol (LDAP)
- Secret keys for encrypting data
- Storage for images
- Database for metadata
- Redis for build logs and user events
- Tag expiration options
2.4.1. Sample minimal configuration file
The following example shows a sample minimal configuration file that uses local storage for images:
AUTHENTICATION_TYPE: Database BUILDLOGS_REDIS: host: quay-server.example.com password: strongpassword port: 6379 ssl: false DATABASE_SECRET_KEY: 0ce4f796-c295-415b-bf9d-b315114704b8 DB_URI: postgresql://quayuser:quaypass@quay-server.example.com:5432/quay DEFAULT_TAG_EXPIRATION: 2w DISTRIBUTED_STORAGE_CONFIG: default: - LocalStorage - storage_path: /datastorage/registry DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: [] DISTRIBUTED_STORAGE_PREFERENCE: - default PREFERRED_URL_SCHEME: http SECRET_KEY: e8f9fe68-1f84-48a8-a05f-02d72e6eccba SERVER_HOSTNAME: quay-server.example.com SETUP_COMPLETE: true TAG_EXPIRATION_OPTIONS: - 0s - 1d - 1w - 2w - 4w USER_EVENTS_REDIS: host: quay-server.example.com port: 6379 ssl: false
2.4.2. Local storage
Using local storage for images is only recommended when deploying a registry for proof of concept purposes.
When configuring local storage, storage is specified on the command line when starting the registry.
The following command maps a local directory, $QUAY/storage
to the datastorage
path in the container:
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \ --name=quay \ -v $QUAY/config:/conf/stack:Z \ -v $QUAY/storage:/datastorage:Z \ registry.redhat.io/quay/quay-rhel8:v3.11.3
2.4.3. Cloud storage
Storage configuration is detailed in the Image storage section. For some users, it might be useful to compare the difference between Google Cloud Platform and local storage configurations. For example, the following YAML presents a Google Cloud Platform storage configuration:
$QUAY/config/config.yaml
DISTRIBUTED_STORAGE_CONFIG:
default:
- GoogleCloudStorage
- access_key: GOOGQIMFB3ABCDEFGHIJKLMN
bucket_name: quay_bucket
secret_key: FhDAYe2HeuAKfvZCAGyOioNaaRABCDEFGHIJKLMN
storage_path: /datastorage/registry
boto_timeout: 120 1
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
- default
- 1
- Optional. The time, in seconds, until a timeout exception is thrown when attempting to read from a connection. The default is
60
seconds. Also encompasses the time, in seconds, until a timeout exception is thrown when attempting to make a connection. The default is60
seconds.
When starting the registry using cloud storage, no configuration is required on the command line. For example:
$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \ --name=quay \ -v $QUAY/config:/conf/stack:Z \ registry.redhat.io/quay/quay-rhel8:v3.11.3