Chapter 6. Appendix A: Red Hat Quay on OpenShift configuration files
The following YAML files were created to deploy Red Hat Quay on OpenShift and are used throughout the deployment procedure in this document. We recommend that you copy the files from this document into a directory, review their contents, and make any changes necessary for your deployment.
6.1. Red Hat Quay namespaces and secrets
quay-enterprise-namespace.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: quay-enterprise

quay-enterprise-config-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-config-secret

quay-enterprise-redhat-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  namespace: quay-enterprise
  name: redhat-pull-secret
data:
  .dockerconfigjson: <Add credentials>
type: kubernetes.io/dockerconfigjson

1. Change <Add credentials> to include the credentials shown in Accessing Red Hat Quay.
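The value that replaces <Add credentials> is not the raw credentials: a Secret of type kubernetes.io/dockerconfigjson expects the base64 encoding of a Docker config.json whose "auth" member is itself base64("user:password"). As an added example that is not part of this Red Hat document, the following POSIX shell script builds that value, decodes it again so it can be reviewed before applying, and renders the complete Secret. The registry host quay.io (the registry the Deployments in this appendix pull from), the user name and the password in the usage line are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat document): produce the value that goes in
# place of <Add credentials> in quay-enterprise-redhat-pull-secret.yaml.
# The registry host, user name and password used at the bottom are constructed.

# base64 without line wrapping (GNU base64 wraps at 76 columns, which would
# corrupt a YAML scalar).
b64() {
  base64 | tr -d '\n'
}

# dockerconfigjson REGISTRY USER PASSWORD
# Prints the minimal config.json that the kubelet accepts for image pulls:
# the "auth" member holds base64("user:password").
dockerconfigjson() {
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth"
}

# pull_secret_data REGISTRY USER PASSWORD
# Prints the base64 string for the .dockerconfigjson key under `data:`
# (Secret data values are base64, so the JSON is encoded a second time).
pull_secret_data() {
  dockerconfigjson "$1" "$2" "$3" | b64
}

# decode_pull_secret_data B64
# Reverses pull_secret_data so the value can be reviewed before it is applied.
decode_pull_secret_data() {
  printf '%s' "$1" | base64 -d
}

# pull_secret_has_registry B64 REGISTRY
# Exit 0 if the decoded config carries an entry for REGISTRY; use it to confirm
# the secret matches the registry the Deployments actually pull from.
pull_secret_has_registry() {
  decode_pull_secret_data "$1" | grep -q "\"$2\":"
}

# render_pull_secret REGISTRY USER PASSWORD
# Prints the full Secret manifest with the computed data value filled in.
render_pull_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: quay-enterprise
  name: redhat-pull-secret
data:
  .dockerconfigjson: $(pull_secret_data "$1" "$2" "$3")
type: kubernetes.io/dockerconfigjson
EOF
}

# Usage with constructed placeholder credentials:
# render_pull_secret quay.io example-user example-password
```

Pipe the output of render_pull_secret into oc apply -f - rather than writing it to disk, so the encoded credentials do not linger in a file alongside the other manifests.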
6.2. Red Hat Quay storage
quay-storageclass.yaml

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: quay-storageclass
parameters:
  type: gp2
provisioner: kubernetes.io/aws-ebs
reclaimPolicy: Delete

1. To encrypt the volume, add the following to the parameters section (optionally replacing xfs with another filesystem type):

  encrypted: "true"
  fsType: xfs
  kmsKeyId:
6.3. Red Hat Quay database
db-pvc.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-storage
  namespace: quay-enterprise
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 5Gi
  storageClassName: quay-storageclass

1. The 5Gi creates 5 gigabytes of storage for use by the Postgres database.

postgres-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: postgres
  namespace: quay-enterprise
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRESQL_USER
              value: "username"
            - name: POSTGRESQL_DATABASE
              value: "quay"
            - name: POSTGRESQL_PASSWORD
              value: "password"
          volumeMounts:
            - mountPath: /var/lib/pgsql/data
              name: postgredb
      serviceAccount: postgres
      serviceAccountName: postgres
      volumes:
        - name: postgredb
          persistentVolumeClaim:
            claimName: postgres-storage

postgres-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: quay-enterprise
  labels:
    app: postgres
spec:
  type: NodePort
  ports:
    - port: 5432
  selector:
    app: postgres
6.4. Red Hat Quay authorization
quay-servicetoken-role-k8s1-6.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: quay-enterprise-serviceaccount
  namespace: quay-enterprise
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - put
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - patch
      - update
      - watch

quay-servicetoken-role-binding-k8s1-6.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: quay-enterprise-secret-writer
  namespace: quay-enterprise
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: quay-enterprise-serviceaccount
subjects:
  - kind: ServiceAccount
    name: default
6.5. Redis database
quay-enterprise-redis.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-redis
  labels:
    quay-enterprise-component: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-enterprise-component: redis
  template:
    metadata:
      namespace: quay-enterprise
      labels:
        quay-enterprise-component: redis
    spec:
      containers:
        - name: redis-master
          image: registry.access.redhat.com/rhscl/redis-32-rhel7
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 6379
---
apiVersion: v1
kind: Service
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-redis
  labels:
    quay-enterprise-component: redis
spec:
  ports:
    - port: 6379
  selector:
    quay-enterprise-component: redis

1. Only one instance of the Redis database is defined here. Adjust replicas based on demand.
6.6. Red Hat Quay configuration pod
quay-enterprise-config.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-config-app
  labels:
    quay-enterprise-component: config-app
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-enterprise-component: config-app
  template:
    metadata:
      namespace: quay-enterprise
      labels:
        quay-enterprise-component: config-app
    spec:
      containers:
        - name: quay-enterprise-config-app
          image: quay.io/redhat/quay:v3.3.4
          ports:
            - containerPort: 8443
          command: ["/quay-registry/quay-entrypoint.sh"]
          args: ["config", "secret"]
      imagePullSecrets:
        - name: redhat-pull-secret

quay-enterprise-config-service-clusterip.yaml

apiVersion: v1
kind: Service
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-config
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      name: https
      port: 443
      targetPort: 8443
  selector:
    quay-enterprise-component: config-app

quay-enterprise-config-route.yaml

apiVersion: v1
kind: Route
metadata:
  name: quay-enterprise-config
  namespace: quay-enterprise
spec:
  to:
    kind: Service
    name: quay-enterprise-config
  tls:
    termination: passthrough
6.7. Red Hat Quay application container
quay-enterprise-service-clusterip.yaml

apiVersion: v1
kind: Service
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-clusterip
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      name: https
      port: 443
      targetPort: 8443
  selector:
    quay-enterprise-component: app

quay-enterprise-app-route.yaml

apiVersion: v1
kind: Route
metadata:
  name: quay-enterprise
  namespace: quay-enterprise
spec:
  to:
    kind: Service
    name: quay-enterprise-clusterip
  tls:
    termination: passthrough

quay-enterprise-app-rc.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-app
  labels:
    quay-enterprise-component: app
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-enterprise-component: app
  template:
    metadata:
      namespace: quay-enterprise
      labels:
        quay-enterprise-component: app
    spec:
      volumes:
        - name: configvolume
          secret:
            secretName: quay-enterprise-config-secret
      containers:
        - name: quay-enterprise-app
          image: quay.io/redhat/quay:v3.3.4
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: configvolume
              readOnly: false
              mountPath: /conf/stack
      imagePullSecrets:
        - name: redhat-pull-secret

1. Only one instance of the Quay container is defined here. Adjust replicas based on demand.
6.8. Clair image scanning
postgres-clair-storage.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-clair-storage
  namespace: quay-enterprise
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: quay-storageclass

postgres-clair-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: postgres-clair
  name: postgres-clair
  namespace: quay-enterprise
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres-clair
  template:
    metadata:
      labels:
        app: postgres-clair
    spec:
      containers:
        - env:
            - name: POSTGRESQL_USER
              value: clair
            - name: POSTGRESQL_DATABASE
              value: clair
            - name: POSTGRESQL_PASSWORD
              value: test123
          image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
          imagePullPolicy: IfNotPresent
          name: postgres-clair
          ports:
            - containerPort: 5432
              protocol: TCP
          volumeMounts:
            - mountPath: /var/lib/pgsql/data
              name: postgredb
      serviceAccount: postgres
      serviceAccountName: postgres
      volumes:
        - name: postgredb
          persistentVolumeClaim:
            claimName: postgres-clair-storage

postgres-clair-service.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    app: postgres-clair
  name: postgres-clair
  namespace: quay-enterprise
spec:
  ports:
    - nodePort: 30680
      port: 5432
      protocol: TCP
      targetPort: 5432
  selector:
    app: postgres-clair
  type: NodePort

clair-config.yaml

Modify the source, endpoint, key_id, and registry settings to match your environment.

clair:
  database:
    type: pgsql
    options:
      source: host=172.30.87.93 port=5432 dbname=clair user=clair password=test123 sslmode=disable
      cachesize: 16384
  api:
    # The port at which Clair will report its health status. For example, if Clair is running at
    # https://clair.mycompany.com, the health will be reported at
    # http://clair.mycompany.com:6061/health.
    healthport: 6061
    port: 6062
    timeout: 900s
    # paginationkey can be any random set of characters. *Must be the same across all Clair
    # instances*.
    paginationkey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
  updater:
    # interval defines how often Clair will check for updates from its upstream vulnerability databases.
    interval: 6h
  notifier:
    attempts: 3
    renotifyinterval: 1h
    http:
      # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
      # For example: https://myregistry.mycompany.com
      endpoint: https://quay-enterprise.apps.lzha0413.qe.devcluster.openshift.com/secscan/notify
      proxy: http://localhost:6063
jwtproxy:
  signer_proxy:
    enabled: true
    listen_addr: :6063
    ca_key_file: /certificates/mitm.key # Generated internally, do not change.
    ca_crt_file: /certificates/mitm.crt # Generated internally, do not change.
    signer:
      issuer: security_scanner
      expiration_time: 5m
      max_skew: 1m
      nonce_length: 32
      private_key:
        type: preshared
        options:
          # The ID of the service key generated for Clair. The ID is returned when setting up
          # the key in [Quay Enterprise Setup](security-scanning.md)
          key_id: fc6c2b02c495c9b8fc674fcdbfdd2058f2f559d6bdd19d0ba70af26c0cb66a48
          private_key_path: /clair/config/security_scanner.pem
  verifier_proxies:
    - enabled: true
      # The port at which Clair will listen.
      listen_addr: :6060
      # If Clair is to be served via TLS, uncomment these lines. See the "Running Clair under TLS"
      # section below for more information.
      # key_file: /config/clair.key
      # crt_file: /config/clair.crt
      verifier:
        # CLAIR_ENDPOINT is the endpoint at which this Clair will be accessible. Note that the port
        # specified here must match the listen_addr port a few lines above this.
        # Example: https://myclair.mycompany.com:6060
        audience: http://clair-service:6060
        upstream: http://localhost:6062
        key_server:
          type: keyregistry
          options:
            # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
            # Example: https://myregistry.mycompany.com
            registry: https://quay-enterprise.apps.lzha0413.qe.devcluster.openshift.com/keys/
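The two Postgres Deployments in this appendix (postgres-deployment.yaml and postgres-clair-deployment.yaml) pass the database password as a literal env value, and clair-config.yaml repeats it inside the source connection string with sslmode=disable and ships a sample paginationkey. As an added example that is not part of this Red Hat document, the following POSIX shell checker reads one of these files on standard input and prints a line for each of those conditions, so they can be reviewed before the files are applied; it also generates a fresh 32-byte pagination key of the same shape as the sample. The sample documents, the Secret name postgres-credentials in the corrected form, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat document: a pre-apply check for the
# files in this appendix. check_config reads one file on stdin and prints one
# line per finding:
#   - a literal `value:` directly after `name: POSTGRESQL_PASSWORD`
#     (the password lives in the manifest instead of a Secret reference),
#   - `password=` inside a connection string (the `source:` line of clair-config.yaml),
#   - `sslmode=disable` (Clair talks to Postgres without TLS),
#   - a `paginationkey:` that decodes to fewer than 32 bytes.
# The sample documents below are constructed to follow the layout of those files.

check_config() {
  awk '
    # Rules run in order for each line: first act on the flag set by the previous
    # line, then reset it, then set it if this line names the password variable.
    want_value && /^[[:space:]]*value:/ {
      print NR ": POSTGRESQL_PASSWORD is a literal value; use valueFrom.secretKeyRef"
    }
    { want_value = 0 }
    /name:[[:space:]]*POSTGRESQL_PASSWORD/ { want_value = 1 }
    /password=/ { print NR ": password embedded in a connection string" }
    /sslmode=disable/ { print NR ": database connection has TLS disabled" }
    /^[[:space:]]*paginationkey:/ {
      key = $2
      gsub(/"/, "", key)
      # base64 carries 3 bytes per 4 characters, less one per trailing "="
      n = length(key) * 3 / 4
      if (substr(key, length(key), 1) == "=") n--
      if (substr(key, length(key) - 1, 1) == "=") n--
      if (n < 32) print NR ": paginationkey decodes to fewer than 32 bytes"
    }
  '
}

# Number of findings for the document on stdin.
count_findings() {
  check_config | wc -l | tr -d ' '
}

# Fresh pagination key: 32 random bytes, base64 as in the sample config.
gen_paginationkey() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Constructed sample: env block in the shape of postgres-deployment.yaml.
sample_literal_env() {
  cat <<'EOF'
        env:
        - name: POSTGRESQL_USER
          value: "username"
        - name: POSTGRESQL_PASSWORD
          value: "password"
EOF
}

# Constructed sample: the same env block reading the password from a Secret
# (postgres-credentials is a hypothetical Secret name).
sample_secret_ref_env() {
  cat <<'EOF'
        env:
        - name: POSTGRESQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-credentials
              key: password
EOF
}

# Constructed sample: database and api stanzas in the shape of clair-config.yaml,
# with a deliberately short pagination key.
sample_clair() {
  cat <<'EOF'
clair:
  database:
    type: pgsql
    options:
      source: host=172.30.87.93 port=5432 dbname=clair user=clair password=test123 sslmode=disable
  api:
    paginationkey: "c2hvcnQ="
EOF
}

# Usage: run the checker over a file from this appendix.
# check_config < clair-config.yaml
```

Run check_config over each file before oc create; a clean run prints nothing. The secretKeyRef form is the one the checker accepts, and gen_paginationkey gives a key to paste into every Clair instance's config, since the key must be identical across instances.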
clair-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: clair-service
  namespace: quay-enterprise
spec:
  ports:
    - name: clair-api
      port: 6060
      protocol: TCP
      targetPort: 6060
    - name: clair-health
      port: 6061
      protocol: TCP
      targetPort: 6061
  selector:
    quay-enterprise-component: clair-scanner
  type: ClusterIP

clair-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    quay-enterprise-component: clair-scanner
  name: clair-scanner
  namespace: quay-enterprise
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-enterprise-component: clair-scanner
  template:
    metadata:
      labels:
        quay-enterprise-component: clair-scanner
      namespace: quay-enterprise
    spec:
      containers:
        - image: quay.io/redhat/clair-jwt:v3.3.4
          imagePullPolicy: IfNotPresent
          name: clair-scanner
          ports:
            - containerPort: 6060
              name: clair-api
              protocol: TCP
            - containerPort: 6061
              name: clair-health
              protocol: TCP
          volumeMounts:
            - mountPath: /clair/config
              name: configvolume
            - mountPath: /etc/pki/ca-trust/source/anchors/ca.crt
              name: quay-ssl
              subPath: ca.crt
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      volumes:
        - name: configvolume
          secret:
            secretName: clair-scanner-config-secret
        - name: quay-ssl
          secret:
            defaultMode: 420
            items:
              - key: ssl.cert
                path: ca.crt
            secretName: quay-enterprise-config-secret
6.9. Repository mirroring
quay-enterprise-mirror.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: quay-enterprise
  name: quay-enterprise-mirror
  labels:
    quay-enterprise-component: mirror-app
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-enterprise-component: mirror-app
  template:
    metadata:
      namespace: quay-enterprise
      labels:
        quay-enterprise-component: mirror-app
    spec:
      volumes:
        - name: configvolume
          secret:
            secretName: quay-enterprise-config-secret
      containers:
        - name: quay-enterprise-mirror-app
          image: quay.io/redhat/quay:v3.3.4
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: configvolume
              readOnly: false
              mountPath: /conf/stack
          command: ["/quay-registry/quay-entrypoint.sh"]
          args: ["repomirror"]
      imagePullSecrets:
        - name: redhat-pull-secret