Red Hat SummitChapter 6. Configuration deployment after initial setup
By default, the Red Hat Quay Config Tool pod is left running even after the initial setup process. To configure the Config Tool pod to be removed after setup, the keepConfigDeployment property within the Red Hat Quay object can can be set as false as shown below:
6.1. Superusers
Superusers in Quay have elevated rights and the ability to administer the server. By default, a superuser with the username quay will be created. Additional superusers may be desired in order to aid in managing the server. The full list of superusers can be specifed in the superusers field of the quay object as shown below:
If multiple superusers are specified, during the initial setup of Red Hat Quay, the first user specified will be configured unless specified within a secret as described earlier. After the initial setup, passwords are managed within Red Hat Quay itself and not using either the default value or the value provided in the secret.
6.2. Setting Redis password
By default, the operator-managed Redis instance is deployed without a password. A password can be specified by creating a secret containing the password in the key password. The following command can be used to create the secret:
oc create secret generic <secret_name> \ --from-literal=password=<password>
$ oc create secret generic <secret_name> \
--from-literal=password=<password>
The secret can then be specified within the redis section using the credentialsSecretName as shown below:
6.3. Enabling Clair image scanning
Clair is a vulnerability assessment tool for application containers. Support is available to automatically provision and configure both Clair and its integration with Red Hat Quay. A property called clair can be specified in the QuayEcosystem object along with enabled: true within this field in order to deploy Clair. An example is shown below:
The Red Hat Quay Operator sets the Clair database connection string with the parameter sslmode=disable if no parameters are specified in the QuayEcosystem custom resource. In case you have SSL enabled Postgres database, or want to add other parameters, provide key: value pairs as strings (for example, connect_timeout: '10') under connectionParameters object.
For example:
Supported connection string parameters:
- sslmode - Whether or not to use SSL (default is disable, this is not the default for libpq)
- connect_timeout - Maximum wait for connection, in seconds. Zero or not specified means wait indefinitely.
- sslcert - Cert file location. The file must contain PEM encoded data.
- sslkey - Key file location. The file must contain PEM encoded data.
- sslrootcert - The location of the root certificate file. The file must contain PEM encoded data.
Valid values for sslmode are:
- disable - No SSL
- require - Always SSL (skip verification)
- verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
- verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
6.3.1. Clair update interval
Clair routinely queries CVE databases in order to build its own internal database. By default, this value is set at 500m. You can modify the time interval between checks by setting the updateInterval property as shown below:
The above configuration would have Clair update every 60 minutes.
6.4. Setting common attributes
Each of the following components expose a set of similar properties that can be specified in order to customize the runtime execution:
- Red Hat Quay
- Red Hat Quay Configuration
- Red Hat Quay PostgreSQL
- Redis
- Clair
- Clair PostgreSQL
6.4.1. Image pull secret
As referenced in prior sections, an Image Pull Secret can specify the name of the secret containing credentials to an image from a protected registry using the property imagePullSecret.
6.4.2. Image
There may be a desire to make use of an alternate image or source location for each of the components in the Quay ecosystem. The most common use case is to make use of an image registry that contains all of the needed images instead of being sourced from the public internet. Each component has a property called image where the location of the related image can be referenced from.
The following is an example of how a customized image location can be specified:
6.4.3. Compute resources
Compute Resources such as memory and CPU can be specified in the same form as any other value in a PodTemplate. CPU and Memory values for requests and limits can be specified under a property called resources.
In the case of the QuayConfiguration deployment, configResources is the property which should be referenced underneath the quay property.
The following is an example of how compute resources can be specified:
6.4.4. Probes
Readiness and Liveness Probes can be specified in the same form as any other value in a PodTemplate.
The following is how a readinessProbe and livenessProbe can be specified:
If a value for either property is not specified, an opinionated default value is applied.
6.4.5. Node Selector
Components of the QuayEcosystem may need to be deployed to only a subset of available nodes in a Kubernetes cluster. This functionality can be set on each of the resources using the nodeSelector property as shown below:
6.4.6. Deployment strategy
Each of the core components consist of Kubernetes Deployments. This resource supports the method in which new versions are released. This operator supports making use of the RollingUpdate and Recreate strategies. Either value can be defined by using the deploymentStrategy property on the desired resource as shown below:
The absence of a defined value will make use of the RollingUpdate strategy.
6.4.7. Environment Variables
In addition to environment variables that are automatically configured by the operator, users can define their own set of environment variables in order to customize the managed resources. Each core component includes a property called envVars where environment variables can be defined. An example is shown below:
Environment variables for the Quay configuration pod can be managed by specifying the configEnvVars property on the quay resource.
User defined environment variables are given precedence over those managed by the operator. Undesirable results may occur if conflicting keys are used.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}