Chapter 16. Schema for Red Hat Quay configuration
Most Red Hat Quay configuration information is stored in the config.yaml file that is created using the browser-based config tool when Red Hat Quay is first deployed. This chapter describes the schema of those settings that are available to use in the`config.yaml` file.
The following fields required (all other are optional):
AUTHENTICATION_TYPE BUILDLOGS_REDIS DATABASE_SECRET_KEY DB_URI DEFAULT_TAG_EXPIRATION DISTRIBUTED_STORAGE_CONFIG DISTRIBUTED_STORAGE_PREFERENCE PREFERRED_URL_SCHEME SECRET_KEY SERVER_HOSTNAME TAG_EXPIRATION_OPTIONS USER_EVENTS_REDIS
ACTION_LOG_ARCHIVE_LOCATION [string]: If action log archiving is enabled, the storage engine in which to place the archived data.
-
Example:
s3_us_east
-
Example:
ACTION_LOG_ARCHIVE_PATH [string]: If action log archiving is enabled, the path in storage in which to place the archived data.
-
Example:
archives/actionlogs
-
Example:
ACTION_LOG_ROTATION_THRESHOLD [string]: If action log archiving is enabled, the time interval after which to rotate logs.
-
Example:
30d
-
Example:
ALLOW_PULLS_WITHOUT_STRICT_LOGGING [boolean]: If true, pulls in which the pull audit log entry cannot be written will still succeed. Useful if the database can fallback into a read-only state and it is desired for pulls to continue during that time. Defaults to False.
-
Example:
True
-
Example:
APP_SPECIFIC_TOKEN_EXPIRATION [string,
null]: The expiration for external app tokens. Defaults to None.-
Pattern:
^[0-9]+(w|m|d|h|s)$
-
Pattern:
AUTHENTICATION_TYPE [string] required: The authentication engine to use for credential authentication.
- enum: Database, LDAP, JWT, Keystone, OIDC.
-
Example:
Database
AVATAR_KIND [string]: The types of avatars to display, either generated inline (local) or Gravatar (gravatar)
- enum: local, gravatar
BITBUCKET_TRIGGER_CONFIG ['object', 'null']: Configuration for using BitBucket for build triggers.
consumer_key [string] required: The registered consumer key(client ID) for this Red Hat Quay instance.
-
Example:
0e8dbe15c4c7630b6780
-
Example:
BLACKLISTED_EMAIL_DOMAINS [array]: The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.
-
Example:
"example.com", "example.org"
-
Example:
BLACKLIST_V2_SPEC [string]: The Docker CLI versions to which Red Hat Quay will respond that V2 is unsupported. Defaults to
<1.6.0.- Reference: http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec
-
Example:
<1.8.0
BRANDING [object]: Custom branding for logos and URLs in the Red Hat Quay UI.
- Required: logo
properties:
logo [string]: Main logo image URL.
-
Example:
/static/img/quay-horizontal-color.svg
-
Example:
footer_img [string]: Logo for UI footer.
-
Example:
/static/img/RedHat.svg
-
Example:
footer_url [string]: Link for footer image.
-
Example:
https://redhat.com
-
Example:
BROWSER_API_CALLS_XHR_ONLY [boolean]: If enabled, only API calls marked as being made by an XHR will be allowed from browsers. Defaults to True.
- Example: False
BUILDLOGS_REDIS [object] required: Connection information for Redis for build logs caching.
HOST [string] required: The hostname at which Redis is accessible.
-
Example:
my.redis.cluster
-
Example:
PASSWORD [string]: The password to connect to the Redis instance.
-
Example:
mypassword
-
Example:
PORT [number]: The port at which Redis is accessible.
-
Example:
1234
-
Example:
CONTACT_INFO [array]: If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly.
- Min Items: 1
Unique Items: True
- array item 0 [string]: Adds a link to send an e-mail
-
Pattern:
^mailto:(.)+$ -
Example:
mailto:support@quay.io
array item 1 [string]: Adds a link to visit an IRC chat room
-
Pattern:
^irc://(.)+$ -
Example:
irc://chat.freenode.net:6665/quay
-
Pattern:
array item 2 [string]: Adds a link to call a phone number
-
Pattern:
^tel:(.)+$ -
Example:
tel:+1-888-930-3475
-
Pattern:
array item 3 [string]: Adds a link to a defined URL
-
Pattern:
^http(s)?://(.)+$ -
Example:
https://twitter.com/quayio
-
Pattern:
DB_CONNECTION_ARGS [object]: If specified, connection arguments for the database such as timeouts and SSL.
-
threadlocals [boolean] required: Whether to use thread-local connections. Should ALWAYS be
true. -
autorollback [boolean] required: Whether to use auto-rollback connections. Should ALWAYS be
true. ssl [object]: SSL connection configuration
- ca [string] required: Absolute container path to the CA certificate to use for SSL connections.
-
Example:
conf/stack/ssl-ca-cert.pem
-
threadlocals [boolean] required: Whether to use thread-local connections. Should ALWAYS be
DATABASE_SECRET_KEY [string] required: Key used to encrypt sensitive fields within the database. It is imperative that once set, this value is never changed. The consequence of changing this is invalidating all reliant fields (repository mirror username and password configurations, for example).
-
Example:
40157269433064266822674401740626984898972632465622168464725100311621640999470
-
Example:
DB_URI [string] required: The URI at which to access the database, including any credentials.
- Reference: https://www.postgresql.org/docs/9.3/static/libpq-connect.html#AEN39495
-
Example:
mysql+pymysql://username:password@dns.of.database/quay
DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT [number,
null]: If not None, the default maximum number of builds that can be queued in a namespace.-
Example:
20
-
Example:
DEFAULT_TAG_EXPIRATION [string] required: The default, configurable tag expiration time for time machine. Defaults to
2w.-
Pattern:
^[0-9]+(w|m|d|h|s)$
-
Pattern:
DIRECT_OAUTH_CLIENTID_WHITELIST [array]: A list of client IDs of Red Hat Quay-managed applications that are allowed to perform direct OAuth approval without user approval.
- Min Items: None
- Unique Items: True
Reference: https://coreos.com/quay-enterprise/docs/latest/direct-oauth.html
- array item [string]
DISTRIBUTED_STORAGE_CONFIG [object] required: Configuration for storage engine(s) to use in Red Hat Quay. Each key represents an unique identifier for a storage engine. The value consists of a tuple of (key, value) forming an object describing the storage engine parameters.
OCS / Noobaa:
rhocsStorage: - RHOCSStorage - access_key: access_key_here secret_key: secret_key_here bucket_name: quay-datastore-9b2108a3-29f5-43f2-a9d5-2872174f9a56 hostname: s3.openshift-storage.svc.cluster.local is_secure: 'true' port: '443' storage_path: /datastorage/registryCeph / RadosGW Storage / Hitachi HCP:
radosGWStorage: - RadosGWStorage - access_key: access_key_here secret_key: secret_key_here bucket_name: bucket_name_here hostname: hostname_here is_secure: 'true' port: '443' storage_path: /datastorage/registryAWS S3 Storage:
s3Storage: - S3Storage - host: s3.ap-southeast-2.amazonaws.com s3_access_key: s3_access_key_here s3_secret_key: s3_secret_key_here s3_bucket: s3_bucket_here storage_path: /datastorage/registryAzure Storage:
azureStorage: - AzureStorage - azure_account_name: azure_account_name_here azure_account_key: azure_account_key_here azure_container: azure_container_here sas_token: some/path/ storage_path: /datastorage/registryGoogle Cloud Storage:
googleCloudStorage: - GoogleCloudStorage - access_key: access_key_here secret_key: secret_key_here bucket_name: bucket_name_here storage_path: /datastorage/registrySwift Storage:
swiftStorage: - SwiftStorage - swift_user: swift_user_here swift_password: swift_password_here swift_container: swift_container_here auth_url: https://example.org/swift/v1/quay auth_version: 1 ca_cert_path: /conf/stack/swift.cert" storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS [array]: The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose images should be fully replicated, by default, to all other storage engines.
- Min Items: None
Example:
s3_us_east, s3_us_west- array item [string]
DISTRIBUTED_STORAGE_PREFERENCE [array] required: The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to use. A preferred engine means it is first checked for pulling and images are pushed to it.
Min Items: None
-
Example:
[u’s3_us_east', u’s3_us_west'] - array item [string]
-
Example:
preferred_url_scheme [string] required: The URL scheme to use when hitting Red Hat Quay. If Red Hat Quay is behind SSL at all, this must be
https.-
enum:
http, https -
Example:
https
-
enum:
- DOCUMENTATION_ROOT [string]: Root URL for documentation links.
ENABLE_HEALTH_DEBUG_SECRET [string,
null]: If specified, a secret that can be given to health endpoints to see full debug info when not authenticated as a superuser.-
Example:
somesecrethere
-
Example:
EXPIRED_APP_SPECIFIC_TOKEN_GC [string,
null]: Duration of time expired external app tokens will remain before being garbage collected. Defaults to 1d.-
pattern:
^[0-9]+(w|m|d|h|s)$
-
pattern:
EXTERNAL_TLS_TERMINATION [boolean]: If TLS is supported, but terminated at a layer before Red Hat Quay, must be true.
-
Example:
True
-
Example:
FEATURE_ACI_CONVERSION [boolean]: Whether to enable conversion to ACIs. Defaults to False.
-
Example:
False
-
Example:
FEATURE_ACTION_LOG_ROTATION [boolean]: Whether or not to rotate old action logs to storage. Defaults to False.
-
Example:
False
-
Example:
FEATURE_ADVERTISE_V2 [boolean]: Whether the v2/ endpoint is visible. Defaults to True.
-
Example:
True
-
Example:
FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL [boolean]: Whether to allow retrieval of aggregated log counts. Defaults to True.
-
Example:
True
-
Example:
FEATURE_ANONYMOUS_ACCESS [boolean]: Whether to allow anonymous users to browse and pull public repositories. Defaults to True.
-
Example:
True
-
Example:
FEATURE_APP_REGISTRY [boolean]: Whether to enable support for App repositories. Defaults to False.
-
Example:
False
-
Example:
FEATURE_APP_SPECIFIC_TOKENS [boolean]: If enabled, users can create tokens for use by the Docker CLI. Defaults to True.
- Example: False
FEATURE_BITBUCKET_BUILD [boolean]: Whether to support Bitbucket build triggers. Defaults to False.
-
Example:
False
-
Example:
- FEATURE_BLACKLISTED_EMAIL
FEATURE_BUILD_SUPPORT [boolean]: Whether to support Dockerfile build. Defaults to True.
-
Example:
True
-
Example:
FEATURE_CHANGE_TAG_EXPIRATION [boolean]: Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.
-
Example:
False
-
Example:
FEATURE_DIRECT_LOGIN [boolean]: Whether users can directly login to the UI. Defaults to True.
-
Example:
True
-
Example:
FEATURE_GARBAGE_COLLECTION [boolean]: Whether garbage collection of repositories is enabled. Defaults to True.
-
Example:
True
-
Example:
FEATURE_GITHUB_BUILD [boolean]: Whether to support GitHub build triggers. Defaults to False.
-
Example:
False
-
Example:
FEATURE_GITHUB_LOGIN [boolean]: Whether GitHub login is supported. Defaults to False.
-
Example:
False
-
Example:
FEATURE_GITLAB_BUILD[boolean]: Whether to support GitLab build triggers. Defaults to False.
-
Example:
False
-
Example:
FEATURE_GOOGLE_LOGIN [boolean]: Whether Google login is supported. Defaults to False.
-
Example:
False
-
Example:
FEATURE_INVITE_ONLY_USER_CREATION [boolean]: Whether users being created must be invited by another user. Defaults to False.
-
Example:
False
-
Example:
FEATURE_LIBRARY_SUPPORT [boolean]: Whether to allow for "namespace-less" repositories when pulling and pushing from Docker. Defaults to True.
-
Example:
True
-
Example:
FEATURE_LOG_EXPORT [boolean]: Whether to allow exporting of action logs. Defaults to True.
-
Example:
True
-
Example:
FEATURE_MAILING [boolean]: Whether emails are enabled. Defaults to True.
-
Example:
True
-
Example:
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP [boolean]: If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.
-
Example:
True
-
Example:
FEATURE_PARTIAL_USER_AUTOCOMPLETE [boolean]: If set to true, autocompletion will apply to partial usernames. Defaults to True.
-
Example:
True
-
Example:
FEATURE_PERMANENT_SESSIONS [boolean]: Whether sessions are permanent. Defaults to True.
-
Example:
True
-
Example:
FEATURE_PROXY_STORAGE [boolean]: Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False.
-
Example:
False
-
Example:
FEATURE_PUBLIC_CATALOG [boolean]: If set to true, the
_catalogendpoint returns public repositories. Otherwise, only private repositories can be returned. Defaults to False.-
Example:
False
-
Example:
FEATURE_RATE_LIMITS [boolean]: Whether to enable rate limits on API and registry endpoints. Defaults to False.
-
Example:
False
-
Example:
FEATURE_READER_BUILD_LOGS [boolean]: If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. Defaults to False.
- Example: False
FEATURE_READONLY_APP_REGISTRY [boolean]: Whether to App repositories are read-only. Defaults to False.
-
Example:
True
-
Example:
FEATURE_RECAPTCHA [boolean]: Whether Recaptcha is necessary for user login and recovery. Defaults to False.
-
Example:
False - Reference: https://www.google.com/recaptcha/intro/
-
Example:
FEATURE_REPO_MIRROR [boolean]: If set to true, enables repository mirroring. Defaults to False.
-
Example:
False
-
Example:
FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH [boolean]: Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for basic auth. Defaults to False.
-
Example:
False
-
Example:
FEATURE_REQUIRE_TEAM_INVITE [boolean]: Whether to require invitations when adding a user to a team. Defaults to True.
-
Example:
True
-
Example:
FEATURE_RESTRICTED_V1_PUSH [boolean]: If set to true, only namespaces listed in V1_PUSH_WHITELIST support V1 push. Defaults to True.
-
Example:
True
-
Example:
FEATURE_SECURITY_NOTIFICATIONS [boolean]: If the security scanner is enabled, whether to turn on/off security notifications. Defaults to False.
-
Example:
False
-
Example:
FEATURE_SECURITY_SCANNER [boolean]: Whether to turn on/off the security scanner. Defaults to False.
FEATURE_STORAGE_REPLICATION [boolean]: Whether to automatically replicate between storage engines. Defaults to False.
-
Example:
False
-
Example:
FEATURE_SUPER_USERS [boolean]: Whether superusers are supported. Defaults to True.
-
Example:
True
-
Example:
FEATURE_TEAM_SYNCING [boolean]: Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone).
-
Example:
True
-
Example:
FEATURE_USER_CREATION [boolean]: Whether users can be created (by non-superusers). Defaults to True.
-
Example:
True
-
Example:
FEATURE_USER_LAST_ACCESSED [boolean]: Whether to record the last time a user was accessed. Defaults to True.
-
Example:
True
-
Example:
FEATURE_USER_LOG_ACCESS [boolean]: If set to true, users will have access to audit logs for their namespace. Defaults to False.
-
Example:
True
-
Example:
FEATURE_USER_METADATA [boolean]: Whether to collect and support user metadata. Defaults to False.
-
Example:
False
-
Example:
FEATURE_USERNAME_CONFIRMATION [boolean]: If set to true, users can confirm their generated usernames. Defaults to True.
-
Example:
False
-
Example:
FEATURE_USER_RENAME [boolean]: If set to true, users can rename their own namespace. Defaults to False.
-
Example:
True
-
Example:
FRESH_LOGIN_TIMEOUT [string]: The time after which a fresh login requires users to reenter their password
-
Example:
5m
-
Example:
GITHUB_LOGIN_CONFIG [object, 'null']: Configuration for using GitHub (Enterprise) as an external login provider.
- Reference: https://coreos.com/quay-enterprise/docs/latest/github-auth.html
allowed_organizations [array]: The names of the GitHub (Enterprise) organizations whitelisted to work with the ORG_RESTRICT option.
- Min Items: None
Unique Items: True
- array item [string]
API_ENDPOINT [string]: The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com.
-
Example:
https://api.github.com/
-
Example:
CLIENT_ID [string] required: The registered client ID for this Red Hat Quay instance; cannot be shared with GITHUB_TRIGGER_CONFIG.
- Reference: https://coreos.com/quay-enterprise/docs/latest/github-app.html
-
Example:
0e8dbe15c4c7630b6780
CLIENT_SECRET [string] required: The registered client secret for this Red Hat Quay instance.
- Reference: https://coreos.com/quay-enterprise/docs/latest/github-app.html
-
Example:
e4a58ddd3d7408b7aec109e85564a0d153d3e846
GITHUB_ENDPOINT [string] required: The endpoint of the GitHub (Enterprise) being hit.
-
Example:
https://github.com/
-
Example:
- ORG_RESTRICT [boolean]: If true, only users within the organization whitelist can login using this provider.
-
Example:
True
GITHUB_TRIGGER_CONFIG [object,
null]: Configuration for using GitHub (Enterprise) for build triggers.- Reference: https://coreos.com/quay-enterprise/docs/latest/github-build.html
API_ENDPOINT [string]: The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com.
-
Example:
https://api.github.com/
-
Example:
CLIENT_ID [string] required: The registered client ID for this Red Hat Quay instance; cannot be shared with GITHUB_LOGIN_CONFIG.
- Reference: https://coreos.com/quay-enterprise/docs/latest/github-app.html
-
Example:
0e8dbe15c4c7630b6780
CLIENT_SECRET [string] required: The registered client secret for this Red Hat Quay instance.
- Reference: https://coreos.com/quay-enterprise/docs/latest/github-app.html
-
Example:
e4a58ddd3d7408b7aec109e85564a0d153d3e846
GITHUB_ENDPOINT [string] required: The endpoint of the GitHub (Enterprise) being hit.
-
Example:
https://github.com/
-
Example:
GITLAB_TRIGGER_CONFIG [object]: Configuration for using Gitlab (Enterprise) for external authentication.
CLIENT_ID [string] required: The registered client ID for this Red Hat Quay instance.
-
Example:
0e8dbe15c4c7630b6780
-
Example:
CLIENT_SECRET [string] required: The registered client secret for this Red Hat Quay instance.
-
Example:
e4a58ddd3d7408b7aec109e85564a0d153d3e846 gitlab_endpoint [string] required: The endpoint at which Gitlab(Enterprise) is running.
-
Example:
https://gitlab.com
-
Example:
-
Example:
GOOGLE_LOGIN_CONFIG [object,
null]: Configuration for using Google for external authenticationCLIENT_ID [string] required: The registered client ID for this Red Hat Quay instance.
-
Example:
0e8dbe15c4c7630b6780
-
Example:
CLIENT_SECRET [string] required: The registered client secret for this Red Hat Quay instance.
- Example: e4a58ddd3d7408b7aec109e85564a0d153d3e846
GPG2_PRIVATE_KEY_FILENAME [string]: The filename of the private key used to decrypte ACIs.
-
Example:
/path/to/file
-
Example:
GPG2_PRIVATE_KEY_NAME [string]: The name of the private key used to sign ACIs.
-
Example:
gpg2key
-
Example:
GPG2_PUBLIC_KEY_FILENAME [string]: The filename of the public key used to encrypt ACIs.
-
Example:
/path/to/file
-
Example:
HEALTH_CHECKER [string]: The configured health check.
-
Example:
('RDSAwareHealthCheck', {'access_key': 'foo', 'secret_key': 'bar'})
-
Example:
JWT_AUTH_ISSUER [string]: The endpoint for JWT users.
-
Example:
http://192.168.99.101:6060 -
Pattern:
^http(s)?://(.)+$
-
Example:
JWT_GETUSER_ENDPOINT [string]: The endpoint for JWT users.
-
Example:
http://192.168.99.101:6060 -
Pattern:
^http(s)?://(.)+$
-
Example:
JWT_QUERY_ENDPOINT [string]: The endpoint for JWT queries.
-
Example:
http://192.168.99.101:6060 -
Pattern:
^http(s)?://(.)+$
-
Example:
JWT_VERIFY_ENDPOINT [string]: The endpoint for JWT verification.
-
Example:
http://192.168.99.101:6060 -
Pattern:
^http(s)?://(.)+$
-
Example:
- LDAP_ADMIN_DN [string]: The admin DN for LDAP authentication.
- LDAP_ADMIN_PASSWD [string]: The admin password for LDAP authentication.
- LDAP_ALLOW_INSECURE_FALLBACK [boolean]: Whether or not to allow SSL insecure fallback for LDAP authentication.
- LDAP_BASE_DN [string]: The base DN for LDAP authentication.
- LDAP_EMAIL_ATTR [string]: The email attribute for LDAP authentication.
- LDAP_UID_ATTR [string]: The uid attribute for LDAP authentication.
- LDAP_URI [string]: The LDAP URI.
- LDAP_USER_FILTER [string]: The user filter for LDAP authentication.
- LDAP_USER_RDN [array]: The user RDN for LDAP authentication.
LOGS_MODEL [string]: Logs model for action logs.
- enum: database, transition_reads_both_writes_es, elasticsearch
-
Example:
database
LOGS_MODEL_CONFIG [object]: Logs model config for action logs
elasticsearch_config [object]: Elasticsearch cluster configuration
access_key [string]: Elasticsearch user (or IAM key for AWS ES)
-
Example:
some_string
-
Example:
host [string]: Elasticsearch cluster endpoint
-
Example:
host.elasticsearch.example
-
Example:
index_prefix [string]: Elasticsearch’s index prefix
-
Example:
logentry_
-
Example:
- index_settings [object]: Elasticsearch’s index settings
use_ssl [boolean]: Use ssl for Elasticsearch. Defaults to True
-
Example:
True
-
Example:
secret_key [string]: Elasticsearch password (or IAM secret for AWS ES)
-
Example:
some_secret_string
-
Example:
aws_region [string]: Amazon web service region
-
Example:
us-east-1
-
Example:
port [number]: Elasticsearch cluster endpoint port
-
Example:
1234
-
Example:
kinesis_stream_config [object]: AWS Kinesis Stream configuration
aws_secret_key [string]: AWS secret key
-
Example:
some_secret_key
-
Example:
stream_name [string]: Kinesis stream to send action logs to
-
Example:
logentry-kinesis-stream
-
Example:
aws_access_key [string]: AWS access key
-
Example:
some_access_key
-
Example:
retries [number]: Max number of attempts made on a single request
-
Example:
5
-
Example:
read_timeout [number]: Number of seconds before timeout when reading from a connection
-
Example:
5
-
Example:
max_pool_connections [number]: The maximum number of connections to keep in a connection pool
-
Example:
10
-
Example:
aws_region [string]: AWS region
-
Example:
us-east-1
-
Example:
connect_timeout [number]: Number of seconds before timeout when attempting to make a connection
-
Example:
5
-
Example:
producer [string]: Logs producer if logging to Elasticsearch
- enum: kafka, elasticsearch, kinesis_stream
-
Example:
kafka
kafka_config [object]: Kafka cluster configuration
topic [string]: Kafka topic to publish log entries to
-
Example:
logentry
-
Example:
- bootstrap_servers [array]: List of Kafka brokers to bootstrap the client from
max_block_seconds [number]: Max number of seconds to block during a
send(), either because the buffer is full or metadata unavailable-
Example:
10
-
Example:
LOG_ARCHIVE_LOCATION [string]: If builds are enabled, the storage engine in which to place the archived build logs.
-
Example:
s3_us_east
-
Example:
LOG_ARCHIVE_PATH [string]: If builds are enabled, the path in storage in which to place the archived build logs.
-
Example:
archives/buildlogs
-
Example:
- LOGS_MODEL [string]: Logs model for action logs.
-
enum:
database,transition_reads_both_writes_es,elasticsearch -
Example:
database MAIL_DEFAULT_SENDER [string,
null]: If specified, the e-mail address used as thefromwhen Red Hat Quay sends e-mails. If none, defaults tosupport@quay.io.-
Example:
support@myco.com
-
Example:
MAIL_PASSWORD [string,
null]: The SMTP password to use when sending e-mails.-
Example:
mypassword
-
Example:
MAIL_PORT [number]: The SMTP port to use. If not specified, defaults to 587.
-
Example:
588
-
Example:
MAIL_SERVER [string]: The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.
-
Example:
smtp.somedomain.com
-
Example:
MAIL_USERNAME [string, 'null']: The SMTP username to use when sending e-mails.
-
Example:
myuser
-
Example:
MAIL_USE_TLS [boolean]: If specified, whether to use TLS for sending e-mails.
-
Example:
True
-
Example:
MAXIMUM_LAYER_SIZE [string]: Maximum allowed size of an image layer. Defaults to 20G.
-
Pattern:
^[0-9]+(G|M)$ -
Example:
100G
-
Pattern:
PREFERRED_URL_SCHEME [string]: The URL scheme to use when hitting Red Hat Quay. If Red Hat Quay is behind SSL at all, this must be
https-
enum:
httporhttps -
Example:
https
-
enum:
PROMETHEUS_NAMESPACE [string]: The prefix applied to all exposed Prometheus metrics. Defaults to
quay.-
Example:
myregistry
-
Example:
PUBLIC_NAMESPACES [array]: If a namespace is defined in the public namespace list, then it will appear on all user’s repository list pages, regardless of whether that user is a member of the namespace. Typically, this is used by an enterprise customer in configuring a set of "well-known" namespaces.
- Min Items: None
Unique Items: True
- array item [string]
- RECAPTCHA_SECRET_KEY [string]: If recaptcha is enabled, the secret key for the Recaptcha service.
- RECAPTCHA_SITE_KEY [string]: If recaptcha is enabled, the site key for the Recaptcha service.
REGISTRY_STATE [string]: The state of the registry.
-
enum:
normalorread-only -
Example:
read-only
-
enum:
REGISTRY_TITLE [string]: If specified, the long-form title for the registry. Defaults to
Quay Enterprise.-
Example:
Corp Container Service
-
Example:
REGISTRY_TITLE_SHORT [string]: If specified, the short-form title for the registry. Defaults to
Quay Enterprise.-
Example:
CCS
-
Example:
REPO_MIRROR_INTERVAL [number]: The number of seconds between checking for repository mirror candidates. Defaults to 30.
-
Example:
30
-
Example:
REPO_MIRROR_SERVER_HOSTNAME [string]: Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset.
-
Example:
openshift-quay-service
-
Example:
REPO_MIRROR_TLS_VERIFY [boolean]: Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True.
-
Example:
True
-
Example:
SEARCH_MAX_RESULT_PAGE_COUNT [number]: Maximum number of pages the user can paginate in search before they are limited. Defaults to 10.
-
Example:
10
-
Example:
SEARCH_RESULTS_PER_PAGE [number]: Number of results returned per page by search page. Defaults to 10.
-
Example:
10
-
Example:
SECRET_KEY [string] required: Key used to encrypt sensitive fields within the database and a run time. It is imperative that once set, this value is never changed. The consequence of changing this is invalidating all reliant fields (encrypted password credentials, for example).
-
Example:
40157269433064266822674401740626984898972632465622168464725100311621640999470
-
Example:
SECURITY_SCANNER_ENDPOINT [string]: The endpoint for the security scanner.
-
Pattern:
^http(s)?://(.)+$ -
Example:
http://192.168.99.101:6060
-
Pattern:
SECURITY_SCANNER_INDEXING_INTERVAL [number]: The number of seconds between indexing intervals in the security scanner. Defaults to 30.
-
Example:
30
-
Example:
SECURITY_SCANNER_NOTIFICATIONS [boolean]: Whether or not to the security scanner notification feature
-
Example:
false
-
Example:
SECURITY_SCANNER_V4_ENDPOINT [string]: The endpoint for the V4 security scanner.
-
Pattern:
^http(s)?://(.)+$ -
Example:
http://192.168.99.101:6060
-
Pattern:
- SECURITY_SCANNER_V4_PSK [string]: The generated pre-shared key (PSK) for Clair.
SERVER_HOSTNAME [string] required: The URL at which Red Hat Quay is accessible, without the scheme.
-
Example:
quay.io
-
Example:
SESSION_COOKIE_SECURE [boolean]: Whether the
secureproperty should be set on session cookies. Defaults to False. Recommended to be True for all installations using SSL.- Example: True
- Reference: https://en.wikipedia.org/wiki/Secure_cookies
SSL_CIPHERS [array]: If specified, the nginx-defined list of SSL ciphers to enabled and disabled.
-
Example:
CAMELLIA,!3DES
-
Example:
SSL_PROTOCOLS [array]: If specified, nginx is configured to enabled a list of SSL protocols defined in the list. Removing an SSL protocol from the list disables the protocol during Red Hat Quay startup.
- SSL_PROTOCOLS: ['TLSv1','TLSv1.1','TLSv1.2']
SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD [number]: If not None, the number of successive failures that can occur before a build trigger is automatically disabled. Defaults to 100.
-
Example:
50
-
Example:
- SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD [number]: If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled. Defaults to 5.
SUPER_USERS [array]: Red Hat Quay usernames of those users to be granted superuser privileges.
- Min Items: None
Unique Items: True
- array item [string]
TAG_EXPIRATION_OPTIONS [array] required: The options that users can select for expiration of tags in their namespace (if enabled).
- Min Items: None
- array item [string]
-
Pattern:
^[0-9]+(w|m|d|h|s)$
TEAM_RESYNC_STALE_TIME [string]: If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m).
-
Pattern:
^[0-9]+(w|m|d|h|s)$ -
Example:
2h
-
Pattern:
USERFILES_LOCATION [string]: ID of the storage engine in which to place user-uploaded files
-
Example:
s3_us_east
-
Example:
USERFILES_PATH [string]: Path under storage in which to place user-uploaded files
-
Example:
userfiles
-
Example:
USER_EVENTS_REDIS [object] required: Connection information for Redis for user event handling.
HOST [string] required: The hostname at which Redis is accessible.
-
Example:
my.redis.cluster
-
Example:
PASSWORD [string]: The password to connect to the Redis instance.
-
Example:
mypassword
-
Example:
PORT [number]: The port at which Redis is accessible.
-
Example:
1234
-
Example:
CONSUMER_SECRET [string] required: The registered consumer secret(client secret) for this Red Hat Quay instance
- Example: e4a58ddd3d7408b7aec109e85564a0d153d3e846
USERFILES_LOCATION [string]: ID of the storage engine in which to place user-uploaded files.
-
Example:
s3_us_east
-
Example:
USERFILES_PATH [string]: Path under storage in which to place user-uploaded files.
-
Example:
userfiles
-
Example:
USER_RECOVERY_TOKEN_LIFETIME [string]: The length of time a token for recovering a user accounts is valid. Defaults to 30m.
-
Example:
10m -
Pattern:
^[0-9]+(w|m|d|h|s)$
-
Example:
V1_PUSH_WHITELIST [array]: The array of namespace names that support V1 push if FEATURE_RESTRICTED_V1_PUSH is set to true.
-
Example:
some,namespaces
-
Example:
V2_PAGINATION_SIZE [number]: The number of results returned per page in V2 registry APIs.
-
Example:
100
-
Example:
WEBHOOK_HOSTNAME_BLACKLIST [array]: The set of hostnames to disallow from webhooks when validating, beyond localhost.
-
Example:
someexternaldomain.com
-
Example:
