Red Hat SummitChapter 2. Configuration fields
2.1. Required configuration fields
Required fields are covered in the following sections:
2.2. Automation options
2.3. Optional configuration fields
Optional fields are covered in the following sections:
2.4. General required fields
| Field | Type | Description |
|---|---|---|
|
AUTHENTICATION_TYPE | String |
The authentication engine to use for credential authentication |
|
PREFERRED_URL_SCHEME | String |
The URL scheme to use when accessing Red Hat Quay |
|
SERVER_HOSTNAME | String |
The URL at which Red Hat Quay is accessible, without the scheme |
|
DATABASE_SECRET_KEY | String | Key used to encrypt sensitive fields within the database. This value should never be changed once set, otherwise all reliant fields, for example, repository mirror username and password configurations, are invalidated. |
|
SECRET_KEY | String | Key used to encrypt sensitive fields within the database and at run time. his value should never be changed once set, otherwise all reliant fields, for example, encrypted password credentials, are invalidated. |
|
SETUP_COMPLETE | Boolean |
This is an artefact left over from earlier versions of the software and currently it must be specified with a value of |
2.5. Database configuration
You configure the connection to the database using the required DB_URI field and optional connection arguments in the DB_CONNECTION_ARGS structure. Some key-value pairs defined under DB_CONNECTION_ARGS are generic while others are database-specific. In particular, SSL configuration depends on the database you are deploying, and examples for PostgreSQL and MySQL are given below.
2.5.1. Database URI
| Field | Type | Description |
|---|---|---|
|
DB_URI | String | The URI for accessing the database, including any credentials |
Example:
postgresql://quayuser:quaypass@quay-server.example.com:5432/quay
postgresql://quayuser:quaypass@quay-server.example.com:5432/quay2.5.2. Database connection arguments
| Field | Type | Description |
|---|---|---|
| DB_CONNECTION_ARGS | Object | Optional connection arguments for the database, such as timeouts and SSL |
| .autorollback | Boolean |
Whether to use thread-local connections |
| .threadlocals | Boolean |
Whether to use auto-rollback connections |
2.5.2.1. PostgreSQL SSL connection arguments
A sample PostgreSQL SSL configuration is given below:
DB_CONNECTION_ARGS: sslmode: verify-ca sslrootcert: /path/to/cacert
DB_CONNECTION_ARGS:
sslmode: verify-ca
sslrootcert: /path/to/cacert
The sslmode option determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. There are six modes:
- disable: only try a non-SSL connection
- allow: first try a non-SSL connection; if that fails, try an SSL connection
- prefer: (default) first try an SSL connection; if that fails, try a non-SSL connection
- require: only try an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified
- verify-ca: only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA)
- verify-full: only try an SSL connection, verify that the server certificate is issued by a trusted CA and that the requested server host name matches that in the certificate
More information on the valid arguments for PostgreSQL is available at https://www.postgresql.org/docs/current/libpq-connect.html.
2.5.2.2. MySQL SSL connection arguments
A sample MySQL SSL configuration follows:
DB_CONNECTION_ARGS:
ssl:
ca: /path/to/cacert
DB_CONNECTION_ARGS:
ssl:
ca: /path/to/cacertInformation on the valid connection arguments for MySQL is available at https://dev.mysql.com/doc/refman/8.0/en/connecting-using-uri-or-key-value-pairs.html.
2.6. Image storage
2.6.1. Image storage features
| Field | Type | Description |
|---|---|---|
| FEATURE_REPO_MIRROR | Boolean |
If set to true, enables repository mirroring |
| FEATURE_PROXY_STORAGE | Boolean |
Whether to proxy all direct download URLs in storage via the registry nginx |
| FEATURE_STORAGE_REPLICATION | Boolean |
Whether to automatically replicate between storage engines |
2.6.2. Image storage configuration fields
You specify a list of all storage engines using the DISTRIBUTED_STORAGE_CONFIG field, and choose you preferred storage engine(s) using the DISTRIBUTED_STORAGE_PREFERENCE field.
The DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS field is used to control which locations will have their images replicated by default.
| Field | Type | Description |
|---|---|---|
|
DISTRIBUTED_STORAGE_CONFIG | Object |
Configuration for storage engine(s) to use in Red Hat Quay. Each key represents an unique identifier for a storage engine. The value consists of a tuple of (key, value) forming an object describing the storage engine parameters. |
|
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS | Array of string | The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose images should be fully replicated, by default, to all other storage engines. |
|
DISTRIBUTED_STORAGE_PREFERENCE | Array of string |
The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to use. A preferred engine means it is first checked for pulling and images are pushed to it. |
| MAXIMUM_LAYER_SIZE | String |
Maximum allowed size of an image layer |
2.6.3. Local storage
2.6.4. OCS/NooBaa
2.6.5. Ceph / RadosGW Storage / Hitachi HCP
2.6.6. AWS S3 storage
2.6.7. Google cloud storage
2.6.8. Azure storage
2.6.9. Swift storage
2.7. Redis configuration fields
2.7.1. Build logs
| Field | Type | Description |
|---|---|---|
|
BUILDLOGS_REDIS | Object | Redis connection details for build logs caching |
|
.host | String |
The hostname at which Redis is accessible |
|
.port | Number |
The port at which Redis is accessible |
| .password | String |
The port at which Redis is accessible |
2.7.2. User events
| Field | Type | Description |
|---|---|---|
|
USER_EVENTS_REDIS | Object | Redis connection details for user event handling |
|
.host | String |
The hostname at which Redis is accessible |
|
.port | Number |
The port at which Redis is accessible |
| .password | String |
The port at which Redis is accessible |
2.7.3. Example redis configuration
2.8. Tag expiration options
| Field | Type | Description |
|---|---|---|
| FEATURE_GARBAGE_COLLECTION | Boolean |
Whether garbage collection of repositories is enabled |
|
|
|
|
|
TAG_EXPIRATION_OPTIONS | Array of string |
The options that users can select for expiration of tags in their namespace (if enabled) |
|
DEFAULT_TAG_EXPIRATION | String |
The default, configurable tag expiration time for time machine. |
|
|
|
|
| FEATURE_CHANGE_TAG_EXPIRATION | Boolean |
Whether users and organizations are allowed to change the tag expiration for tags in their namespace |
Example:
2.9. Pre-configuring Quay for automation
Quay has a number of configuration options that support automation. These options can be set before deployment, to minimize the need to interact with the user interface.
2.9.1. Allowing the API to create the first user
Set the config option FEATURE_USER_INITIALIZE to true, so that you can use the API /api/v1/user/initialize to create the first user. This API endpoint does not require authentication, unlike all other registry API calls which require an OAuth token which is generated by an OAuth application in an existing organization.
Once you have deployed Quay, you can use the API to create a user, for example, quayadmin, provided no other users have already been created. For more information, see the section on Creating the first user using the API
2.9.2. Enabling general API access
Set the config option BROWSER_API_CALLS_XHR_ONLY to false, to allow general access to the Quay registry API.
2.9.3. Adding a super user
While you cannot create a user until after deployment, it is convenient to ensure that first user is an administrator with full permissions. It is easier to configure this in advance, using the SUPER_USER configuration object.
2.9.4. Restricting user creation
Once you have configured a super user, you can restrict the ability to create new users to the super user group. Set the FEATURE_USER_CREATION to false to restrict user creation.
2.9.5. Suggested configuration for automation
Create a config.yaml configuration file that includes the appropriate settings:
config.yaml
2.9.6. Deploying the Operator using the initial configuration
Create a Secret using the configuration file
oc create secret generic --from-file config.yaml=./config.yaml init-config-bundle-secret
$ oc create secret generic --from-file config.yaml=./config.yaml init-config-bundle-secretCopy to Clipboard Copied! Toggle word wrap Toggle overflow Create a QuayRegistry YAML file
quayregistry.yaml, identifying the unmanaged components and also referencing the created Secret, for example:quayregistry.yaml
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Deploy the registry:
oc create -f quayregistry.yaml
$ oc create -f quayregistry.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
Create the first user,
quayadmin, using the API
2.9.7. Using the API to create the first user
When using the API to create the first user, the following conditions must be met:
-
The config option
FEATURE_USER_INITIALIZEmust be set totrue - No users can already exist in the database
For more information on pre-configuring the deployment, see the section Pre-configuring Quay for automation
2.9.7.1. Invoking the API
Using the status.registryEndpoint URL, invoke the /api/v1/user/initialize API, passing in the username, password and email address. You can also request an OAuth token by specifying "access_token": true.
curl -X POST -k https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin", "password":"quaypass123", "email": "quayadmin@example.com", "access_token": true}'
$ curl -X POST -k https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin", "password":"quaypass123", "email": "quayadmin@example.com", "access_token": true}'{"access_token":"6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED", "email":"quayadmin@example.com","encrypted_password":"1nZMLH57RIE5UGdL/yYpDOHLqiNCgimb6W9kfF8MjZ1xrfDpRyRs9NUnUuNuAitW","username":"quayadmin"}
{"access_token":"6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED", "email":"quayadmin@example.com","encrypted_password":"1nZMLH57RIE5UGdL/yYpDOHLqiNCgimb6W9kfF8MjZ1xrfDpRyRs9NUnUuNuAitW","username":"quayadmin"}If successful, the method returns an object with the username, email and encrypted password. If a user already exists in the database, an error is returned:
curl -X POST -k https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayuser2", "password":"quaypass123", "email": "quayuser2@example.com"}'
$ curl -X POST -k https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayuser2", "password":"quaypass123", "email": "quayuser2@example.com"}'{"message":"Cannot initialize user in a non-empty database"}
{"message":"Cannot initialize user in a non-empty database"}The password must be at least 8 characters and contain no whitespace:
curl -X POST -k https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin", "password":"pass123", "email": "quayadmin@example.com"}'
$ curl -X POST -k https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin", "password":"pass123", "email": "quayadmin@example.com"}'{"message":"Failed to initialize user: Invalid password, password must be at least 8 characters and contain no whitespace."}
{"message":"Failed to initialize user: Invalid password, password must be at least 8 characters and contain no whitespace."}2.9.7.2. Using the OAuth token
You can now invoke the rest of the Quay API specifying the returned OAuth code. For example, to get a list of the current users:
curl -X GET -k -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/superuser/users/
$ curl -X GET -k -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/superuser/users/
In this instance, the details for the quayadmin user are returned as it is the only user that has been created so far.
2.9.7.2.1. Create organization
To create an organization, use a POST call to api/v1/organization/ endpoint:
curl -X POST -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/ --data '{"name": "testorg", "email": "testorg@example.com"}'
$ curl -X POST -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/ --data '{"name": "testorg", "email": "testorg@example.com"}'"Created"
"Created"2.9.7.2.2. Get organization details
To retrieve the details of the organization you created:
curl -X GET -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://min-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/testorg
$ curl -X GET -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://min-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/testorg2.10. Basic configuration
| Field | Type | Description |
|---|---|---|
| REGISTRY_TITLE | String |
If specified, the long-form title for the registry |
| REGISTRY_TITLE_SHORT | String |
If specified, the short-form title for the registry. |
|
|
|
|
| BRANDING | Object | Custom branding for logos and URLs in the Red Hat Quay UI. |
|
.logo | String |
Main logo image URL |
| .footer_img | String |
Logo for UI footer |
| .footer_url | String |
Link for footer image |
|
|
|
|
| CONTACT_INFO | Array of String | If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly. |
| [0] | String |
Adds a link to send an e-mail |
| [1] | String |
Adds a link to visit an IRC chat room |
| [2] | String |
Adds a link to call a phone number+ |
| [3] | String |
Adds a link to a defined URL |
2.11. SSL configuration fields
| Field | Type | Description |
|---|---|---|
| PREFERRED_URL_SCHEME | String |
One of |
|
SERVER_HOSTNAME | String |
The URL at which Red Hat Quay is accessible, without the scheme |
| SSL_CIPHERS | Array of String |
If specified, the nginx-defined list of SSL ciphers to enabled and disabled |
| SSL_PROTOCOLS | Array of String |
If specified, nginx is configured to enabled a list of SSL protocols defined in the list. Removing an SSL protocol from the list disables the protocol during Red Hat Quay startup. |
| SESSION_COOKIE_SECURE | Boolean |
Whether the |
2.11.1. Configuring SSL
Copy the certificate file and primary key file to your configuration directory, ensuring they are named
ssl.certandssl.keyrespectively:cp ~/ssl.cert $QUAY/config cp ~/ssl.key $QUAY/config cd $QUAY/config
$ cp ~/ssl.cert $QUAY/config $ cp ~/ssl.key $QUAY/config $ cd $QUAY/configCopy to Clipboard Copied! Toggle word wrap Toggle overflow Edit the
config.yamlfile and specify that you want Quay to handle TLS:config.yaml
... SERVER_HOSTNAME: quay-server.example.com ... PREFERRED_URL_SCHEME: https ...
... SERVER_HOSTNAME: quay-server.example.com ... PREFERRED_URL_SCHEME: https ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Stop the
Quaycontainer and restart the registry
2.12. Adding TLS Certificates to the Red Hat Quay Container
To add custom TLS certificates to Red Hat Quay, create a new directory named extra_ca_certs/ beneath the Red Hat Quay config directory. Copy any required site-specific TLS certificates to this new directory.
2.12.1. Add TLS certificates to Red Hat Quay
View certificate to be added to the container
cat storage.crt -----BEGIN CERTIFICATE----- MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV [...] -----END CERTIFICATE-----
$ cat storage.crt -----BEGIN CERTIFICATE----- MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV [...] -----END CERTIFICATE-----Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create certs directory and copy certificate there
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Obtain the
Quaycontainer’sCONTAINER IDwithpodman ps:sudo podman ps
$ sudo podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS 5a3e82c4a75f <registry>/<repo>/quay:v3.6.8 "/sbin/my_init" 24 hours ago Up 18 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 443/tcp grave_kellerCopy to Clipboard Copied! Toggle word wrap Toggle overflow Restart the container with that ID:
sudo podman restart 5a3e82c4a75f
$ sudo podman restart 5a3e82c4a75fCopy to Clipboard Copied! Toggle word wrap Toggle overflow Examine the certificate copied into the container namespace:
sudo podman exec -it 5a3e82c4a75f cat /etc/ssl/certs/storage.pem -----BEGIN CERTIFICATE----- MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
$ sudo podman exec -it 5a3e82c4a75f cat /etc/ssl/certs/storage.pem -----BEGIN CERTIFICATE----- MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNVCopy to Clipboard Copied! Toggle word wrap Toggle overflow
2.13. LDAP configuration fields
| Field | Type | Description |
|---|---|---|
|
AUTHENTICATION_TYPE | String |
Must be set to |
| FEATURE_TEAM_SYNCING | Boolean |
Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone) |
| FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP | Boolean |
If enabled, non-superusers can setup syncing on teams using LDAP |
|
|
|
|
| LDAP_ADMIN_DN | String | The admin DN for LDAP authentication. |
| LDAP_ADMIN_PASSWD | String | The admin password for LDAP authentication. |
| LDAP_ALLOW_INSECURE_FALLBACK | Boolean | Whether or not to allow SSL insecure fallback for LDAP authentication. |
| LDAP_BASE_DN | Array of String | The base DN for LDAP authentication. |
| LDAP_EMAIL_ATTR | String | The email attribute for LDAP authentication. |
| LDAP_UID_ATTR | String | The uid attribute for LDAP authentication. |
| LDAP_URI | String | The LDAP URI. |
| LDAP_USER_FILTER | String | The user filter for LDAP authentication. |
| LDAP_USER_RDN | Array of String | The user RDN for LDAP authentication. |
| TEAM_RESYNC_STALE_TIME | String |
If team syncing is enabled for a team, how often to check its membership and resync if necessary |
2.13.1. LDAP configuration example
$QUAY/config/config.yaml
2.14. Mirroring configuration fields
| Field | Type | Description |
|---|---|---|
| FEATURE_REPO_MIRROR | Boolean |
Enable or disable repository mirroring |
|
|
|
|
| REPO_MIRROR_INTERVAL | Number |
The number of seconds between checking for repository mirror candidates |
| REPO_MIRROR_SERVER_HOSTNAME | String |
Replaces the |
| REPO_MIRROR_TLS_VERIFY | Boolean |
Require HTTPS and verify certificates of Quay registry during mirror. |
2.15. Security scanner configuration fields
| Field | Type | Description |
|---|---|---|
| FEATURE_SECURITY_SCANNER | Boolean |
Enable or disable the security scanner |
| FEATURE_SECURITY_NOTIFICATIONS | Boolean |
If the security scanner is enabled, turn on or turn off security notifications |
| SECURITY_SCANNER_V4_REINDEX_THRESHOLD | String |
This parameter is used to determine the minimum time, in seconds, to wait before re-indexing a manifest that has either previously failed or has changed states since the last indexing. The data is calculated from the |
| SECURITY_SCANNER_V4_ENDPOINT | String |
The endpoint for the V4 security scanner |
| SECURITY_SCANNER_V4_PSK | String | The generated pre-shared key (PSK) for Clair |
| SECURITY_SCANNER_INDEXING_INTERVAL | Number |
The number of seconds between indexing intervals in the security scanner |
| SECURITY_SCANNER_ENDPOINT | String |
The endpoint for the V2 security scanner |
| SECURITY_SCANNER_INDEXING_INTERVAL | String | This parameter is used to determine the number of seconds between indexing intervals in the security scanner. When indexing is triggered, Red Hat Quay will query its database for manifests that must be indexed by Clair. These include manifests that have not yet been indexed and manifests that previously failed indexing. |
The following is a special case for re-indexing:
When Clair v4 indexes a manifest, the result should be deterministic. For example, the same manifest should produce the same index report. This is true until the scanners are changed, as using different scanners will produce different information relating to a specific manifest to be returned in the report. Because of this, Clair v4 exposes a state representation of the indexing engine (/indexer/api/v1/index_state) to determine whether the scanner configuration has been changed.
Red Hat Quay leverages this index state by saving it to the index report when parsing to Quay’s database. If this state has changed since the manifest was previously scanned, Quay will attempt to re-index that manifest during the periodic indexing process.
By default this parameter is set to 30 seconds. Users might decrease the time if they want the indexing process to run more frequently, for example, if they did not want to wait 30 seconds to see security scan results in the UI after pushing a new tag. Users can also change the parameter if they want more control over the request pattern to Clair and the pattern of database operations being performed on the Quay database.
2.16. OCI and Helm configuration
Support for Helm is now supported under the FEATURE_GENERAL_OCI_SUPPORT property. If you need to explicitly enable the feature, for example, if it has previously been disabled or if you have upgraded from a version where it is not enabled by default, you need to add two properties in the Quay configuration to enable the use of OCI artifacts:
FEATURE_GENERAL_OCI_SUPPORT: true FEATURE_HELM_OCI_SUPPORT: true
FEATURE_GENERAL_OCI_SUPPORT: true
FEATURE_HELM_OCI_SUPPORT: true| Field | Type | Description |
|---|---|---|
| FEATURE_GENERAL_OCI_SUPPORT | Boolean |
Enable support for OCI artifacts |
| FEATURE_HELM_OCI_SUPPORT | Boolean |
Enable support for Helm artifacts |
As of Red Hat Quay 3.6, FEATURE_HELM_OCI_SUPPORT has been deprecated and will be removed in a future version of Red Hat Quay. In Red Hat Quay 3.6, Helm artifacts are supported by default and included under the FEATURE_GENERAL_OCI_SUPPORT property. Users are no longer required to update their config.yaml files to enable support.
2.17. Action log configuration fields
2.17.1. Action log storage configuration
| Field | Type | Description |
|---|---|---|
| FEATURE_LOG_EXPORT | Boolean |
Whether to allow exporting of action logs |
|
|
|
|
| LOGS_MODEL | String |
Enable or disable the security scanner |
| LOGS_MODEL_CONFIG | Object | Logs model config for action logs |
LOGS_MODEL_CONFIG [object]: Logs model config for action logs
elasticsearch_config [object]: Elasticsearch cluster configuration
access_key [string]: Elasticsearch user (or IAM key for AWS ES)
-
Example:
some_string
-
Example:
host [string]: Elasticsearch cluster endpoint
-
Example:
host.elasticsearch.example
-
Example:
index_prefix [string]: Elasticsearch’s index prefix
-
Example:
logentry_
-
Example:
- index_settings [object]: Elasticsearch’s index settings
use_ssl [boolean]: Use ssl for Elasticsearch. Defaults to True
-
Example:
True
-
Example:
secret_key [string]: Elasticsearch password (or IAM secret for AWS ES)
-
Example:
some_secret_string
-
Example:
aws_region [string]: Amazon web service region
-
Example:
us-east-1
-
Example:
port [number]: Elasticsearch cluster endpoint port
-
Example:
1234
-
Example:
kinesis_stream_config [object]: AWS Kinesis Stream configuration
aws_secret_key [string]: AWS secret key
-
Example:
some_secret_key
-
Example:
stream_name [string]: Kinesis stream to send action logs to
-
Example:
logentry-kinesis-stream
-
Example:
aws_access_key [string]: AWS access key
-
Example:
some_access_key
-
Example:
retries [number]: Max number of attempts made on a single request
-
Example:
5
-
Example:
read_timeout [number]: Number of seconds before timeout when reading from a connection
-
Example:
5
-
Example:
max_pool_connections [number]: The maximum number of connections to keep in a connection pool
-
Example:
10
-
Example:
aws_region [string]: AWS region
-
Example:
us-east-1
-
Example:
connect_timeout [number]: Number of seconds before timeout when attempting to make a connection
-
Example:
5
-
Example:
producer [string]: Logs producer if logging to Elasticsearch
- enum: kafka, elasticsearch, kinesis_stream
-
Example:
kafka
kafka_config [object]: Kafka cluster configuration
topic [string]: Kafka topic to publish log entries to
-
Example:
logentry
-
Example:
- bootstrap_servers [array]: List of Kafka brokers to bootstrap the client from
max_block_seconds [number]: Max number of seconds to block during a
send(), either because the buffer is full or metadata unavailable-
Example:
10
-
Example:
2.17.2. Action log rotation and archiving configuration
| Field | Type | Description |
|---|---|---|
| FEATURE_ACTION_LOG_ROTATION | Boolean |
Enabling log rotation and archival will move all logs older than 30 days to storage |
|
|
|
|
| ACTION_LOG_ARCHIVE_LOCATION | String |
If action log archiving is enabled, the storage engine in which to place the archived data |
| ACTION_LOG_ARCHIVE_PATH | String |
If action log archiving is enabled, the path in storage in which to place the archived data |
| ACTION_LOG_ROTATION_THRESHOLD | String |
The time interval after which to rotate logs |
2.18. Build logs
| Field | Type | Description |
|---|---|---|
| FEATURE_READER_BUILD_LOGS | Boolean |
If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. |
|
|
|
|
| LOG_ARCHIVE_LOCATION | String |
The storage location, defined in DISTRIBUTED_STORAGE_CONFIG, in which to place the archived build logs |
| LOG_ARCHIVE_PATH | String |
The path under the configured storage engine in which to place the archived build logs in JSON form |
2.19. Dockerfile build triggers fields
| Field | Type | Description |
|---|---|---|
| FEATURE_BUILD_SUPPORT | Boolean |
Whether to support Dockerfile build. |
| SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD | Number |
If not None, the number of successive failures that can occur before a build trigger is automatically disabled |
| SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD | Number |
If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled |
2.19.1. GitHub build triggers
| Field | Type | Description |
|---|---|---|
| FEATURE_GITHUB_BUILD | Boolean |
Whether to support GitHub build triggers |
|
|
|
|
| GITHUB_TRIGGER_CONFIG | Object | Configuration for using GitHub (Enterprise) for build triggers |
|
.GITHUB_ENDPOINT | String |
The endpoint for GitHub (Enterprise) |
| .API_ENDPOINT | String |
The endpoint of the GitHub (Enterprise) API to use. Must be overridden for |
|
.CLIENT_ID | String | The registered client ID for this Red Hat Quay instance; this cannot be shared with GITHUB_LOGIN_CONFIG. |
|
.CLIENT_SECRET | String | The registered client secret for this Red Hat Quay instance. |
2.19.2. BitBucket build triggers
| Field | Type | Description |
|---|---|---|
| FEATURE_BITBUCKET_BUILD | Boolean |
Whether to support Bitbucket build triggers |
|
|
|
|
| BITBUCKET_TRIGGER_CONFIG | Object | Configuration for using BitBucket for build triggers |
|
.CONSUMER_KEY | String | The registered consumer key (client ID) for this Quay instance |
|
.CONSUMER_SECRET | String | The registered consumer secret (client secret) for this Quay instance |
2.19.3. GitLab build triggers
| Field | Type | Description |
|---|---|---|
| FEATURE_GITLAB_BUILD | Boolean |
Whether to support GitLab build triggers |
|
|
|
|
| GITLAB_TRIGGER_CONFIG | Object | Configuration for using Gitlab for build triggers |
|
.GITLAB_ENDPOINT | String | The endpoint at which Gitlab (Enterprise) is running |
|
.CLIENT_ID | String | The registered client ID for this Quay instance |
|
.CLIENT_SECRET | String | The registered client secret for this Quay instance |
2.20. OAuth configuration
| Field | Type | Description |
|---|---|---|
| DIRECT_OAUTH_CLIENTID_WHITELIST | Array of String | A list of client IDs for Quay-managed applications that are allowed to perform direct OAuth approval without user approval. |
2.20.1. GitHub OAuth
| Field | Type | Description |
|---|---|---|
| FEATURE_GITHUB_LOGIN | Boolean |
Whether GitHub login is supported |
| GITHUB_LOGIN_CONFIG | Object | Configuration for using GitHub (Enterprise) as an external login provider. |
| .ALLOWED_ORGANIZATIONS | Array of String | The names of the GitHub (Enterprise) organizations whitelisted to work with the ORG_RESTRICT option. |
| .API_ENDPOINT | String |
The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com |
|
.CLIENT_ID | String |
The registered client ID for this Red Hat Quay instance; cannot be shared with GITHUB_TRIGGER_CONFIG |
|
.CLIENT_SECRET | String |
The registered client secret for this Red Hat Quay instance |
|
.GITHUB_ENDPOINT | String |
The endpoint for GitHub (Enterprise) |
| .ORG_RESTRICT | Boolean | If true, only users within the organization whitelist can login using this provider. |
2.20.2. Google OAuth
| Field | Type | Description |
|---|---|---|
| FEATURE_GOOGLE_LOGIN | Boolean |
Whether Google login is supported |
| GOOGLE_LOGIN_CONFIG | Object | Configuration for using Google for external authentication |
|
.CLIENT_ID | String |
The registered client ID for this Red Hat Quay instance |
|
.CLIENT_SECRET | String |
The registered client secret for this Red Hat Quay instance |
2.21. Configuring nested repositories
With Red Hat Quay 3.6, support for nested repository path names has been added under the FEATURE_EXTENDED_REPOSITORY_NAMES property. This optional configuration must be manually added to the config.yaml by the user to enable support. Enablement allows the use of / in repository names.
FEATURE_EXTENDED_REPOSITORY_NAMES: true
FEATURE_EXTENDED_REPOSITORY_NAMES: true| Field | Type | Description |
|---|---|---|
| FEATURE_EXTENDED_REPOSITORY_NAMES | Boolean |
Enable support for nested repositories |
2.22. Adding other OCI media types to Quay
Helm, cosign, and ztsd compression scheme artifacts are built into Red Hat Quay 3.6 by default. For any other OCI media type that is not supported by default, you can add them to the ALLOWED_OCI_ARTIFACT_TYPES configuration in Quay’s config.yaml using the following format:
For example, you can add Singularity (SIF) support by adding the following to your config.yaml:
When adding OCI media types that are not configured by default, users will also need to manually add support for cosign and Helm if desired. The ztsd compression scheme is supported by default, so users will not need to add that OCI media type to their config.yaml to enable support.
2.23. Mail configuration
| Field | Type | Description |
|---|---|---|
| FEATURE_MAILING | Boolean |
Whether emails are enabled |
|
|
|
|
| MAIL_DEFAULT_SENDER | String |
If specified, the e-mail address used as the |
| MAIL_PASSWORD | String | The SMTP password to use when sending e-mails |
| MAIL_PORT | Number | The SMTP port to use. If not specified, defaults to 587. |
| MAIL_SERVER | String |
The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true. |
| MAIL_USERNAME | String | The SMTP username to use when sending e-mails |
| MAIL_USE_TLS | Boolean |
If specified, whether to use TLS for sending e-mails |
2.24. User configuration fields
| Field | Type | Description |
|---|---|---|
| FEATURE_SUPER_USERS | Boolean |
Whether superusers are supported |
| FEATURE_USER_CREATION | Boolean |
Whether users can be created (by non-superusers) |
| FEATURE_USER_LAST_ACCESSED | Boolean |
Whether to record the last time a user was accessed |
| FEATURE_USER_LOG_ACCESS | Boolean |
If set to true, users will have access to audit logs for their namespace |
| FEATURE_USER_METADATA | Boolean |
Whether to collect and support user metadata |
| FEATURE_USERNAME_CONFIRMATION | Boolean |
If set to true, users can confirm their generated usernames |
| FEATURE_USER_RENAME | Boolean |
If set to true, users can rename their own namespace |
| FEATURE_INVITE_ONLY_USER_CREATION | Boolean |
Whether users being created must be invited by another user |
|
|
|
|
| FRESH_LOGIN_TIMEOUT | String |
The time after which a fresh login requires users to re-enter their password |
| USERFILES_LOCATION | String |
ID of the storage engine in which to place user-uploaded files |
| USERFILES_PATH | String |
Path under storage in which to place user-uploaded files |
| USER_RECOVERY_TOKEN_LIFETIME | String |
The length of time a token for recovering a user accounts is valid |
2.25. Recaptcha configuration
| Field | Type | Description |
|---|---|---|
| FEATURE_RECAPTCHA | Boolean |
Whether Recaptcha is necessary for user login and recovery |
|
|
|
|
| RECAPTCHA_SECRET_KEY | String | If recaptcha is enabled, the secret key for the Recaptcha service |
| RECAPTCHA_SITE_KEY | String | If recaptcha is enabled, the site key for the Recaptcha service |
2.26. ACI configuration
| Field | Type | Description |
|---|---|---|
| FEATURE_ACI_CONVERSION | Boolean |
Whether to enable conversion to ACIs |
|
|
|
|
| GPG2_PRIVATE_KEY_FILENAME | String | The filename of the private key used to decrypte ACIs |
| GPG2_PRIVATE_KEY_NAME | String | The name of the private key used to sign ACIs |
| GPG2_PUBLIC_KEY_FILENAME | String | The filename of the public key used to encrypt ACIs |
2.27. JTW configuration
| Field | Type | Description |
|---|---|---|
| JWT_AUTH_ISSUER | String |
The endpoint for JWT users |
| JWT_GETUSER_ENDPOINT | String |
The endpoint for JWT users |
| JWT_QUERY_ENDPOINT | String |
The endpoint for JWT queries |
| JWT_VERIFY_ENDPOINT | String |
The endpoint for JWT verification |
2.28. App tokens
| Field | Type | Description |
|---|---|---|
| FEATURE_APP_SPECIFIC_TOKENS | Boolean |
If enabled, users can create tokens for use by the Docker CLI |
|
|
|
|
| APP_SPECIFIC_TOKEN_EXPIRATION | String |
The expiration for external app tokens. |
| EXPIRED_APP_SPECIFIC_TOKEN_GC | String |
Duration of time expired external app tokens will remain before being garbage collected |
2.29. Miscellaneous fields
| Field | Type | Description |
|---|---|---|
| ALLOW_PULLS_WITHOUT_STRICT_LOGGING | String |
If true, pulls will still succeed even if the pull audit log entry cannot be written . This is useful if the database is in a read-only state and it is desired for pulls to continue during that time. |
| AVATAR_KIND | String |
The types of avatars to display, either generated inline (local) or Gravatar (gravatar) |
| BROWSER_API_CALLS_XHR_ONLY | Boolean |
If enabled, only API calls marked as being made by an XHR will be allowed from browsers |
| DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT | Number |
The default maximum number of builds that can be queued in a namespace. |
| ENABLE_HEALTH_DEBUG_SECRET | String | If specified, a secret that can be given to health endpoints to see full debug info when not authenticated as a superuser |
| EXTERNAL_TLS_TERMINATION | Boolean | Set to true if TLS is supported, but terminated at a layer before Quay |
| FRESH_LOGIN_TIMEOUT | String |
The time after which a fresh login requires users to re-enter their password |
| HEALTH_CHECKER | String |
The configured health check |
| PROMETHEUS_NAMESPACE | String |
The prefix applied to all exposed Prometheus metrics |
| PUBLIC_NAMESPACES | Array of String | If a namespace is defined in the public namespace list, then it will appear on all users' repository list pages, regardless of whether the user is a member of the namespace. Typically, this is used by an enterprise customer in configuring a set of "well-known" namespaces. |
| REGISTRY_STATE | String |
The state of the registry |
| SEARCH_MAX_RESULT_PAGE_COUNT | Number |
Maximum number of pages the user can paginate in search before they are limited |
| SEARCH_RESULTS_PER_PAGE | Number |
Number of results returned per page by search page |
| V1_PUSH_WHITELIST | Array of String | The array of namespace names that support V1 push if FEATURE_RESTRICTED_V1_PUSH is set to true |
| V2_PAGINATION_SIZE | Number | The number of results returned per page in V2 registry APIs |
| WEBHOOK_HOSTNAME_BLACKLIST | Array of String | The set of hostnames to disallow from webhooks when validating, beyond localhost |
| CREATE_PRIVATE_REPO_ON_PUSH | Boolean |
Whether new repositories created by push are set to private visibility |
| CREATE_NAMESPACE_ON_PUSH | Boolean |
Whether new push to a non-existent organization creates it |
| NON_RATE_LIMITED_NAMESPACES | Array of String |
If rate limiting has been enabled using |
2.30. Legacy configuration fields
Some fields are deprecated or obsolete:
| Field | Type | Description |
|---|---|---|
| FEATURE_BLACKLISTED_EMAILS | Boolean | If set to true, no new User accounts may be created if their email domain is blacklisted |
| BLACKLISTED_EMAIL_DOMAINS | Array of String |
The list of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true |
| BLACKLIST_V2_SPEC | String |
The Docker CLI versions to which Red Hat Quay will respond that V2 is unsupported |
| DOCUMENTATION_ROOT | String | Root URL for documentation links |
| SECURITY_SCANNER_V4_NAMESPACE_WHITELIST | String | The namespaces for which the security scanner should be enabled |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}