
Quay Bridge Operator


Red Hat Quay 3.14

Red Hat Quay

Red Hat OpenShift Documentation Team

Abstract

Quay Bridge Operator

Preface

The Quay Bridge Operator duplicates the features of the integrated OpenShift Container Platform registry into the new Red Hat Quay registry. Using the Quay Bridge Operator, you can replace the integrated container registry in OpenShift Container Platform with a Red Hat Quay registry.

The features enabled with the Quay Bridge Operator include:

  • Synchronizing OpenShift Container Platform namespaces as Red Hat Quay organizations.
  • Creating robot accounts for each default namespace service account.
  • Creating secrets for each created robot account, and associating each robot secret to a service account as Mountable and Image Pull Secret.
  • Synchronizing OpenShift Container Platform image streams as Red Hat Quay repositories.
  • Automatically rewriting new builds making use of image streams to output to Red Hat Quay.
  • Automatically importing an image stream tag after a build completes.

By using the following procedures, you can enable bi-directional communication between your Red Hat Quay and OpenShift Container Platform clusters.

Use the following procedure to create a dedicated Red Hat Quay organization, and then generate an OAuth token within that organization to be used with the Quay Bridge Operator in OpenShift Container Platform.

Prerequisites

  • You are logged in to Red Hat Quay as a user with administrative privileges.

Procedure

  1. Log in to Red Hat Quay through the web UI.
  2. Select the organization for which the external application will be configured.
  3. On the navigation pane, select Applications.
  4. Select Create New Application and enter a name for the new application, for example, openshift.
  5. On the OAuth Applications page, select your application, for example, openshift.
  6. On the navigation pane, select Generate Token.
  7. Select the following fields:

    • Administer Organization
    • Administer Repositories
    • Create Repositories
    • View all visible repositories
    • Read/Write to any accessible repositories
    • Super User Access
    • Administer User
    • Read User Information
  8. Review the assigned permissions.
  9. Select Authorize Application and then confirm the authorization by selecting Authorize Application.
  10. Save the generated access token.

    Important

    Red Hat Quay does not offer token management. You cannot list tokens, delete tokens, or modify tokens. The generated access token is only shown once and cannot be re-obtained after closing the page.

Use the following procedure to install the Quay Bridge Operator on OpenShift Container Platform.

Prerequisites

  • You have set up Red Hat Quay and obtained an OAuth access token.
  • You are logged in to OpenShift Container Platform as a user with administrative privileges.

Procedure

  1. Open the Administrator perspective of the web console and navigate to Operators → OperatorHub on the navigation pane.
  2. Search for Quay Bridge Operator, click the Quay Bridge Operator title, and then click Install.
  3. Select the version to install, for example, stable-3.14, and then click Install.
  4. Click View Operator when the installation finishes to go to the Quay Bridge Operator’s Details page. Alternatively, you can click Installed Operators → Red Hat Quay Bridge Operator to go to the Details page.

Use the following procedure to add the previously obtained access token to communicate with your Red Hat Quay deployment. The access token is stored within OpenShift Container Platform as a secret.

Prerequisites

  • You have set up Red Hat Quay and obtained an access token.
  • You have deployed the Quay Bridge Operator on OpenShift Container Platform.
  • You have installed the OpenShift CLI (oc).

Procedure

  • Create a secret that contains the access token in the openshift-operators namespace:

    $ oc create secret -n openshift-operators generic <secret_name> --from-literal=token=<access_token>

    <access_token>: Specifies the access token generated during "Setting up Red Hat Quay for the Quay Bridge Operator".

Chapter 4. Creating the QuayIntegration custom resource

Create a QuayIntegration custom resource (CR) to connect an OpenShift Container Platform cluster to a Red Hat Quay registry. The QuayIntegration CR defines the Red Hat Quay hostname, authentication details, and configuration options that the Quay Bridge Operator uses to synchronize OpenShift Container Platform projects with Red Hat Quay organizations, robot accounts, and other features.

The QuayIntegration custom resource can be created by using the OpenShift Container Platform web console, or from the command-line interface.

Prerequisites

  • You have set up Red Hat Quay and obtained an access token.
  • You have deployed the Quay Bridge Operator on OpenShift Container Platform.
  • Optional: You have installed the OpenShift CLI (oc).

Use the following procedure to create the QuayIntegration custom resource using the command-line interface.

Procedure

  1. Create a quay-integration.yaml:

    $ touch quay-integration.yaml
  2. Use the following configuration for a minimal deployment of the QuayIntegration custom resource:

    apiVersion: quay.redhat.com/v1
    kind: QuayIntegration
    metadata:
      name: example-quayintegration
    spec:
      clusterID: openshift                 # (1)
      credentialsSecret:
        namespace: openshift-operators
        name: quay-integration             # (2)
      quayHostname: https://<QUAY_URL>     # (3)
      insecureRegistry: false              # (4)

    (1) The clusterID value should be unique across the entire ecosystem. This value is required and defaults to openshift.
    (2) The credentialsSecret property refers to the namespace and name of the secret containing the token that was previously created.
    (3) Replace the QUAY_URL with the hostname of your Red Hat Quay instance.
    (4) If Red Hat Quay is using self-signed certificates, set the property to insecureRegistry: true.

For a list of all configuration fields, see "QuayIntegration configuration fields".

  3. Create the QuayIntegration custom resource:

    $ oc create -f quay-integration.yaml

Follow this procedure to create the QuayIntegration custom resource using the web console.

Procedure

  1. Open the Administrator perspective of the web console and navigate to Operators → Installed Operators.
  2. Click Red Hat Quay Bridge Operator.
  3. On the Details page of the Quay Bridge Operator, click Create Instance on the Quay Integration API card.
  4. On the Create QuayIntegration page, enter the following required information in either Form view or YAML view:

    • Name: The name that will refer to the QuayIntegration custom resource object.
    • Cluster ID: The ID associated with this cluster. This value should be unique across the entire ecosystem. Defaults to openshift if left unspecified.
    • Credentials secret: Refers to the namespace and name of the secret containing the token that was previously created.
    • Quay hostname: The hostname of the Quay registry.

After the QuayIntegration custom resource is created, your OpenShift Container Platform cluster is linked to your Red Hat Quay instance. Organizations should be created in your Red Hat Quay registry for the related namespaces of the OpenShift Container Platform environment.
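
The following added example, which is not part of the Red Hat documentation or the Operator's code, lints a QuayIntegration object together with the secret it references. It catches a credentialsSecret that points at a different secret, a missing token key, a quayHostname that is not an https:// URL, and insecureRegistry: true. The objects are constructed samples shaped like `oc get <resource> -o json` output; quay.example.com and the token value are placeholders.

```python
# Added example (not Red Hat's code): lint a QuayIntegration against its token secret.
import base64
from urllib.parse import urlsplit

def lint_integration(cr, secret):
    """Return findings for a QuayIntegration CR and the Secret it should reference.

    Both arguments are dicts shaped like `oc get <resource> -o json` output.
    """
    spec, findings = cr.get("spec", {}), []
    url = urlsplit(spec.get("quayHostname", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("quayHostname must be an https:// URL")
    if spec.get("insecureRegistry", False):
        findings.append("insecureRegistry is true; configure trusted certificates instead")
    ref = spec.get("credentialsSecret", {})
    meta = secret.get("metadata", {})
    if (ref.get("namespace"), ref.get("name")) != (meta.get("namespace"), meta.get("name")):
        findings.append("credentialsSecret does not point at the supplied secret")
    raw = secret.get("data", {}).get("token")  # key set by --from-literal=token=...
    if raw is None:
        findings.append("secret has no 'token' key")
    else:
        token = base64.b64decode(raw).decode("utf-8", "replace")
        if not token or token != token.strip():
            findings.append("token is empty or has surrounding whitespace")
    return findings

def make_secret(token, name="quay-integration"):
    """Constructed Secret object; the token is a placeholder, not a real credential."""
    return {"metadata": {"namespace": "openshift-operators", "name": name},
            "data": {"token": base64.b64encode(token.encode()).decode()}}

def make_cr(host, insecure=False, secret_name="quay-integration"):
    """Constructed QuayIntegration object using the fields from the minimal YAML."""
    return {"spec": {"clusterID": "openshift", "quayHostname": host,
                     "insecureRegistry": insecure,
                     "credentialsSecret": {"namespace": "openshift-operators",
                                           "name": secret_name}}}

if __name__ == "__main__":
    good_secret = make_secret("constructed-placeholder-token")
    print(lint_integration(make_cr("https://quay.example.com"), good_secret))
    print(lint_integration(make_cr("http://quay.example.com", True, "other"), good_secret))
```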

Chapter 5. Using the Quay Bridge Operator

Use the following procedure to use the Quay Bridge Operator.

Prerequisites

  • You have installed the Red Hat Quay Operator.
  • You have logged into OpenShift Container Platform as a cluster administrator.
  • You have logged into your Red Hat Quay registry.
  • You have installed the Quay Bridge Operator.
  • You have configured the QuayIntegration custom resource.

Procedure

  1. Enter the following command to create a new OpenShift Container Platform project called e2e-demo:

    $ oc new-project e2e-demo
  2. After you have created a new project, a new Organization is created in Red Hat Quay. Navigate to the Red Hat Quay registry and confirm that you have created a new Organization named openshift_e2e-demo.

    Note

    The openshift value of the Organization might be different if the clusterID in your QuayIntegration resource used a different value.

  3. On the Red Hat Quay UI, click the name of the new Organization, for example, openshift_e2e-demo.
  4. Click Robot Accounts in the navigation pane. As part of the new project, the following Robot Accounts should have been created:

    • openshift_e2e-demo+deployer
    • openshift_e2e-demo+default
    • openshift_e2e-demo+builder
  5. Enter the following command to confirm three secrets containing Docker configuration associated with the applicable Robot Accounts were created:

    $ oc get secrets builder-quay-openshift deployer-quay-openshift default-quay-openshift

    Example output

    stevsmit@stevsmit ocp-quay $ oc get secrets builder-quay-openshift deployer-quay-openshift default-quay-openshift
    NAME                      TYPE                             DATA   AGE
    builder-quay-openshift    kubernetes.io/dockerconfigjson   1      77m
    deployer-quay-openshift   kubernetes.io/dockerconfigjson   1      77m
    default-quay-openshift    kubernetes.io/dockerconfigjson   1      77m

  6. Enter the following command to display detailed information about the builder ServiceAccount (SA), including its secrets, token expiration, and associated roles and role bindings. This ensures that the project is integrated via the Quay Bridge Operator.

    $ oc describe sa builder default deployer

    Example output

    ...
    Name:                builder
    Namespace:           e2e-demo
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  builder-dockercfg-12345
                         builder-quay-openshift
    Mountable secrets:   builder-dockercfg-12345
                         builder-quay-openshift
    Tokens:              builder-token-12345
    Events:              <none>
    ...

  7. Enter the following command to create and deploy a new application called httpd-template:

    $ oc new-app --template=httpd-example

    Example output

    --> Deploying template "e2e-demo/httpd-example" to project e2e-demo
    ...
    --> Creating resources ...
        service "httpd-example" created
        route.route.openshift.io "httpd-example" created
        imagestream.image.openshift.io "httpd-example" created
        buildconfig.build.openshift.io "httpd-example" created
        deploymentconfig.apps.openshift.io "httpd-example" created
    --> Success
        Access your application via route 'httpd-example-e2e-demo.apps.quay-ocp.gcp.quaydev.org'
        Build scheduled, use 'oc logs -f buildconfig/httpd-example' to track its progress.
        Run 'oc status' to view your app.

    After running this command, BuildConfig, ImageStream, Service, Route, and DeploymentConfig resources are created. When the ImageStream resource is created, an associated repository is created in Red Hat Quay.

  8. The ImageChangeTrigger for the BuildConfig triggers a new Build when the Apache HTTPD image, located in the openshift namespace, is resolved. As the new Build is created, the MutatingWebhookConfiguration automatically rewrites the output to point at Red Hat Quay. You can confirm that the build is complete by querying the output field of the build by running the following command:

    $ oc get build httpd-example-1 --template='{{ .spec.output.to.name }}'

    Example output

    example-registry-quay-quay-enterprise.apps.quay-ocp.gcp.quaydev.org/openshift_e2e-demo/httpd-example:latest

  9. On the Red Hat Quay UI, navigate to the openshift_e2e-demo Organization and select the httpd-example repository.
  10. Click Tags in the navigation pane and confirm that the latest tag has been successfully pushed.
  11. Enter the following command to ensure that the latest tag has been resolved:

    $ oc describe is httpd-example

    Example output

    Name:			httpd-example
    Namespace:		e2e-demo
    Created:		55 minutes ago
    Labels:			app=httpd-example
    			template=httpd-example
    Description:		Keeps track of changes in the application image
    Annotations:		openshift.io/generated-by=OpenShiftNewApp
    			openshift.io/image.dockerRepositoryCheck=2023-10-02T17:56:45Z
    Image Repository:	image-registry.openshift-image-registry.svc:5000/e2e-demo/httpd-example
    Image Lookup:		local=false
    Unique Images:		0
    Tags:			1
    
    latest
      tagged from example-registry-quay-quay-enterprise.apps.quay-ocp.gcp.quaydev.org/openshift_e2e-demo/httpd-example:latest

  12. After the ImageStream is resolved, a new deployment should have been triggered. Enter the following command to generate a URL output:

    $ oc get route httpd-example --template='{{ .spec.host }}'

    Example output

    httpd-example-e2e-demo.apps.quay-ocp.gcp.quaydev.org

  13. Navigate to the URL. If a sample webpage appears, the deployment was successful.
  14. Enter the following command to delete the resources and clean up your Red Hat Quay repository:

    $ oc delete project e2e-demo

    Note

    The command waits until the project resources have been removed. This can be bypassed by adding --wait=false to the above command.

  15. After the command completes, navigate to your Red Hat Quay repository and confirm that the openshift_e2e-demo Organization is no longer available.
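
The checks in steps 5, 6, and 8 can be scripted. The following added example, which is not part of the Red Hat documentation or the Operator's code, derives the expected organization, robot account, and secret names from the clusterID and project, then verifies exported ServiceAccount and Build objects against them. The naming pattern is inferred from the examples in this procedure; the sample objects and quay.example.com are constructed.

```python
# Added example (not Red Hat's code): check objects exported with `oc get ... -o json`.
SERVICE_ACCOUNTS = ("builder", "default", "deployer")

def expected_names(cluster_id, namespace):
    """Names the procedure shows; the pattern is inferred from its examples."""
    org = f"{cluster_id}_{namespace}"
    return {
        "organization": org,
        "robots": [f"{org}+{sa}" for sa in SERVICE_ACCOUNTS],
        "secrets": {sa: f"{sa}-quay-{cluster_id}" for sa in SERVICE_ACCOUNTS},
    }

def check_service_account(sa_obj, cluster_id):
    """Findings for one ServiceAccount: robot secret must be pull AND mountable."""
    name = sa_obj["metadata"]["name"]
    want = f"{name}-quay-{cluster_id}"
    pull = {s["name"] for s in sa_obj.get("imagePullSecrets", [])}
    mount = {s["name"] for s in sa_obj.get("secrets", [])}
    findings = []
    if want not in pull:
        findings.append(f"{name}: {want} missing from imagePullSecrets")
    if want not in mount:
        findings.append(f"{name}: {want} missing from mountable secrets")
    return findings

def check_build_output(build_obj, quay_host, cluster_id):
    """Findings if the build output was not rewritten to <quay_host>/<org>/..."""
    org = f"{cluster_id}_{build_obj['metadata']['namespace']}"
    to = build_obj.get("spec", {}).get("output", {}).get("to", {})
    target = to.get("name", "")
    # The trailing slashes stop lookalike hosts or organizations from matching.
    if target.startswith(f"{quay_host}/{org}/"):
        return []
    return [f"output {target!r} is outside {quay_host}/{org}/"]

# Constructed sample objects, trimmed to the fields the checks read.
QUAY_HOST = "quay.example.com"  # placeholder hostname
SA_OK = {"metadata": {"name": "builder"},
         "imagePullSecrets": [{"name": "builder-dockercfg-12345"}, {"name": "builder-quay-openshift"}],
         "secrets": [{"name": "builder-dockercfg-12345"}, {"name": "builder-quay-openshift"}]}
SA_UNSYNCED = {"metadata": {"name": "default"},
               "imagePullSecrets": [{"name": "default-dockercfg-12345"}],
               "secrets": [{"name": "default-dockercfg-12345"}]}
BUILD_OK = {"metadata": {"namespace": "e2e-demo"}, "spec": {"output": {"to": {
    "name": QUAY_HOST + "/openshift_e2e-demo/httpd-example:latest"}}}}
BUILD_LOCAL = {"metadata": {"namespace": "e2e-demo"}, "spec": {"output": {"to": {
    "kind": "ImageStreamTag", "name": "httpd-example:latest"}}}}

if __name__ == "__main__":
    print(check_service_account(SA_UNSYNCED, "openshift"))
    print(check_build_output(BUILD_LOCAL, QUAY_HOST, "openshift"))
```

A build whose output still names an image stream tag, as in BUILD_LOCAL, was not rewritten and pushes to the integrated registry rather than to Red Hat Quay.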

Additional resources

  • Best practices dictate that all communication between a client and an image registry be facilitated through secure means. Communication should leverage HTTPS/TLS with a certificate trust between the parties. While Red Hat Quay can be configured to serve an insecure configuration, proper certificates should be utilized on the server and configured on the client. Follow the OpenShift Container Platform documentation for adding and managing certificates at the container runtime level.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.