Project Quay is a scalable container image registry that enables you to build, organize, distribute, and deploy containers. With Quay you can create image repositories, perform image vulnerability scanning, and apply robust access controls. We previously covered installing Quay on a Linux distribution using Docker.
In this guide, we will review how you can deploy the Quay container registry on OpenShift Container Platform using an Operator. The operator we’ll use is provided in the OperatorHub. If you don’t have an OpenShift / OKD cluster running and would like to try this article, check out our guides below.
- Setup Local OpenShift 4.x Cluster with CodeReady Containers
- How to Setup OpenShift Origin (OKD) 3.11 on Ubuntu
- How To run Local Openshift Cluster with Minishift
Project Quay is made up of several core components.
- Database: Used by Red Hat Quay as its primary metadata storage (not for image storage).
- Redis (key, value store): Stores live builder logs and the Red Hat Quay tutorial.
- Quay (container registry): Runs the quay container as a service, consisting of several components in the pod.
- Clair: Scans container images for vulnerabilities and suggests fixes.
Step 1: Create new project for Project Quay
Let’s begin by creating a new project for Quay registry.
$ oc new-project quay-enterprise
Now using project "quay-enterprise" on server "https://api.crc.testing:6443".
.....
You can also create a project from the OpenShift web console.
Click the Create button and confirm the project is created and running.
Step 2: Install Red Hat Quay Setup Operator
The Red Hat Quay Setup Operator provides a simple method to deploy and manage a Red Hat Quay cluster.
Log in to the OpenShift console and select Operators → OperatorHub:
Select the Red Hat Quay Operator.
Select Install; the Operator Subscription page will then appear.
Choose the following then select Subscribe:
- Installation Mode: Select a specific namespace to install to
- Update Channel: Choose the update channel (only one may be available)
- Approval Strategy: Choose to approve automatic or manual updates
Step 3: Deploy a Red Hat Quay ecosystem
Certain credentials are required for accessing the Quay.io registry. Create a new file with the details below.
$ vim docker_quay.json
{
  "auths": {
    "quay.io": {
      "auth": "cmVkaGF0K3F1YXk6TzgxV1NIUlNKUjE0VUFaQks1NEdRSEpTMFAxVjRDTFdBSlYxWDJDNFNEN0tPNTlDUTlOM1JFMTI2MTJYVTFIUg==",
      "email": ""
    }
  }
}
Then create an OpenShift secret from this file; the deployment manifest references it as its image pull secret.
oc project quay-enterprise
oc create secret generic redhat-pull-secret --from-file=".dockerconfigjson=docker_quay.json" --type='kubernetes.io/dockerconfigjson'
Create Quay Superuser credentials secret:
oc create secret generic quay-admin \
  --from-literal=superuser-username=quayadmin \
  --from-literal=superuser-password=StrongAdminPassword \
  --from-literal=superuser-email=[email protected]
Where:
- quayadmin is the Quay admin username
- StrongAdminPassword is the password for admin user
- [email protected] is the email of Admin user to be created
Create Quay Configuration Secret
A dedicated deployment of Quay Enterprise is used to manage the configuration of Quay. Access to the configuration interface is secured and requires authentication.
oc create secret generic quay-config --from-literal=config-app-password=StrongPassword
Replace StrongPassword with your desired password.
Create Database credentials secret – PostgreSQL
oc create secret generic postgres-creds \
  --from-literal=database-username=quay \
  --from-literal=database-password=StrongUserPassword \
  --from-literal=database-root-password=StrongRootPassword \
  --from-literal=database-name=quay
These are the credentials for accessing the database server:
- quay – Database and DB username
- StrongUserPassword – quay DB user password
- StrongRootPassword – root user database password
Create Redis Password Credential
By default, the operator-managed Redis instance is deployed without a password. A password can be specified by creating a secret containing the password in the key password.
oc create secret generic redis-password --from-literal=password=StrongRedisPassword
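The commands above pass placeholder passwords as --from-literal arguments, which also leaves them in shell history. The following is an added example, not part of the original guide: it renders the same four secrets (same names and keys) with randomly generated passwords as manifests that can be piped to oc. The function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original guide): render the four credential
# secrets from Step 3 with random passwords instead of typing them as
# --from-literal arguments. Function names are hypothetical.
set -eu

NAMESPACE="quay-enterprise"   # project created in Step 1

# gen_password [BYTES]: BYTES random bytes from the kernel CSPRNG, hex-encoded.
gen_password() {
    od -An -N"${1:-24}" -tx1 /dev/urandom | tr -d ' \t\n'
}

# render_secret NAME KEY=VALUE...: print an Opaque Secret manifest on stdout.
render_secret() {
    name="$1"; shift
    # Refuse values that would break out of the double-quoted YAML scalar.
    for kv in "$@"; do
        case "${kv#*=}" in
            *[\"\\]*) echo "unsafe character in ${kv%%=*}" >&2; return 1 ;;
        esac
    done
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf '  namespace: %s\ntype: Opaque\nstringData:\n' "$NAMESPACE"
    for kv in "$@"; do
        printf '  %s: "%s"\n' "${kv%%=*}" "${kv#*=}"
    done
}

# render_quay_secrets ADMIN_EMAIL: same secret names and keys as the guide.
render_quay_secrets() {
    render_secret quay-admin superuser-username=quayadmin \
        "superuser-password=$(gen_password)" "superuser-email=$1"
    echo '---'
    render_secret quay-config "config-app-password=$(gen_password)"
    echo '---'
    render_secret postgres-creds database-username=quay database-name=quay \
        "database-password=$(gen_password)" \
        "database-root-password=$(gen_password)"
    echo '---'
    render_secret redis-password "password=$(gen_password)"
}

# Stand-alone use: sh quay-secrets.sh admin@example.com | oc apply -f -
if [ "$#" -ge 1 ]; then
    render_quay_secrets "$1"
fi
```

A generated value can be read back later with `oc extract secret/quay-admin --to=-`.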
Create Quay Ecosystem Deployment Manifest
My Red Hat Quay ecosystem configuration file looks like this:
apiVersion: redhatcop.redhat.io/v1alpha1
kind: QuayEcosystem
metadata:
  name: quay-ecosystem
spec:
  clair:
    enabled: true
    imagePullSecretName: redhat-pull-secret
    updateInterval: "60m"
  # Redis settings sit at the spec level, next to clair and quay
  redis:
    credentialsSecretName: redis-password
  quay:
    imagePullSecretName: redhat-pull-secret
    superuserCredentialsSecretName: quay-admin
    configSecretName: quay-config
    deploymentStrategy: RollingUpdate
    skipSetup: false
    database:
      volumeSize: 10Gi
      credentialsSecretName: postgres-creds
    registryStorage:
      persistentVolumeSize: 20Gi
      persistentVolumeAccessModes:
        - ReadWriteMany
    livenessProbe:
      initialDelaySeconds: 120
      httpGet:
        path: /health/instance
        port: 8443
        scheme: HTTPS
    readinessProbe:
      initialDelaySeconds: 10
      httpGet:
        path: /health/instance
        port: 8443
        scheme: HTTPS
Modify it to fit your use case. When done, apply the configuration:
oc apply -f quay-ecosystem.yaml
Using Custom SSL Certificates
If you want to use custom SSL certificates with Quay, you need to create a secret with the key and the certificate:
oc create secret generic custom-quay-ssl \
  --from-file=ssl.key=example.key \
  --from-file=ssl.cert=example.crt
Then modify your Ecosystem file to use the custom certificate secret:
  quay:
    imagePullSecretName: redhat-pull-secret
    sslCertificatesSecretName: custom-quay-ssl
    .......
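A mismatched or expired key and certificate pair is easier to catch before it is stored in the custom-quay-ssl secret. The following is an added example, not part of the original guide: it checks that the private key belongs to the certificate and that the certificate is not close to expiry. The function name check_quay_tls, the script name, and the 30-day default are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the files
# that go into the custom-quay-ssl secret. check_quay_tls is a hypothetical name.
set -eu

# check_quay_tls CERT KEY [MIN_SECONDS_VALID]
# Returns 0 only if KEY is the private key for CERT and CERT remains valid for
# at least MIN_SECONDS_VALID more seconds (default: 30 days).
check_quay_tls() {
    cert="$1"; key="$2"; min_valid="${3:-2592000}"

    # Public key embedded in the certificate, as PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || {
        echo "cannot parse certificate: $cert" >&2; return 1; }

    # Public key derived from the private key. "-passin pass:" makes an
    # encrypted key fail here instead of prompting for a passphrase.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout) || {
        echo "cannot read private key (missing or encrypted): $key" >&2
        return 1; }

    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null || {
        echo "certificate expires within $min_valid seconds" >&2; return 1; }
}

# Stand-alone use: sh check-tls.sh example.crt example.key
if [ "$#" -ge 2 ]; then
    check_quay_tls "$@"
fi
```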
Wait a few minutes, then confirm the deployment:
$ oc get deployments
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
quay-ecosystem-clair              1/1     1            1           2m35s
quay-ecosystem-clair-postgresql   1/1     1            1           2m57s
quay-ecosystem-quay               1/1     1            1           3m45s
quay-ecosystem-quay-postgresql    1/1     1            1           5m8s
quay-ecosystem-redis              1/1     1            1           5m57s
quay-operator                     1/1     1            1           70m
$ oc get svc
NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
quay-ecosystem-clair              ClusterIP   172.30.66.1     <none>        6060/TCP,6061/TCP   4m
quay-ecosystem-clair-postgresql   ClusterIP   172.30.10.126   <none>        5432/TCP            3m58s
quay-ecosystem-quay               ClusterIP   172.30.47.147   <none>        443/TCP             5m38s
quay-ecosystem-quay-postgresql    ClusterIP   172.30.196.61   <none>        5432/TCP            6m15s
quay-ecosystem-redis              ClusterIP   172.30.48.112   <none>        6379/TCP            6m58s
quay-operator-metrics             ClusterIP   172.30.81.233   <none>        8383/TCP,8686/TCP   70m
Running pods in the project:
$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
quay-ecosystem-clair-84b4d77654-cjwcr             1/1     Running   0          2m57s
quay-ecosystem-clair-postgresql-7c47b5955-qbc4s   1/1     Running   0          3m23s
quay-ecosystem-quay-66584ccbdb-8szts              1/1     Running   0          4m8s
quay-ecosystem-quay-postgresql-74bf8db7f8-vnrx9   1/1     Running   0          5m34s
quay-ecosystem-redis-7dcd5c58d6-p7xkn             1/1     Running   0          6m23s
quay-operator-764c99dcdb-k44cq                    1/1     Running   0          70m
Step 4: Access Quay Dashboard
Get a route URL for deployed Quay:
$ oc get route
quay-ecosystem-quay quay-ecosystem-quay-quay-enterprise.apps.example.com quay-ecosystem-quay 8443 passthrough/Redirect None
Open the URL on a machine with access to the cluster domain.
Use the credentials you configured to log in to the Quay registry.
And there you have it. You now have a Quay registry running on OpenShift using Operators. Refer to the documentation below for more help.
More on OpenShift / Registry:
Ceph Persistent Storage for Kubernetes with Cephfs
Persistent Storage for Kubernetes with Ceph RBD
Install Harbor Container Image Registry on CentOS / Debian / Ubuntu