Install Project Quay Registry on OpenShift With Operator

ComputingPost
6 min read · Oct 6, 2022


Project Quay is a scalable container image registry that enables you to build, organize, distribute, and deploy containers. With Quay you can create image repositories, perform image vulnerability scanning, and apply robust access controls. We previously covered installing Quay on a Linux distribution using Docker:

How To Setup Red Hat Quay Registry on CentOS / RHEL / Ubuntu

In this guide, we will review how you can deploy the Quay container registry on OpenShift Container Platform using an Operator. The operator we’ll use is provided in the OperatorHub. If you don’t have an OpenShift / OKD cluster running and would like to try this article, check out our guides below.

Setup Local OpenShift 4.x Cluster with CodeReady Containers

How to Setup OpenShift Origin (OKD) 3.11 on Ubuntu

How To run Local Openshift Cluster with Minishift

Project Quay is made up of several core components:

  • Database: Used by Red Hat Quay as its primary metadata storage (not for image storage).
  • Redis (key-value store): Stores live builder logs and the Red Hat Quay tutorial.
  • Quay (container registry): Runs the quay container as a service, consisting of several components in the pod.
  • Clair: Scans container images for vulnerabilities and suggests fixes.

Step 1: Create new project for Project Quay

Let’s begin by creating a new project for Quay registry.

$ oc new-project quay-enterprise

Now using project "quay-enterprise" on server "https://api.crc.testing:6443".

.....

You can also create a Project from OpenShift Web console.


Click the Create button and confirm the project is created and running.


Step 2: Install Red Hat Quay Setup Operator

The Red Hat Quay Setup Operator provides a simple method to deploy and manage a Red Hat Quay cluster.

Log in to the OpenShift console and select Operators → OperatorHub:


Select the Red Hat Quay Operator.


Select Install; the Operator Subscription page will then appear.


Choose the following then select Subscribe:

  • Installation Mode: Select a specific namespace to install to
  • Update Channel: Choose the update channel (only one may be available)
  • Approval Strategy: Choose to approve automatic or manual updates

Step 3: Deploy a Red Hat Quay ecosystem

Certain credentials are required for accessing the Quay.io registry. Create a new file with the details below.

$ vim docker_quay.json
{
  "auths": {
    "quay.io": {
      "auth": "cmVkaGF0K3F1YXk6TzgxV1NIUlNKUjE0VUFaQks1NEdRSEpTMFAxVjRDTFdBSlYxWDJDNFNEN0tPNTlDUTlOM1JFMTI2MTJYVTFIUg==",
      "email": ""
    }
  }
}

Then create a secret on OpenShift that will be used.

oc project quay-enterprise

oc create secret generic redhat-pull-secret --from-file=".dockerconfigjson=docker_quay.json" --type='kubernetes.io/dockerconfigjson'

Create Quay Superuser credentials secret:

oc create secret generic quay-admin \
  --from-literal=superuser-username=quayadmin \
  --from-literal=superuser-password=StrongAdminPassword \
  --from-literal=superuser-email=admin@example.com

Where:

  • quayadmin is the Quay admin username
  • StrongAdminPassword is the password for admin user
  • admin@example.com is the email of Admin user to be created

Create Quay Configuration Secret

A dedicated deployment of Quay Enterprise is used to manage the configuration of Quay. Access to the configuration interface requires authentication, using the password stored in this secret:

oc create secret generic quay-config --from-literal=config-app-password=StrongPassword

Replace StrongPassword with your desired password.

Create Database credentials secret — PostgreSQL

oc create secret generic postgres-creds \
  --from-literal=database-username=quay \
  --from-literal=database-password=StrongUserPassword \
  --from-literal=database-root-password=StrongRootPassword \
  --from-literal=database-name=quay

These are the credentials for accessing the database server:

  • quay — Database and DB username
  • StrongUserPassword — quay DB user password
  • StrongRootPassword — root user database password

Create Redis Password Credential

By default, the operator managed Redis instance is deployed without a password. A password can be specified by creating a secret containing the password in the key password.

oc create secret generic redis-password  --from-literal=password=StrongRedisPassword
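
An added example (not part of the original guide): the four credential secrets above, built from generated passwords written to 0600 files, so that no password is typed on the command line or saved in shell history. The helper names (gen_password, stage_secret, stage_quay_secrets, apply_quay_secrets) and the --apply switch are assumptions of this example; the secret and key names are the ones used in this guide.

```shell
#!/bin/sh
# Added example: helper names and the --apply switch are assumptions;
# secret names and keys are the ones used in this guide.
set -eu

# gen_password LENGTH: alphanumeric string read from the kernel CSPRNG.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom 2>/dev/null | head -c "$1"
}

# stage_secret DIR NAME KEY=VALUE...: write one 0600 file per key under
# DIR/NAME, the layout `oc create secret generic --from-file=<dir>` reads.
# The body runs in a subshell so umask and variables stay local.
stage_secret() (
  dir=$1; name=$2; shift 2
  umask 077
  mkdir -p "$dir/$name"
  for kv in "$@"; do
    printf '%s' "${kv#*=}" > "$dir/$name/${kv%%=*}"
  done
)

# stage_quay_secrets DIR: stage the four credential secrets with fresh passwords.
stage_quay_secrets() {
  stage_secret "$1" quay-admin \
    superuser-username=quayadmin \
    superuser-email=admin@example.com \
    "superuser-password=$(gen_password 24)"
  stage_secret "$1" quay-config "config-app-password=$(gen_password 24)"
  stage_secret "$1" postgres-creds \
    database-username=quay \
    database-name=quay \
    "database-password=$(gen_password 32)" \
    "database-root-password=$(gen_password 32)"
  stage_secret "$1" redis-password "password=$(gen_password 32)"
}

# apply_quay_secrets DIR: create every staged secret in the quay-enterprise project.
apply_quay_secrets() {
  for d in "$1"/*/; do
    oc -n quay-enterprise create secret generic "$(basename "$d")" --from-file="$d"
  done
}

# Run with --apply to stage, create and then delete the staged files.
if [ "${1:-}" = "--apply" ]; then
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  stage_quay_secrets "$work"
  apply_quay_secrets "$work"
fi
```

Read the generated superuser password back with `oc extract secret/quay-admin --to=-` when you log in at Step 4.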

Create Quay Ecosystem Deployment Manifest

My Red Hat Quay ecosystem configuration file (quay-ecosystem.yaml) looks like this:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: QuayEcosystem
metadata:
  name: quay-ecosystem
spec:
  clair:
    enabled: true
    imagePullSecretName: redhat-pull-secret
    updateInterval: "60m"
  # Redis settings sit at the spec level, alongside quay and clair
  redis:
    credentialsSecretName: redis-password
  quay:
    imagePullSecretName: redhat-pull-secret
    superuserCredentialsSecretName: quay-admin
    configSecretName: quay-config
    deploymentStrategy: RollingUpdate
    skipSetup: false
    database:
      volumeSize: 10Gi
      credentialsSecretName: postgres-creds
    registryStorage:
      persistentVolumeSize: 20Gi
      persistentVolumeAccessModes:
        - ReadWriteMany
    livenessProbe:
      initialDelaySeconds: 120
      httpGet:
        path: /health/instance
        port: 8443
        scheme: HTTPS
    readinessProbe:
      initialDelaySeconds: 10
      httpGet:
        path: /health/instance
        port: 8443
        scheme: HTTPS

Modify it to fit your use case. When done, apply the configuration:

oc apply -f quay-ecosystem.yaml

Using Custom SSL Certificates

If you want to use custom SSL certificates with Quay, you need to create a secret with the key and the certificate:

oc create secret generic custom-quay-ssl \
  --from-file=ssl.key=example.key \
  --from-file=ssl.cert=example.crt

Then modify your Ecosystem file to use the custom certificate secret:

  quay:
    imagePullSecretName: redhat-pull-secret
    sslCertificatesSecretName: custom-quay-ssl
    .......

Wait a few minutes, then confirm the deployment:

$ oc get deployments
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
quay-ecosystem-clair              1/1     1            1           2m35s
quay-ecosystem-clair-postgresql   1/1     1            1           2m57s
quay-ecosystem-quay               1/1     1            1           3m45s
quay-ecosystem-quay-postgresql    1/1     1            1           5m8s
quay-ecosystem-redis              1/1     1            1           5m57s
quay-operator                     1/1     1            1           70m

$ oc get svc
NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
quay-ecosystem-clair              ClusterIP   172.30.66.1     <none>        6060/TCP,6061/TCP   4m
quay-ecosystem-clair-postgresql   ClusterIP   172.30.10.126   <none>        5432/TCP            3m58s
quay-ecosystem-quay               ClusterIP   172.30.47.147   <none>        443/TCP             5m38s
quay-ecosystem-quay-postgresql    ClusterIP   172.30.196.61   <none>        5432/TCP            6m15s
quay-ecosystem-redis              ClusterIP   172.30.48.112   <none>        6379/TCP            6m58s
quay-operator-metrics             ClusterIP   172.30.81.233   <none>        8383/TCP,8686/TCP   70m

Running pods in the project:

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
quay-ecosystem-clair-84b4d77654-cjwcr             1/1     Running   0          2m57s
quay-ecosystem-clair-postgresql-7c47b5955-qbc4s   1/1     Running   0          3m23s
quay-ecosystem-quay-66584ccbdb-8szts              1/1     Running   0          4m8s
quay-ecosystem-quay-postgresql-74bf8db7f8-vnrx9   1/1     Running   0          5m34s
quay-ecosystem-redis-7dcd5c58d6-p7xkn             1/1     Running   0          6m23s
quay-operator-764c99dcdb-k44cq                    1/1     Running   0          70m

Step 4: Access Quay Dashboard

Get a route URL for deployed Quay:

$ oc get route

quay-ecosystem-quay quay-ecosystem-quay-quay-enterprise.apps.example.com quay-ecosystem-quay 8443 passthrough/Redirect None

Open the URL on a machine with access to the cluster domain.


Use the credentials you configured to log in to the Quay registry.


And there you have it. You now have a Quay registry running on OpenShift using Operators. Refer to the documentation below for more help.
