Chapter 9. Integrate Red Hat Quay into OpenShift with the Bridge Operator

Using the Quay Bridge Operator, you can replace the integrated container registry in OpenShift with a Red Hat Quay registry. By doing this, your integrated OpenShift registry becomes a highly available, enterprise-grade Red Hat Quay registry with enhanced role based access control (RBAC) features.

The primary goals of the Bridge Operator is to duplicate the features of the integrated OpenShift registry in the new Red Hat Quay registry. The features enabled with this Operator include:

  • Synchronizing OpenShift namespaces as Red Hat Quay organizations.

    • Creating Robot accounts for each default namespace service account
    • Creating Secrets for each created Robot Account (associating each Robot Secret to a Service Account as Mountable and Image Pull Secret)
    • Synchronizing OpenShift ImageStreams as Quay Repositories
  • Automatically rewriting new Builds making use of ImageStreams to output to Red Hat Quay
  • Automatically importing an ImageStream tag once a build completes

Using this procedure with the Quay Bridge Operator, you enable bi-directional communication between your Red Hat Quay and OpenShift clusters.

9.1. Running the Quay Bridge Operator

9.1.1. Prerequisites

Before setting up the Bridge Operator, have the following in place:

  • An existing Red Hat Quay environment for which you have superuser permissions
  • A Red Hat OpenShift Container Platform environment (4.2 or later is recommended) for which you have cluster administrator permissions
  • An OpenShift command line tool (oc command)

9.1.2. Setting up and configuring OpenShift and Red Hat Quay

Both Red Hat Quay and OpenShift configuration is required:

9.1.3. Red Hat Quay setup

Create a dedicated Red Hat Quay organization, and from a new application you create within that organization, generate an OAuth token to be used with the Quay Bridge Operator in OpenShift

  1. Log in to Red Hat Quay as a user with superuser access and select the organization for which the external application will be configured.
  2. In the left navigation, select Applications.
  3. Select Create New Application and entering a name for the new application (for example, openshift).
  4. With the new application displayed, select it.
  5. In the left navigation, select Generate Token to create a new OAuth2 token.
  6. Select all checkboxes to grant the access needed for the integration.
  7. Review the assigned permissions and then select Authorize Application, then confirm it.
  8. Copy and save the generated Access Token that appears to use in the next section.

9.1.4. OpenShift Setup

Setting up OpenShift for the Quay Bridge Operator requires several steps, including:

9.1.4.1. Deploying the Operator

The fastest method for deploying the operator is to deploy from OperatorHub. From the Administrator perspective in the OpenShift Web Console, navigate to the Operators tab, and then select OperatorHub.

Search for Quay Bridge Operator and then select Install.

Select an Approval Strategy and then select Install which will deploy the operator to the cluster.

9.1.4.2. Creating an OpenShift secret for the OAuth token

The Operator will use the previously obtained Access Token to communicate with Quay. Store this token within OpenShift as a secret.

Execute the following command to create a secret called quay-integration in the openshift-operators namespace with a key called token containing the access token: 

$ oc create secret -n openshift-operators generic quay-integration --from-literal=token=<access_token>

9.1.4.3. Create the QuayIntegration Custom Resource

Finally, to complete the integration between OpenShift and Quay, a QuayIntegration custom resource needs to be created. This can be completed in the Web Console or from the command line.

quay-integration.yaml

apiVersion: quay.redhat.com/v1
kind: QuayIntegration
metadata:
  name: example-quayintegration
spec:
  clusterID: openshift  1
  credentialsSecret:
    namespace: openshift-operators
    name: quay-integration2
  quayHostname: https://<QUAY_URL>   3
  insecureRegistry: false 4

1
The clusterID value should be unique across the entire ecosystem. This value is optional and defaults to openshift.
2
The credentialsSecret property refers to the namespace and name of the secret containing the token that was previously created.
3
Replace QUAY_URL with the hostname of your Red Hat Quay instance.
4
If Quay is using self signed certificates, set the property insecureRegistry: true.

Create the QuayIntegration Custom Resource: 

$ oc create -f quay-integration.yaml

At this point a Quay integration resource is created, linking the OpenShift cluster to the Red Hat Quay instance. Organizations within Quay should be created for the related namespaces from the OpenShift environment