Chapter 15. Schema for Red Hat Quay configuration

Most Red Hat Quay configuration information is stored in the config.yaml file that is created using the browser-based config tool when Red Hat Quay is first deployed. This chapter describes the schema of those settings that are available to use in the`config.yaml` file.

The following fields required (all other are optional):

AUTHENTICATION_TYPE
BUILDLOGS_REDIS
DATABASE_SECRET_KEY
DB_URI
DEFAULT_TAG_EXPIRATION
DISTRIBUTED_STORAGE_CONFIG
DISTRIBUTED_STORAGE_PREFERENCE
PREFERRED_URL_SCHEME
SECRET_KEY
SERVER_HOSTNAME
TAG_EXPIRATION_OPTIONS
USER_EVENTS_REDIS
  • ACTION_LOG_ARCHIVE_LOCATION [string]: If action log archiving is enabled, the storage engine in which to place the archived data.

    • Example: s3_us_east
  • ACTION_LOG_ARCHIVE_PATH [string]: If action log archiving is enabled, the path in storage in which to place the archived data.

    • Example: archives/actionlogs
  • ACTION_LOG_ROTATION_THRESHOLD [string]: If action log archiving is enabled, the time interval after which to rotate logs.

    • Example: 30d
  • ALLOW_PULLS_WITHOUT_STRICT_LOGGING [boolean]: If true, pulls in which the pull audit log entry cannot be written will still succeed. Useful if the database can fallback into a read-only state and it is desired for pulls to continue during that time. Defaults to False.

    • Example: True
  • APP_SPECIFIC_TOKEN_EXPIRATION [string, null]: The expiration for external app tokens. Defaults to None.

    • Pattern: ^[0-9]+(w|m|d|h|s)$
  • AUTHENTICATION_TYPE [string] required: The authentication engine to use for credential authentication.

    • enum: Database, LDAP, JWT, Keystone, OIDC.
    • Example: Database
  • AVATAR_KIND [string]: The types of avatars to display, either generated inline (local) or Gravatar (gravatar)

    • enum: local, gravatar
  • BITBUCKET_TRIGGER_CONFIG ['object', 'null']: Configuration for using BitBucket for build triggers.

    • consumer_key [string] required: The registered consumer key(client ID) for this Red Hat Quay instance.

      • Example: 0e8dbe15c4c7630b6780
  • BLACKLISTED_EMAIL_DOMAINS [array]: The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.

    • Example: "example.com", "example.org"
  • BLACKLIST_V2_SPEC [string]: The Docker CLI versions to which Red Hat Quay will respond that V2 is unsupported. Defaults to <1.6.0.

  • BRANDING [object]: Custom branding for logos and URLs in the Red Hat Quay UI.

    • Required: logo
    • properties:

      • logo [string]: Main logo image URL.

        • Example: /static/img/quay-horizontal-color.svg
      • footer_img [string]: Logo for UI footer.

        • Example: /static/img/RedHat.svg
      • footer_url [string]: Link for footer image.

  • BROWSER_API_CALLS_XHR_ONLY [boolean]: If enabled, only API calls marked as being made by an XHR will be allowed from browsers. Defaults to True.

    • Example: False
  • BUILDLOGS_REDIS [object] required: Connection information for Redis for build logs caching.

    • HOST [string] required: The hostname at which Redis is accessible.

      • Example: my.redis.cluster
    • PASSWORD [string]: The password to connect to the Redis instance.

      • Example: mypassword
    • PORT [number]: The port at which Redis is accessible.

      • Example: 1234
  • CONTACT_INFO [array]: If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly.

    • Min Items: 1
    • Unique Items: True

      • array item 0 [string]: Adds a link to send an e-mail
      • Pattern: ^mailto:(.)+$
      • Example: mailto:support@quay.io
    • array item 1 [string]: Adds a link to visit an IRC chat room

    • array item 2 [string]: Adds a link to call a phone number

      • Pattern: ^tel:(.)+$
      • Example: tel:+1-888-930-3475
    • array item 3 [string]: Adds a link to a defined URL

  • DB_CONNECTION_ARGS [object]: If specified, connection arguments for the database such as timeouts and SSL.

    • threadlocals [boolean] required: Whether to use thread-local connections. Should ALWAYS be true.
    • autorollback [boolean] required: Whether to use auto-rollback connections. Should ALWAYS be true.
    • ssl [object]: SSL connection configuration

      • ca [string] required: Absolute container path to the CA certificate to use for SSL connections.
      • Example: conf/stack/ssl-ca-cert.pem
  • DATABASE_SECRET_KEY [string] required: Key used to encrypt sensitive fields within the database. It is imperative that once set, this value is never changed. The consequence of changing this is invalidating all reliant fields (repository mirror username and password configurations, for example).

    • Example: 40157269433064266822674401740626984898972632465622168464725100311621640999470
  • DB_URI [string] required: The URI at which to access the database, including any credentials.

  • DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT [number, null]: If not None, the default maximum number of builds that can be queued in a namespace.

    • Example: 20
  • DEFAULT_TAG_EXPIRATION [string] required: The default, configurable tag expiration time for time machine. Defaults to 2w.

    • Pattern: ^[0-9]+(w|m|d|h|s)$
  • DIRECT_OAUTH_CLIENTID_WHITELIST [array]: A list of client IDs of Red Hat Quay-managed applications that are allowed to perform direct OAuth approval without user approval.

  • DISTRIBUTED_STORAGE_CONFIG [object] required: Configuration for storage engine(s) to use in Red Hat Quay. Each key represents an unique identifier for a storage engine. The value consists of a tuple of (key, value) forming an object describing the storage engine parameters.

    • OCS / Noobaa:

      rhocsStorage:
        - RHOCSStorage
        - access_key: access_key_here
          secret_key: secret_key_here
          bucket_name: quay-datastore-9b2108a3-29f5-43f2-a9d5-2872174f9a56
          hostname: s3.openshift-storage.svc.cluster.local
          is_secure: 'true'
          port: '443'
          storage_path: /datastorage/registry
    • Ceph / RadosGW Storage / Hitachi HCP:

      radosGWStorage:
        - RadosGWStorage
        - access_key: access_key_here
          secret_key: secret_key_here
          bucket_name: bucket_name_here
          hostname: hostname_here
          is_secure: 'true'
          port: '443'
          storage_path: /datastorage/registry
    • AWS S3 Storage:

      s3Storage:
        - S3Storage
        - host: s3.ap-southeast-2.amazonaws.com
          s3_access_key: s3_access_key_here
          s3_secret_key: s3_secret_key_here
          s3_bucket: s3_bucket_here
          storage_path: /datastorage/registry
    • Azure Storage:

      azureStorage:
        - AzureStorage
        - azure_account_name: azure_account_name_here
          azure_account_key: azure_account_key_here
          azure_container: azure_container_here
          sas_token: some/path/
          storage_path: /datastorage/registry
    • Google Cloud Storage:

      googleCloudStorage:
        - GoogleCloudStorage
        - access_key: access_key_here
          secret_key: secret_key_here
          bucket_name: bucket_name_here
          storage_path: /datastorage/registry
    • Swift Storage:

      swiftStorage:
        - SwiftStorage
        - swift_user: swift_user_here
          swift_password: swift_password_here
          swift_container: swift_container_here
          auth_url: https://example.org/swift/v1/quay
          auth_version: 1
          ca_cert_path: /conf/stack/swift.cert"
          storage_path: /datastorage/registry
  • DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS [array]: The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose images should be fully replicated, by default, to all other storage engines.

    • Min Items: None
    • Example: s3_us_east, s3_us_west

      • array item [string]
  • DISTRIBUTED_STORAGE_PREFERENCE [array] required: The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to use. A preferred engine means it is first checked for pulling and images are pushed to it.

    • Min Items: None

      • Example: [u’s3_us_east', u’s3_us_west']
      • array item [string]
    • preferred_url_scheme [string] required: The URL scheme to use when hitting Red Hat Quay. If Red Hat Quay is behind SSL at all, this must be https.

      • enum: http, https
      • Example: https
  • DOCUMENTATION_ROOT [string]: Root URL for documentation links.
  • ENABLE_HEALTH_DEBUG_SECRET [string, null]: If specified, a secret that can be given to health endpoints to see full debug info when not authenticated as a superuser.

    • Example: somesecrethere
  • EXPIRED_APP_SPECIFIC_TOKEN_GC [string, null]: Duration of time expired external app tokens will remain before being garbage collected. Defaults to 1d.

    • pattern: ^[0-9]+(w|m|d|h|s)$
  • EXTERNAL_TLS_TERMINATION [boolean]: If TLS is supported, but terminated at a layer before Red Hat Quay, must be true.

    • Example: True
  • FEATURE_ACI_CONVERSION [boolean]: Whether to enable conversion to ACIs. Defaults to False.

    • Example: False
  • FEATURE_ACTION_LOG_ROTATION [boolean]: Whether or not to rotate old action logs to storage. Defaults to False.

    • Example: False
  • FEATURE_ADVERTISE_V2 [boolean]: Whether the v2/ endpoint is visible. Defaults to True.

    • Example: True
  • FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL [boolean]: Whether to allow retrieval of aggregated log counts. Defaults to True.

    • Example: True
  • FEATURE_ANONYMOUS_ACCESS [boolean]: Whether to allow anonymous users to browse and pull public repositories. Defaults to True.

    • Example: True
  • FEATURE_APP_REGISTRY [boolean]: Whether to enable support for App repositories. Defaults to False.

    • Example: False
  • FEATURE_APP_SPECIFIC_TOKENS [boolean]: If enabled, users can create tokens for use by the Docker CLI. Defaults to True.

    • Example: False
  • FEATURE_BITBUCKET_BUILD [boolean]: Whether to support Bitbucket build triggers. Defaults to False.

    • Example: False
  • FEATURE_BLACKLISTED_EMAIL
  • FEATURE_BUILD_SUPPORT [boolean]: Whether to support Dockerfile build. Defaults to True.

    • Example: True
  • FEATURE_CHANGE_TAG_EXPIRATION [boolean]: Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.

    • Example: False
  • FEATURE_DIRECT_LOGIN [boolean]: Whether users can directly login to the UI. Defaults to True.

    • Example: True
  • FEATURE_GARBAGE_COLLECTION [boolean]: Whether garbage collection of repositories is enabled. Defaults to True.

    • Example: True
  • FEATURE_GITHUB_BUILD [boolean]: Whether to support GitHub build triggers. Defaults to False.

    • Example: False
  • FEATURE_GITHUB_LOGIN [boolean]: Whether GitHub login is supported. Defaults to False.

    • Example: False
  • FEATURE_GITLAB_BUILD[boolean]: Whether to support GitLab build triggers. Defaults to False.

    • Example: False
  • FEATURE_GOOGLE_LOGIN [boolean]: Whether Google login is supported. Defaults to False.

    • Example: False
  • FEATURE_INVITE_ONLY_USER_CREATION [boolean]: Whether users being created must be invited by another user. Defaults to False.

    • Example: False
  • FEATURE_LIBRARY_SUPPORT [boolean]: Whether to allow for "namespace-less" repositories when pulling and pushing from Docker. Defaults to True.

    • Example: True
  • FEATURE_LOG_EXPORT [boolean]: Whether to allow exporting of action logs. Defaults to True.

    • Example: True
  • FEATURE_MAILING [boolean]: Whether emails are enabled. Defaults to True.

    • Example: True
  • FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP [boolean]: If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.

    • Example: True
  • FEATURE_PARTIAL_USER_AUTOCOMPLETE [boolean]: If set to true, autocompletion will apply to partial usernames. Defaults to True.

    • Example: True
  • FEATURE_PERMANENT_SESSIONS [boolean]: Whether sessions are permanent. Defaults to True.

    • Example: True
  • FEATURE_PROXY_STORAGE [boolean]: Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False.

    • Example: False
  • FEATURE_PUBLIC_CATALOG [boolean]: If set to true, the _catalog endpoint returns public repositories. Otherwise, only private repositories can be returned. Defaults to False.

    • Example: False
  • FEATURE_RATE_LIMITS [boolean]: Whether to enable rate limits on API and registry endpoints. Defaults to False.

    • Example: False
  • FEATURE_READER_BUILD_LOGS [boolean]: If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. Defaults to False.

    • Example: False
  • FEATURE_READONLY_APP_REGISTRY [boolean]: Whether to App repositories are read-only. Defaults to False.

    • Example: True
  • FEATURE_RECAPTCHA [boolean]: Whether Recaptcha is necessary for user login and recovery. Defaults to False.

  • FEATURE_REPO_MIRROR [boolean]: If set to true, enables repository mirroring. Defaults to False.

    • Example: False
  • FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH [boolean]: Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for basic auth. Defaults to False.

    • Example: False
  • FEATURE_REQUIRE_TEAM_INVITE [boolean]: Whether to require invitations when adding a user to a team. Defaults to True.

    • Example: True
  • FEATURE_RESTRICTED_V1_PUSH [boolean]: If set to true, only namespaces listed in V1_PUSH_WHITELIST support V1 push. Defaults to True.

    • Example: True
  • FEATURE_SECURITY_NOTIFICATIONS [boolean]: If the security scanner is enabled, whether to turn on/off security notifications. Defaults to False.

    • Example: False
  • FEATURE_SECURITY_SCANNER [boolean]: Whether to turn on/off the security scanner. Defaults to False.

  • FEATURE_STORAGE_REPLICATION [boolean]: Whether to automatically replicate between storage engines. Defaults to False.

    • Example: False
  • FEATURE_SUPER_USERS [boolean]: Whether superusers are supported. Defaults to True.

    • Example: True
  • FEATURE_TEAM_SYNCING [boolean]: Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone).

    • Example: True
  • FEATURE_USER_CREATION [boolean]: Whether users can be created (by non-superusers). Defaults to True.

    • Example: True
  • FEATURE_USER_LAST_ACCESSED [boolean]: Whether to record the last time a user was accessed. Defaults to True.

    • Example: True
  • FEATURE_USER_LOG_ACCESS [boolean]: If set to true, users will have access to audit logs for their namespace. Defaults to False.

    • Example: True
  • FEATURE_USER_METADATA [boolean]: Whether to collect and support user metadata. Defaults to False.

    • Example: False
  • FEATURE_USERNAME_CONFIRMATION [boolean]: If set to true, users can confirm their generated usernames. Defaults to True.

    • Example: False
  • FEATURE_USER_RENAME [boolean]: If set to true, users can rename their own namespace. Defaults to False.

    • Example: True
  • FRESH_LOGIN_TIMEOUT [string]: The time after which a fresh login requires users to reenter their password

    • Example: 5m
  • GITHUB_LOGIN_CONFIG [object, 'null']: Configuration for using GitHub (Enterprise) as an external login provider.

  • GITHUB_TRIGGER_CONFIG [object, null]: Configuration for using GitHub (Enterprise) for build triggers.

  • GITLAB_TRIGGER_CONFIG [object]: Configuration for using Gitlab (Enterprise) for external authentication.

    • CLIENT_ID [string] required: The registered client ID for this Red Hat Quay instance.

      • Example: 0e8dbe15c4c7630b6780
    • CLIENT_SECRET [string] required: The registered client secret for this Red Hat Quay instance.

      • Example: e4a58ddd3d7408b7aec109e85564a0d153d3e846
      • gitlab_endpoint [string] required: The endpoint at which Gitlab(Enterprise) is running.

  • GOOGLE_LOGIN_CONFIG [object, null]: Configuration for using Google for external authentication

    • CLIENT_ID [string] required: The registered client ID for this Red Hat Quay instance.

      • Example: 0e8dbe15c4c7630b6780
    • CLIENT_SECRET [string] required: The registered client secret for this Red Hat Quay instance.

      • Example: e4a58ddd3d7408b7aec109e85564a0d153d3e846
  • GPG2_PRIVATE_KEY_FILENAME [string]: The filename of the private key used to decrypte ACIs.

    • Example: /path/to/file
  • GPG2_PRIVATE_KEY_NAME [string]: The name of the private key used to sign ACIs.

    • Example: gpg2key
  • GPG2_PUBLIC_KEY_FILENAME [string]: The filename of the public key used to encrypt ACIs.

    • Example: /path/to/file
  • HEALTH_CHECKER [string]: The configured health check.

    • Example: ('RDSAwareHealthCheck', {'access_key': 'foo', 'secret_key': 'bar'})
  • JWT_AUTH_ISSUER [string]: The endpoint for JWT users.

  • JWT_GETUSER_ENDPOINT [string]: The endpoint for JWT users.

  • JWT_QUERY_ENDPOINT [string]: The endpoint for JWT queries.

  • JWT_VERIFY_ENDPOINT [string]: The endpoint for JWT verification.

  • LDAP_ADMIN_DN [string]: The admin DN for LDAP authentication.
  • LDAP_ADMIN_PASSWD [string]: The admin password for LDAP authentication.
  • LDAP_ALLOW_INSECURE_FALLBACK [boolean]: Whether or not to allow SSL insecure fallback for LDAP authentication.
  • LDAP_BASE_DN [string]: The base DN for LDAP authentication.
  • LDAP_EMAIL_ATTR [string]: The email attribute for LDAP authentication.
  • LDAP_UID_ATTR [string]: The uid attribute for LDAP authentication.
  • LDAP_URI [string]: The LDAP URI.
  • LDAP_USER_FILTER [string]: The user filter for LDAP authentication.
  • LDAP_USER_RDN [array]: The user RDN for LDAP authentication.
  • LOGS_MODEL [string]: Logs model for action logs.

    • enum: database, transition_reads_both_writes_es, elasticsearch
    • Example: database
  • LOGS_MODEL_CONFIG [object]: Logs model config for action logs

    • elasticsearch_config [object]: Elasticsearch cluster configuration

      • access_key [string]: Elasticsearch user (or IAM key for AWS ES)

        • Example: some_string
      • host [string]: Elasticsearch cluster endpoint

        • Example: host.elasticsearch.example
      • index_prefix [string]: Elasticsearch’s index prefix

        • Example: logentry_
      • index_settings [object]: Elasticsearch’s index settings
      • use_ssl [boolean]: Use ssl for Elasticsearch. Defaults to True

        • Example: True
      • secret_key [string]: Elasticsearch password (or IAM secret for AWS ES)

        • Example: some_secret_string
      • aws_region [string]: Amazon web service region

        • Example: us-east-1
      • port [number]: Elasticsearch cluster endpoint port

        • Example: 1234
    • kinesis_stream_config [object]: AWS Kinesis Stream configuration

      • aws_secret_key [string]: AWS secret key

        • Example: some_secret_key
      • stream_name [string]: Kinesis stream to send action logs to

        • Example: logentry-kinesis-stream
      • aws_access_key [string]: AWS access key

        • Example: some_access_key
      • retries [number]: Max number of attempts made on a single request

        • Example: 5
      • read_timeout [number]: Number of seconds before timeout when reading from a connection

        • Example: 5
      • max_pool_connections [number]: The maximum number of connections to keep in a connection pool

        • Example: 10
      • aws_region [string]: AWS region

        • Example: us-east-1
      • connect_timeout [number]: Number of seconds before timeout when attempting to make a connection

        • Example: 5
    • producer [string]: Logs producer if logging to Elasticsearch

      • enum: kafka, elasticsearch, kinesis_stream
      • Example: kafka
    • kafka_config [object]: Kafka cluster configuration

      • topic [string]: Kafka topic to publish log entries to

        • Example: logentry
      • bootstrap_servers [array]: List of Kafka brokers to bootstrap the client from
      • max_block_seconds [number]: Max number of seconds to block during a send(), either because the buffer is full or metadata unavailable

        • Example: 10
  • LOG_ARCHIVE_LOCATION [string]: If builds are enabled, the storage engine in which to place the archived build logs.

    • Example: s3_us_east
  • LOG_ARCHIVE_PATH [string]: If builds are enabled, the path in storage in which to place the archived build logs.

    • Example: archives/buildlogs
  • LOGS_MODEL [string]: Logs model for action logs.
  • enum: database, transition_reads_both_writes_es, elasticsearch
  • Example: database
  • MAIL_DEFAULT_SENDER [string, null]: If specified, the e-mail address used as the from when Red Hat Quay sends e-mails. If none, defaults to support@quay.io.

    • Example: support@myco.com
  • MAIL_PASSWORD [string, null]: The SMTP password to use when sending e-mails.

    • Example: mypassword
  • MAIL_PORT [number]: The SMTP port to use. If not specified, defaults to 587.

    • Example: 588
  • MAIL_SERVER [string]: The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.

    • Example: smtp.somedomain.com
  • MAIL_USERNAME [string, 'null']: The SMTP username to use when sending e-mails.

    • Example: myuser
  • MAIL_USE_TLS [boolean]: If specified, whether to use TLS for sending e-mails.

    • Example: True
  • MAXIMUM_LAYER_SIZE [string]: Maximum allowed size of an image layer. Defaults to 20G.

    • Pattern: ^[0-9]+(G|M)$
    • Example: 100G
  • PREFERRED_URL_SCHEME [string]: The URL scheme to use when hitting Red Hat Quay. If Red Hat Quay is behind SSL at all, this must be https

    • enum: http or https
    • Example: https
  • PROMETHEUS_NAMESPACE [string]: The prefix applied to all exposed Prometheus metrics. Defaults to quay.

    • Example: myregistry
  • PUBLIC_NAMESPACES [array]: If a namespace is defined in the public namespace list, then it will appear on all user’s repository list pages, regardless of whether that user is a member of the namespace. Typically, this is used by an enterprise customer in configuring a set of "well-known" namespaces.

    • Min Items: None
    • Unique Items: True

      • array item [string]
  • RECAPTCHA_SECRET_KEY [string]: If recaptcha is enabled, the secret key for the Recaptcha service.
  • RECAPTCHA_SITE_KEY [string]: If recaptcha is enabled, the site key for the Recaptcha service.
  • REGISTRY_STATE [string]: The state of the registry.

    • enum: normal or read-only
    • Example: read-only
  • REGISTRY_TITLE [string]: If specified, the long-form title for the registry. Defaults to Quay Enterprise.

    • Example: Corp Container Service
  • REGISTRY_TITLE_SHORT [string]: If specified, the short-form title for the registry. Defaults to Quay Enterprise.

    • Example: CCS
  • REPO_MIRROR_INTERVAL [number]: The number of seconds between checking for repository mirror candidates. Defaults to 30.

    • Example: 30
  • REPO_MIRROR_SERVER_HOSTNAME [string]: Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset.

    • Example: openshift-quay-service
  • REPO_MIRROR_TLS_VERIFY [boolean]: Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True.

    • Example: True
  • SEARCH_MAX_RESULT_PAGE_COUNT [number]: Maximum number of pages the user can paginate in search before they are limited. Defaults to 10.

    • Example: 10
  • SEARCH_RESULTS_PER_PAGE [number]: Number of results returned per page by search page. Defaults to 10.

    • Example: 10
  • SECRET_KEY [string] required: Key used to encrypt sensitive fields within the database and a run time. It is imperative that once set, this value is never changed. The consequence of changing this is invalidating all reliant fields (encrypted password credentials, for example).

    • Example: 40157269433064266822674401740626984898972632465622168464725100311621640999470
  • SECURITY_SCANNER_ENDPOINT [string]: The endpoint for the security scanner.

  • SECURITY_SCANNER_INDEXING_INTERVAL [number]: The number of seconds between indexing intervals in the security scanner. Defaults to 30.

    • Example: 30
  • SECURITY_SCANNER_NOTIFICATIONS [boolean]: Whether or not to the security scanner notification feature

    • Example: false
  • SECURITY_SCANNER_V4_ENDPOINT [string]: The endpoint for the V4 security scanner.

  • SECURITY_SCANNER_V4_PSK [string]: The generated pre-shared key (PSK) for Clair.
  • SERVER_HOSTNAME [string] required: The URL at which Red Hat Quay is accessible, without the scheme.

    • Example: quay.io
  • SESSION_COOKIE_SECURE [boolean]: Whether the secure property should be set on session cookies. Defaults to False. Recommended to be True for all installations using SSL.

  • SSL_CIPHERS [array]: If specified, the nginx-defined list of SSL ciphers to enabled and disabled.

    • Example: CAMELLIA, !3DES
  • SSL_PROTOCOLS [array]: If specified, nginx is configured to enabled a list of SSL protocols defined in the list. Removing an SSL protocol from the list disables the protocol during Red Hat Quay startup.

    • SSL_PROTOCOLS: ['TLSv1','TLSv1.1','TLSv1.2']
  • SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD [number]: If not None, the number of successive failures that can occur before a build trigger is automatically disabled. Defaults to 100.

    • Example: 50
  • SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD [number]: If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled. Defaults to 5.
  • SUPER_USERS [array]: Red Hat Quay usernames of those users to be granted superuser privileges.

    • Min Items: None
    • Unique Items: True

      • array item [string]
  • TAG_EXPIRATION_OPTIONS [array] required: The options that users can select for expiration of tags in their namespace (if enabled).

    • Min Items: None
    • array item [string]
    • Pattern: ^[0-9]+(w|m|d|h|s)$
  • TEAM_RESYNC_STALE_TIME [string]: If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m).

    • Pattern: ^[0-9]+(w|m|d|h|s)$
    • Example: 2h
  • USERFILES_LOCATION [string]: ID of the storage engine in which to place user-uploaded files

    • Example: s3_us_east
  • USERFILES_PATH [string]: Path under storage in which to place user-uploaded files

    • Example: userfiles
  • USER_EVENTS_REDIS [object] required: Connection information for Redis for user event handling.

    • HOST [string] required: The hostname at which Redis is accessible.

      • Example: my.redis.cluster
    • PASSWORD [string]: The password to connect to the Redis instance.

      • Example: mypassword
    • PORT [number]: The port at which Redis is accessible.

      • Example: 1234
    • CONSUMER_SECRET [string] required: The registered consumer secret(client secret) for this Red Hat Quay instance

      • Example: e4a58ddd3d7408b7aec109e85564a0d153d3e846
  • USERFILES_LOCATION [string]: ID of the storage engine in which to place user-uploaded files.

    • Example: s3_us_east
  • USERFILES_PATH [string]: Path under storage in which to place user-uploaded files.

    • Example: userfiles
  • USER_RECOVERY_TOKEN_LIFETIME [string]: The length of time a token for recovering a user accounts is valid. Defaults to 30m.

    • Example: 10m
    • Pattern: ^[0-9]+(w|m|d|h|s)$
  • V1_PUSH_WHITELIST [array]: The array of namespace names that support V1 push if FEATURE_RESTRICTED_V1_PUSH is set to true.

    • Example: some, namespaces
  • V2_PAGINATION_SIZE [number]: The number of results returned per page in V2 registry APIs.

    • Example: 100
  • WEBHOOK_HOSTNAME_BLACKLIST [array]: The set of hostnames to disallow from webhooks when validating, beyond localhost.

    • Example: someexternaldomain.com

Additional resources