Chapter 3. Configuring Red Hat Quay on OpenShift Container Platform

After deployment, you can configure the Red Hat Quay application by editing the Red Hat Quay configuration bundle secret spec.configBundleSecret. You can also change the managed status of components in the spec.components object of the QuayRegistry resource.

Alternatively, you can use the config editor UI to configure the Red Hat Quay application. For more information, see Using the config tool to reconfigure Red Hat Quay on OpenShift Container Platform.

3.1. Editing the config bundle secret in the OpenShift Container Platform console

Use the following procedure to edit the config bundle secret in the OpenShift Container Platform console.

Procedure

  1. On the Red Hat Quay Registry overview screen, click the link for the Config Bundle Secret.

    Figure: Red Hat Quay Registry overview

  2. To edit the secret, click Actions → Edit Secret.

    Figure: Edit secret

  3. Modify the configuration and save the changes.

    Figure: Save changes

  4. Monitor the deployment to ensure successful completion and that the configuration changes have taken effect.

3.2. Determining QuayRegistry endpoints and secrets

Use the following procedure to find QuayRegistry endpoints and secrets.

Procedure

  1. Examine the QuayRegistry resource, using either oc describe quayregistry or oc get quayregistry -o yaml, to find the current endpoints and secrets. For example, enter the following command:

    $ oc get quayregistry example-registry -n quay-enterprise -o yaml

    Example output

    apiVersion: quay.redhat.com/v1
    kind: QuayRegistry
    metadata:
      ...
      name: example-registry
      namespace: quay-enterprise
      ...
    spec:
      components:
      - kind: quay
        managed: true
      ...
      - kind: clairpostgres
        managed: true
      configBundleSecret: init-config-bundle-secret # 1
    status:
      configEditorCredentialsSecret: example-registry-quay-config-editor-credentials-fg2gdgtm24 # 2
      configEditorEndpoint: https://example-registry-quay-config-editor-quay-enterprise.apps.docs.gcp.quaydev.org # 3
      currentVersion: 3.7.0
      lastUpdated: 2022-05-11 13:28:38.199476938 +0000 UTC
      registryEndpoint: https://example-registry-quay-quay-enterprise.apps.docs.gcp.quaydev.org # 4

    1. The config bundle secret, containing the config.yaml file and any SSL/TLS certificates.
    2. The secret containing the username (typically quayconfig) and the password for the config editor tool.
    3. The URL for the config editor tool, for browser access to the config tool, and for the configuration API.
    4. The URL for your registry, for browser access to the registry UI, and for the registry API endpoint.

3.2.1. Locating the username and password for the config editor tool

Use the following procedure to locate the username and password for the config editor tool.

Procedure

  1. Enter the following command to retrieve the secret:

    $ oc get secret -n quay-enterprise example-registry-quay-config-editor-credentials-fg2gdgtm24 -o yaml

    Example output

    apiVersion: v1
    data:
      password: SkZwQkVKTUN0a1BUZmp4dA==
      username: cXVheWNvbmZpZw==
    kind: Secret

  2. Decode the username by entering the following command:

    $ echo 'cXVheWNvbmZpZw==' | base64 --decode

    Example output

    quayconfig

  3. Decode the password by entering the following command:

    $ echo 'SkZwQkVKTUN0a1BUZmp4dA==' | base64 --decode

    Example output

    JFpBEJMCtkPTfjxt

3.3. Downloading the existing configuration

The following procedures detail how to download the existing configuration using different strategies.

3.3.1. Using the config editor endpoint to download the existing configuration

Use the following procedure to download the existing configuration through the config editor endpoint.

Procedure

  • Enter the following command, specifying the username and password for the config editor, to download the existing configuration:

    $ curl -k -u quayconfig:JFpBEJMCtkPTfjxt https://example-registry-quay-config-editor-quay-enterprise.apps.docs.quayteam.org/api/v1/config

    Example output

    {
        "config.yaml": {
            "ALLOW_PULLS_WITHOUT_STRICT_LOGGING": false,
            "AUTHENTICATION_TYPE": "Database",
            ...
            "USER_RECOVERY_TOKEN_LIFETIME": "30m"
        },
        "certs": {
            "extra_ca_certs/service-ca.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lJRE9kWFhuUXFjMUF3RFFZSktvWklodmNOQVFFTEJRQXdOakUwTURJR0ExVUUKQXd3cmIzQmxibk5vYVdaMExYTmxjblpwWTJVdGMyVnlkbWx1WnkxemFXZHVaWEpBTVRZek1UYzNPREV3TXpBZQpGdzB5TVRBNU1UWXdOelF4TkRKYUZ..."
        }
    }

3.3.2. Using the config bundle secret to download the existing configuration

You can use the config bundle secret to download the existing configuration.

Procedure

  1. Obtain the secret data by entering the following command:

    $ oc get secret -n quay-enterprise init-config-bundle-secret -o jsonpath='{.data}'

    Example output

    {
        "config.yaml": "RkVBVFVSRV9VU0 ... MDAwMAo="
    }

  2. Enter the following command to decode the data:

    $ echo 'RkVBVFVSRV9VU0 ... MDAwMAo=' | base64 --decode

    Example output

    FEATURE_USER_INITIALIZE: true
    BROWSER_API_CALLS_XHR_ONLY: false
    SUPER_USERS:
    - quayadmin
    FEATURE_USER_CREATION: false
    FEATURE_QUOTA_MANAGEMENT: true
    FEATURE_PROXY_CACHE: true
    FEATURE_BUILD_SUPPORT: true
    DEFAULT_SYSTEM_REJECT_QUOTA_BYTES: 102400000

3.4. Using the config bundle to configure custom SSL/TLS certs

You can configure custom SSL/TLS certificates before the initial deployment, or after Red Hat Quay is deployed on OpenShift Container Platform. This is done by creating or updating the config bundle secret.

If you are adding the certificates to an existing deployment, you must include the existing config.yaml file in the new config bundle secret, even if you are not making any configuration changes.

Use the following procedure to add custom SSL/TLS certificates.

Procedure

  1. In your QuayRegistry YAML file, set the tls component to managed: false, for example:

      - kind: tls
        managed: false
  2. Navigate to the Events page, which should reveal that the change is blocked until you set up the appropriate config. For example:

        - lastTransitionTime: '2022-03-28T12:56:49Z'
          lastUpdateTime: '2022-03-28T12:56:49Z'
          message: >-
            required component `tls` marked as unmanaged, but `configBundleSecret`
            is missing necessary fields
          reason: ConfigInvalid
          status: 'True'
  3. Create the secret using embedded data or by using files.

    1. Embed the configuration details directly in the Secret resource YAML file. For example:

      custom-ssl-config-bundle.yaml

      apiVersion: v1
      kind: Secret
      metadata:
        name: custom-ssl-config-bundle-secret
        namespace: quay-enterprise
      # Plain-text values belong under stringData; the data field only accepts
      # base64-encoded values and oc create rejects plain text there.
      stringData:
        config.yaml: |
          FEATURE_USER_INITIALIZE: true
          BROWSER_API_CALLS_XHR_ONLY: false
          SUPER_USERS:
          - quayadmin
          FEATURE_USER_CREATION: false
          FEATURE_QUOTA_MANAGEMENT: true
          FEATURE_PROXY_CACHE: true
          FEATURE_BUILD_SUPPORT: true
          DEFAULT_SYSTEM_REJECT_QUOTA_BYTES: 102400000
        extra_ca_cert_my-custom-ssl.crt: |
          -----BEGIN CERTIFICATE-----
          MIIDsDCCApigAwIBAgIUCqlzkHjF5i5TXLFy+sepFrZr/UswDQYJKoZIhvcNAQEL
          BQAwbzELMAkGA1UEBhMCSUUxDzANBgNVBAgMBkdBTFdBWTEPMA0GA1UEBwwGR0FM
          ....
          -----END CERTIFICATE-----

    2. Create the secret from the YAML file:

      $ oc create -f custom-ssl-config-bundle.yaml

  4. Alternatively, you can create files containing the desired information, and then create the secret from those files.

    1. Enter the following command to create a generic Secret object that contains the config.yaml file and the my-custom-ssl.crt certificate, stored in the secret under the key extra_ca_cert_my-custom-ssl.crt:

      $ oc create secret generic custom-ssl-config-bundle-secret \
        --from-file=config.yaml \
        --from-file=extra_ca_cert_my-custom-ssl.crt=my-custom-ssl.crt
    2. Create or update the QuayRegistry YAML file, referencing the created Secret, for example:

      Example QuayRegistry YAML file

      apiVersion: quay.redhat.com/v1
      kind: QuayRegistry
      metadata:
        name: example-registry
        namespace: quay-enterprise
      spec:
        configBundleSecret: custom-ssl-config-bundle-secret

    3. Deploy or update the registry using the YAML file by entering the following command:

      $ oc apply -f quayregistry.yaml
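The secret decoding from Section 3.2.1 and the config bundle assembly from Section 3.4, as an added Python example (not code from the Red Hat Quay documentation or the Operator): it decodes a Secret's data map and builds a new config bundle manifest that always carries config.yaml beside the extra CA certificate, with every value base64-encoded under data as the API requires. The extra_ca_cert_ key prefix check and the sample inputs are assumptions constructed for this example.

```python
import base64
import json

# Constructed sample inputs standing in for `oc get secret ... -o jsonpath='{.data}'`
# output and a certificate file; they are not values taken from a live cluster.
SAMPLE_SECRET_DATA = {"username": "cXVheWNvbmZpZw==", "password": "SkZwQkVKTUN0a1BUZmp4dA=="}
SAMPLE_CONFIG_YAML = "FEATURE_USER_INITIALIZE: true\nSUPER_USERS:\n- quayadmin\n"
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDsDCCApigAwIBAgIUCqlzkHjF5i5TXLFy+sepFrZr/UswDQYJKoZIhvcNAQEL\n"
    "-----END CERTIFICATE-----\n"
)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def decode_secret_data(data):
    """Decode a Secret's .data map (base64 values) into plain strings."""
    return {key: base64.b64decode(val).decode() for key, val in data.items()}


def build_config_bundle(name, namespace, config_yaml, certs):
    """Return a Secret manifest carrying config.yaml plus extra CA certificates.

    Values go under .data, so each is base64-encoded here. config_yaml is
    mandatory: the Operator reads the whole bundle, so an existing deployment
    loses its configuration if only the certificate is supplied."""
    if not config_yaml.strip():
        raise ValueError("config.yaml must be in the bundle, even if unchanged")
    data = {"config.yaml": _b64(config_yaml)}
    for filename, pem in certs.items():
        # Key naming follows the page's extra_ca_cert_<file> convention; the
        # assumption here is that other keys are not picked up as CA certs.
        if not filename.startswith("extra_ca_cert_"):
            raise ValueError(f"{filename}: key must start with extra_ca_cert_")
        if "-----BEGIN CERTIFICATE-----" not in pem or "-----END CERTIFICATE-----" not in pem:
            raise ValueError(f"{filename}: not a PEM certificate")
        data[filename] = _b64(pem)
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


if __name__ == "__main__":
    print(decode_secret_data(SAMPLE_SECRET_DATA))
    manifest = build_config_bundle("custom-ssl-config-bundle-secret", "quay-enterprise",
                                   SAMPLE_CONFIG_YAML,
                                   {"extra_ca_cert_my-custom-ssl.crt": SAMPLE_CERT_PEM})
    print(json.dumps(manifest, indent=2))  # feed to: oc create -f -
```

In practice the config_yaml argument would be the decoded output of the oc get secret command from Section 3.3.2, so the new bundle carries the live configuration unchanged.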