Chapter 3. Configuring Red Hat Quay on OpenShift Container Platform
After deployment, you can configure the Red Hat Quay application by editing the Red Hat Quay configuration bundle secret spec.configBundleSecret. You can also change the managed status of components in the spec.components object of the QuayRegistry resource.
Alternatively, you can use the config editor UI to configure the Red Hat Quay application. For more information, see Using the config tool to reconfigure Red Hat Quay on OpenShift Container Platform.
3.1. Editing the config bundle secret in the OpenShift Container Platform console
Use the following procedure to edit the config bundle secret in the OpenShift Container Platform console.
Procedure
1. On the Red Hat Quay Registry overview screen, click the link for the Config Bundle Secret.
2. To edit the secret, click Actions → Edit Secret.
3. Modify the configuration and save the changes.
4. Monitor the deployment to ensure successful completion and that the configuration changes have taken effect.
3.2. Determining QuayRegistry endpoints and secrets
Use the following procedure to find QuayRegistry endpoints and secrets.
Procedure
1. Examine the QuayRegistry resource, using oc describe quayregistry or oc get quayregistry -o yaml, to find the current endpoints and secrets. For example:

       $ oc get quayregistry example-registry -n quay-enterprise -o yaml

   Example output

       apiVersion: quay.redhat.com/v1
       kind: QuayRegistry
       metadata:
         ...
         name: example-registry
         namespace: quay-enterprise
         ...
       spec:
         components:
         - kind: quay
           managed: true
         ...
         - kind: clairpostgres
           managed: true
         configBundleSecret: init-config-bundle-secret   # <1>
       status:
         configEditorCredentialsSecret: example-registry-quay-config-editor-credentials-fg2gdgtm24   # <2>
         configEditorEndpoint: https://example-registry-quay-config-editor-quay-enterprise.apps.docs.gcp.quaydev.org   # <3>
         currentVersion: 3.7.0
         lastUpdated: 2022-05-11 13:28:38.199476938 +0000 UTC
         registryEndpoint: https://example-registry-quay-quay-enterprise.apps.docs.gcp.quaydev.org   # <4>

   <1> The config bundle secret, containing the config.yaml file and any SSL/TLS certificates.
   <2> The secret containing the username (typically quayconfig) and the password for the config editor tool.
   <3> The URL for the config editor tool, for browser access to the config tool, and for the configuration API.
   <4> The URL for your registry, for browser access to the registry UI, and for the registry API endpoint.
3.2.1. Locating the username and password for the config editor tool
Use the following procedure to locate the username and password for the config editor tool.
Procedure
1. Enter the following command to retrieve the secret:

       $ oc get secret -n quay-enterprise example-registry-quay-config-editor-credentials-fg2gdgtm24 -o yaml

   Example output

       apiVersion: v1
       data:
         password: SkZwQkVKTUN0a1BUZmp4dA==
         username: cXVheWNvbmZpZw==
       kind: Secret

2. Decode the username by entering the following command:

       $ echo 'cXVheWNvbmZpZw==' | base64 --decode

   Example output

       quayconfig

3. Decode the password by entering the following command:

       $ echo 'SkZwQkVKTUN0a1BUZmp4dA==' | base64 --decode

   Example output

       JFpBEJMCtkPTfjxt
3.3. Downloading the existing configuration
The following procedures detail how to download the existing configuration using different strategies.
3.3.1. Using the config editor endpoint to download the existing configuration
Use the following procedure to download the existing configuration through the config editor endpoint.
Procedure
1. Enter the following command, specifying the username and password for the config editor, to download the existing configuration. The -k option skips TLS certificate verification of the config editor route; it is needed only when the route presents a certificate your client does not already trust.

       $ curl -k -u quayconfig:JFpBEJMCtkPTfjxt https://example-registry-quay-config-editor-quay-enterprise.apps.docs.quayteam.org/api/v1/config

   Example output

       {
         "config.yaml": {
           "ALLOW_PULLS_WITHOUT_STRICT_LOGGING": false,
           "AUTHENTICATION_TYPE": "Database",
           ...
           "USER_RECOVERY_TOKEN_LIFETIME": "30m"
         },
         "certs": {
           "extra_ca_certs/service-ca.crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lJRE9kWFhuUXFjMUF3RFFZSktvWklodmNOQVFFTEJRQXdOakUwTURJR0ExVUUKQXd3cmIzQmxibk5vYVdaMExYTmxjblpwWTJVdGMyVnlkbWx1WnkxemFXZHVaWEpBTVRZek1UYzNPREV3TXpBZQpGdzB5TVRBNU1UWXdOelF4TkRKYUZ..."
         }
       }
3.3.2. Using the config bundle secret to download the existing configuration
You can use the config bundle secret to download the existing configuration.
Procedure
1. Obtain the secret data by entering the following command:

       $ oc get secret -n quay-enterprise init-config-bundle-secret -o jsonpath='{.data}'

   Example output

       { "config.yaml": "RkVBVFVSRV9VU0 ... MDAwMAo=" }

2. Enter the following command to decode the data:

       $ echo 'RkVBVFVSRV9VU0 ... MDAwMAo=' | base64 --decode

   Example output

       FEATURE_USER_INITIALIZE: true
       BROWSER_API_CALLS_XHR_ONLY: false
       SUPER_USERS:
       - quayadmin
       FEATURE_USER_CREATION: false
       FEATURE_QUOTA_MANAGEMENT: true
       FEATURE_PROXY_CACHE: true
       FEATURE_BUILD_SUPPORT: true
       DEFAULT_SYSTEM_REJECT_QUOTA_BYTES: 102400000
3.4. Using the config bundle to configure custom SSL/TLS certs
You can configure custom SSL/TLS certificates before the initial deployment, or after Red Hat Quay is deployed on OpenShift Container Platform. This is done by creating or updating the config bundle secret.
If you are adding the certificates to an existing deployment, you must include the existing config.yaml file in the new config bundle secret, even if you are not making any configuration changes.
Use the following procedure to add custom SSL/TLS certificates.
Procedure
1. In your QuayRegistry YAML file, set the tls component (kind: tls) to managed: false, for example:

       - kind: tls
         managed: false

2. Navigate to the Events page, which should reveal that the change is blocked until you set up the appropriate config. For example:

       - lastTransitionTime: '2022-03-28T12:56:49Z'
         lastUpdateTime: '2022-03-28T12:56:49Z'
         message: >-
           required component `tls` marked as unmanaged, but `configBundleSecret` is missing necessary fields
         reason: ConfigInvalid
         status: 'True'

3. Create the secret using embedded data or by using files.

   a. Embed the configuration details directly in the Secret resource YAML file. For example:

      custom-ssl-config-bundle.yaml

       apiVersion: v1
       kind: Secret
       metadata:
         name: custom-ssl-config-bundle-secret
         namespace: quay-enterprise
       stringData:   # plain-text values; the data field accepts only base64-encoded values
         config.yaml: |
           FEATURE_USER_INITIALIZE: true
           BROWSER_API_CALLS_XHR_ONLY: false
           SUPER_USERS:
           - quayadmin
           FEATURE_USER_CREATION: false
           FEATURE_QUOTA_MANAGEMENT: true
           FEATURE_PROXY_CACHE: true
           FEATURE_BUILD_SUPPORT: true
           DEFAULT_SYSTEM_REJECT_QUOTA_BYTES: 102400000
         extra_ca_cert_my-custom-ssl.crt: |
           -----BEGIN CERTIFICATE-----
           MIIDsDCCApigAwIBAgIUCqlzkHjF5i5TXLFy+sepFrZr/UswDQYJKoZIhvcNAQEL
           BQAwbzELMAkGA1UEBhMCSUUxDzANBgNVBAgMBkdBTFdBWTEPMA0GA1UEBwwGR0FM
           ....
           -----END CERTIFICATE-----

      Create the secret from the YAML file:

       $ oc create -f custom-ssl-config-bundle.yaml

   b. Alternatively, you can create files containing the desired information, and then create the secret from those files. Enter the following command to create a generic Secret object that contains the config.yaml file and a custom-ssl.crt file:

       $ oc create secret generic custom-ssl-config-bundle-secret \
           --from-file=config.yaml \
           --from-file=extra_ca_cert_my-custom-ssl.crt=my-custom-ssl.crt

4. Create or update the QuayRegistry YAML file, referencing the created Secret, for example:

   Example QuayRegistry YAML file

       apiVersion: quay.redhat.com/v1
       kind: QuayRegistry
       metadata:
         name: example-registry
         namespace: quay-enterprise
       spec:
         configBundleSecret: custom-ssl-config-bundle-secret

5. Deploy or update the registry using the YAML file by entering the following command:

       $ oc apply -f quayregistry.yaml
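The config bundle handling of sections 3.3.2 and 3.4 (decoding the existing bundle, then building a replacement that keeps the existing config.yaml and adds an extra_ca_cert_* entry), as an added Python example that is not part of the Red Hat documentation or of the Quay Operator. It uses only the standard library; the Secret contents and the certificate text are constructed placeholders, and real input would come from oc get secret -o json.

```python
import base64
import binascii

# Quay reads extra CA certificates from bundle keys with this prefix (see section 3.4).
CERT_PREFIX = "extra_ca_cert_"
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def decode_bundle(secret):
    """Decode every entry of the Secret's .data map, as `base64 --decode` does by hand."""
    return {k: base64.b64decode(v, validate=True) for k, v in secret.get("data", {}).items()}

def validate_bundle(secret):
    """Return the problems found in a bundle Secret; an empty list means it is usable."""
    problems = []
    data = secret.get("data", {})
    if "config.yaml" not in data:
        problems.append("config.yaml missing: the existing config must be included even if unchanged")
    for key, value in data.items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{key}: not base64; plain text belongs under stringData, not data")
            continue
        if key.startswith(CERT_PREFIX) and PEM_MARKER not in raw:
            problems.append(f"{key}: not a PEM certificate")
    return problems

def build_bundle(name, namespace, files):
    """Build a Secret manifest from {filename: bytes}, like `oc create secret generic --from-file`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in files.items()},
    }

def add_custom_cert(existing, cert_file, pem, new_name):
    """Replacement bundle: everything already in the existing Secret plus one extra_ca_cert_* entry."""
    files = decode_bundle(existing)
    files[CERT_PREFIX + cert_file] = pem
    return build_bundle(new_name, existing["metadata"]["namespace"], files)

# Constructed sample input; real input is `oc get secret <bundle> -n quay-enterprise -o json`.
SAMPLE_CONFIG = b"FEATURE_USER_INITIALIZE: true\nSUPER_USERS:\n- quayadmin\n"
SAMPLE_CERT = PEM_MARKER + b"\nMIID...placeholder, not a real certificate...\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = build_bundle("init-config-bundle-secret", "quay-enterprise", {"config.yaml": SAMPLE_CONFIG})
# Same content pasted as plain text under data: instead of stringData:, the mistake validate_bundle() catches.
BROKEN_SECRET = {"metadata": {"namespace": "quay-enterprise"}, "data": {"config.yaml": SAMPLE_CONFIG.decode()}}
```

json.dumps() of the manifest returned by add_custom_cert() can be piped into oc apply -f -; validate_bundle() also flags plain-text values placed under data instead of stringData, which oc rejects as invalid base64.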