initial import for Open Source 🎉

This commit is contained in:
Jimmy Zelinskie 2019-11-12 11:09:47 -05:00
parent 1898c361f3
commit 9c0dd3b722
2048 changed files with 218743 additions and 0 deletions

Binary file not shown.


Binary file not shown.


View file

@ -0,0 +1,147 @@
# On-premises installation
Red Hat Quay requires three components to be running to begin the setup process:
- A supported database (MySQL, Postgres)
- A Redis instance (for real-time events)
- The Red Hat Quay image
**NOTE**: Please have the host and port of the database and the Redis instance ready.
## Preparing the database
A MySQL RDBMS or Postgres installation with an empty database is required, and a login with full access to said database. This login *must* be for a superuser. The schema will be created during the creation of the configuration. The database install can either be pre-existing or run via a [Docker container](mysql-container.md).
**Note**: Running your database on as a Docker container is not recommended for production workloads.
## Setting up redis
Redis stores data which must be accessed quickly but doesnt require durability guarantees. If you have an existing Redis instance, make sure to accept incoming connections on port 6379 (or change the port in the setup process) and then feel free to skip this step.
To run redis, simply pull and run the Quay.io Redis image:
```
sudo docker pull quay.io/quay/redis
sudo docker run -d -p 6379:6379 quay.io/quay/redis
```
**NOTE**: This host will have to accept incoming connections on port 6379 from the hosts on which the registry will run.
## Downloading the Red Hat Quay image
After signing up you will be able to download a pull secret file named `config.json`.
The `config.json` file will look like this:
```
{
"auths": {
"quay.io": {
"auth": "abcdefghijklmnopqrstuvwxyz...",
"email": ""
}
}
}
```
`config.json` contains your credentials for the `quay.io/coreos/quay` repository. Save this file to your machine in `/home/$USER/.docker/config.json` and `/root/.docker/config.json`. You should now be able to execute `docker pull quay.io/coreos/quay:v2.9.2` to download the container.
## Booting up the configuration tool
Now you can run the configuration setup tool to create your config bundle.
Run the following command to boot up the configuration tool:
```
sudo docker run -p 443:443 -d quay.io/coreos/quay:v3.0.0 config
```
## Creating a new configuration
Visit the image locally by going to https://yourhost/
**Note**: You will see warning about an invalid certificate authority when visiting in your browser. This is because we self sign the certificate at container load time, so you can safely bypass this warning. (On Chrome, for example, click on Advanced, then "Proceed to localhost")
<img src="img/initial-choice-screen.png" class="img-center" alt="Red Hat Quay Configuration Tool"/>
Click on "Start New Registry Setup", and follow the instructions to create your configuration, downloading and saving it when complete.
**Note**: Please keep this tarball safe, as it contains your certificates and other access credentials unencryped. You will also need it if you ever wish to update your configuration.
## Setting up the directories
Red Hat Quay requires a configuration directory (and a storage directory if using local storage):
You will need to extract the tarball you received in the previous step into a directory:
```
mkdir config && tar xzf quay-config.tar.gz -C config
```
If you are storing images locally, then you will need a storage directory (skip this step if you are storing images remotely):
```
mkdir storage
```
**Note**: storing images locally is not recommended for production workloads!
## Running the registry
If you are running with local storage, you'll have to add it as a volume to the docker command, replacing `/local/path/to/the/config/directory` and `/local/path/to/the/storage/directory` with the absolute paths to the directories created in the previous step:
```
sudo docker run --restart=always -p 443:443 -p 80:80 --privileged=true -v /local/path/to/the/config/directory:/conf/stack -v /local/path/to/the/storage/directory:/datastorage -d quay.io/coreos/quay:3.0.0
```
Otherwise, run the following command, replacing `/local/path/to/the/config/directory` with the absolute path to the directory created in the previous step:
```
sudo docker run --restart=always -p 443:443 -p 80:80 --privileged=true -v /local/path/to/the/config/directory:/conf/stack -d quay.io/coreos/quay:3.0.0
```
## Verifying the status of QE
Visit the `/health/endtoend` endpoint on the Red Hat Quay hostname and verify that the `code` is `200` and `is_testing` is `false`.
If `code` is anything other than `200`, visit http://yourhost/ and you will see instructions detailing the problems Red Hat Quay is having with the configuration.
## Logging in
### If using database authentication:
Once Red Hat Quay is running, new users can be created by clicking the `Sign Up` button. If e-mail is enabled, the sign up process will require an e-mail confirmation step, after which repositories, organizations and teams can be setup by the user.
### If using LDAP authentication:
Users should be able to login to the Red Hat Quay directly with their LDAP username and password.
## Updating your configuration
If you ever wish to change your configuration, you will need to run the configuration tool again:
```
sudo docker run -p 443:443 -d quay.io/coreos/quay:v3.0.0 config
```
Click on "Modify an existing configuration", and upload the tarball provided when initially creating the configuration.
You will be taken to the setup page, with your previous configuration values pre-populated. After you have made your changes, save the configuration and download the tarball.
<img src="img/load-tarball-config.png" class="img-center" alt="Red Hat Quay Load Configuration"/>
Extract the tarball into the config directory where your Red Hat Quay will run:
```
mkdir config && tar xzf quay-config.tar.gz -C config
```
Now run Red Hat Quay as stated in the **Running the registry** step, and your new instance will reflect the changes made in the new configuration.
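Review bot: the image tags in this file contradict each other: the pull step says `docker pull quay.io/coreos/quay:v2.9.2`, both config-tool commands use `quay.io/coreos/quay:v3.0.0 config`, and the two `docker run` lines under "Running the registry" use `quay.io/coreos/quay:3.0.0` without the `v` prefix, so a reader following the page literally pulls one image and runs another (and the unprefixed tag may not exist at all). Pick one tag and use it in all five commands. The registry `docker run` lines also pass `--privileged=true`, which switches off most of Docker's isolation for a container that holds the unencrypted certificates and credentials the note under "Creating a new configuration" warns about; if the registry genuinely needs it, state why, otherwise remove it. Smaller points: the certificate-warning text says "Proceed to localhost" while the URL given is `https://yourhost/`; the health-check section sends the reader to `http://yourhost/` although the container is served on 443; the heading "Verifying the status of QE" should say "Red Hat Quay" like the rest of the page; and "doesnt" and "unencryped" are typos.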

View file

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
namespace: quay-enterprise
name: quay-enterprise-config-tool
spec:
type: NodePort
ports:
- protocol: TCP
port: 443
targetPort: 443
nodePort: 30090
selector:
quay-enterprise-component: config-tool
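Review bot: this Service forwards to `targetPort: 443`, but the config-tool Deployment in the same commit only declares `containerPort: 80`; one of the two is wrong, and the port should be declared consistently in both manifests. Because a NodePort publishes the configuration tool, which produces the tarball of unencrypted certificates and credentials described in the on-premises doc, on port 30090 of every node for as long as the Service exists, the guide should also tell the deployer to delete this Service and the config-tool Deployment once "Deploy" has been pressed, or at least restrict access to it with a NetworkPolicy.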

View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: qe-config-tool-serviceaccount
namespace: quay-enterprise

View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: quay-enterprise-config-tool-writer
namespace: quay-enterprise
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: quay-enterprise-config-tool-role
subjects:
- kind: ServiceAccount
name: qe-config-tool-serviceaccount
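Review bot: the `subjects` entry for `qe-config-tool-serviceaccount` has no `namespace`; a RoleBinding defaults a ServiceAccount subject to its own namespace, but writing `namespace: quay-enterprise` explicitly avoids a silent mismatch if the manifest is ever applied with a different `--namespace`. `rbac.authorization.k8s.io/v1beta1` is also the deprecated group version; `rbac.authorization.k8s.io/v1` has been stable since Kubernetes 1.8 and should be used in the Role and RoleBinding manifests here.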

View file

@ -0,0 +1,32 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: quay-enterprise-config-tool-role
namespace: quay-enterprise
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- put
- patch
- update
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- "extensions"
- "apps"
resources:
- deployments
- deployments/rollback
verbs:
- create
- get
- list
- patch
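Review bot: `put` in the `secrets` verbs list is not a Kubernetes RBAC verb (the API verbs are get, list, watch, create, update, patch, delete and deletecollection; an HTTP PUT is authorized as `update`), so that line is dead and should be removed. The rule also grants `get` and `update` on every Secret in the namespace, which includes the `coreos-pull-secret` image-pull credential the install guide creates; the config tool only needs `quay-enterprise-config-secret`, so add `resourceNames: ["quay-enterprise-config-secret"]` to the secrets rule. The deployments rule has the same breadth: `patch` on all Deployments lets the tool rewrite the Redis Deployment too, so scope it with `resourceNames: ["quay-enterprise-app"]` (and drop `create`, which cannot be restricted by name, unless the tool really creates Deployments).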

View file

@ -0,0 +1,30 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
namespace: quay-enterprise
name: quay-enterprise-config-tool
labels:
quay-enterprise-component: config-tool
spec:
replicas: 1
selector:
matchLabels:
quay-enterprise-component: config-tool
template:
metadata:
namespace: quay-enterprise
labels:
quay-enterprise-component: config-tool
spec:
serviceAccountName: qe-config-tool-serviceaccount
volumes:
- name: configvolume
secret:
secretName: quay-enterprise-config-secret
containers:
- name: quay-enterprise-config-tool
image: config-app:latest # TODO: change to reference to quay image?
imagePullPolicy: IfNotPresent # enable when testing with minikube
args: ["config"]
ports:
- containerPort: 80
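Review bot: the `configvolume` Secret volume is declared under `volumes` but the container has no `volumeMounts`, so it is never mounted; either add a mount at `/conf/stack` as the app Deployment does, or delete the volume. The image is still a placeholder, `image: config-app:latest # TODO: change to reference to quay image?`, and `imagePullPolicy: IfNotPresent` on a `:latest` tag means each node keeps running whatever it pulled first; before the guide can work this needs a pinned `quay.io/coreos/quay:<tag>` plus `imagePullSecrets` for `coreos-pull-secret`, and `containerPort: 80` should agree with the 443 that the config-tool Service targets. `extensions/v1beta1` for Deployment is deprecated in favour of `apps/v1`.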

View file

@ -0,0 +1,40 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
namespace: quay-enterprise
name: quay-enterprise-app
labels:
quay-enterprise-component: app
spec:
replicas: 1
selector:
matchLabels:
quay-enterprise-component: app
template:
metadata:
namespace: quay-enterprise
labels:
quay-enterprise-component: app
spec:
volumes:
- name: configvolume
secret:
secretName: quay-enterprise-config-secret
containers:
- name: quay-enterprise-app
image: quay.io/coreos/quay:v2.9.3
ports:
- containerPort: 80
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 80
initialDelaySeconds: 10
periodSeconds: 5
volumeMounts:
- name: configvolume
readOnly: false
mountPath: /conf/stack
imagePullSecrets:
- name: coreos-pull-secret
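Review bot: `image: quay.io/coreos/quay:v2.9.3` matches none of the tags used in the docs of this commit (v2.9.2, v3.0.0, 3.0.0); pin all of them to one release. `readOnly: false` on the `configvolume` mount has no effect, since Secret volumes are always mounted read-only, so the line is misleading and should be removed. The container declares only `containerPort: 80`, yet the LoadBalancer Service forwards 443 to it and the readiness probe checks `/health` over plain HTTP on 80; declare 443 as well and consider probing `/health/endtoend`, which the on-premises doc uses for verification. The pod also runs as the namespace `default` ServiceAccount, to which the accompanying RoleBinding grants write access on Secrets; a dedicated `serviceAccountName` would keep that permission off every other pod in the namespace.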

View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Secret
metadata:
namespace: quay-enterprise
name: quay-enterprise-config-secret
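Review bot: this Secret carries no `data` and no `type`, which is presumably deliberate because the config tool's "Deploy" action populates it, but nothing in the manifest says so; add a comment to that effect and note in the install guide that the app pod created by the same `kubectl create` will keep failing its readiness probe until a configuration has been deployed into this Secret.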

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: quay-enterprise

View file

@ -0,0 +1,36 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
namespace: quay-enterprise
name: quay-enterprise-redis
labels:
quay-enterprise-component: redis
spec:
replicas: 1
selector:
matchLabels:
quay-enterprise-component: redis
template:
metadata:
namespace: quay-enterprise
labels:
quay-enterprise-component: redis
spec:
containers:
- name: redis-master
image: quay.io/quay/redis
ports:
- containerPort: 6379
---
apiVersion: v1
kind: Service
metadata:
namespace: quay-enterprise
name: quay-enterprise-redis
labels:
quay-enterprise-component: redis
spec:
ports:
- port: 6379
selector:
quay-enterprise-component: redis
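Review bot: the Redis Deployment runs `quay.io/quay/redis` with no authentication, and the ClusterIP Service makes port 6379 reachable from every pod in the cluster, so anything that can open a connection can read and overwrite the real-time event data the app keeps there. Either set a password (`requirepass`) and configure it in the Quay config, or add a NetworkPolicy that admits only pods labelled `quay-enterprise-component: app`. The Deployment also uses the deprecated `extensions/v1beta1` API and sets no resource limits.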

View file

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
namespace: quay-enterprise
name: quay-enterprise
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
name: http
- protocol: TCP
port: 443
targetPort: 443
name: https
selector:
quay-enterprise-component: app
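Review bot: this Service exposes plain-HTTP port 80 externally alongside 443, so unless the container redirects to HTTPS, `docker login` and pushes can go over the unencrypted port; if port 80 exists only for a redirect, say so in the guide, otherwise drop the `http` entry. Both this manifest and the NodePort manifest use `name: quay-enterprise`, so `kubectl create` of the second fails with AlreadyExists; the guide should state plainly that exactly one of the two is applied.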

View file

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
namespace: quay-enterprise
name: quay-enterprise
spec:
type: NodePort
ports:
- protocol: TCP
port: 80
targetPort: 80
nodePort: 30080
selector:
quay-enterprise-component: app
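Review bot: this NodePort Service maps only port 80, so every client reaches the registry over plain HTTP on node port 30080 and the TLS certificate produced by the config tool is never used; credentials sent on `docker login` would cross the network unencrypted. Add a second port entry for 443 (for example `port: 443`, `targetPort: 443`, `nodePort: 30443`) and point the guide at the HTTPS port.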

View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: quay-enterprise-secret-writer
namespace: quay-enterprise
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: quay-enterprise-serviceaccount
subjects:
- kind: ServiceAccount
name: default
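Review bot: binding the Role to the namespace `default` ServiceAccount gives Secret read/write to every pod in `quay-enterprise` that does not set its own `serviceAccountName`, which in this commit includes the Redis pod. Create a dedicated ServiceAccount for the app Deployment and bind the Role to that instead; `roleRef.name: quay-enterprise-serviceaccount` is also a confusing name for a Role.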

View file

@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: quay-enterprise-serviceaccount
namespace: quay-enterprise
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- put
- patch
- update
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
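Review bot: `put` is not a Kubernetes RBAC verb (PUT requests are authorized as `update`) and should be removed from the `secrets` rule. As with the config-tool Role, the rule covers every Secret in the namespace, including the image-pull secret; restrict it with `resourceNames: ["quay-enterprise-config-secret"]`, the only Secret these manifests give the app a reason to touch.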

View file

@ -0,0 +1,143 @@
# Red Hat Quay Installation on Kubernetes
This guide walks through the deployment of [Red Hat Quay][quay-enterprise-tour] onto a Kubernetes cluster.
After completing the steps in this guide, a deployer will have a functioning instance of Red Hat Quay orchestrated as a Kubernetes service on a cluster, and will be able to access the Red Hat Quay Setup tool with a browser to complete configuration of image repositories, builders, and users.
[quay-enterprise-tour]: https://quay.io/tour/enterprise
## Prerequisites
A PostgreSQL database must be available for Red Hat Quay metadata storage.
We currently recommend running this database server outside of the cluster.
## Download Kubernetes Configuration Files
Visit the [RedHat Documentation][RedHat-documentation] and download the pre-formatted pull secret, under "Account Assets". There are several formats of the secret, be sure to download the "dockercfg" format resulting in a `config.json` file. This pull secret is used to download the Red Hat Quay containers.
This will be used later in the guide.
[RedHat-documentation]: https://access.redhat.com/documentation/en-us/
Next, download each of the following files to your workstation, placing them alongside your pull secret:
- [quay-enterprise-namespace.yml](k8s_templates/quay-enterprise-namespace.yml)
- [quay-enterprise-config-secret.yml](k8s_templates/quay-enterprise-config-secret.yml)
- [quay-enterprise-redis.yml](k8s_templates/quay-enterprise-redis.yml)
- [quay-enterprise-app-rc.yml](k8s_templates/quay-enterprise-app-rc.yml)
- [quay-enterprise-service-nodeport.yml](k8s_templates/quay-enterprise-service-nodeport.yml)
- [quay-enterprise-service-loadbalancer.yml](k8s_templates/quay-enterprise-service-loadbalancer.yml)
## Role Based Access Control
Red Hat Quay has native Kubernetes integrations. These integrations require Service Account to have access to Kubernetes API. When Kubernetes RBAC is enabled, Role Based Access Control policy manifests also have to be deployed.
Kubernetes API has minor changes between versions 1.4 and 1.5, Download appropiate versions of Role Based Access Control (RBAC) Policies.
### Kubernetes v1.6.x and later RBAC Policies
- [quay-servicetoken-role.yaml](k8s_templates/quay-servicetoken-role-k8s1-6.yaml)
- [quay-servicetoken-role-binding.yaml](k8s_templates/quay-servicetoken-role-binding-k8s1-6.yaml)
## Deploy to Kubernetes
All Kubernetes objects will be deployed under the "quay-enterprise" namespace.
The first step is to create this namespace:
```sh
kubectl create -f quay-enterprise-namespace.yml
```
Next, add your pull secret to Kubernetes (make sure you specify the correct path to `config.json`):
```sh
kubectl create secret generic coreos-pull-secret --from-file=".dockerconfigjson=config.json" --type='kubernetes.io/dockerconfigjson' --namespace=quay-enterprise
```
### Kubernetes v1.6.x and later : Deploy RBAC Policies
```sh
kubectl create -f quay-servicetoken-role-k8s1-6.yaml
kubectl create -f quay-servicetoken-role-binding-k8s1-6.yaml
```
### Deploy Red Hat Quay objects
Finally, the remaining Kubernetes objects can be deployed onto Kubernetes:
```sh
kubectl create -f quay-enterprise-config-secret.yml -f quay-enterprise-redis.yml -f quay-enterprise-app-rc.yml
```
## Expose via Kubernetes Service
In order to access Red Hat Quay, a user must route to it through a Kubernetes Service.
It is up to the deployer to decide which Service type is appropriate for their use case: a [LoadBalancer](http://kubernetes.io/docs/user-guide/services/#type-loadbalancer) or a [NodePort](http://kubernetes.io/docs/user-guide/services/#type-nodeport).
A LoadBalancer is recommended if the Kubernetes cluster is integrated with a cloud provider, otherwise a NodePort will suffice.
Along with this guide are examples of this service.
### LoadBalancer
Using the sample provided, a LoadBalancer Kubernetes Service can be created like so:
```sh
kubectl create -f quay-enterprise-service-loadbalancer.yml
```
kubectl can be used to find the externally-accessible URL of the quay-enterprise service:
```sh
kubectl describe services quay-enterprise --namespace=quay-enterprise
```
### NodePort
Using the sample provided, a NodePort Kubernetes Service can be created like so:
```sh
kubectl create -f quay-enterprise-service-nodeport.yml
```
By default, the quay-enterprise service will be available on port 30080 on every node in the Kubernetes cluster.
If this port conflicts with an existing Kubernetes Service, simply modify the sample configuration file and change the value of NodePort.
## Continue with Red Hat Quay Setup
All that remains is to configure Red Hat Quay itself through the configuration tool.
Download the following files to your workstation:
- [config-tool-service-nodeport.yml](k8s_templates/config-tool-service-nodeport.yml)
- [config-tool-serviceaccount.yml](k8s_templates/config-tool-serviceaccount.yml)
- [config-tool-servicetoken-role.yml](k8s_templates/config-tool-servicetoken-role.yml)
- [config-tool-servicetoken-role-binding.yml](k8s_templates/config-tool-servicetoken-role-binding.yml)
- [qe-config-tool.yml](k8s_templates/qe-config-tool.yml)
### Configuring RBAC for the configuration tool
Apply the following policies to allow the config tool to make changes to the Q.E. deployment:
```bash
kubectl apply -f config-tool-serviceaccount.yaml
```
```bash
kubectl apply -f config-tool-servicetoken-role.yaml
```
```bash
kubectl apply -f config-tool-servicetoken-role-binding.yaml
```
### Deploy Config Tool
Deploy the configuration tool and route a service to it:
```bash
kubectl apply -f qe-config-tool.yml -f config-tool-service-nodeport.yml
```
By default, the config-tool service will be available on port 30090 on every node in the Kubernetes cluster.
Similar to the Quay application service, if this port conflicts with an existing Kubernetes Service, simply modify the sample configuration file and change the value of NodePort.
Once at the Red Hat Quay setup UI, follow the setup instructions to finalize your installation.
## Using the Configuration Tool
Click on "Start New Configuration for this Cluster", and follow the instructions to create your configuration, downloading and saving it (to load as a backup or if you ever wish to change your settings).
You will also be able to deploy the configuration to all instances by hitting "Deploy". Allow for a minute for the Quay instances to cycle the pods, and your configuration will be enacted once the pods have started.
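Review bot: the three `kubectl apply` commands under "Configuring RBAC for the configuration tool" use `.yaml` (`config-tool-serviceaccount.yaml` and so on) while the download list above names the same files with `.yml`, so copy-pasting the commands fails; align the extensions. The sentence "Kubernetes API has minor changes between versions 1.4 and 1.5, Download appropiate versions..." is stale now that only "v1.6.x and later" policies are listed, and "appropiate" is a typo. The prerequisites name PostgreSQL only, while the on-premises doc in the same commit supports MySQL or Postgres, and Redis is deployed but never listed as a prerequisite. The `[RedHat-documentation]` link points at the generic documentation root rather than the "Account Assets" page it describes, and "Q.E." under the RBAC section should read "Red Hat Quay". Finally, deploying `quay-enterprise-app-rc.yml` before the config tool has run means the app pod starts with an empty config Secret; say that it will not become ready until "Deploy" has been pressed.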