initial import for Open Source 🎉

deploy/k8s/clair-config.yaml

@@ -0,0 +1,75 @@
+---
+clair:
+  database:
+    type: pgsql
+    options:
+      # Check that the database options match those set earlier in postgres-clair-deployment.yaml.
+      source: host=postgres-clair port=5432 dbname=clair user=clair password=test123 sslmode=disable
+      cachesize: 16384
+  api:
+    # The port at which Clair will report its health status. For example, if Clair is running at
+    # https://clair.mycompany.com, the health will be reported at
+    # http://clair.mycompany.com:6061/health.
+    healthport: 6061
+
+    port: 6062
+    timeout: 900s
+
+    # paginationkey can be any random set of characters. *Must be the same across all Clair
+    # instances*.
+    paginationkey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
+
+  updater:
+    # interval defines how often Clair will check for updates from its upstream vulnerability databases.
+    interval: 6h
+  notifier:
+    attempts: 3
+    renotifyinterval: 1h
+    http:
+      # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
+      # For example: https://myregistry.mycompany.com
+      endpoint: http://quay-enterprise-clusterip/secscan/notify
+      proxy: http://localhost:6063
+
+jwtproxy:
+  signer_proxy:
+    enabled: true
+    listen_addr: :6063
+    ca_key_file: /certificates/mitm.key # Generated internally, do not change.
+    ca_crt_file: /certificates/mitm.crt # Generated internally, do not change.
+    signer:
+      issuer: security_scanner
+      expiration_time: 5m
+      max_skew: 1m
+      nonce_length: 32
+      private_key:
+        type: preshared
+        options:
+          # The ID of the service key generated for Clair. The ID is returned when setting up
+          # the key in [Quay Enterprise Setup](security-scanning.md)
+          key_id: cd40f1c6a63f574c68ce882258925374882fac2b2f535ae5f8157c429e0c4b2e
+          private_key_path: /clair/config/security_scanner.pem
+
+  verifier_proxies:
+  - enabled: true
+    # The port at which Clair will listen.
+    listen_addr: :6060
+
+    # If Clair is to be served via TLS, uncomment these lines. See the "Running Clair under TLS"
+    # section below for more information.
+    # key_file: /config/clair.key
+    # crt_file: /config/clair.crt
+
+    verifier:
+      # CLAIR_ENDPOINT is the endpoint at which this Clair will be accessible. Note that the port
+      # specified here must match the listen_addr port a few lines above this.
+      # Example: https://myclair.mycompany.com:6060
+      audience: http://clair-service:6060
+
+      upstream: http://localhost:6062
+      key_server:
+        type: keyregistry
+        options:
+          # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
+          # Example: https://myregistry.mycompany.com
+          registry: http://quay-enterprise-clusterip/keys/

deploy/k8s/clair-deployment.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    quay-enterprise-component: clair-scanner
+  name: clair-scanner
+  namespace: quay-enterprise
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      quay-enterprise-component: clair-scanner
+  template:
+    metadata:
+      labels:
+        quay-enterprise-component: clair-scanner
+      namespace: quay-enterprise
+    spec:
+      containers:
+      - image: quay.io/redhat/clair-jwt:v3.0.4
+        imagePullPolicy: IfNotPresent
+        name: clair-scanner
+        ports:
+        - containerPort: 6060
+          name: clair-api
+          protocol: TCP
+        - containerPort: 6061
+          name: clair-health
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /clair/config
+          name: configvolume
+      imagePullSecrets:
+      - name: redhat-quay-pull-secret
+      restartPolicy: Always
+      volumes:
+      - name: configvolume
+        secret:
+          secretName: clair-scanner-config-secret

deploy/k8s/clair-service.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: clair-service
+  namespace: quay-enterprise
+spec:
+  ports:
+  - name: clair-api
+    port: 6060
+    protocol: TCP
+    targetPort: 6060
+  - name: clair-health
+    port: 6061
+    protocol: TCP
+    targetPort: 6061
+  selector:
+    quay-enterprise-component: clair-scanner
+  type: ClusterIP

deploy/k8s/db-pvc.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-storage
+  namespace: quay-enterprise
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      # The 10Gi creates 10 gigabytes of storage for use by the Postgres database.
+      storage: 10Gi
+  storageClassName: quay-storageclass

deploy/k8s/postgres-clair-deployment.yaml

@@ -0,0 +1,44 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: postgres-clair
+  name: postgres-clair
+  namespace: quay-enterprise
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres-clair
+  template:
+    metadata:
+      labels:
+        app: postgres-clair
+    spec:
+      containers:
+      - env:
+        - name: POSTGRESQL_USER
+          # Set the username for the Clair postgres database (clair by default)
+          value: clair
+        - name: POSTGRESQL_DATABASE
+          # Set the name of the Clair postgres database
+          value: clair
+        - name: POSTGRESQL_PASSWORD
+          # Set the password for the Clair postgress user
+          value: test123
+        image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
+        imagePullPolicy: IfNotPresent
+        name: postgres-clair
+        ports:
+        - containerPort: 5432
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /var/lib/pgsql/data
+          name: postgredb
+        serviceAccount: postgres
+        serviceAccountName: postgres
+      volumes:
+      - name: postgredb
+        persistentVolumeClaim:
+          claimName: postgres-clair-storage

deploy/k8s/postgres-clair-service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgres-clair
+  name: postgres-clair
+  namespace: quay-enterprise
+spec:
+  ports:
+  - nodePort: 30680
+    port: 5432
+    protocol: TCP
+    targetPort: 5432
+  selector:
+    app: postgres-clair
+  type: NodePort

deploy/k8s/postgres-clair-storage.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-clair-storage
+  namespace: quay-enterprise
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: quay-storageclass

deploy/k8s/postgres-deployment.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: postgres
+  namespace: quay-enterprise
+spec:
+  # Only one instance of the postgres database is defined here. Adjust replicas based on demand.
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - containerPort: 5432
+          env:
+          - name: POSTGRESQL_USER
+            # Replace "username" with a name for your Postgres user
+            value: "username"
+          - name: POSTGRESQL_DATABASE
+            # Replace "password" with a password for your Postgres user
+            value: "quay"
+          - name: POSTGRESQL_PASSWORD
+            value: "password"
+          volumeMounts:
+            - mountPath: /var/lib/pgsql/data
+              name: postgredb
+          serviceAccount: postgres
+          serviceAccountName: postgres
+      volumes:
+        - name: postgredb
+          persistentVolumeClaim:
+            claimName: postgres-storage

deploy/k8s/postgres-service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: quay-enterprise
+  labels:
+    app: postgres
+spec:
+  type: NodePort
+  ports:
+   - port: 5432
+  selector:
+   app: postgres

deploy/k8s/quay-enterprise-app-rc.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-app
+  labels:
+    quay-enterprise-component: app
+spec:
+  # Only one instance of the quay container is defined here. Adjust replicas based on demand.
+  replicas: 1
+  selector:
+    matchLabels:
+      quay-enterprise-component: app
+  template:
+    metadata:
+      namespace: quay-enterprise
+      labels:
+        quay-enterprise-component: app
+    spec:
+      volumes:
+        - name: configvolume
+          secret:
+            secretName: quay-enterprise-secret
+      containers:
+      - name: quay-enterprise-app
+        # Pick the Quay version you wish to run 
+        image: quay.io/redhat/quay:v3.1.0
+        ports:
+        - containerPort: 8443
+        volumeMounts:
+        - name: configvolume
+          readOnly: false
+          mountPath: /conf/stack
+      imagePullSecrets:
+        - name: redhat-quay-pull-secret

deploy/k8s/quay-enterprise-config-secret.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-config-secret

deploy/k8s/quay-enterprise-config-service-clusterip.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-config
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      name: https
+      port: 443
+      targetPort: 8443
+  selector:
+    quay-enterprise-component: config-app

deploy/k8s/quay-enterprise-config.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-config-app
+  labels:
+    quay-enterprise-component: config-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      quay-enterprise-component: config-app
+  template:
+    metadata:
+      namespace: quay-enterprise
+      labels:
+        quay-enterprise-component: config-app
+    spec:
+      containers:
+      - name: quay-enterprise-config-app
+        image: quay.io/redhat/quay:v3.1.0
+        ports:
+        - containerPort: 8443
+        command: ["/quay-registry/quay-entrypoint.sh"]
+        args: ["config", "secret"]
+      imagePullSecrets:
+        - name: redhat-quay-pull-secret

deploy/k8s/quay-enterprise-mirror.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-mirror
+  labels:
+    quay-enterprise-component: mirror-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      quay-enterprise-component: mirror-app
+  template:
+    metadata:
+      namespace: quay-enterprise
+      labels:
+        quay-enterprise-component: mirror-app
+    spec:
+      containers:
+      - name: quay-enterprise-mirror-app
+        image: quay.io/redhat/quay:v3.1.0
+        ports:
+        - containerPort: 8443
+        command: ["/quay-registry/quay-entrypoint.sh"]
+        args: ["repomirror"]
+      imagePullSecrets:
+        - name: redhat-quay-pull-secret

deploy/k8s/quay-enterprise-namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: quay-enterprise

deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: quay-enterprise
+  name: redhat-quay-pull-secret
+data:
+  # Change <Add credentials> to include the credentials shown from https://access.redhat.com/solutions/3533201
+  .dockerconfigjson: <Add credentials>
+type: kubernetes.io/dockerconfigjson

deploy/k8s/quay-enterprise-redis.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-redis
+  labels:
+    quay-enterprise-component: redis
+spec:
+  # Only one instance of the redis database is defined here. Adjust replicas based on demand.
+  replicas: 1
+  selector:
+    matchLabels:
+      quay-enterprise-component: redis
+  template:
+    metadata:
+      namespace: quay-enterprise
+      labels:
+        quay-enterprise-component: redis
+    spec:
+      containers:
+      - name: redis-master
+        image: registry.access.redhat.com/rhscl/redis-32-rhel7
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 6379
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-redis
+  labels:
+    quay-enterprise-component: redis
+spec:
+  ports:
+    - port: 6379
+  selector:
+    quay-enterprise-component: redis

deploy/k8s/quay-enterprise-service-clusterip.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-clusterip
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      name: https
+      port: 443
+      targetPort: 8443
+  selector:
+    quay-enterprise-component: app

deploy/k8s/quay-servicetoken-role-binding-k8s1-6.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: quay-enterprise-secret-writer
+  namespace: quay-enterprise
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: quay-enterprise-serviceaccount
+subjects:
+- kind: ServiceAccount
+  name: default

deploy/k8s/quay-servicetoken-role-k8s1-6.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: quay-enterprise-serviceaccount
+  namespace: quay-enterprise
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - put
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - extensions
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch

deploy/k8s/quay-storageclass.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: quay-storageclass
+parameters:
+  type: gp2
+  # Uncomment out following lines to encrypt the volume (AWS EBS example with xfs shown)
+  #encrypted: "true"
+  #fsType: xfs
+  #kmsKeyId: <Amazon Resource Name>
+provisioner: kubernetes.io/aws-ebs
+reclaimPolicy: Delete