Merge pull request #2797 from coreos-inc/deploy_quay

CI/CD quay preview deployments

.dockerignore

@@ -25,4 +25,6 @@ coverage
 test/__pycache__
 __pycache__
 **/__pycache__
-static/build/**
+static/build/**
+.gitlab-ci/*
+.gitlab-ci.*

.gitignore

@@ -1,7 +1,7 @@
 *.pyc
 venv
 screenshots/screenshots/
-stack
+conf/stack
 */node_modules
 dist
 dest

.gitlab-ci.jsonnet

@@ -8,9 +8,11 @@ local stages_list = [
   // gitlab-ci stages
   'docker_base',
   'docker_build',
+  'deploy_preview',
   'unit_tests',
   'integration',
   'docker_release',
+  'deploy_staging',
   'teardown',
 ];
 
@@ -91,6 +93,40 @@ local jobs = {
                                    env={ [key]: dbname for key in ['MYSQL_ROOT_PASSWORD', 'MYSQL_DATABASE',
                                                                    'MYSQL_USER', 'MYSQL_PASSWORD'] }),
 
+  "deploy-preview": baseJob.QuayDeploy {
+      local _vars = self.localvars,
+      stage: stages.deploy_preview,
+      when: "manual",
+      environment+: {
+        on_stop: "stop-preview",
+      },
+   } + onlyBranch,
+
+  "stop-preview": baseJob.QuayDeployStop {
+   when: "manual",
+   stage: stages.deploy_preview,
+   script: [
+    "kubectl delete ns $K8S_NAMESPACE",
+    "kubectl get pods -o wide -n $K8S_NAMESPACE"
+    ]
+   } + onlyBranch,
+
+   "deploy-staging": baseJob.QuayDeploy {
+      local _vars = self.localvars,
+      localvars+:: {
+        image: images.release,
+        domain: "quay-staging.k8s.devtable.com",
+        namespace: "ci-staging",
+        channels: ['master' , 'beta', 'latest'],
+      },
+      stage: stages.deploy_staging,
+      script+: [],
+      environment+: {
+        name: "staging",
+      },
+      only: ['master']
+   },
+
 };
 
 {

.gitlab-ci.yml

@@ -47,6 +47,57 @@ container-release:
   variables:
     DOCKER_DRIVER: overlay
     DOCKER_HOST: tcp://docker-host.gitlab-runner.svc.cluster.local:2375
+deploy-preview:
+  before_script:
+  - appr login -u $DOCKER_USER -p $DOCKER_PASS quay.io
+  - cd deploy/quay-ci-app
+  - echo -n 1.0.0-${CI_COMMIT_REF_SLUG} > VERSION
+  - 'echo "{\"domain\": \"$QUAY_DOMAIN\", \"image\": \"quay.io/quay/quay-ci:${CI_COMMIT_REF_SLUG}\", \"tag\": \"${CI_COMMIT_REF_SLUG}\"}" > params.json'
+  - cat params.json
+  environment:
+    name: review/${CI_COMMIT_REF_SLUG}
+    on_stop: stop-preview
+    url: https://quay-${CI_COMMIT_REF_SLUG}.k8s.devtable.com
+  image: quay.io/appr/appr:kubectl
+  only:
+  - branches
+  script:
+  - appr push quay.io/quay/quay-ci-app -f
+  - appr deploy quay.io/quay/quay-ci-app@1.0.0-${CI_COMMIT_REF_SLUG} --namespace ci-quay-${CI_COMMIT_REF_SLUG} -x docker_user=$DOCKER_USER -x docker_pass=$DOCKER_PASS
+  - kubectl get ingresses -n ci-quay-${CI_COMMIT_REF_SLUG} -o wide
+  stage: deploy_preview
+  tags:
+  - kubernetes
+  variables:
+    K8S_NAMESPACE: ci-quay-${CI_COMMIT_REF_SLUG}
+    QUAY_DOMAIN: quay-${CI_COMMIT_REF_SLUG}.k8s.devtable.com
+  when: manual
+deploy-staging:
+  before_script:
+  - appr login -u $DOCKER_USER -p $DOCKER_PASS quay.io
+  - cd deploy/quay-ci-app
+  - echo -n 1.0.0-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA} > VERSION
+  - 'echo "{\"domain\": \"$QUAY_DOMAIN\", \"image\": \"quay.io/quay/quay:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA}\", \"tag\": \"${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA}\"}" > params.json'
+  - cat params.json
+  environment:
+    name: staging
+    url: https://quay-staging.k8s.devtable.com
+  image: quay.io/appr/appr:kubectl
+  only:
+  - master
+  script:
+  - appr push quay.io/quay/quay-ci-app -f
+  - appr push quay.io/quay/quay-ci-app -c master
+  - appr push quay.io/quay/quay-ci-app -c beta
+  - appr push quay.io/quay/quay-ci-app -c latest
+  - appr deploy quay.io/quay/quay-ci-app@1.0.0-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA} --namespace ci-staging -x docker_user=$DOCKER_USER -x docker_pass=$DOCKER_PASS
+  - kubectl get ingresses -n ci-staging -o wide
+  stage: deploy_staging
+  tags:
+  - kubernetes
+  variables:
+    K8S_NAMESPACE: ci-staging
+    QUAY_DOMAIN: quay-staging.k8s.devtable.com
 karma-tests:
   before_script:
   - cd $QUAYDIR
@@ -132,10 +183,32 @@ registry-tests:
 stages:
 - docker_base
 - docker_build
+- deploy_preview
 - unit_tests
 - integration
 - docker_release
+- deploy_staging
 - teardown
+stop-preview:
+  before_script: []
+  environment:
+    action: stop
+    name: review/${CI_COMMIT_REF_SLUG}
+    url: https://quay-${CI_COMMIT_REF_SLUG}.k8s.devtable.com
+  image: quay.io/appr/appr:kubectl
+  only:
+  - branches
+  script:
+  - kubectl delete ns $K8S_NAMESPACE
+  - kubectl get pods -o wide -n $K8S_NAMESPACE
+  stage: deploy_preview
+  tags:
+  - kubernetes
+  variables:
+    GIT_STRATEGY: none
+    K8S_NAMESPACE: ci-quay-${CI_COMMIT_REF_SLUG}
+    QUAY_DOMAIN: quay-${CI_COMMIT_REF_SLUG}.k8s.devtable.com
+  when: manual
 unit-tests:
   before_script:
   - cd $QUAYDIR

.gitlab-ci/base_jobs.libsonnet

@@ -35,6 +35,72 @@ function(vars={})
       ],
     },
 
+
+    QuayDeploy: {
+      local this = self,
+      local _vars = self.localvars,
+      localvars:: {
+                   appversion: "1.0.0-%s" % self.image.tag,
+                   apprepo: "quay.io/quay/%s" % self.appname,
+                   appname: "quay-ci-app",
+                   domain: "quay-%s.k8s.devtable.com" % self.image.tag,
+                   namespace: "ci-quay-%s" % self.image.tag,
+                   image: vars.images.quayci,
+                   channels: [],
+                   pushargs: ["-f"],
+
+                   buildParams(extra_params={}):: (
+                     local params = {image: _vars.image.name,
+                                     tag: _vars.image.tag,
+                                     domain: "$QUAY_DOMAIN"} + extra_params;
+                     [
+                     "echo -n %s > VERSION" % _vars.appversion,
+                     'echo %s > params.json' % std.escapeStringJson(params),
+                     "cat params.json"
+                     ]),
+
+                    pushApp(repo="quay.io/quay", extra_args=['-f'], channels=[]):: (
+                      ["appr push %s %s" % [repo, std.join(" ", extra_args)]] +
+                      ["appr push %s -c %s" % [repo, channel] for channel in channels]
+                    ),
+                   },
+
+      variables: {K8S_NAMESPACE: _vars.namespace,
+                  QUAY_DOMAIN: _vars.domain},
+      image: "quay.io/appr/appr:kubectl",
+      environment: {
+        name: "review/%s" % _vars.image.tag,
+        url: "https://%s" % _vars.domain,
+      },
+      tags: [
+        "kubernetes",
+      ],
+
+      before_script: [
+       "appr login -u $DOCKER_USER -p $DOCKER_PASS quay.io",
+       "cd deploy/%s" % _vars.appname,
+       ] + _vars.buildParams(),
+
+      script:
+       _vars.pushApp(_vars.apprepo, _vars.pushargs, _vars.channels) +
+       [
+       "appr deploy %s@%s --namespace %s -x docker_user=$DOCKER_USER -x docker_pass=$DOCKER_PASS" % [
+        _vars.apprepo,
+        _vars.appversion,
+        _vars.namespace],
+       "kubectl get ingresses -n %s -o wide" % _vars.namespace,
+      ],
+    },
+
+    QuayDeployStop: self.QuayDeploy {
+      variables+: {GIT_STRATEGY: "none"},
+      environment+: {
+        action: "stop"
+      },
+      before_script: [],
+      script: [],
+    },
+
     dbTest(scheme, image, env):: self.QuayTest {
       variables+: {
         SKIP_DB_SCHEMA: 'true',

.gitlab-ci/vars.libsonnet

@@ -8,12 +8,11 @@ local utils = import "utils.libsonnet";
 
   // internal variables
   images: {
-    // Quay initial image, used in the FROM clause
+    // Quay initial image, used in the Dockerfile FROM clause
     base: { repo: "quay.io/quay/quay-base", tag: "latest",
             name: utils.containerName(self.repo, self.tag),
     },
 
-    // @TODO(ant31) release should use quay/quay
     // release is a copy of the quayci image to the 'prod' repository
     release: { repo: "quay.io/quay/quay",
                tag: "${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA}",

deploy/postgres/.kpmignore

@@ -0,0 +1 @@
+variables.yaml

deploy/postgres/README.md

@@ -0,0 +1,8 @@
+
+postgres/postgres
+===========
+
+# Install
+
+kpm deploy postgres/postgres
+

deploy/postgres/manifest.yaml

@@ -0,0 +1,29 @@
+---
+package:
+  name: quay/postgres-app
+  author: Antoine Legrand
+  version: 9.6.1-1
+  description: postgres
+  license: MIT
+
+variables:
+  image: postgres:9.6.1
+  dbname: quay
+  user: quay
+  password: quay
+  data_volumes:
+    - name: postgres-data
+      emptyDir:
+        medium: ""
+
+resources:
+  - file: postgres-deployment.yaml
+    name: postgres
+    type: deployment
+
+  - file: postgres-service.yaml
+    name: postgres
+    type: service
+
+deploy:
+  - name: $self

deploy/postgres/templates/postgres-deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: postgres
+  labels:
+    k8s-app: postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: postgres
+  template:
+    metadata:
+      labels:
+        k8s-app: postgres
+    spec:
+      containers:
+        - image: {{image}}
+          name: postgres
+          env:
+            - name: POSTGRES_PASSWORD
+              value: "{{password}}"
+            - name: PGPASSWORD
+              value: "{{password}}"
+            - name: POSTGRES_USER
+              value: "{{user}}"
+            - name: POSTGRES_DB
+              value: "{{dbname}}"
+            - name: PGDATA
+              value: /var/lib/postgresql/data/pgdata
+          ports:
+            - containerPort: 5432
+              name: postgres
+          volumeMounts:
+            - name: postgres-data
+              mountPath: /var/lib/postgresql/data
+          # livenessProbe:
+          #   tcpSocket:
+          #     port: "postgres"
+          #   initialDelaySeconds: 5
+          #   timeoutSeconds: 1
+          # readinessProbe:
+          #   initialDelaySeconds: 600
+          #   exec:
+          #     command: ["psql", "-h", "localhost", "-U", "postgres"]
+      volumes: {{data_volumes}}

deploy/postgres/templates/postgres-service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: postgres
+  name: postgres
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5432
+      name: postgres
+  selector:
+    k8s-app: postgres

deploy/postgres/variables.yaml

@@ -0,0 +1,7 @@
+user: quay
+password: quay
+dbname: quay
+data_volumes:
+   - name: "postgres-data"
+     persistentVolumeClaim:
+       claimName: pvc-postgres-master

deploy/quay-app/.apprignore

@@ -0,0 +1 @@
+stack/

deploy/quay-app/Chart.jsonnet

@@ -0,0 +1,8 @@
+{
+  name: 'quay/quay-app',
+  author: 'Antoine Legrand',
+  version: std.split(importstr "VERSION", "\n")[0],
+  description: 'quay',
+  license: 'MIT',
+  expander: 'jinja2'
+}

deploy/quay-app/README.md

@@ -0,0 +1,9 @@
+# Configure
+##
+- The package reads automatically ./stack/* and use every files there in configuration.
+- if a `./stack/config.yaml` exists, the file is merged with the variable `config`.
+ Config precedence order:
+  1. Default defined in the package level
+  2. file content in `stack/*`
+  3. value variables.stack_files
+Except for `config.yaml`, precedence is a strict replacement, for config.yaml is a mergePatch.

deploy/quay-app/lib/quay.libsonnet

@@ -0,0 +1,16 @@
+local appr = import 'appr.libsonnet';
+
+{
+# Read all files in a directory
+# @todo(ant31): replace walk by listdir
+load_stack_files(path):: (
+  if appr.path_exists(path)
+  then {[appr.path.basename(file)]: appr.readfile(file, encode=true) for file in appr.walkdir(path)}
+  else {}
+),
+
+# Create a patch to add/update annotation with a rand value.
+# Use to force a Deployment rolling-update
+rand_label():: {metadata+: {annotations+: {'resource.appr/rand': appr.randAlphaNum()}}},
+
+}

deploy/quay-app/manifest.jsonnet

@@ -0,0 +1,155 @@
+local appr = import 'appr.libsonnet';
+local quaylib = import 'lib/quay.libsonnet';
+
+function(
+  params={}
+)
+
+
+appr.package({
+  package: import "Chart.jsonnet",
+
+variables: {
+  namespace: 'default',
+  cluster_domain_name: 'cluster.local',
+
+  # Minimum configuration
+  base_config: (import "templates/conf/config.libsonnet")($.variables),
+
+  # Additional values stack/config.yaml values
+  config: {},
+
+  # path to the local stack configuration directory
+  stack_path: "stack",
+
+  # load local `stack` directory if exists
+  stack_files: {
+   "syslog-ng-extra.conf": appr.b64encode(importstr "templates/conf/syslog-ng-extra.conf")} +
+    if $.variables.license != null then {"license": appr.b64encode($.variables.license) } else {} +
+    quaylib.load_stack_files($.variables.stack_path),
+
+  # load license
+  license: null,
+
+  # Image tag and repo
+  tag: $.package.version,
+  image: 'quay.io/quay/quay:%s' % self.tag,
+
+  # Used in the pull secret
+  docker_user: 'changeme',
+  docker_pass: 'changeme',
+
+  # Redis configuration
+  redis_host: 'quay-redis.%s.svc.%s:6379' % [$.variables.namespace, $.variables.cluster_domain_name],
+  redisconf: {redis_parts:: std.split($.variables.redis_host, ":"),
+              "host": self.redis_parts[0], port: self.redis_parts[1]},
+
+  # Configure the ingress with the ingress controller class and domain to use
+  domain: 'quay.%s.example.com' % $.variables.namespace,
+  ingress: {
+    class: 'nginx',
+    tls: "kubernetes.io/tls-acme",
+    domains: std.split($.variables.domain, ','),
+    annotations: {}
+  },
+
+  # Force to reload the secret/configuration
+  reconfigure: "false",
+
+  # Deploy a postgres (don't use it for prod)
+  deploy_db: 'false',
+
+  # Postgres deployment configuratio
+  db: {
+    user: 'quay',
+    password: 'quay',
+    name: 'quay',
+  },
+
+  # Quay DB_URI
+  db_uri: 'postgresql://%s:%s@postgres.%s.svc.%s/%s' % [$.variables.db.user,
+                                                       $.variables.db.password,
+                                                       $.variables.namespace,
+                                                       $.variables.cluster_domain_name,
+                                                       $.variables.db.name],
+
+},
+
+
+  # ServiceAccount to attach Rbac rules
+resources: appr.compact([ #  + appr.importResourceDir('templates/')
+  {
+    value: {apiVersion: 'v1', kind: 'ServiceAccount',
+            metadata: {name: 'quay-enterprise'}}
+  },
+
+  # Grant secret read/write permission inside the namespace
+  {
+    value: (import 'templates/quay-enterprise-role.libsonnet')($.variables),
+  },
+
+  # Bind role to the Service account
+  {
+    value: (import 'templates/quay-enterprise-rolebinding.libsonnet')($.variables),
+  },
+
+  # Quay.io robot / user account. Protected from default values
+  {
+    value: (import 'templates/quay-enterprise-pullsecret.libsonnet')($.variables),
+    protected: if $.variables.docker_user == "changeme" || $.variables.docker_pass == "changeme"
+               then true else false
+  },
+
+  # Quay configuration files (quay/conf/stack), automatically read local the "./stack" directory to load values.
+  # Values can also be loaded from $.variables.stack_files
+  # Protected unless explicitly requested (reconfigure == "true").
+  {
+    value: (import 'templates/quay-enterprise-secret.libsonnet')($.variables),
+    protected: if $.variables.reconfigure == "true" then false else true
+  },
+
+  # Quay-registry deployment
+  # Force a rollout when the secret is reconfigured by updating a label (see randLabel)
+  {
+    value: appr.loadObject(appr.jinja2(importstr 'templates/quay-enterprise-app-dp.yaml', $.variables)) +
+           if $.variables.reconfigure == "true" then
+             # trigger a rollout
+             quaylib.rand_label()
+           else {}
+  }, # + {value+: if $.variables.reconfigure == "true" then randLabel() else {},},
+
+  {
+    template: (importstr 'templates/quay-enterprise-service.yaml'),
+  },
+
+  # Redis
+  {
+    template: (importstr 'templates/quay-enterprise-redis-service.yaml'),
+  },
+
+  {
+    template: (importstr 'templates/quay-enterprise-redis.yaml'),
+  },
+
+
+  # Ingress, assumes usage of kube-lego and an ingress controller.
+  # see variables.ingress for configuration
+  {
+    value: (import 'templates/quay-enterprise-ingress.libsonnet')($.variables.ingress),
+  },
+
+
+]),
+
+
+deploy: appr.compact([
+ if $.variables.deploy_db == 'true' then
+  {name: 'quay/postgres-app',
+    variables: {
+      user: $.variables.db.user,
+      dbname: $.variables.db.name,
+      password: $.variables.db.password
+      }},
+  {name: '$self'},
+]),
+}, params)

deploy/quay-app/templates/conf/config.libsonnet

@@ -0,0 +1,53 @@
+function(vars)
+{
+    BUILDLOGS_REDIS: vars.redisconf,
+    USER_EVENTS_REDIS: vars.redisconf,
+    DB_URI: vars.db_uri,
+    SETUP_COMPLETE: true,
+    # Not deployed, features forced turn off
+    FEATURE_SECURITY_SCANNER: false,
+    FEATURE_BUILD_SUPPORT: false,
+    FEATURE_ACI_CONVERSION: false,
+    FEATURE_GITHUB_BUILD: false,
+    FEATURE_BITBUCKET_BUILD: false,
+    FEATURE_GITLAB_BUILD: false,
+    GITHUB_TRIGGER_CONFIG: null,
+    GITLAB_TRIGGER_KIND: {},
+    AUTHENTICATION_TYPE: "Database",
+    PREFERRED_URL_SCHEME: "https",
+    SERVER_HOSTNAME: vars.ingress.domains[0],
+    EXTERNAL_TLS_TERMINATION: true,
+    INSTANCE_SERVICE_KEY_KID_LOCATION: 'conf/quay.kid',
+    INSTANCE_SERVICE_KEY_LOCATION: 'conf/quay.pem',
+}
+
+# local s3_storage = {  local_us: ["S3Storage",
+#              {storage_path: "",
+#               s3_access_key: vars.storage.s3.access_key,
+#               s3_secret_key: vars.storage.s3.secret_key,
+#               s3_bucket: vars.storage.s3.bucket},
+#             ]
+# };
+
+# extra: {
+#     REGISTRY_TITLE: "Quay (%s)" % vars.ingress.host,
+#     REGISTRY_TITLE_SHORT: "Quay (%s)" % vars.ingress.host,
+#     TESTING: true,
+#     DEBUGGING: true,
+#     USE_CDN: false,
+#     FEATURE_ANONYMOUS_ACCESS: true,
+#     FEATURE_MAILING: false,
+#     AUTHENTICATION_TYPE: "Database",
+#     ENTERPRISE_LOGO_URL: "/static/img/quay-logo.png",
+#     LOG_ARCHIVE_LOCATION: "default",
+#     TAG_EXPIRATION_OPTIONS: ["2d"],
+#     DISTRIBUTED_STORAGE_CONFIG: {
+#       default: [
+#          "LocalStorage",
+#          {storage_path: "/datastorage/registry"}]},
+#      DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: [],
+#      DISTRIBUTED_STORAGE_PREFERENCE: ["default"],
+#      USERFILES_LOCATION: "default",
+#      USERFILES_PATH: "userfiles/",
+# }
+# }

deploy/quay-app/templates/conf/syslog-ng-extra.conf

@@ -0,0 +1,7 @@
+destination d_stdout {
+  pipe("/dev/stdout");
+};
+
+log {
+  source(s_src); destination(d_stdout);
+};

deploy/quay-app/templates/quay-enterprise-app-dp.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-app
+  labels:
+    quay-enterprise-component: app
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        quay-enterprise-component: app
+    spec:
+      serviceAccountName: "quay-enterprise"
+      containers:
+        - name: quay-enterprise-app
+          livenessProbe:
+            httpGet:
+              path: /status
+              port: 80
+            initialDelaySeconds: 300
+            periodSeconds: 30
+            failureThreshold: 3
+            successThreshold: 1
+          readinessProbe:
+            httpGet:
+              path: /status
+              port: 80
+            initialDelaySeconds: 45
+            failureThreshold: 6
+            periodSeconds: 20
+          env:
+            - name: QE_K8S_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          image: {{image}}
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: configvolume
+              readOnly: false
+              mountPath: /conf/stack
+          resources:
+            limits:
+              cpu: 1
+              memory: 2Gi
+      imagePullSecrets:
+        - name: coreos-pull-secret
+      volumes:
+        - name: configvolume
+          secret:
+            secretName: quay-enterprise-config-secret

deploy/quay-app/templates/quay-enterprise-ingress.libsonnet

@@ -0,0 +1,31 @@
+function(ingress={ class: 'none', tls: "true", domains: ['quay.example.com'] })
+
+{
+apiVersion: "extensions/v1beta1",
+kind: "Ingress",
+metadata: {
+ annotations: {
+  "kubernetes.io/ingress.class": ingress.class,
+   [if std.type(ingress.tls) == "string" then ingress.tls]: "true"} +
+   if std.objectHas(ingress, "annotations") then ingress.annotations else {},
+ name: "quay-enterprise",
+},
+
+spec: {
+ rules: [{
+   host: domain,
+   http: {
+    paths: [{
+      backend: {
+      serviceName: "quay-enterprise",
+      servicePort: 80,},
+    path: "/"}]},
+  } for domain in ingress.domains],
+} +
+
+if std.type(ingress.tls) == "string" then
+ {tls: [{
+   hosts: ingress.domains,
+   secretName: "quay-enterprise-tls",
+  }]} else {},
+}

deploy/quay-app/templates/quay-enterprise-pullsecret.libsonnet

@@ -0,0 +1,14 @@
+local appr = import "appr.libsonnet";
+function(variables={})
+{
+local docker_login = [variables.docker_user, variables.docker_pass],
+data: {
+   ".dockercfg": appr.b64encode('{"quay.io": {"username": "%s", "password": "%s","email":"toto@toto.com","auth": "%s"}}' % (docker_login + [appr.b64encode("%s:%s" % docker_login)])),
+   },
+kind: "Secret",
+metadata: {
+  name: "coreos-pull-secret",
+  },
+
+type: "kubernetes.io/dockercfg"
+}

deploy/quay-app/templates/quay-enterprise-redis-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: quay-redis
+  name: quay-redis
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 6379
+      targetPort: 6379
+  selector:
+    quay-enterprise-component: redis

deploy/quay-app/templates/quay-enterprise-redis.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise-redis
+  labels:
+    quay-enterprise-component: redis
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        quay-enterprise-component: redis
+    spec:
+      containers:
+      - name: redis-master
+        image: quay.io/quay/redis
+        ports:
+          - containerPort: 6379
+        resources:
+          limits:
+            cpu: 100m
+            memory: 500Mi

deploy/quay-app/templates/quay-enterprise-role.libsonnet

@@ -0,0 +1,21 @@
+local appr = import "appr.libsonnet";
+function(vars={})
+{
+kind: "Role",
+apiVersion: 'rbac.authorization.k8s.io/v1beta1',
+metadata: {
+  name: "quay-enterprise",
+  },
+rules: [
+  {
+   apiGroups: [""],
+   resources: ["secrets"],
+   verbs: ["get", "update", "patch"],
+  },
+  {
+    apiGroups: [""],
+    resources: ["namespaces"],
+    verbs: ["get"],
+  },
+],
+}

deploy/quay-app/templates/quay-enterprise-rolebinding.libsonnet

@@ -0,0 +1,21 @@
+function(vars={})
+{
+apiVersion: "rbac.authorization.k8s.io/v1beta1",
+kind: "RoleBinding",
+metadata: {
+  name: "quay-enterprise-binding",
+  namespace: vars.namespace,
+},
+roleRef: {
+  apiGroup: "rbac.authorization.k8s.io",
+  kind: "Role",
+  name: "quay-enterprise",
+  },
+subjects: [
+  {
+   kind: "ServiceAccount",
+   name: "quay-enterprise",
+   namespace: vars.namespace,
+  }
+]
+}

deploy/quay-app/templates/quay-enterprise-secret.libsonnet

@@ -0,0 +1,34 @@
+local appr = import "appr.libsonnet";
+local b64e = appr.b64decode;
+
+function(vars={})
+
+# Deserialize config.yaml if exists
+local local_stack_config = (
+  local confpath = "config.yaml";
+  if std.objectHasAll(vars.stack_files, confpath)
+    then appr.loadObject(appr.b64decode(vars.stack_files[confpath]))
+    else {}
+);
+
+# Merge all config together
+# Precedence: local stack/config.yaml < package-config (vars.config)  < base-config (vars.base-config)
+local config_yaml = {'config.yaml': appr.b64encode(appr.to_yaml(
+                                                   local_stack_config +
+                                                   vars.config +
+                                                   vars.base_config))};
+
+# Merge stack files
+local stack_files = vars.stack_files + config_yaml;
+
+{
+apiVersion: "v1",
+kind: "Secret",
+metadata: {
+  namespace: "quay-enterprise",
+  name: "quay-enterprise-config-secret"},
+
+# base64 encode all files
+data: { [file]: stack_files[file]
+        for file in std.objectFields(stack_files) if stack_files[file] != null}
+}

deploy/quay-app/templates/quay-enterprise-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: quay-enterprise
+  name: quay-enterprise
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  selector:
+    quay-enterprise-component: app

deploy/quay-ci-app/README.md

@@ -0,0 +1,8 @@
+
+quay/quay
+===========
+
+# Install
+
+kpm deploy quay/quay
+

deploy/quay-ci-app/VERSION

@@ -0,0 +1 @@
+2.4.0-1

deploy/quay-ci-app/ci_stack/config.yaml

@@ -0,0 +1,176 @@
+---
+# Uncomment to use a real mysql db running in docker
+# DB_URI: mysql+pymysql://root:password@192.168.59.103/quay
+# DB_CONNECTION_ARGS:
+#   threadlocals: true
+#   autorollback: true
+
+SECRET_KEY: a36c9d7d-25a9-4d3f-a586-3d2f8dc40a83
+
+REGISTRY_TITLE: Quay.io (local)
+REGISTRY_TITLE_SHORT: Quay.io (local)
+
+GITHUB_LOGIN_CONFIG:
+  GITHUB_ENDPOINT: https://github.com/
+  API_ENDPOINT: https://api.github.com/
+  CLIENT_ID: 0e8dbe15c4c7630b5480
+  CLIENT_SECRET: d4a58ddd3dbe08b7fec109e85564a0d153d3e256
+  ORG_RESTRICT: true
+  ALLOWED_ORGANIZATIONS:
+  - DevTables
+  - cOREOS
+
+#GITHUB_LOGIN_CONFIG:
+#  GITHUB_ENDPOINT: http://192.168.59.104
+#  CLIENT_ID: dc6468ad8690e5aad485
+#  CLIENT_SECRET: 78ed1f22b1cce0aafbe363b7cb38258874dbdca6
+
+GITHUB_TRIGGER_CONFIG:
+  GITHUB_ENDPOINT: https://github.com/
+  API_ENDPOINT: https://api.github.com/
+  CLIENT_ID: cfbc4aca88e5c1b40679
+  CLIENT_SECRET: 334cd66a7868259697726e2a1980c6869dbdef49
+
+GOOGLE_LOGIN_CONFIG:
+  CLIENT_ID: 342710155188-onh8ko4uge0mu4odl4vchios4m92ncuu.apps.googleusercontent.com
+  CLIENT_SECRET: PWgfDNB0RAP4Nrqu9pZT37n9
+
+BITBUCKET_TRIGGER_CONFIG:
+  CONSUMER_KEY: xKcfYn9tjKTq8pELgp
+  CONSUMER_SECRET: E6ewPUDwvFxY7HUPUsGpMvXHPKDkR8Ur
+
+GITLAB_TRIGGER_CONFIG:
+  GITLAB_ENDPOINT: https://gitlab.com
+  CLIENT_ID: 5f12a8b50aafcf9f3dc1394eeb00d1ccb217d07f0c7f85bb9cb3ffb2d836043f
+  CLIENT_SECRET: f8dd18718bd2cbd35196eaca62ae56785d947ddd45fbcd7963353c25fcc27ea3
+
+FEATURE_BILLING: true
+BILLING_TYPE: Stripe
+STRIPE_SECRET_KEY: sk_test_PEbmJCYrLXPW0VRLSnWUiZ7Y
+STRIPE_PUBLISHABLE_KEY: pk_test_uEDHANKm9CHCvVa2DLcipGRh
+
+MAIL_SERVER: email-smtp.us-east-1.amazonaws.com
+MAIL_USE_TLS: true
+MAIL_PORT: 587
+MAIL_USERNAME: AKIAIXV5SDGCPVMU3N4Q
+MAIL_PASSWORD: AhmX/vWE91uQ2RtcEKTkfNrzZehEjPNXOXeOXgQNfLao
+MAIL_DEFAULT_SENDER: support@quay.io
+MAIL_FAIL_SILENTLY: false
+
+AVATAR_KIND: gravatar
+
+TESTING: false
+DEBUGGING: true
+USE_CDN: true
+
+# Feature Flag: Whether to display the support chat.
+FEATURE_SUPPORT_CHAT: true
+
+# Feature Flag: Whether GitHub login is supported.
+FEATURE_GITHUB_LOGIN: true
+
+# Feature Flag: Whether Google login is supported.
+FEATURE_GOOGLE_LOGIN: true
+
+# Analytics
+ANALYTICS_TYPE: Mixpanel
+MIXPANEL_KEY: 38014a0f27e7bdc3ff8cc7cc29c869f9
+
+# Uncomment this to enable Marketo for dev
+# USER_ANALYTICS_TYPE: Marketo
+# MARKETO_MUNCHKIN_ID: 231-DAD-511
+# MARKETO_MUNCHKIN_PRIVATE_KEY: corechella16!
+# MARKETO_CLIENT_ID: 873e9474-367c-42ee-9f53-af43d895c956
+# MARKETO_CLIENT_SECRET: qqvYC1slFvEJkiye5X3J8fsgEKMu8Dlt
+# MARKETO_LEAD_SOURCE: Quay Hosted - Test
+
+# Build logs
+BUILDLOGS_REDIS:
+  host: 192.168.59.103
+BUILDLOGS_OPTIONS:
+- devtable
+- building
+- deadbeef-dead-beef-dead-beefdeadbeef
+- true
+BUILDLOGS_MODULE_AND_CLASS:
+- test.testlogs
+- testlogs.TestBuildLogs
+
+# User events
+USER_EVENTS_REDIS:
+  host: 192.168.59.103
+
+FEATURE_GITHUB_BUILD: true
+FEATURE_BITBUCKET_BUILD: true
+FEATURE_GITLAB_BUILD: true
+
+FEATURE_SUPER_USERS: true
+SUPER_USERS:
+- devtable
+
+SIGNING_ENGINE: gpg2
+
+GPG2_PRIVATE_KEY_NAME: EEB32221
+GPG2_PRIVATE_KEY_FILENAME: signing-private.gpg
+GPG2_PUBLIC_KEY_FILENAME: signing-public.gpg
+
+FEATURE_ACI_CONVERSION: true
+
+SETUP_COMPLETE: true
+
+# Uncomment to test LDAP.
+# Information: http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
+# AUTHENTICATION_TYPE: 'LDAP'
+# LDAP_URI: 'ldap://ldap.forumsys.com'
+# LDAP_BASE_DN: ['dc=example', 'dc=com']
+# LDAP_ADMIN_DN: 'cn=read-only-admin,dc=example,dc=com'
+# LDAP_ADMIN_PASSWD: 'password'
+# LDAP_USER_RDN: []
+
+# Uncomment to test S3 Uploads to an ephemeral bucket
+# DISTRIBUTED_STORAGE_CONFIG:
+#   local_us:
+#   - S3Storage
+#   - storage_path: ""
+#     s3_access_key: AKIAJDF3UKLGZJ7RLJ2A
+#     s3_secret_key: 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
+#     s3_bucket: quay-registry-test
+
+# Uncomment to test swift storage
+# DISTRIBUTED_STORAGE_CONFIG:
+#   local_us:
+#    - SwiftStorage
+#    - swift_container: container_name
+#      storage_path: /datastorage/registry
+#      auth_url: http://192.168.59.103:32768/auth/v1.0
+#      swift_user: test:tester
+#      swift_password: testing
+#      auth_version: 1
+#      simple_path_concat: true
+
+#FEATURE_ANONYMOUS_ACCESS: False
+
+# CloudWatch AWS Keys
+#CLOUDWATCH_AWS_ACCESS_KEY: AKIAJUSUTJ3TGBAC2LMQ
+#CLOUDWATCH_AWS_SECRET_KEY: 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
+#CLOUDWATCH_NAMESPACE: Quay/Local
+
+# Security scanner
+FEATURE_SECURITY_SCANNER: true
+FEATURE_SECURITY_NOTIFICATIONS: true
+SECURITY_SCANNER:
+  ENDPOINT: https://192.168.99.100:6060
+  ENGINE_VERSION_TARGET: 1
+  API_VERSION: v1
+  API_TIMEOUT_SECONDS: 10
+
+INSTANCE_SERVICE_KEY_KID_LOCATION: 'conf/stack/quay.kid'
+INSTANCE_SERVICE_KEY_LOCATION: 'conf/stack/quay.pem'
+
+PROMETHEUS_AGGREGATOR_URL: null
+
+STAGGER_WORKERS: false
+
+STATIC_SITE_BUCKET: 'https://s3.amazonaws.com/prod-s3.quay.io/'
+
+FEATURE_APP_REGISTRY: true

deploy/quay-ci-app/ci_stack/license

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiJ9.eyJzY2hlbWFWZXJzaW9uIjoidjIiLCJ2ZXJzaW9uIjoiMjciLCJjcmVhdGlvbkRhdGUiOiIyMDE2LTEwLTI1VDAwOjA2OjQzWiIsImV4cGlyYXRpb25EYXRlIjoiMjAxNy0xMC0yNVQwMDowNjo0M1oiLCJsaWNlbnNlIjoie1wic2NoZW1hVmVyc2lvblwiOlwidjJcIixcInZlcnNpb25cIjpcIjI3XCIsXCJhY2NvdW50SURcIjpcIkFDQy02ODY0N0FCRC03REI3LTQ4QzItQjZDNS0yMjEzOEQ5RFwiLFwiYWNjb3VudFNlY3JldFwiOlwiMGIyMjk4ZTAtZDRmOC00M2M4LTk3NDUtNjY5Y2I2NDc2MzA5XCIsXCJjcmVhdGlvbkRhdGVcIjpcIjIwMTYtMTAtMjVUMDA6MDY6NDMuMTgzMzIzWlwiLFwiZXhwaXJhdGlvbkRhdGVcIjpcIjIwMTctMTAtMjVUMDA6MDY6NDMuMTgzMzIzWlwiLFwic3Vic2NyaXB0aW9uc1wiOntcIlNVQi0yMkVDRjk4RS00QUVFLTQzNjktODgwQy0zMjg3ODEyM1wiOntcInBsYW5OYW1lXCI6XCJ0ZWN0b25pYy1lbnRlcnByaXNlLXBvY1wiLFwicHVibGljUGxhbk5hbWVcIjpcIlRlY3RvbmljIEVudGVycHJpc2UgUE9DXCIsXCJwbGFuSURcIjpcIlBSUC1EMzkwN0ZDQS1FM0ExLTQxNUEtQUJBRS1CNEEwMkI1OVwiLFwicHJvZHVjdE5hbWVcIjpcInRlY3RvbmljLWVudGVycHJpc2VcIixcInB1YmxpY1Byb2R1Y3ROYW1lXCI6XCJUZWN0b25pYyBFbnRlcnByaXNlXCIsXCJwcm9kdWN0SURcIjpcIlBSTy04NDU4RUJGRS00NDZDLTQwQUUtQjU3OC1DQjU1QUMyN1wiLFwic2VydmljZVN0YXJ0XCI6XCIyMDE2LTA0LTIwVDIwOjQ0OjAwWlwiLFwic2VydmljZUVuZFwiOlwiMjAxNy0wNC0yMFQyMDo0NDowMFpcIixcImluVHJpYWxcIjpmYWxzZSxcInRyaWFsT25seVwiOmZhbHNlLFwiZHVyYXRpb25cIjo2MCxcImR1cmF0aW9uUGVyaW9kXCI6XCJkYXlzXCIsXCJlbnRpdGxlbWVudHNcIjp7XCJzb2Z0d2FyZS5jb3JldXBkYXRlXCI6MSxcInNvZnR3YXJlLnF1YXlcIjoxLFwic29mdHdhcmUucXVheS5idWlsZGVyc1wiOjk5OTksXCJzb2Z0d2FyZS5xdWF5LmRlcGxveW1lbnRzXCI6MSxcInNvZnR3YXJlLnF1YXkucmVnaW9uc1wiOjEsXCJzb2Z0d2FyZS50ZWN0b25pY1wiOjEsXCJzb2Z0d2FyZS50ZWN0b25pYy5yYW1cIjoxMDI0LFwic3VwcG9ydC5jb3Jlb3NsaW51eC5wcmVtaXVtXCI6MSxcInN1cHBvcnQuY29yZXVwZGF0ZS5wcmVtaXVtXCI6MSxcInN1cHBvcnQucXVheS5wcmVtaXVtXCI6MSxcInN1cHBvcnQudGVjdG9uaWMucHJlbWl1bVwiOjF9fSxcIlNVQi00NjI3QjRDOC0zOUU3LTQ5QTQtODFCRS01OEQ0MUM1NlwiOntcInBsYW5OYW1lXCI6XCJ0ZWN0b25pYy1zdGFydGVyXCIsXCJwdWJsaWNQbGFuTmFtZVwiOlwiVGVjdG9uaWMgU3RhcnRlciBQbGFuXCIsXCJwbGFuSURcIjpcIlBSUC1DNEE0MEQ1NS1CODVGLTREQTAtQTVCNS1BMzQ1QkEwNlwiLFwicHJvZHVjdE5hbWVcIjpcInRlY3RvbmljLXN0YXJ0ZXJcIixcInB1YmxpY1Byb2R1Y3ROYW1lXCI6XCJUZWN0b25pYyBTdGFydGVyXCIsXCJwcm9kdWN0SURcIjpcIlBSTy01ODk0QTE4Qy1FQTIxLTRFRTctOTc3My1COUI2MDBBNVwiLFwic2VydmljZVN0YXJ0XCI6XCIyMDE2LTEwLTAyVDE3OjAxOjM4WlwiLFwic2VydmljZUVuZFwiOlwiMjAxNi0xMS0wMlQxNzowMTozOFpcIixcImluVHJpYWxcIjpmYWxzZSxcInRyaWFsT25seVwiOmZhbHNlLFwiZHVyYXRpb25cIjoxLFwiZHVyYXRpb25QZXJpb2RcIjpcIm1vbnRoc1wiLFwiZW50aXRsZW1lbnRzXCI6e1wiY29zdFwiOjEsXCJzb2Z0d2FyZS50ZWN0b25pY2NvbnNvbGVcIjoxfX0sXCJTVUItOUIxRTA2RTMtMkEyMC00M0E5LTlFQUMtRDJCODEwN0JcIjp7XCJwbGFuTmFtZVwiOlwicHJlbWl1bS1jdXN0b21cIixcInB1YmxpY1BsYW5OYW1lXCI6XCJQcmVtaXVtIC0gQ3VzdG9tXCIsXCJwbGFuSURcIjpcIlBSUC05NjRBQUM4Qi01NjhBLTQwMEMtOTEzQS1CMzQ2NDRGRVwiLFwicHJvZHVjdE5hbWVcIjpcInF1YXktZW50ZXJwcmlzZVwiLFwicHVibGljUHJvZHVjdE5hbWVcIjpcIlF1YXkgRW50ZXJwcmlzZVwiLFwicHJvZHVjdElEXCI6XCJQUk8tNDNFNEQ4QTYtOEQ1MS00NDZFLUIyNjMtRDBBNjVDOUZcIixcInNlcnZpY2VTdGFydFwiOlwiMjAxNi0xMC0xM1QxODowOTowMFpcIixcInNlcnZpY2VFbmRcIjpcIjIwMTctMTAtMTNUMTg6MDk6MDBaXCIsXCJpblRyaWFsXCI6ZmFsc2UsXCJ0cmlhbE9ubHlcIjpmYWxzZSxcImR1cmF0aW9uXCI6MSxcImR1cmF0aW9uUGVyaW9kXCI6XCJ5ZWFyc1wiLFwiZW50aXRsZW1lbnRzXCI6e1wiY29zdFwiOjAsXCJzb2Z0d2FyZS5xdWF5XCI6MSxcInNvZnR3YXJlLnF1YXkuYnVpbGRlcnNcIjo5OTk5OTksXCJzb2Z0d2FyZS5xdWF5LmRlcGxveW1lbnRzXCI6MSxcInNvZnR3YXJlLnF1YXkucmVnaW9uc1wiOjEsXCJzdXBwb3J0LnF1YXkucHJlbWl1bVwiOjF9fSxcIlNVQi1ERjAwNTdENC1CMEEwLTRFQjktOTQ0QS05RTAzQzZCQ1wiOntcInBsYW5OYW1lXCI6XCJxdWF5LWVudGVycHJpc2UtYW5udWFsLWN1c3RvbVwiLFwicHVibGljUGxhbk5hbWVcIjpcIlF1YXkgRW50ZXJwcmlzZVwiLFwicGxhbklEXCI6XCJQUlAtQzNFNkU5NTktMkZGRi00QkI3LTgxMjItRDNFOTdFNkFcIixcInByb2R1Y3ROYW1lXCI6XCJxdWF5LWVudGVycHJpc2VcIixcInB1YmxpY1Byb2R1Y3ROYW1lXCI6XCJRdWF5IEVudGVycHJpc2VcIixcInByb2R1Y3RJRFwiOlwiUFJPLTQzRTREOEE2LThENTEtNDQ2RS1CMjYzLUQwQTY1QzlGXCIsXCJzZXJ2aWNlU3RhcnRcIjpcIjIwMTYtMTAtMjVUMDA6MDU6MDBaXCIsXCJzZXJ2aWNlRW5kXCI6XCIyMDE3LTEwLTI0VDAwOjA1OjAwWlwiLFwiaW5UcmlhbFwiOmZhbHNlLFwidHJpYWxPbmx5XCI6ZmFsc2UsXCJkdXJhdGlvblwiOjEsXCJkdXJhdGlvblBlcmlvZFwiOlwieWVhcnNcIixcImVudGl0bGVtZW50c1wiOntcImNvc3RcIjowLFwic29mdHdhcmUucXVheVwiOjEsXCJzb2Z0d2FyZS5xdWF5LmRlcGxveW1lbnRzXCI6OTk5OTk5LFwic3VwcG9ydC5xdWF5LnByZW1pdW1cIjoxfX19fSJ9.XwPbWiyIthfXKhKj5YEO76kCErEmRyjIK5wMhRz8d6bC7spROyrNC0aikP7UuGOA94I-ZdL-bnrrD8Ijc4hNzvA5SwglmBoJ7uYsqm492DNf3AimXPBX8aMolfjvnBVWs4UaCbzwX2ow95GVPxz6M8DdgypzuPWahpR12jkQ63Ryc6jnDh_9DmtUrQXy0y2xcZmRGsgBMQoC9kJANOQ0jmbAuhhZCG15mTmsEC4S12RnJy7wP_tfYoGikRe01FW-_GsRpPV5BXqP55cSR17PvTGsg3l_dNtmKDa_hrhk3F9u2DNE3h-onbezYUa5J4szJfnZU9hcSK0GurpK4H34Sw

deploy/quay-ci-app/ci_stack/license_key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAwJYjuXSCqTAEdSz2lv7GtkT2dXkwTS+wE8sj0+k8QEBK8xQb
+gkaDGzXSn22mAO2e5cND8wWj8sWeplOFqa7LA/kU+AA/HGV04xrS122yCRJ2D49J
+k9gn8RJv7fnzSahK3v+ZhKeXWaPtA+kwl4u3AkEYiG6w38+vl4HCcg3GFY64iaRw
+Us2vRs3OaaCS0vkJ2sgZAAl5x5Tke+FKOC3ubqojDs5g2hfLT5QMIpj158YdKNaP
+sztRBzh8Dm6mt8UsHECDde2e4VZwlx3ebEoQCcfsY8s5i6OyUphprZYr0P2/E0qM
+7dvhbGOBN4eAw2ZJ3el33anQCdWnFzS4gycpawIDAQABAoIBAGjd2FoVzUgfM24y
+q5uQ49dAOgvBj8GX5AMDLGEpsXszBxzRqCEKED3y0tupMylyOoHWD9v3CE0busXK
+2Q+KdFWXfgmE6NinjjxT0NcpjjZObScP2Pq+SxGD/prQ7d7/2rUO7SNEtq9DCb6F
+bcY3d9GsbJVt4LYeOvj+2UiNo3z8pixIVIYBEIAJbiFUf8ImNy18aI2YsgcIKKx3
+XRcZrQc3lJQO4SgzLEflovl11B8Nvw5XXwXaFn35wmp31L5CtKlPeDT6CDNydTqw
+T2ri0xPu4vyvuVidDcVJOh3Bpw5FSI9fwBr9PDjOLi2YgjRtQBQhnvvtPpk7vSeU
+bVhNN4ECgYEA5C5v1AHURu5tRj7o9I0Po2DLpt1zszd2ly7ED190Ko9qmZqfTyLz
+uBzSk86r2+NMxPhp+uMY2LR0c6LiPAbSVpTOSWL2eatfy/9td9TlK5fVcg6N9vH5
+LYrzuelxSnypm6H300t6CvycrfrscOP4Vs2fdx1yZI0wEngTxL5+sgsCgYEA2BDI
+OY+eJ53KRVEp5stbUryW7HJC6HBlH2ZHeMCLese6fsvdTyhL0/2OanXdxG3bOK6F
+Ilr3UzTK1Krj7U8W0zRnGMVJfaMoEJOwgBtUqm7rjksP2bujRT9OuLKR+MJbLVLC
+0ycoS8iOJWCDIczeL21rgqe1pOp839It/MI+YiECgYBZi9u48IrU10as9Y1IQ39q
+l1b0gh2grFhu1hx9B/G3rhagdyyjysyoaS8+cDHDlj0PY4l7utmKWa8Fnlt4QRkU
+f0tBQ4QElXt/vBrClxrkc66BFzMhQS6Pb+NcBz+9gpSxDewK0KjxXNdD86AMYXqY
+3hMBlN3KlhnSdasUX8mqpwKBgDmAFdkDuIIwguD5nZ4XJmGZYMziB55WMwMtM/4V
+t8jgGGigFnB3d96dzuXUIkWhOsMV5sZi0QkqtoPsSqYf8yIYAwvbjRhLcGEg/MrK
++zg0NqnynfBC+Et4cpnCpAhAqQUhzkllVVr9r56Q1bUMEWErzH3D5hpScRMbmzN1
++iYhAoGACxsSOXRHUMOC3tdcErAsfjc04v13MuuiglH29Ap5e/WoGcr++fCWBnCD
+9IGnHZvY+th/vkuaefZqE6oDYMa4TvyJJnU/tx+h1+jbuCwpdqGkKp9z0xjIvUJ5
+L6imBl4Dwl5DjJLL1HhbzF3C7DHWTbHsRF/HWwNjbV9nCIii4AY=
+-----END RSA PRIVATE KEY-----

deploy/quay-ci-app/ci_stack/license_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAliO5dIKpMAR1LPaW/sa2RPZ1eTBNL7ATyyPT6TxAQErzFBuCRoMbNdKfbaYA7Z7lw0PzBaPyxZ6mU4WprssD+RT4AD8cZXTjGtLXbbIJEnYPj0mT2CfxEm/t+fNJqEre/5mEp5dZo+0D6TCXi7cCQRiIbrDfz6+XgcJyDcYVjriJpHBSza9Gzc5poJLS+QnayBkACXnHlOR74Uo4Le5uqiMOzmDaF8tPlAwimPXnxh0o1o+zO1EHOHwObqa3xSwcQIN17Z7hVnCXHd5sShAJx+xjyzmLo7JSmGmtlivQ/b8TSozt2+FsY4E3h4DDZknd6XfdqdAJ1acXNLiDJylr jake@coreserver

deploy/quay-ci-app/ci_stack/registry_v2_auth.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjwCCQDNYtlT1+tGbzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJV
+UzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRQwEgYDVQQK
+EwtDb3JlT1MsIEluYzENMAsGA1UECxMEUXVheTESMBAGA1UEAxMJMTI3LjAuMC4x
+MB4XDTE2MDUyMzE1MjUxOVoXDTI2MDUyMTE1MjUxOVowbDELMAkGA1UEBhMCVVMx
+ETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHEwhOZXcgWW9yazEUMBIGA1UEChML
+Q29yZU9TLCBJbmMxDTALBgNVBAsTBFF1YXkxEjAQBgNVBAMTCTEyNy4wLjAuMTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKRvOt/XGNIovlr1BWxl2oqs
+KDlgnESj6bFENDjs9+YLrB3mSWX6w4Dk2IdNU0EKHeVnnsAuBs83jaFsIVJxrC99
+ndv0PaejBovUbWyYN3zCMur8iNGse/FT4WRqks2m0Wr0jmEAX5piX/eWo/7OQdea
+wNAGyH7wE0voMpyVSZMBmxRw07zWnwWBihvhOiiCnXZh32GQMplq0wxk4DkBf3hC
+SEaAqsFHKfEFPxVXfdPGeiKKK+P2SAh+uN4miJpGf7Xkuj/Mmzxr1ajNczhPT6OM
+pw0R3h/mok1S8zcp8lN/eDdKwjMeP4Rx+Lc0cRluZNa8otq9qYPNSCIkvsSz5b8C
+AwEAATANBgkqhkiG9w0BAQUFAAOCAQEAZaaD8fLWEh4RGZ7X38IM/ocwDKaXWpDp
+0EC3KMEuar1MET3MtVIXy/k/BLr0HmLRQ2KSV3wFfyOInseVeCvIcKZZo/JF28gR
+LJVBcjExSIr6X8RoPgmKt7AdjlUjPV5XpRzDpfYcMaqpjJa75x6RoxC2ybh5Apyk
+EzL3Naysk6TVPi5ckUYMLfw3JEbCeaEY4KNwVgsNcs447EcBxwGHTBqGOYtpIfku
+SMas81oniMo9LMKv19Bn1oOforaqh8P2c57yregDsCDmP6j0gqkYjhJFCj5JNAKK
+KT35QIfTbVFeCXAoLw0+o9Ma1Q+j7LfwdxnikUHNVZmlmjQmTBMwqg==
+-----END CERTIFICATE-----

deploy/quay-ci-app/ci_stack/registry_v2_auth_private.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApG8639cY0ii+WvUFbGXaiqwoOWCcRKPpsUQ0OOz35gusHeZJ
+ZfrDgOTYh01TQQod5WeewC4GzzeNoWwhUnGsL32d2/Q9p6MGi9RtbJg3fMIy6vyI
+0ax78VPhZGqSzabRavSOYQBfmmJf95aj/s5B15rA0AbIfvATS+gynJVJkwGbFHDT
+vNafBYGKG+E6KIKddmHfYZAymWrTDGTgOQF/eEJIRoCqwUcp8QU/FVd908Z6Ioor
+4/ZICH643iaImkZ/teS6P8ybPGvVqM1zOE9Po4ynDRHeH+aiTVLzNynyU394N0rC
+Mx4/hHH4tzRxGW5k1ryi2r2pg81IIiS+xLPlvwIDAQABAoIBAANdV0oPP63FMafw
+zYybRO6DeUs7Q9dPt09uQtdLWgM2B+6QsL3KdMelZxzVozd4eoYgKaprBq6kx1wf
+N0tVkh1ip6FBjSVp+49O6HJJZxFBdANE6ZPIwLx+Z+VDHP/iQvS6TlODy3EARFBv
+n6luFQDRZNKc4OtgBDUQakCz+U5tuJLqoR8wk/WGQP4FJiZlVwJqNPXMA1A2Mrri
+n6WkhfpB30Z5dl9zsR+zJRbwRBjgJCYN37YC7zdHRfIhBPBvDT+8ApR50BGvPGN3
+sLQuH2FsskbgPsIrWMfCxtWr2xbw028GOe7TSjEG63EG7oGAT0O2eQmAcuPc4Dqj
+Urn8saECgYEA2LkCe6MysmOtattC/gi3B/rIoOCd+4l9yTnW7S7nk/hdeOzxyqX1
+P7OgVeoYLLk3UJy3qTrNDnc0eGTJz0XyPhLlX0f9lduiSMH92XpNsBG7ngnyMCQF
+eAZz8ZlDZC39I8y9CzdcHSLxuHKmQ9jhgUm+EIuf8OlrkjchPdE06i8CgYEAwjxG
+cDA5X1hKYgQTObq245vR3txkvETmLVB7hWkjWLzR//a4hXHJT1fg2LxD5EMtCKZ2
+WXKhcy3tbja+c/IEI1L1wA2v/aWlEvi9n354EQ1QzkvCBDFP5enLnItAUzJQ0IgE
+dtSUskK+li8aY2LB0EPt0eJmYU0cZUJXbl/ZKXECgYAAtttjPO512A5CQ+a8n5q6
+1ADFRvg+U/2uJBqpPXZV7oOgWmeRm2prg1QL9HGP9CxSf7G7RQ5X9dyeaPahUEG0
+IqvO3JXhYI/wXXNQvC51XhmYM8AwmG3ML3lCWpb2RZCIBay51Lzg+7SAPyB9KMHV
+g0C1HUCxspNAMB5T7dSW0QKBgGkxRaCarWeypE4jENpyAXyRNf8xcyj3U4V1EgB1
+qVv0nvK2BsbWkgTzfeVDSK2FqA0IQg49Y6zCUdUfttOKXa1Xz5ocj5SaMiVtKx0G
+3DW39WxUYRXuMuw8SzZTwBmOpW/aSjik9ob4WMlzZyIuKPMG5vSFXZcSsO8yF7HC
+HRUxAoGBAKtCRLT9I5Ap37gWT8W6AAZygoUqhlYO9qygQrBDaJsHj0ZSHM0TO3ig
+Bwq/UxDHBKFV3hmqx5Zmpoa9ZrURb4cBw/+TLq2ppXPLEU+XmEVmqL2323Vyr/Ih
+CAIVWFsY3EGQL7TArOfag+v0Nxq3pypOhjweqIWEMDg+gV2+GHhQ
+-----END RSA PRIVATE KEY-----

deploy/quay-ci-app/ci_stack/signing-public.gpg

@@ -0,0 +1,19 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQENBFTVMzABCAC8jcnCrNHKk0LgyZTdTFtf9Qm2bK27Y0EyyI8tWefUt4LhQRCA
+14dksJVzqWBtpHJnqkYUwfoXZmdz4e9fSS1mmoiHlDwzkuNXx2J1HAnXSxgNMV1D
+JQmfxhKQzFTgkTEN03txPZrOMrDNIZSw0gkAbiBGuQXk9/HNGbzdjkd3vk1GF7Vk
+v1vITmWQG+QQi7H8zR1NYYuFQb5cdDDuOoQWHXNMIZmK27StZ6MUot3NlquZbs1q
+5Gr1HHog0qx+0uYn441zghZ9R1JqaAig0V3eJ8UAbTIMZPO09UUBQKC7O7OgOX/H
+92zGWGwkTMUqJNJUr/dj5ocQbpFk8X3yz+d9ABEBAAG0RFF1YXkuaW8gQUNJIENv
+bnZlcnRlciAoQUNJIGNvbnZlcnNpb24gc2lnbmluZyBrZXkpIDxzdXBwb3J0QHF1
+YXkuaW8+iQE5BBMBAgAjBQJU1TMwAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgEC
+F4AACgkQRjIEfu6zIiHo9Af+MCE4bUOrQ6yrHSPHebHwSARULaTB0Rlj4BAXlv+A
+nUJDaaYaYExo8SHZMWF5X4d4mh57DJOsIXMjIWNKpf9/0hpxRu+P8p77YtXOOeRS
+3xFdq7cOK1yQ8h/iRoXyLaxAFgWvVH+Ttmx4DLr+NsyzEQBjADeBCcF4YR9OZ7fj
+ZYsoq68hH0W7zgZTSrCgvyGxdpu+UWWk/eV/foktxKBMV8K2GmAwyOlsAm59PgUI
+EhfFH0WAEx6+jsMFLkn7USPWomFeyMwJJEiMKYCwALWIbNz1/1dtrZZs2QmBcjAu
+AMFQhx8fykH4ON8a6fpS3TOEzf0HV1NX295O8wb8vS9B7w==
+=aImY
+-----END PGP PUBLIC KEY BLOCK-----

deploy/quay-ci-app/manifest.jsonnet

@@ -0,0 +1,67 @@
+local appr = import "appr.libsonnet";
+
+function(
+  params={}
+)
+
+appr.package({
+  package: {
+  name: "quay/quay-ci-app",
+  author: "Antoine Legrand",
+  version: std.split(importstr "VERSION", "\n")[0],
+  description: "quay",
+  license: "MIT",
+  expander: "jinja2"
+},
+
+variables: {
+  stack_path: "ci_stack",
+  config: (import "templates/config.libsonnet")($.variables),
+  namespace: "default",
+  tag: "master",
+  image: "quay.io/quay/quay-ci:%s" % $.variables.tag,
+  docker_user: 'changeme',
+  docker_pass: 'changeme',
+  domain: 'quay-%s.k8s.devtable.com' % $.variables.tag,
+  ingress: {
+    class: 'nginx',
+    tls: "kubernetes.io/tls-acme-stg",
+    domains: std.split($.variables.domain, ","),
+    annotations: {}
+  },
+
+  license: null,
+  db: {
+    user: 'quay',
+    password: 'quay',
+    name: 'quay',
+  },
+} + (import "params.json"),
+
+resources: appr.compact([
+  {
+    template: (importstr "templates/quay-dev-initdb-job.yaml"),
+  },
+]),
+
+deploy: [
+  {
+    name: "quay/postgres-app",
+    variables: {
+      user: $.variables.db.user,
+      dbname: $.variables.db.name,
+      password: $.variables.db.password
+      }
+   },
+
+   {
+    name: "quay/quay-app",
+    variables: $.variables,
+    version: ":stable"
+   },
+
+   # Deploy the initdb script
+   {name: "$self"},
+
+  ],
+}, params)

deploy/quay-ci-app/params.json

@@ -0,0 +1 @@
+{"image": "quay.io/quay/quay-ci:master", "tag": "master"}

deploy/quay-ci-app/templates/config.libsonnet

@@ -0,0 +1,23 @@
+function(vars={})
+{
+    REGISTRY_TITLE: "Quay (%s)" % vars.domain,
+    REGISTRY_TITLE_SHORT: "Quay (%s)" % vars.domain,
+    TESTING: true,
+    DEBUGGING: true,
+    USE_CDN: false,
+    FEATURE_ANONYMOUS_ACCESS: true,
+    FEATURE_MAILING: false,
+    ENTERPRISE_LOGO_URL: "/static/img/quay-logo.png",
+    LOG_ARCHIVE_LOCATION: "default",
+    SERVER_HOSTNAME: vars.domain,
+    EXTERNAL_TLS_TERMINATION: true,
+    TAG_EXPIRATION_OPTIONS: ["2d"],
+    DISTRIBUTED_STORAGE_CONFIG: {
+      default: [
+         "LocalStorage",
+         {storage_path: "/datastorage/registry"}]},
+     DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: [],
+     DISTRIBUTED_STORAGE_PREFERENCE: ["default"],
+     USERFILES_LOCATION: "default",
+     USERFILES_PATH: "userfiles/",
+}

deploy/quay-ci-app/templates/quay-dev-initdb-job.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: quay-dev-initdb
+spec:
+  activeDeadlineSeconds: 600
+  template:
+    metadata:
+      name: quay-dev-initdb
+    spec:
+      containers:
+        - name: quay
+          image: quay.io/quay/quay-ci:master
+          env:
+            - name: TEST_DATABASE_URI
+              value: "postgres://"
+            - name: SKIP_DB_SCHEMA
+              value: "true"
+          command:
+            - venv/bin/python
+            - initdb.py
+          volumeMounts:
+            - name: configvolume
+              readOnly: false
+              mountPath: /conf/stack
+          resources:
+            limits:
+              cpu: 500m
+              memory: 500Mi
+      imagePullSecrets:
+        - name: coreos-pull-secret
+      volumes:
+        - name: configvolume
+          secret:
+            secretName: quay-enterprise-config-secret
+      restartPolicy: Never