934 lines
		
	
	
	
		
			33 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			934 lines
		
	
	
	
		
			33 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| # INTERNAL_ONLY_PROPERTIES defines the properties in the config that, while settable, should
 | |
| # not be documented for external users. These will generally be used for internal test or only
 | |
| # given to customers when they have been briefed on the side effects of using them.
 | |
| INTERNAL_ONLY_PROPERTIES = {
 | |
|   '__module__',
 | |
|   '__doc__',
 | |
|   'create_transaction',
 | |
| 
 | |
|   'TESTING',
 | |
|   'SEND_FILE_MAX_AGE_DEFAULT',
 | |
| 
 | |
|   'REPLICATION_QUEUE_NAME',
 | |
|   'DOCKERFILE_BUILD_QUEUE_NAME',
 | |
|   'CHUNK_CLEANUP_QUEUE_NAME',
 | |
|   'SECSCAN_NOTIFICATION_QUEUE_NAME',
 | |
|   'SECURITY_SCANNER_ISSUER_NAME',
 | |
|   'NOTIFICATION_QUEUE_NAME',
 | |
|   'NAMESPACE_GC_QUEUE_NAME',
 | |
| 
 | |
|   'FEATURE_BILLING',
 | |
|   'BILLING_TYPE',
 | |
| 
 | |
|   'INSTANCE_SERVICE_KEY_LOCATION',
 | |
|   'INSTANCE_SERVICE_KEY_REFRESH',
 | |
|   'INSTANCE_SERVICE_KEY_SERVICE',
 | |
|   'INSTANCE_SERVICE_KEY_KID_LOCATION',
 | |
|   'INSTANCE_SERVICE_KEY_EXPIRATION',
 | |
|   'UNAPPROVED_SERVICE_KEY_TTL_SEC',
 | |
|   'EXPIRED_SERVICE_KEY_TTL_SEC',
 | |
|   'REGISTRY_JWT_AUTH_MAX_FRESH_S',
 | |
| 
 | |
|   'BITTORRENT_FILENAME_PEPPER',
 | |
|   'BITTORRENT_WEBSEED_LIFETIME',
 | |
| 
 | |
|   'SERVICE_LOG_ACCOUNT_ID',
 | |
|   'BUILDLOGS_OPTIONS',
 | |
|   'LIBRARY_NAMESPACE',
 | |
|   'STAGGER_WORKERS',
 | |
|   'QUEUE_WORKER_METRICS_REFRESH_SECONDS',
 | |
|   'PUSH_TEMP_TAG_EXPIRATION_SEC',
 | |
|   'GARBAGE_COLLECTION_FREQUENCY',
 | |
|   'PAGE_TOKEN_KEY',
 | |
|   'BUILD_MANAGER',
 | |
|   'JWTPROXY_AUDIENCE',
 | |
|   'SYSTEM_SERVICE_BLACKLIST',
 | |
|   'JWTPROXY_SIGNER',
 | |
|   'SECURITY_SCANNER_INDEXING_MIN_ID',
 | |
|   'STATIC_SITE_BUCKET',
 | |
|   'LABEL_KEY_RESERVED_PREFIXES',
 | |
|   'TEAM_SYNC_WORKER_FREQUENCY',
 | |
|   'DOCUMENTATION_METADATA',
 | |
|   'DOCUMENTATION_LOCATION',
 | |
|   'JSONIFY_PRETTYPRINT_REGULAR',
 | |
|   'SYSTEM_LOGS_FILE',
 | |
|   'SYSTEM_LOGS_PATH',
 | |
|   'SYSTEM_SERVICES_PATH',
 | |
|   'TUF_GUN_PREFIX',
 | |
|   'LOGGING_LEVEL',
 | |
|   'SIGNED_GRANT_EXPIRATION_SEC',
 | |
|   'PROMETHEUS_AGGREGATOR_URL',
 | |
|   'DB_TRANSACTION_FACTORY',
 | |
|   'NOTIFICATION_SEND_TIMEOUT',
 | |
|   'QUEUE_METRICS_TYPE',
 | |
|   'MAIL_FAIL_SILENTLY',
 | |
|   'LOCAL_OAUTH_HANDLER',
 | |
|   'USE_CDN',
 | |
|   'ANALYTICS_TYPE',
 | |
|   'LAST_ACCESSED_UPDATE_THRESHOLD_S',
 | |
| 
 | |
|   'EXCEPTION_LOG_TYPE',
 | |
|   'SENTRY_DSN',
 | |
|   'SENTRY_PUBLIC_DSN',
 | |
| 
 | |
|   'BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT',
 | |
|   'THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT',
 | |
|   'IP_DATA_API_KEY',
 | |
| 
 | |
|   'SECURITY_SCANNER_ENDPOINT_BATCH',
 | |
|   'SECURITY_SCANNER_API_TIMEOUT_SECONDS',
 | |
|   'SECURITY_SCANNER_API_TIMEOUT_POST_SECONDS',
 | |
|   'SECURITY_SCANNER_ENGINE_VERSION_TARGET',
 | |
|   'SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS',
 | |
|   'SECURITY_SCANNER_API_VERSION',
 | |
| 
 | |
|   'DATA_MODEL_CACHE_CONFIG',
 | |
| 
 | |
|   # TODO: move this into the schema once we support signing in QE.
 | |
|   'FEATURE_SIGNING',
 | |
|   'TUF_SERVER',
 | |
| }
 | |
| 
 | |
| CONFIG_SCHEMA = {
 | |
|   'type': 'object',
 | |
|   'description': 'Schema for Quay configuration',
 | |
|   'required': [
 | |
|     'PREFERRED_URL_SCHEME',
 | |
|     'SERVER_HOSTNAME',
 | |
|     'DB_URI',
 | |
|     'AUTHENTICATION_TYPE',
 | |
|     'DISTRIBUTED_STORAGE_CONFIG',
 | |
|     'BUILDLOGS_REDIS',
 | |
|     'USER_EVENTS_REDIS',
 | |
|     'DISTRIBUTED_STORAGE_PREFERENCE',
 | |
|     'DEFAULT_TAG_EXPIRATION',
 | |
|     'TAG_EXPIRATION_OPTIONS',
 | |
|   ],
 | |
|   'properties': {
 | |
|     # Hosting.
 | |
|     'PREFERRED_URL_SCHEME': {
 | |
|       'type': 'string',
 | |
|       'description': 'The URL scheme to use when hitting Quay. If Quay is behind SSL *at all*, this *must* be `https`',
 | |
|       'enum': ['http', 'https'],
 | |
|       'x-example': 'https',
 | |
|     },
 | |
|     'SERVER_HOSTNAME': {
 | |
|       'type': 'string',
 | |
|       'description': 'The URL at which Quay is accessible, without the scheme.',
 | |
|       'x-example': 'quay.io',
 | |
|     },
 | |
|     'EXTERNAL_TLS_TERMINATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If TLS is supported, but terminated at a layer before Quay, must be true.',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # User-visible configuration.
 | |
|     'REGISTRY_TITLE': {
 | |
|       'type': 'string',
 | |
|       'description': 'If specified, the long-form title for the registry. Defaults to `Quay Enterprise`.',
 | |
|       'x-example': 'Corp Container Service',
 | |
|     },
 | |
|     'REGISTRY_TITLE_SHORT': {
 | |
|       'type': 'string',
 | |
|       'description': 'If specified, the short-form title for the registry. Defaults to `Quay Enterprise`.',
 | |
|       'x-example': 'CCS',
 | |
|     },
 | |
|     'CONTACT_INFO': {
 | |
|       'type': 'array',
 | |
|       'minItems': 1,
 | |
|       'uniqueItems': True,
 | |
|       'description': 'If specified, contact information to display on the contact page. ' +
 | |
|                      'If only a single piece of contact information is specified, the contact footer will link directly.',
 | |
|       'items': [
 | |
|         {
 | |
|           'type': 'string',
 | |
|           'pattern': '^mailto:(.)+$',
 | |
|           'x-example': 'mailto:support@quay.io',
 | |
|           'description': 'Adds a link to send an e-mail',
 | |
|         },
 | |
|         {
 | |
|           'type': 'string',
 | |
|           'pattern': '^irc://(.)+$',
 | |
|           'x-example': 'irc://chat.freenode.net:6665/quay',
 | |
|           'description': 'Adds a link to visit an IRC chat room',
 | |
|         },
 | |
|         {
 | |
|           'type': 'string',
 | |
|           'pattern': '^tel:(.)+$',
 | |
|           'x-example': 'tel:+1-888-930-3475',
 | |
|           'description': 'Adds a link to call a phone number',
 | |
|         },
 | |
|         {
 | |
|           'type': 'string',
 | |
|           'pattern': '^http(s)?://(.)+$',
 | |
|           'x-example': 'https://twitter.com/quayio',
 | |
|           'description': 'Adds a link to a defined URL',
 | |
|         },
 | |
|       ],
 | |
|     },
 | |
|     'SEARCH_RESULTS_PER_PAGE' : {
 | |
|         'type': 'number',
 | |
|         'description': 'Number of results returned per page by search page. Defaults to 10',
 | |
|         'x-example': 10,
 | |
|     },
 | |
|     'SEARCH_MAX_RESULT_PAGE_COUNT' : {
 | |
|         'type': 'number',
 | |
|         'description': 'Maximum number of pages the user can paginate in search before they are limited. Defaults to 10',
 | |
|         'x-example': 10,
 | |
|     },
 | |
| 
 | |
|     # E-mail.
 | |
|     'FEATURE_MAILING': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether emails are enabled. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
|     'MAIL_SERVER': {
 | |
|       'type': 'string',
 | |
|       'description': 'The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.',
 | |
|       'x-example': 'smtp.somedomain.com',
 | |
|     },
 | |
|     'MAIL_USE_TLS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If specified, whether to use TLS for sending e-mails.',
 | |
|       'x-example': True,
 | |
|     },
 | |
|     'MAIL_PORT': {
 | |
|       'type': 'number',
 | |
|       'description': 'The SMTP port to use. If not specified, defaults to 587.',
 | |
|       'x-example': 588,
 | |
|     },
 | |
|     'MAIL_USERNAME': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'The SMTP username to use when sending e-mails.',
 | |
|       'x-example': 'myuser',
 | |
|     },
 | |
|     'MAIL_PASSWORD': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'The SMTP password to use when sending e-mails.',
 | |
|       'x-example': 'mypassword',
 | |
|     },
 | |
|     'MAIL_DEFAULT_SENDER': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'If specified, the e-mail address used as the `from` when Quay sends e-mails. If none, defaults to `support@quay.io`.',
 | |
|       'x-example': 'support@myco.com',
 | |
|     },
 | |
| 
 | |
|     # Database.
 | |
|     'DB_URI': {
 | |
|       'type': 'string',
 | |
|       'description': 'The URI at which to access the database, including any credentials.',
 | |
|       'x-example': 'mysql+pymysql://username:password@dns.of.database/quay',
 | |
|       'x-reference': 'https://www.postgresql.org/docs/9.3/static/libpq-connect.html#AEN39495',
 | |
|     },
 | |
|     'DB_CONNECTION_ARGS': {
 | |
|       'type': 'object',
 | |
|       'description': 'If specified, connection arguments for the database such as timeouts and SSL.',
 | |
|       'properties': {
 | |
|         'threadlocals': {
 | |
|           'type': 'boolean',
 | |
|           'description': 'Whether to use thread-local connections. Should *ALWAYS* be `true`'
 | |
|         },
 | |
|         'autorollback': {
 | |
|           'type': 'boolean',
 | |
|           'description': 'Whether to use auto-rollback connections. Should *ALWAYS* be `true`'
 | |
|         },
 | |
|         'ssl': {
 | |
|           'type': 'object',
 | |
|           'description': 'SSL connection configuration',
 | |
|           'properties': {
 | |
|             'ca': {
 | |
|               'type': 'string',
 | |
|               'description': '*Absolute container path* to the CA certificate to use for SSL connections',
 | |
|               'x-example': 'conf/stack/ssl-ca-cert.pem',
 | |
|             },
 | |
|           },
 | |
|           'required': ['ca'],
 | |
|         },
 | |
|       },
 | |
|       'required': ['threadlocals', 'autorollback'],
 | |
|     },
 | |
|     'ALLOW_PULLS_WITHOUT_STRICT_LOGGING': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If true, pulls in which the pull audit log entry cannot be written will ' +
 | |
|                      'still succeed. Useful if the database can fallback into a read-only state ' +
 | |
|                      'and it is desired for pulls to continue during that time. Defaults to False.',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Storage.
 | |
|     'FEATURE_STORAGE_REPLICATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to automatically replicate between storage engines. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'FEATURE_PROXY_STORAGE': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'MAXIMUM_LAYER_SIZE': {
 | |
|       'type': 'string',
 | |
|       'description': 'Maximum allowed size of an image layer. Defaults to 20G',
 | |
|       'x-example': '100G',
 | |
|       'pattern': '^[0-9]+(G|M)$',
 | |
|     },
 | |
|     'DISTRIBUTED_STORAGE_CONFIG': {
 | |
|       'type': 'object',
 | |
|       'description': 'Configuration for storage engine(s) to use in Quay. Each key is a unique ID' +
 | |
|                      ' for a storage engine, with the value being a tuple of the type and ' +
 | |
|                      ' configuration for that engine.',
 | |
|       'x-example': {
 | |
|         'local_storage': ['LocalStorage', {'storage_path': 'some/path/'}],
 | |
|       },
 | |
|       'items': {
 | |
|         'type': 'array',
 | |
|       },
 | |
|     },
 | |
|     'DISTRIBUTED_STORAGE_PREFERENCE': {
 | |
|       'type': 'array',
 | |
|       'description': 'The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to ' +
 | |
|                      'use. A preferred engine means it is first checked for pullig and images are ' +
 | |
|                      'pushed to it.',
 | |
|       'items': {
 | |
|         'type': 'string',
 | |
|         'uniqueItems': True,
 | |
|       },
 | |
|       'x-example': ['s3_us_east', 's3_us_west'],
 | |
|     },
 | |
|     'DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS': {
 | |
|       'type': 'array',
 | |
|       'description': 'The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose ' +
 | |
|                      'images should be fully replicated, by default, to all other storage engines.',
 | |
|       'items': {
 | |
|         'type': 'string',
 | |
|         'uniqueItems': True,
 | |
|       },
 | |
|       'x-example': ['s3_us_east', 's3_us_west'],
 | |
|     },
 | |
|     'USERFILES_LOCATION': {
 | |
|       'type': 'string',
 | |
|       'description': 'ID of the storage engine in which to place user-uploaded files',
 | |
|       'x-example': 's3_us_east',
 | |
|     },
 | |
|     'USERFILES_PATH': {
 | |
|       'type': 'string',
 | |
|       'description': 'Path under storage in which to place user-uploaded files',
 | |
|       'x-example': 'userfiles',
 | |
|     },
 | |
|     'ACTION_LOG_ARCHIVE_LOCATION': {
 | |
|       'type': 'string',
 | |
|       'description': 'If action log archiving is enabled, the storage engine in which to place the ' +
 | |
|                      'archived data.',
 | |
|       'x-example': 's3_us_east',
 | |
|     },
 | |
|     'ACTION_LOG_ARCHIVE_PATH': {
 | |
|       'type': 'string',
 | |
|       'description': 'If action log archiving is enabled, the path in storage in which to place the ' +
 | |
|                      'archived data.',
 | |
|       'x-example': 'archives/actionlogs',
 | |
|     },
 | |
|     'ACTION_LOG_ROTATION_THRESHOLD': {
 | |
|         'type': 'string',
 | |
|         'description': 'If action log archiving is enabled, the time interval after which to ' +
 | |
|                        'archive data.',
 | |
|         'x-example': '30d',
 | |
|     },
 | |
|     'LOG_ARCHIVE_LOCATION': {
 | |
|       'type': 'string',
 | |
|       'description': 'If builds are enabled, the storage engine in which to place the ' +
 | |
|                      'archived build logs.',
 | |
|       'x-example': 's3_us_east',
 | |
|     },
 | |
|     'LOG_ARCHIVE_PATH': {
 | |
|       'type': 'string',
 | |
|       'description': 'If builds are enabled, the path in storage in which to place the ' +
 | |
|                      'archived build logs.',
 | |
|       'x-example': 'archives/buildlogs',
 | |
|     },
 | |
| 
 | |
|     # Authentication.
 | |
|     'AUTHENTICATION_TYPE': {
 | |
|       'type': 'string',
 | |
|       'description': 'The authentication engine to use for credential authentication.',
 | |
|       'x-example': 'Database',
 | |
|       'enum': ['Database', 'LDAP', 'JWT', 'Keystone', 'OIDC'],
 | |
|     },
 | |
|     'SUPER_USERS': {
 | |
|       'type': 'array',
 | |
|       'description': 'Quay usernames of those users to be granted superuser privileges',
 | |
|       'uniqueItems': True,
 | |
|       'items': {
 | |
|         'type': 'string',
 | |
|       },
 | |
|     },
 | |
|     'DIRECT_OAUTH_CLIENTID_WHITELIST': {
 | |
|       'type': 'array',
 | |
|       'description': 'A list of client IDs of *Quay-managed* applications that are allowed ' +
 | |
|                      'to perform direct OAuth approval without user approval.',
 | |
|       'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/direct-oauth.html',
 | |
|       'uniqueItems': True,
 | |
|       'items': {
 | |
|         'type': 'string',
 | |
|       },
 | |
|     },
 | |
| 
 | |
|     # Redis.
 | |
|     'BUILDLOGS_REDIS': {
 | |
|       'type': 'object',
 | |
|       'description': 'Connection information for Redis for build logs caching',
 | |
|       'required': ['host'],
 | |
|       'properties': {
 | |
|         'host': {
 | |
|           'type': 'string',
 | |
|           'description': 'The hostname at which Redis is accessible',
 | |
|           'x-example': 'my.redis.cluster',
 | |
|         },
 | |
|         'port': {
 | |
|           'type': 'number',
 | |
|           'description': 'The port at which Redis is accessible',
 | |
|           'x-example': 1234,
 | |
|         },
 | |
|         'password': {
 | |
|           'type': 'string',
 | |
|           'description': 'The password to connect to the Redis instance',
 | |
|           'x-example': 'mypassword',
 | |
|         },
 | |
|       },
 | |
|     },
 | |
|     'USER_EVENTS_REDIS': {
 | |
|       'type': 'object',
 | |
|       'description': 'Connection information for Redis for user event handling',
 | |
|       'required': ['host'],
 | |
|       'properties': {
 | |
|         'host': {
 | |
|           'type': 'string',
 | |
|           'description': 'The hostname at which Redis is accessible',
 | |
|           'x-example': 'my.redis.cluster',
 | |
|         },
 | |
|         'port': {
 | |
|           'type': 'number',
 | |
|           'description': 'The port at which Redis is accessible',
 | |
|           'x-example': 1234,
 | |
|         },
 | |
|         'password': {
 | |
|           'type': 'string',
 | |
|           'description': 'The password to connect to the Redis instance',
 | |
|           'x-example': 'mypassword',
 | |
|         },
 | |
|       },
 | |
|     },
 | |
| 
 | |
|     # OAuth configuration.
 | |
|     'GITHUB_LOGIN_CONFIG': {
 | |
|       'type': ['object', 'null'],
 | |
|       'description': 'Configuration for using GitHub (Enterprise) as an external login provider',
 | |
|       'required': ['CLIENT_ID', 'CLIENT_SECRET'],
 | |
|       'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-auth.html',
 | |
|       'properties': {
 | |
|         'GITHUB_ENDPOINT': {
 | |
|           'type': 'string',
 | |
|           'description': 'The endpoint of the GitHub (Enterprise) being hit',
 | |
|           'x-example': 'https://github.com/',
 | |
|         },
 | |
|         'API_ENDPOINT': {
 | |
|           'type': 'string',
 | |
|           'description': 'The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com',
 | |
|           'x-example': 'https://api.github.com/',
 | |
|         },
 | |
|         'CLIENT_ID': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client ID for this Quay instance; cannot be shared with GITHUB_TRIGGER_CONFIG',
 | |
|           'x-example': '0e8dbe15c4c7630b6780',
 | |
|           'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
 | |
|         },
 | |
|         'CLIENT_SECRET': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client secret for this Quay instance',
 | |
|           'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
 | |
|           'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
 | |
|         },
 | |
|         'ORG_RESTRICT': {
 | |
|           'type': 'boolean',
 | |
|           'description': 'If true, only users within the organization whitelist can login using this provider',
 | |
|           'x-example': True,
 | |
|         },
 | |
|         'ALLOWED_ORGANIZATIONS': {
 | |
|           'type': 'array',
 | |
|           'description': 'The names of the GitHub (Enterprise) organizations whitelisted to work with the ORG_RESTRICT option',
 | |
|           'uniqueItems': True,
 | |
|           'items': {
 | |
|               'type': 'string',
 | |
|           },
 | |
|         },
 | |
|       },
 | |
|     },
 | |
|     'BITBUCKET_TRIGGER_CONFIG': {
 | |
|       'type': ['object', 'null'],
 | |
|       'description': 'Configuration for using BitBucket for build triggers',
 | |
|       'required': ['CONSUMER_KEY', 'CONSUMER_SECRET'],
 | |
|       'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/bitbucket-build.html',
 | |
|       'properties': {
 | |
|         'CONSUMER_KEY': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered consumer key (client ID) for this Quay instance',
 | |
|           'x-example': '0e8dbe15c4c7630b6780',
 | |
|         },
 | |
|         'CONSUMER_SECRET': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered consumer secret (client secret) for this Quay instance',
 | |
|           'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
 | |
|         },
 | |
|       },
 | |
|     },
 | |
|     'GITHUB_TRIGGER_CONFIG': {
 | |
|       'type': ['object', 'null'],
 | |
|       'description': 'Configuration for using GitHub (Enterprise) for build triggers',
 | |
|       'required': ['GITHUB_ENDPOINT', 'CLIENT_ID', 'CLIENT_SECRET'],
 | |
|       'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-build.html',
 | |
|       'properties': {
 | |
|         'GITHUB_ENDPOINT': {
 | |
|           'type': 'string',
 | |
|           'description': 'The endpoint of the GitHub (Enterprise) being hit',
 | |
|           'x-example': 'https://github.com/',
 | |
|         },
 | |
|         'API_ENDPOINT': {
 | |
|           'type': 'string',
 | |
|           'description': 'The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com',
 | |
|           'x-example': 'https://api.github.com/',
 | |
|         },
 | |
|         'CLIENT_ID': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client ID for this Quay instance; cannot be shared with GITHUB_LOGIN_CONFIG',
 | |
|           'x-example': '0e8dbe15c4c7630b6780',
 | |
|           'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
 | |
|         },
 | |
|         'CLIENT_SECRET': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client secret for this Quay instance',
 | |
|           'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
 | |
|           'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
 | |
|         },
 | |
|       },
 | |
|     },
 | |
|     'GOOGLE_LOGIN_CONFIG': {
 | |
|       'type': ['object', 'null'],
 | |
|       'description': 'Configuration for using Google for external authentication',
 | |
|       'required': ['CLIENT_ID', 'CLIENT_SECRET'],
 | |
|       'properties': {
 | |
|         'CLIENT_ID': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client ID for this Quay instance',
 | |
|           'x-example': '0e8dbe15c4c7630b6780',
 | |
|         },
 | |
|         'CLIENT_SECRET': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client secret for this Quay instance',
 | |
|           'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
 | |
|         },
 | |
|       },
 | |
|     },
 | |
|     'GITLAB_TRIGGER_CONFIG': {
 | |
|       'type': ['object', 'null'],
 | |
|       'description': 'Configuration for using Gitlab (Enterprise) for external authentication',
 | |
|       'required': ['GITLAB_ENDPOINT', 'CLIENT_ID', 'CLIENT_SECRET'],
 | |
|       'properties': {
 | |
|         'GITLAB_ENDPOINT': {
 | |
|           'type': 'string',
 | |
|           'description': 'The endpoint at which Gitlab(Enterprise) is running',
 | |
|           'x-example': 'https://gitlab.com',
 | |
|         },
 | |
|         'CLIENT_ID': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client ID for this Quay instance',
 | |
|           'x-example': '0e8dbe15c4c7630b6780',
 | |
|         },
 | |
|         'CLIENT_SECRET': {
 | |
|           'type': 'string',
 | |
|           'description': 'The registered client secret for this Quay instance',
 | |
|           'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
 | |
|         },
 | |
|       },
 | |
|     },
 | |
| 
 | |
|     # Health.
 | |
|     'HEALTH_CHECKER': {
 | |
|       'description': 'The configured health check.',
 | |
|       'x-example': ('RDSAwareHealthCheck', {'access_key': 'foo', 'secret_key': 'bar'}),
 | |
|     },
 | |
| 
 | |
|     # Metrics.
 | |
|     'PROMETHEUS_NAMESPACE': {
 | |
|       'type': 'string',
 | |
|       'description': 'The prefix applied to all exposed Prometheus metrics. Defaults to `quay`',
 | |
|       'x-example': 'myregistry',
 | |
|     },
 | |
| 
 | |
|     # Misc configuration.
 | |
|     'BLACKLIST_V2_SPEC': {
 | |
|       'type': 'string',
 | |
|       'description': 'The Docker CLI versions to which Quay will respond that V2 is *unsupported*. Defaults to `<1.6.0`',
 | |
|       'x-reference': 'http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec',
 | |
|       'x-example': '<1.8.0',
 | |
|     },
 | |
|     'USER_RECOVERY_TOKEN_LIFETIME': {
 | |
|       'type': 'string',
 | |
|       'description': 'The length of time a token for recovering a user accounts is valid. Defaults to 30m.',
 | |
|       'x-example': '10m',
 | |
|       'pattern': '^[0-9]+(w|m|d|h|s)$',
 | |
|     },
 | |
|     'SESSION_COOKIE_SECURE': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether the `secure` property should be set on session cookies. ' + 
 | |
|                      'Defaults to False. Recommended to be True for all installations using SSL.',
 | |
|       'x-example': True,
 | |
|       'x-reference': 'https://en.wikipedia.org/wiki/Secure_cookies',
 | |
|     },
 | |
|     'PUBLIC_NAMESPACES': {
 | |
|       'type': 'array',
 | |
|       'description': 'If a namespace is defined in the public namespace list, then it will appear on *all*' +
 | |
|                      ' user\'s repository list pages, regardless of whether that user is a member of the namespace.' +
 | |
|                      ' Typically, this is used by an enterprise customer in configuring a set of "well-known"' +
 | |
|                      ' namespaces.',
 | |
|       'uniqueItems': True,
 | |
|       'items': {
 | |
|         'type': 'string',
 | |
|       },
 | |
|     },
 | |
|     'AVATAR_KIND': {
 | |
|       'type': 'string',
 | |
|       'description': 'The types of avatars to display, either generated inline (local) or Gravatar (gravatar)',
 | |
|       'enum': ['local', 'gravatar'],
 | |
|     },
 | |
|     'V2_PAGINATION_SIZE': {
 | |
|       'type': 'number',
 | |
|       'description': 'The number of results returned per page in V2 registry APIs',
 | |
|       'x-example': 100,
 | |
|     },
 | |
|     'ENABLE_HEALTH_DEBUG_SECRET': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'If specified, a secret that can be given to health endpoints to see full debug info when' +
 | |
|                      'not authenticated as a superuser',
 | |
|       'x-example': 'somesecrethere',
 | |
|     },
 | |
|     'BROWSER_API_CALLS_XHR_ONLY': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If enabled, only API calls marked as being made by an XHR will be allowed from browsers. Defaults to True.',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Time machine and tag expiration settings.
 | |
|     'FEATURE_CHANGE_TAG_EXPIRATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'DEFAULT_TAG_EXPIRATION': {
 | |
|       'type': 'string',
 | |
|       'description': 'The default, configurable tag expiration time for time machine. Defaults to `2w`.',
 | |
|       'pattern': '^[0-9]+(w|m|d|h|s)$',
 | |
|     },
 | |
|     'TAG_EXPIRATION_OPTIONS': {
 | |
|       'type': 'array',
 | |
|       'description': 'The options that users can select for expiration of tags in their namespace (if enabled)',
 | |
|       'items': {
 | |
|         'type': 'string',
 | |
|         'pattern': '^[0-9]+(w|m|d|h|s)$',
 | |
|       },
 | |
|     },
 | |
| 
 | |
|     # Team syncing.
 | |
|     'FEATURE_TEAM_SYNCING': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone)',
 | |
|       'x-example': True,
 | |
|     },
 | |
|     'TEAM_RESYNC_STALE_TIME': {
 | |
|       'type': 'string',
 | |
|       'description': 'If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m)',
 | |
|       'x-example': '2h',
 | |
|       'pattern': '^[0-9]+(w|m|d|h|s)$',
 | |
|     },
 | |
|     'FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Security scanning.
 | |
|     'FEATURE_SECURITY_SCANNER': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to turn of/off the security scanner. Defaults to False',
 | |
|       'x-example': False,
 | |
|       'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/security-scanning.html',
 | |
|     },
 | |
|     'FEATURE_SECURITY_NOTIFICATIONS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If the security scanner is enabled, whether to turn of/off security notificaitons. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'SECURITY_SCANNER_ENDPOINT' : {
 | |
|       'type': 'string',
 | |
|       'pattern': '^http(s)?://(.)+$',
 | |
|       'description': 'The endpoint for the security scanner',
 | |
|       'x-example': 'http://192.168.99.101:6060' ,
 | |
|     },
 | |
|     'SECURITY_SCANNER_INDEXING_INTERVAL': {
 | |
|       'type': 'number',
 | |
|       'description': 'The number of seconds between indexing intervals in the security scanner. Defaults to 30.',
 | |
|       'x-example': 30,
 | |
|     },
 | |
| 
 | |
|     # Bittorrent support.
 | |
|     'FEATURE_BITTORRENT': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to allow using Bittorrent-based pulls. Defaults to False',
 | |
|       'x-example': False,
 | |
|       'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/bittorrent.html',
 | |
|     },
 | |
|     'BITTORRENT_PIECE_SIZE': {
 | |
|        'type': 'number',
 | |
|        'description': 'The bittorent piece size to use. If not specified, defaults to 512 * 1024.',
 | |
|        'x-example': 512 * 1024,
 | |
|     },
 | |
|     'BITTORRENT_ANNOUNCE_URL': {
 | |
|        'type': 'string',
 | |
|        'pattern': '^http(s)?://(.)+$',
 | |
|        'description': 'The URL of the announce endpoint on the bittorrent tracker',
 | |
|        'x-example': 'https://localhost:6881/announce',
 | |
|     },
 | |
| 
 | |
|     # Build
 | |
|     'FEATURE_GITHUB_BUILD': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to support GitHub build triggers. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'FEATURE_BITBUCKET_BUILD': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to support Bitbucket build triggers. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'FEATURE_GITLAB_BUILD': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to support GitLab build triggers. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'FEATURE_BUILD_SUPPORT': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to support Dockerfile build. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
|     'DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT': {
 | |
|       'type': ['number', 'null'],
 | |
|       'description': 'If not None, the default maximum number of builds that can be queued in a namespace.',
 | |
|       'x-example': 20,
 | |
|     },
 | |
|     'SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD': {
 | |
|       'type': ['number', 'null'],
 | |
|       'description': 'If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled. Defaults to 5.',
 | |
|       'x-example': 10,
 | |
|     },
 | |
|     'SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD': {
 | |
|       'type': ['number', 'null'],
 | |
|       'description': 'If not None, the number of successive failures that can occur before a build trigger is automatically disabled. Defaults to 100.',
 | |
|       'x-example': 50,
 | |
|     },
 | |
| 
 | |
|     # Login
 | |
|     'FEATURE_GITHUB_LOGIN': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether GitHub login is supported. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
|     'FEATURE_GOOGLE_LOGIN': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether Google login is supported. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Recaptcha
 | |
|     'FEATURE_RECAPTCHA': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether Recaptcha is necessary for user login and recovery. Defaults to False',
 | |
|       'x-example': False,
 | |
|       'x-reference': 'https://www.google.com/recaptcha/intro/',
 | |
|     },
 | |
|     'RECAPTCHA_SITE_KEY': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'If recaptcha is enabled, the site key for the Recaptcha service',
 | |
|     },
 | |
|     'RECAPTCHA_SECRET_KEY': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'If recaptcha is enabled, the secret key for the Recaptcha service',
 | |
|     },
 | |
| 
 | |
|     # External application tokens.
 | |
|     'FEATURE_APP_SPECIFIC_TOKENS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If enabled, users can create tokens for use by the Docker CLI. Defaults to True',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     'APP_SPECIFIC_TOKEN_EXPIRATION': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'The expiration for external app tokens. Defaults to None.',
 | |
|       'pattern': '^[0-9]+(w|m|d|h|s)$',      
 | |
|     },
 | |
| 
 | |
|     'EXPIRED_APP_SPECIFIC_TOKEN_GC': {
 | |
|       'type': ['string', 'null'],
 | |
|       'description': 'Duration of time expired external app tokens will remain before being garbage collected. Defaults to 1d.',
 | |
|       'pattern': '^[0-9]+(w|m|d|h|s)$',
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Permanent Sessions.
 | |
|     'FEATURE_PERMANENT_SESSIONS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether sessions are permanent. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Super User Support.
 | |
|     'FEATURE_SUPER_USERS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether super users are supported. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Anonymous Users.
 | |
|     'FEATURE_ANONYMOUS_ACCESS': {
 | |
|       'type': 'boolean',
 | |
|       'description': ' Whether to allow anonymous users to browse and pull public repositories. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: User Creation.
 | |
|     'FEATURE_USER_CREATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether users can be created (by non-super users). Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Invite Only User Creation.
 | |
|     'FEATURE_INVITE_ONLY_USER_CREATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether users being created must be invited by another user. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Encrypted Basic Auth.
 | |
|     'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for basic auth. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Direct Login.
 | |
|     'FEATURE_DIRECT_LOGIN': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether users can directly login to the UI. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Advertising V2.
 | |
|     'FEATURE_ADVERTISE_V2': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether the v2/ endpoint is visible. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Log Rotation.
 | |
|     'FEATURE_ACTION_LOG_ROTATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether or not to rotate old action logs to storage. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: ACI Conversion.
 | |
|     'FEATURE_ACI_CONVERSION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to enable conversion to ACIs. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Library Support.
 | |
|     'FEATURE_LIBRARY_SUPPORT': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to allow for "namespace-less" repositories when pulling and pushing from Docker. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Require Team Invite.
 | |
|     'FEATURE_REQUIRE_TEAM_INVITE': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to require invitations when adding a user to a team. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Collecting and Supporting Metadata.
 | |
|     'FEATURE_USER_METADATA': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to collect and support user metadata. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Support App Registry.
 | |
|     'FEATURE_APP_REGISTRY': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to enable support for App repositories. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Read only app registry.
 | |
|     'FEATURE_READONLY_APP_REGISTRY': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'Whether to App repositories are read-only. Defaults to False',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Public Reposiotires in _catalog Endpoint.
 | |
|     'FEATURE_PUBLIC_CATALOG': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If set to true, the _catalog endpoint returns public repositories. Otherwise, only private repositories can be returned. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Reader Build Logs.
 | |
|     'FEATURE_READER_BUILD_LOGS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. Defaults to False',
 | |
|       'x-example': False,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Usernames Autocomplete.
 | |
|     'FEATURE_PARTIAL_USER_AUTOCOMPLETE': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If set to true, autocompletion will apply to partial usernames. Defaults to True',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: User log access.
 | |
|     'FEATURE_USER_LOG_ACCESS': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If set to true, users will have access to audit logs for their namespace. Defaults to False',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: User renaming.
 | |
|     'FEATURE_USER_RENAME': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If set to true, users can rename their own namespace. Defaults to False',
 | |
|       'x-example': True,
 | |
|     },
 | |
| 
 | |
|     # Feature Flag: Username confirmation.
 | |
|     'FEATURE_USERNAME_CONFIRMATION': {
 | |
|       'type': 'boolean',
 | |
|       'description': 'If set to true, users can confirm their generated usernames. Defaults to True',
 | |
|       'x-example': False,
 | |
|     },
 | |
|  },
 | |
| }
 | |
| 
 |