redhat_quay
Red Hat Quay All-in-One
Configures a RHEL host with Red Hat Quay, using a container-based installation with podman.
Requirements
Python dependencies:
- jmespath (for the json_query filter)
- cryptography (for advanced X.509 certificate work)
Role Variables
redhat_username: <some username>
redhat_password: <some password>
These have no default and must be set: the credentials used to log in to registry.redhat.io, which is required to pull the official Red Hat Quay images. Supply them from an encrypted source (for example an ansible-vault encrypted vars file) rather than as plain text in the playbook.
registry_admin:
  username: quay
  password: password
  email: [email protected]
The username, password, and email of the admin user to be created for the registry.
registry_hostname: registry.example.com
The public hostname of the registry. This is the name the TLS certificate is issued for and the name clients use to log in and push, so it must match the certificate exactly (important for certificates!).
password_dir: '{{ playbook_dir }}/.passwords'
The directory in which to save generated passwords. It holds secrets, so keep it out of version control and restrict its permissions to the user running the playbook.
registry_s3_region: us-east-2
The AWS S3 region to use for object storage. Optional if overriding registry_storage_details below.
registry_s3_bucket: quay
The name of the existing S3 bucket to use for object storage. Optional if overriding registry_storage_details below.
registry_storage_type: S3Storage
registry_storage_details:
  host: s3.{{ registry_s3_region }}.amazonaws.com
  s3_bucket: '{{ registry_s3_bucket }}'
registry_storage_path: /datastorage/registry
The storage configuration for the instance. To understand how these values affect the storage configuration of your Quay instance, run them through the config validator (or at least browse the Quay code for the appropriate version to understand the constraints). Note that this configuration contains no S3 access keys: it assumes the host has an IAM instance profile attached that grants access to the bucket.
deploy_clair: true
Whether or not to deploy the Clair image scanner.
do_redhat_login: true
Whether to log in to registry.redhat.io, as required for official Red Hat Quay release images.
cert_style: letsencrypt
Which cert style to use for the registry. Options:
- letsencrypt
- byo (bring your own certificate and key, see below)
- selfsigned
registry_certificate: ""
registry_certificate_key: ""
When using the byo cert style, the PEM-encoded certificate and its private key, respectively. The key must not be passphrase-protected, since it is written out for the container to read unattended, and it is a secret: load it from a vault-encrypted variable or file lookup rather than pasting it into a plain-text vars file.
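Before handing a certificate and key to the byo style, and before pointing clients at registry_hostname, it is worth checking locally that the pair actually belongs together, that the certificate covers the hostname, and that it is not about to expire (Quay will not renew a bring-your-own certificate for you). The following shell function is an added example written for this README, not part of the role; it assumes only the openssl command-line tool, and the file paths and hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# Pre-flight check for cert_style: byo (added example, not part of the role).
# Usage: check_byo_cert CERT_PEM KEY_PEM HOSTNAME
#   e.g. check_byo_cert registry.crt registry.key registry.example.com
# Exits 0 when every check passes, 1 otherwise, printing each failure.
check_byo_cert() {
    cert="$1"; key="$2"; host="$3"; rc=0

    # 1. The key must be a readable PEM private key with no passphrase: the
    #    role writes it out for the container unattended, so an encrypted key
    #    would only fail later at Quay start-up.
    if ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
        echo "FAIL: $key is not a readable, unencrypted PEM private key"
        return 1
    fi

    # 2. The public key derived from the private key must be the one inside
    #    the certificate; comparing the SubjectPublicKeyInfo PEM works for
    #    RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a PEM certificate"
        return 1
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key do not match"
        rc=1
    fi

    # 3. The name clients will use must be covered by the SAN (or the CN when
    #    there is no SAN). -checkhost always exits 0, so parse its verdict.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL: certificate is not valid for hostname $host"
        rc=1
    fi

    # 4. Must be valid now and for at least another 30 days (2592000 s).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: certificate is expired or expires within 30 days"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert and $key are usable for $host"
    fi
    return "$rc"
}

# Run directly: sh check_byo_cert.sh CERT KEY HOSTNAME
if [ "$#" -eq 3 ]; then
    check_byo_cert "$1" "$2" "$3"
fi
```

A non-zero exit from this script is a good gate to put in front of the playbook run; the same -checkhost test is useful for the letsencrypt and selfsigned styles after deployment, pointed at the certificate the registry actually serves.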
quay_version: "3.6.2"
The version of Red Hat Quay to deploy - note, only tested on the 3.6 release.
quay_image: registry.redhat.io/quay/quay-rhel8:v{{ quay_version }}
clair_image: registry.redhat.io/quay/clair-rhel8:v{{ quay_version }}
redis_image: registry.redhat.io/rhel8/redis-5:1
postgres_image: registry.redhat.io/rhel8/postgresql-10:1
The container images to use. Note that registry.redhat.io requires login.
Dependencies
- ansible.posix - Needed to set the sysctl (typically net.ipv4.ip_unprivileged_port_start) that lets the rootless containers bind the privileged registry ports
- containers.podman - Needed to manage container instances and registry logins
- community.crypto - Needed to generate X.509 certificates and the certificate requests used for Let's Encrypt
Example Playbook
---
- name: Configure registry host with a Quay registry
  hosts: registry
  roles:
    - role: jharmison_redhat/redhat_quay
      vars:
        redhat_username: jharmison
        redhat_password: some super secure password
        registry_admin:
          username: james
          password: a different super secure password
          email: [email protected]
        registry_hostname: quay.jharmison.net
        registry_s3_region: us-east-1
        registry_s3_bucket: registry
The passwords are inlined here only to show which variables are required; in a real playbook keep redhat_password and registry_admin.password in an ansible-vault encrypted vars file rather than in the play itself.
License
BSD-2-Clause
TODO
- enable disconnected execution (e.g. loading images with containers.podman.podman_load instead of pulling them)
- dogtag certs aka ipa-getcert
- modularize the storage backend so local storage can be used instead of S3 without having to understand quay_config
- add disconnected Clair loading (the current recommendation is to turn it off, but it should be possible to load the vulnerability database as documented)
Installation
Install and configure Red Hat Quay on a single node using rootless podman containers:
ansible-galaxy install jharmison-redhat/redhat_quay