redhat_quay

Red Hat Quay All-in-One

Configures a RHEL host with Red Hat Quay, using a container-based installation driven by Podman.

Requirements

Python dependencies:

  • jmespath (for the json_query filter)
  • cryptography (for advanced X.509 certificate work)

Role Variables

redhat_username: <some username>
redhat_password: <some password>

Variables with no default, used to log in to registry.redhat.io; required because the official Red Hat Quay images are pulled from there.


registry_admin:
  username: quay
  password: password
  email: [email protected]

The username, password, and email of the admin user to be created for the registry.


registry_hostname: registry.example.com

The public hostname of the registry. Certificates are issued for this name, so it must match the DNS name clients use to reach the registry.


password_dir: '{{ playbook_dir }}/.passwords'

The directory in which to save generated passwords.


registry_s3_region: us-east-2

The AWS S3 region to use for object storage. Optional if overriding registry_storage_details below.


registry_s3_bucket: quay

The name of the existing S3 bucket to use for object storage. Optional if overriding registry_storage_details below.


registry_storage_type: S3Storage
registry_storage_details:
  host: s3.{{ registry_s3_region }}.amazonaws.com
  s3_bucket: '{{ registry_s3_bucket }}'
registry_storage_path: /datastorage/registry

The storage configuration for the instance. To understand how these settings affect the storage configuration of your Quay instance, run the Quay config validator (or at least read the storage code for the version you deploy to learn its constraints). Note that this configuration assumes an instance profile that grants the instance access to the bucket: the details above carry no static AWS credentials.
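As an added example (not part of the role), the following pre-flight play checks the storage variables before the role runs: it requires host and s3_bucket for S3Storage, refuses static AWS keys in the storage details, and confirms that an instance profile is actually attached by querying the EC2 instance metadata service (IMDSv2). It assumes the registry hosts are EC2 instances and that the variables are set in inventory or group_vars with the names documented above.

```yaml
---
# Added example (not part of the role): pre-flight checks for the storage
# variables. Assumes EC2 hosts and the role's variable names from inventory.
- name: Validate Quay storage configuration before running the role
  hosts: registry
  gather_facts: false
  tasks:
    - name: Check S3Storage settings and the instance profile
      when: registry_storage_type == 'S3Storage'
      block:
        - name: S3Storage needs a host and a bucket
          ansible.builtin.assert:
            that:
              - registry_storage_details.host is defined
              - registry_storage_details.s3_bucket is defined
              - registry_storage_details.s3_bucket | length > 0
            fail_msg: registry_storage_details must carry host and s3_bucket for S3Storage

        - name: Refuse static AWS keys in the storage details (an instance profile is expected)
          ansible.builtin.assert:
            that:
              - "'s3_access_key' not in registry_storage_details"
              - "'s3_secret_key' not in registry_storage_details"
            fail_msg: remove s3_access_key/s3_secret_key and grant the instance profile access to the bucket instead

        # IMDSv2: obtain a short-lived session token first, then read the
        # IAM role name attached to the instance profile.
        - name: Request an IMDSv2 token
          ansible.builtin.uri:
            url: http://169.254.169.254/latest/api/token
            method: PUT
            headers:
              X-aws-ec2-metadata-token-ttl-seconds: "60"
            return_content: true
            timeout: 3
          register: imds_token

        - name: Look up the instance-profile role name
          ansible.builtin.uri:
            url: http://169.254.169.254/latest/meta-data/iam/security-credentials/
            headers:
              X-aws-ec2-metadata-token: "{{ imds_token.content }}"
            return_content: true
            status_code: [200, 404]   # 404 means no role is attached
            timeout: 3
          register: imds_role

        - name: Fail early if no instance profile is attached
          ansible.builtin.assert:
            that:
              - imds_role.status == 200
              - imds_role.content | trim | length > 0
            fail_msg: >-
              no IAM role found in instance metadata; attach an instance profile
              that can read and write the {{ registry_s3_bucket }} bucket
```

Run it as a separate play ahead of the role (or copy the tasks into pre_tasks of your own playbook). Failing here is far cheaper than discovering a missing bucket permission after Quay has been deployed and its first push fails.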


deploy_clair: true

Whether or not to deploy the Clair image scanner.


do_redhat_login: true

Whether to log in to registry.redhat.io, as required for official Red Hat Quay release images.


cert_style: letsencrypt

Which certificate style to use for the registry; one of:

  • letsencrypt
  • byo
  • selfsigned

registry_certificate: ""
registry_certificate_key: ""

When using BYO cert style, the PEM-encoded certificate and private key respectively.
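As an added example (not part of the role), a play that validates a BYO certificate/key pair before the role installs it: the key must belong to the certificate, the certificate's subject alternative names must cover registry_hostname, and the certificate must not be expired. It uses the community.crypto info modules the role already depends on and runs on the controller, where the cryptography package listed under Requirements is needed anyway.

```yaml
---
# Added example (not part of the role): validate registry_certificate and
# registry_certificate_key before they are handed to the role. Runs on the
# controller, which needs the cryptography package.
- name: Validate BYO registry certificate
  hosts: registry
  gather_facts: false
  tasks:
    - name: Check registry_certificate against registry_certificate_key
      when: cert_style == 'byo'
      delegate_to: localhost
      block:
        - name: Parse the certificate
          community.crypto.x509_certificate_info:
            content: "{{ registry_certificate }}"
          register: cert_info

        - name: Parse the private key (the module returns only its public half)
          community.crypto.openssl_privatekey_info:
            content: "{{ registry_certificate_key }}"
          register: key_info
          no_log: true   # keep the key material out of the run output

        - name: Key must match, SAN must cover the hostname, cert must be valid
          ansible.builtin.assert:
            that:
              - cert_info.public_key == key_info.public_key
              - '("DNS:" ~ registry_hostname) in cert_info.subject_alt_name'
              - not cert_info.expired
            fail_msg: >-
              registry_certificate/registry_certificate_key are not usable for
              {{ registry_hostname }}: key mismatch, hostname missing from the
              SAN, or certificate expired
```

The comparison of the two public keys is what catches a certificate and key that were copied from different renewals; a registry that starts with mismatched material fails only when the first client connects.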


quay_version: "3.6.2"

The version of Red Hat Quay to deploy. Note: only tested on the 3.6 release.


quay_image: registry.redhat.io/quay/quay-rhel8:v{{ quay_version }}
clair_image: registry.redhat.io/quay/clair-rhel8:v{{ quay_version }}
redis_image: registry.redhat.io/rhel8/redis-5:1
postgres_image: registry.redhat.io/rhel8/postgresql-10:1

The container images to use. Note that registry.redhat.io requires login.

Dependencies

See meta/requirements.yml.

  • ansible.posix - needed to set sysctls so rootless containers can bind unprivileged ports
  • containers.podman - needed to manage container instances and registry logins
  • community.crypto - needed to generate X.509 certificates and signing requests for Let's Encrypt

Example Playbook

---
- name: Configure registry host with a Quay registry
  hosts: registry
  roles:
     - role: jharmison_redhat/redhat_quay
       vars:
         redhat_username: jharmison
         redhat_password: some super secure password
         registry_admin:
           username: james
           password: a different super secure password
           email: [email protected]
         registry_hostname: quay.jharmison.net
         registry_s3_region: us-east-1
         registry_s3_bucket: registry
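The example above writes the registry.redhat.io password and the admin password straight into the playbook. As an added example (not the README's own playbook), the same role invocation with every secret pulled from an ansible-vault file; the vault variable names and the admin e-mail address are constructed placeholders.

```yaml
---
# Added example (not the README's playbook): same role invocation, with the
# secrets kept in an ansible-vault file instead of written inline.
#
# vault/registry_secrets.yml is created with `ansible-vault create` and holds
# (constructed variable names):
#   vault_redhat_username: jharmison
#   vault_redhat_password: <registry.redhat.io password>
#   vault_registry_admin_password: <Quay admin password>
- name: Configure registry host with a Quay registry
  hosts: registry
  vars_files:
    - vault/registry_secrets.yml
  roles:
    - role: jharmison_redhat/redhat_quay
      vars:
        redhat_username: "{{ vault_redhat_username }}"
        redhat_password: "{{ vault_redhat_password }}"
        registry_admin:
          username: james
          password: "{{ vault_registry_admin_password }}"
          email: admin@quay.jharmison.net   # constructed placeholder
        registry_hostname: quay.jharmison.net
        registry_s3_region: us-east-1
        registry_s3_bucket: registry
```

Run it with --ask-vault-pass or --vault-password-file. The passwords the role generates itself land in password_dir ('{{ playbook_dir }}/.passwords' by default), so that directory deserves the same care as the vault file: keep it out of version control and readable only by the operator running the playbook.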

License

BSD-2-Clause

TODO

  • enable disconnected execution (e.g. with containers.podman.podman_load)
  • Dogtag certificates (via ipa-getcert)
  • modularize the backend to allow local storage instead of S3 without having to understand quay_config
  • add disconnected Clair loading (the current recommendation is to turn it off, but it should be possible to load the database as documented)

About

Install and configure Red Hat Quay on a single node using rootless podman containers

Install
ansible-galaxy install jharmison-redhat/redhat_quay