Quay - All in One - Using podman pod
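#!/usr/bin/env bash
#
# Quay - All in One - Using podman pod
#
# Brings up Project Quay, PostgreSQL, Redis, Clair v4 and the repo-mirror
# worker as containers that share one podman pod, i.e. one network
# namespace, so every component reaches the others on localhost. Only
# port 8443 (https) is published from the pod.
#
# Requires: podman, openssl (1.1.1+ for -addext), setfacl, a working
# `podman login registry.redhat.io`, and root (it writes to
# /etc/pki/ca-trust and runs update-ca-trust).
#
# Tunables, read from the environment; every default is the original value
# of this script so an unmodified run behaves as before:
#   domain                    hostname the registry is served under
#   QUAY                      host directory for config, storage and DB data
#   QUAY_DB_PASSWORD          password of the PostgreSQL "quayuser" role
#                             (must be URL-safe: it is embedded in DB_URI)
#   QUAY_DB_ADMIN_PASSWORD    PostgreSQL "postgres" password
#   QUAY_REDIS_PASSWORD       Redis password
#   QUAY_SECRET_KEY, QUAY_DATABASE_SECRET_KEY, QUAY_FILENAME_PEPPER
#                             Quay's own secrets; DATABASE_SECRET_KEY encrypts
#                             data at rest, so it must stay fixed once the DB
#                             volume exists
#   QUAY_CLAIR_PSK            pre-shared key Quay uses to talk to Clair; the
#                             same value must land in both config files
# The defaults of the secret values are published with this gist, so set your
# own for anything beyond a throw-away lab.

set -euo pipefail

#######################################
# Print a message to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Block until the postgresql-quay container answers queries.
# `podman run -d` returns before the server is listening, so running psql
# immediately after it (as the original script did) is a race.
# Returns: 0 once psql succeeds, 1 after ~60 seconds of retries
#######################################
wait_for_postgres() {
  local attempt
  for ((attempt = 0; attempt < 30; attempt++)); do
    if podman exec postgresql-quay psql -U postgres -c 'SELECT 1' >/dev/null 2>&1; then
      return 0
    fi
    sleep 2
  done
  return 1
}

podman login registry.redhat.io

: "${domain:=quay.ralvares.local}"
: "${QUAY:=/data/quay}"
export domain QUAY

# Credentials that are written in more than one place below (config.yaml,
# container -e flags, Clair's config): defined once so they cannot drift.
: "${QUAY_DB_PASSWORD:=quaypass}"
: "${QUAY_DB_ADMIN_PASSWORD:=adminpass}"
: "${QUAY_REDIS_PASSWORD:=strongpassword}"
: "${QUAY_SECRET_KEY:=f5c5c332-df37-48d4-8d0a-b4e955da70a8}"
: "${QUAY_DATABASE_SECRET_KEY:=1534741d-eae4-4e25-b1cc-862994e077ae}"
: "${QUAY_FILENAME_PEPPER:=5ca4aae5-cd68-4c2e-a8a8-3e39ac835d85}"
: "${QUAY_CLAIR_PSK:=Y2JpMGVlZTM0Zmgy}"

readonly pod=quay-all-in-one
readonly quay_image=registry.redhat.io/quay/quay-rhel8:v3.4.3
readonly clair_image=registry.redhat.io/quay/clair-rhel8:v3.4.3

## Host directories
mkdir -p "$QUAY/postgres-quay" "$QUAY/clair" "$QUAY/config/extra_ca_certs" "$QUAY/storage"
# Grant write access to the uids the containers run as (26 and 1001 are
# taken over from the original script; presumably the postgresql and quay
# image users — confirm against the images before changing them).
setfacl -m u:26:-wx "$QUAY/postgres-quay"
setfacl -m u:1001:-wx "$QUAY/storage"

## Generate Quay Config file
# Unquoted heredoc: ${...} references are expanded by the shell.
cat > "$QUAY/config/config.yaml" << EOF
AUTHENTICATION_TYPE: Database
AVATAR_KIND: local
BITTORRENT_FILENAME_PEPPER: ${QUAY_FILENAME_PEPPER}
BUILDLOGS_REDIS:
  host: localhost
  password: ${QUAY_REDIS_PASSWORD}
  port: 6379
DATABASE_SECRET_KEY: ${QUAY_DATABASE_SECRET_KEY}
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://quayuser:${QUAY_DB_PASSWORD}@localhost/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
  - default
FEATURE_ACI_CONVERSION: false
FEATURE_ACTION_LOG_ROTATION: false
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_REGISTRY: true
FEATURE_APP_SPECIFIC_TOKENS: true
FEATURE_BITBUCKET_BUILD: false
FEATURE_BLACKLISTED_EMAILS: false
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_GITHUB_BUILD: false
FEATURE_GITHUB_LOGIN: false
FEATURE_GITLAB_BUILD: false
FEATURE_GOOGLE_LOGIN: false
FEATURE_INVITE_ONLY_USER_CREATION: false
FEATURE_MAILING: false
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
FEATURE_PROXY_STORAGE: false
FEATURE_REPO_MIRROR: true
FEATURE_REQUIRE_TEAM_INVITE: true
FEATURE_RESTRICTED_V1_PUSH: true
FEATURE_SECURITY_NOTIFICATIONS: false
FEATURE_SECURITY_SCANNER: true
FEATURE_SIGNING: false
FEATURE_STORAGE_REPLICATION: false
FEATURE_TEAM_SYNCING: false
FEATURE_USER_CREATION: true
FEATURE_USER_LAST_ACCESSED: true
FEATURE_USER_LOG_ACCESS: false
FEATURE_USER_METADATA: false
FEATURE_USER_RENAME: false
FEATURE_USERNAME_CONFIRMATION: true
FRESH_LOGIN_TIMEOUT: 10m
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
GPG2_PRIVATE_KEY_FILENAME: signing-private.gpg
GPG2_PUBLIC_KEY_FILENAME: signing-public.gpg
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://localhost
LOG_ARCHIVE_LOCATION: default
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
# Placeholder sender: mail is off (FEATURE_MAILING: false); set a real
# address before enabling it.
MAIL_DEFAULT_SENDER: [email protected]
MAIL_PORT: 587
MAIL_USE_AUTH: false
MAIL_USE_TLS: false
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Project Quay
REGISTRY_TITLE_SHORT: Project Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SEARCH_MAX_RESULT_PAGE_COUNT: 10
SEARCH_RESULTS_PER_PAGE: 10
SECRET_KEY: ${QUAY_SECRET_KEY}
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://localhost:9091
SECURITY_SCANNER_V4_PSK: ${QUAY_CLAIR_PSK}
SERVER_HOSTNAME: ${domain}:8443
SETUP_COMPLETE: true
SUPER_USERS:
  - admin
TAG_EXPIRATION_OPTIONS:
  - 0s
  - 1d
  - 1w
  - 2w
  - 4w
TEAM_RESYNC_STALE_TIME: 30m
TESTING: false
USE_CDN: false
USER_EVENTS_REDIS:
  host: localhost
  password: ${QUAY_REDIS_PASSWORD}
  port: 6379
USER_RECOVERY_TOKEN_LIFETIME: 30m
USERFILES_LOCATION: default
EOF

## Generate Self-Signed Certificate
# Go-based clients (podman, Clair, Quay) verify the SAN, not the CN; the
# original CN-only certificate is what the GODEBUG=x509ignoreCN=0 escape
# hatch on the containers below compensates for. The SAN makes the
# certificate acceptable without it (the variable is kept as a belt-and-braces).
openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
  -out "$QUAY/config/ssl.cert" \
  -keyout "$QUAY/config/ssl.key" \
  -subj "/C=AE/ST=Dubai/L=Dubai/O=Quay/OU=IT Department/CN=${domain}" \
  -addext "subjectAltName=DNS:${domain}"
chmod 750 "$QUAY/config/ssl."*
# `command` bypasses an interactive `cp -i` alias, which is what the
# original `unalias cp` worked around (and which fails when no alias exists).
command cp -f "$QUAY/config/ssl.cert" "$QUAY/config/extra_ca_certs/quay.crt"
chmod -R 750 "$QUAY/config/extra_ca_certs"
# Trust the certificate on the host so local podman pulls/pushes succeed.
command cp -f "$QUAY/config/ssl.cert" /etc/pki/ca-trust/source/anchors/quay.crt
update-ca-trust

## Create a POD - Shared network stack
podman pod create --name "$pod" -p 8443:8443

## Run postgres container inside the pod
podman run -d --pod "$pod" --name postgresql-quay \
  -e POSTGRESQL_USER=quayuser \
  -e "POSTGRESQL_PASSWORD=${QUAY_DB_PASSWORD}" \
  -e POSTGRESQL_DATABASE=quay \
  -e "POSTGRESQL_ADMIN_PASSWORD=${QUAY_DB_ADMIN_PASSWORD}" \
  -v "$QUAY/postgres-quay:/var/lib/pgsql/data:Z" \
  registry.redhat.io/rhel8/postgresql-10:1
wait_for_postgres || die "postgresql-quay did not become ready"
# No tty is needed for one-shot psql statements, so no -it (which breaks
# when the script is run without a terminal).
podman exec postgresql-quay psql -d quay -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm'

## Run Redis inside the pod - same network namespace
podman run -d --pod "$pod" --name redis \
  -e "REDIS_PASSWORD=${QUAY_REDIS_PASSWORD}" \
  registry.redhat.io/rhel8/redis-5:1

## Run Clair
podman exec postgresql-quay psql -U postgres -c 'CREATE DATABASE clair'
podman exec postgresql-quay psql -d clair -U postgres -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'
cat > "$QUAY/clair/config.yaml" << EOF
http_listen_addr: :9091
introspection_addr: :9099
log_level: debug
indexer:
  connstring: host=localhost port=5432 dbname=clair user=quayuser password=${QUAY_DB_PASSWORD} sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=localhost port=5432 dbname=clair user=quayuser password=${QUAY_DB_PASSWORD} sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=localhost port=5432 dbname=clair user=quayuser password=${QUAY_DB_PASSWORD} sslmode=disable
  delivery_interval: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: "${QUAY_CLAIR_PSK}"
    iss: ["quay"]
EOF
# The host CA bundles are mounted read-only: Clair only needs to trust the
# self-signed Quay certificate added above via update-ca-trust.
podman run -d --pod "$pod" --name clairv4 \
  -e CLAIR_CONF=/config/config.yaml -e CLAIR_MODE=combo \
  -e GODEBUG=x509ignoreCN=0 \
  -v "$QUAY/clair:/config:Z" \
  -v /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro,z \
  -v /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:ro,z \
  "$clair_image"

## Run Quay inside the pod - same network namespace
podman run -d --pod "$pod" \
  --name=quay \
  -e GODEBUG=x509ignoreCN=0 \
  -v "$QUAY/config:/conf/stack:Z" \
  -v "$QUAY/storage:/datastorage:Z" \
  "$quay_image"

## Enable mirror
# Same image and config as Quay, started in its repomirror role.
podman run -d --pod "$pod" --name mirroring-worker \
  -e GODEBUG=x509ignoreCN=0 \
  -v "$QUAY/config:/conf/stack:Z" \
  "$quay_image" repomirror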
Exposing registry on port (https) 8443