Quay.io Configurations

Configuring a Push Secret for the Build Pipeline

After the build-pipeline builds an image, it will try to push it to a container registry. If using a registry that requires authentication, the namespace where the pipeline is running should be configured with a push secret for the registry.

Tekton provides a way to inject push secrets into pipelines by attaching them to a service account.

The service account used for running the pipelines is the namespace's appstudio-pipeline service account.

  1. ⚙️ Create the secret in the pipeline's namespace (see the example below for extracting the secret):

Replace $NS with the correct namespace. For example:

  • for user1, specify 'user-ns1'
  • for user2, specify 'user-ns2'
  • for managed1, specify 'managed-ns1'
  • for managed2, specify 'managed-ns2'

kubectl create -n $NS secret generic regcred \
 --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
 --type=kubernetes.io/dockerconfigjson

  2. ⚙️ Add the secret to the namespace's appstudio-pipeline service account:

kubectl patch -n $NS serviceaccount appstudio-pipeline -p '{"secrets": [{"name": "regcred"}]}'

Example - Extract Quay Push Secret:

If using Quay.io, you can follow the procedure below to obtain the config.json file used for creating the secret. If not using Quay, apply your registry's equivalent procedure.

  1. ⚙️ Log into quay.io and click your user icon on the top-right corner.

  2. ⚙️ Select Account Settings.

  3. ⚙️ Click on Generate Encrypted Password.

  4. ⚙️ Enter your login password and click Verify.

  5. ⚙️ Select Docker Configuration.

  6. ⚙️ Click Download <your-username>-auth.json and take note of the download location.

  7. ⚙️ Replace <path/to/.docker/config.json> in the kubectl create secret command with this path.
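Before passing the file to kubectl create secret, it is worth checking that it actually holds a usable credential for the target registry and nothing else, since every entry in it becomes available to the pipeline's service account. The following pre-flight check is an added example, not part of the Konflux project; the function name, the sample inputs, and the assumption that the registry key in the file is exactly quay.io are illustrative.

```python
import base64
import binascii
import json


def check_push_config(text, registry="quay.io"):
    """Return a list of problems found in a Docker config.json used as a push secret."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = []
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        problems.append("no 'auths' entries")
        # A workstation config often delegates to a helper and stores no secret inline.
        if isinstance(cfg, dict) and ("credsStore" in cfg or "credHelpers" in cfg):
            problems.append("credentials are held by a credential helper, not in this file")
        return problems
    entry = auths.get(registry)
    if entry is None:
        problems.append(f"no entry for {registry}")
    else:
        auth = entry.get("auth", "") if isinstance(entry, dict) else ""
        try:
            decoded = base64.b64decode(auth, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError, TypeError):
            decoded = ""
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            problems.append(f"'auth' for {registry} does not decode to user:password")
    # Least privilege: the pipeline only needs the registry it pushes to.
    extra = sorted(host for host in auths if host != registry)
    if extra:
        problems.append("also carries credentials for: " + ", ".join(extra))
    return problems


# Constructed sample inputs (no real credentials).
_AUTH = base64.b64encode(b"example+robot:constructed-token").decode()
GOOD = json.dumps({"auths": {"quay.io": {"auth": _AUTH}}})
HELPER = json.dumps({"auths": {}, "credsStore": "osxkeychain"})
MIXED = json.dumps({"auths": {"quay.io": {"auth": _AUTH},
                              "registry.example.com": {"auth": _AUTH}}})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("HELPER", HELPER), ("MIXED", MIXED)):
        print(name, check_push_config(sample) or "ok")
```

An empty list means the file is suitable as the .dockerconfigjson source; any other result should be resolved before the secret is created.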

Configuring a Push Secret for the Release Pipeline

If the release pipeline needs to push images to a container registry, it needs to be configured with a push secret as well.

⚙️ In the managed namespace, repeat the same steps mentioned above for configuring the push secret.

Automatically Provision Quay Repositories for Container Images

Note: This step is mandatory for importing components using the UI.

Konflux integrates with the Image Controller, which can automatically create Quay repositories when onboarding a component. The image controller requires access to a Quay organization. Follow these steps to configure it:

  1. ⚙️ Create a user on Quay.io

  2. ⚙️ Create a Quay Organization

  3. ⚙️ Create an Application and OAuth access token. The application should have the following permissions:

    • Administer Organization
    • Administer Repositories
    • Create Repositories

  4. ⚙️ Run the deploy-image-controller.sh script:

$TOKEN - the token for the application you created in step 3.

$ORGANIZATION - the name of the organization you created in step 2.

./deploy-image-controller.sh $TOKEN $ORGANIZATION