FirstUser - Create the first user account
The FirstUser custom resource requires Quay version 3.6 or later.
To use the resource, you must enable the first user creation feature of your Quay installation (FEATURE_USER_INITIALIZE in config.yaml).
You must also use the internal database of your Quay installation for authentication (AUTHENTICATION_TYPE to Database in config.yaml).
Use the module just after installing Quay, when the database is empty.
The resource fails if user accounts are already defined in the database.
The FirstUser custom resource relies on a Secret resource to provide the connection parameters to the Quay instance. This Secret resource must include the following data:
- host: URL for accessing the Quay API, such as https://quay.example.com:8443.
- validateCerts: Whether to allow insecure connections to the API. By default, insecure connections are refused.
You can create the secret by using the kubectl create secret command:
kubectl create secret generic quay-connection-secret --from-literal host=https://quay.example.com:8443 --from-literal validateCerts=false
Or you can create the secret from a resource file:
---
apiVersion: v1
kind: Secret
metadata:
  name: quay-connection-secret
stringData:
  host: https://quay.example.com:8443
  validateCerts: "false"
You refer to this secret in your FirstUser custom resource by using the connSecretRef property:
---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: FirstUser
metadata:
  name: firstuser-sample
spec:
  # Connection parameters in a Secret resource
  connSecretRef:
    name: quay-connection-secret
    # By default, the operator looks for the secret in the same namespace as
    # the FirstUser resource, but you can specify a different namespace.
    # namespace: mynamespace
...
The FirstUser custom resource generates an OAuth access token for authenticating against the API, and stores it in the Secret resource that you specify by using the retSecretRef property.
You can use that secret as an input for other custom resources, by specifying it in the connSecretRef property of these resources.
The OAuth access token that the FirstUser custom resource generates is valid for only 2 hours and 20 minutes.
For a permanent token, see the ApiToken custom resource.
Usage Example
---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: FirstUser
metadata:
  name: firstuser-sample
spec:
  # Connection parameters in a Secret resource.
  # Only the host and optionally the validateCerts parameters are used.
  connSecretRef:
    name: quay-connection-secret
    # By default, the operator looks for the secret in the same namespace as
    # the firstuser resource, but you can specify a different namespace.
    # namespace: mynamespace
  username: admin
  password: Sup3r53cr3L
  email: admin@example.com
  createToken: true
  # The Secret resource is created or updated, and stores the "accessToken"
  # parameter.
  # "host", "validateCerts", "token", "username", and "password" parameters
  # are also added, so that you can use the secret with other Quay resources
  # to access the API.
  # The token is valid only for 2 hours and 20 minutes.
  retSecretRef:
    name: quay-temp-credentials-secret
    # By default, the operator stores the secret in the same namespace as the
    # firstuser resource, but you can specify a different namespace.
    # namespace: mynamespace
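The following check reads the output of kubectl get secret <name> -o json for the connection secret, or for the secret written through retSecretRef, and reports the settings that weaken the API connection. It is an added example, not part of the operator; the function names and the set of strings treated as false are assumptions, and the sample input is constructed.

```python
import base64
import json
from urllib.parse import urlsplit

FALSE_WORDS = {"false", "no", "off", "0"}  # assumption: spellings treated as "false"


def make_secret(string_data):
    """Build constructed sample input shaped like `kubectl get secret -o json` output."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in string_data.items()}
    return json.dumps({"apiVersion": "v1", "kind": "Secret", "data": data})


def decode_secret(secret_json):
    """Return the Secret's data map with the base64 layer removed."""
    obj = json.loads(secret_json)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret resource")
    return {k: base64.b64decode(v).decode() for k, v in (obj.get("data") or {}).items()}


def audit_secret(secret_json, returned=False):
    """List findings for a connection Secret, or a retSecretRef Secret if returned=True."""
    data = decode_secret(secret_json)
    findings = []
    host = data.get("host", "").strip()
    if not host:
        findings.append("host: key missing or empty")
    elif urlsplit(host).scheme != "https":
        findings.append("host: not an https:// URL, credentials would travel in clear text")
    # validateCerts is optional; the page says insecure connections are refused by default.
    if data.get("validateCerts", "true").strip().lower() in FALSE_WORDS:
        findings.append("validateCerts: certificate validation is disabled")
    if returned:
        # The page lists "token" as a copy of "accessToken" in the returned secret.
        if not data.get("accessToken"):
            findings.append("accessToken: missing, was createToken set to true?")
        elif data.get("token") != data["accessToken"]:
            findings.append("token: differs from accessToken, expected a copy")
    return findings


if __name__ == "__main__":
    # Constructed sample: same values as the quay-connection-secret example above.
    sample = make_secret({"host": "https://quay.example.com:8443", "validateCerts": "false"})
    for finding in audit_secret(sample):
        print(finding)
```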
Properties
connSecretRef
Reference to the secret resource that stores the connection parameters to the Quay Container Registry API.
The secret must include the host, token (or username and password), and optionally the validateCerts keys.
Type: object (see the following properties)
Required: True
Default value: None
connSecretRef.name
Name of the secret resource.
Type: string
Required: True
Default value: None
connSecretRef.namespace
Namespace of the secret resource. By default, the secret resource is retrieved from the same namespace as the current FirstUser resource.
Type: string
Required: False
Default value: None
createToken
If true, then an OAuth access token is created and returned. You can use that returned token with the other Quay resources, by setting it in the quayToken parameter. The token is valid for 2 hours 30 minutes. If false, then no access token is created.
Type: boolean
Required: False
Default value: None
email
User's email address. If your Quay administrator has enabled the mailing capability of your Quay installation (FEATURE_MAILING to true in config.yaml), then this email parameter is mandatory.
Type: string
Required: False
Default value: None
password
User's password as a clear string. The password must be at least eight characters long and must not contain white spaces.
Type: string
Required: True
Default value: None
preserveInQuayOnDeletion
Whether to preserve the corresponding Quay object when you delete the FirstUser resource. When set to false (the default), the object is deleted from Quay.
Type: boolean
Required: False
Default value: False
retSecretRef
RetSecretRef is the secret resource that the FirstUser resource creates. This secret will store the data that the resource generates:
- accessToken - The access token that you can use for subsequent resource calls. The token is valid for 2 hours 30 minutes.
- token - The OAuth access token (copy).
- host - URL for accessing the Quay API.
- validateCerts - Whether to allow insecure connections to the API.
- email - User's email address.
- encryptedPassword - Encrypted user's password.
Type: object (see the following properties)
Required: False
Default value: None
retSecretRef.name
Name of the secret resource.
Type: string
Required: True
Default value: None
retSecretRef.namespace
Namespace of the secret resource. By default, the secret resource is created in the same namespace as the current FirstUser resource.
Type: string
Required: False
Default value: None
username
Name of the user account to create. You probably want that user account to have superuser permissions so that you can use the returned token to create additional objects. To do so, add the account name to the SUPER_USERS section in the config.yaml file before using the FirstUser resource.
Type: string
Required: True
Default value: None
Listing the FirstUser Resources
You can retrieve the list of the FirstUser custom resources in a namespace by using the kubectl get command:
kubectl get firstusers.quay.herve4m.github.io -n <namespace>