Notification - Manage Quay Container Registry repository notifications
The Notification custom resource relies on a Secret resource to provide the connection parameters to the Quay instance. This Secret resource must include the following data:
host
: URL for accessing the Quay API, such as https://quay.example.com:8443.
validateCerts
: Whether to validate the TLS certificate of the API. By default (true), insecure connections are refused; set it to false to allow them.
token
: OAuth access token for authenticating against the API. To create such a token, see the Creating an OAuth Access Token documentation. You can also use the ApiToken custom resource to create this token.
username
: The username to use for authenticating against the API. If token is set, then username is ignored.
password
: The password to use for authenticating against the API. If token is set, then password is ignored.
You can create the secret by using the kubectl create secret command:
kubectl create secret generic quay-credentials --from-literal host=https://quay.example.com:8443 --from-literal validateCerts=false --from-literal token=vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku
Or you can create the secret from a resource file:
---
apiVersion: v1
kind: Secret
metadata:
  name: quay-credentials
stringData:
  host: https://quay.example.com:8443
  validateCerts: "false"
  token: vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku
You refer to this secret in your Notification custom resource by using the connSecretRef property. See the usage example.
Warning
Do not delete the Secret resource if a Quay custom resource still references it. If you delete the Secret resource, then the Operator cannot connect to the Quay API anymore, and cannot synchronize the Quay custom resource with its corresponding object in Quay. In addition, deleting the Quay custom resource does not complete because the Operator cannot delete the corresponding object in Quay.
If you face this issue, then edit the custom resource (kubectl edit), and set the .spec.preserveInQuayOnDeletion property to true.
Alternatively, you can remove the .metadata.finalizers section.
In both cases, you must manually delete the corresponding object in Quay.
Usage Example
---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: Notification
metadata:
  name: notification-sample
spec:
  # Connection parameters in a Secret resource
  connSecretRef:
    name: quay-credentials
    # By default, the operator looks for the secret in the same namespace as
    # the notification resource, but you can specify a different namespace.
    # namespace: mynamespace
  # Whether to preserve the corresponding Quay object when you
  # delete the Notification resource.
  preserveInQuayOnDeletion: false
  repository: production/smallimage
  title: Notify critical image vulnerabilities to Slack
  event: vulnerability_found
  vulnerabilityLevel: critical
  method: slack
  config:
    url: https://hooks.slack.com/services/XXX/YYY/ZZZ
Properties
config
Configuration parameters for the notification method.
Type: object (see the following properties)
Required: False
Default value: None
config.email
Destination email address. Required by the email notification method.
Type: string
Required: False
Default value: None
config.flowApiToken
API token required for the Flowdock notification method.
Type: string
Required: False
Default value: None
config.name
Name of the account, team, or organization. Robot accounts are not allowed. Required by the Quay Notification method.
Type: string
Required: False
Default value: None
config.notificationToken
Notification token required for the HipChat notification method.
Type: string
Required: False
Default value: None
config.roomId
Chat room ID required for the HipChat notification method.
Type: string
Required: False
Default value: None
config.template
JSON data for the body content of the webhook POST method.
Type: string
Required: False
Default value: None
config.type
Specifies the type of the account defined in config.name. Only applies to the Quay Notification method.
Type: string
Required: False
Default value: user
config.url
Webhook URL for the Slack method or POST URL for the webhook POST method.
Type: string
Required: False
Default value: None
connSecretRef
Reference to the secret resource that stores the connection parameters to the Quay Container Registry API.
The secret must include the host, token (or username and password), and optionally the validateCerts keys.
Type: object (see the following properties)
Required: True
Default value: None
connSecretRef.name
Name of the secret resource.
Type: string
Required: True
Default value: None
connSecretRef.namespace
Namespace of the secret resource. By default, the secret resource is retrieved from the same namespace as the current Notification resource.
Type: string
Required: False
Default value: None
event
Event that triggers the notification. Depending on the activated Quay components, not all events might be available on your system.
Type: string
Required: False
Default value: None
imageExpiryDays
Only used when event is repo_image_expiry. The notification is triggered when the image expires in the specified number of days.
Type: integer
Required: False
Default value: 7
method
Notification method. Each method requires a specific set of options that you define by using the config parameter. The email notification method is only available on Quay installations where the mailing capability has been activated (FEATURE_MAILING set to true in config.yaml).
Type: string
Required: False
Default value: None
preserveInQuayOnDeletion
Whether to preserve the corresponding Quay object when you delete the Notification resource. When set to false (the default), the object is deleted from Quay.
Type: boolean
Required: False
Default value: False
regexp
The regular expression to search in the title of the existing notifications. This does not have to match the entire title. The resource uses that regular expression to select the notifications to process. For state=present, the resource resets the failure counter (if resetFailcount is true) or initiates a test (if test is true) of all the matching notifications. For state=absent, the resource deletes all the notifications that match. Uses Python regular expressions. See https://docs.python.org/3/library/re.html. Mutually exclusive with searchString.
Type: string
Required: False
Default value: None
repository
Name of the repository which contains the notifications to manage. The format for the name is namespace/shortname. The namespace can be an organization or your personal namespace. If you omit the namespace part in the name, then the resource looks for the repository in your personal namespace. You can manage notifications for repositories in your personal namespace, but not in the personal namespace of other users. The token you use in quayToken determines the user account you are using.
Type: string
Required: True
Default value: None
resetFailcount
Reset the notification failure counter.
Type: boolean
Required: False
Default value: None
searchString
The literal string to search in the title of the existing notifications. This does not have to match the entire line. For state=present, the resource resets the failure counter (if resetFailcount is true) or initiates a test (if test is true) of all the matching notifications. For state=absent, the resource deletes all the notifications that match. Mutually exclusive with regexp.
Type: string
Required: False
Default value: None
test
Initiate a test of the notification.
Type: boolean
Required: False
Default value: None
title
Notification title.
Type: string
Required: False
Default value: None
vulnerabilityLevel
Only used when event is vulnerability_found. The notification is triggered when the vulnerability has a level equal to or higher than the level that you define in vulnerabilityLevel.
Type: string
Required: False
Default value: None
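The constraints that the Secret section and the property list above spell out (required keys, the regexp/searchString exclusion, which config keys each method needs, which events vulnerabilityLevel and imageExpiryDays apply to) can be checked offline before a manifest reaches the cluster. The following script is an added example, not code from the quay operator project: it encodes those rules as plain functions and runs them against the page's own usage example. The method names in METHOD_REQUIRED_CONFIG and the config keys each method requires are assumptions read from the config.* descriptions above, and SAMPLE_SPEC and SAMPLE_SECRET_DATA are constructed from the page's samples.

```python
"""Offline checks for a Notification custom resource and its connection Secret.

Added example (not part of the quay operator). The rules come from the
property descriptions on this page; the mapping of method names to the
config keys they need is an assumption derived from those descriptions.
"""
import re

# Assumption: config keys each notification method needs, read from the
# config.* property descriptions (method identifiers assumed).
METHOD_REQUIRED_CONFIG = {
    "email": ("email",),
    "slack": ("url",),
    "webhook": ("url",),
    "flowdock": ("flowApiToken",),
    "hipchat": ("notificationToken", "roomId"),
    "quay_notification": ("name",),
}

# Constructed from the page's usage example (spec section only).
SAMPLE_SPEC = {
    "connSecretRef": {"name": "quay-credentials"},
    "preserveInQuayOnDeletion": False,
    "repository": "production/smallimage",
    "title": "Notify critical image vulnerabilities to Slack",
    "event": "vulnerability_found",
    "vulnerabilityLevel": "critical",
    "method": "slack",
    "config": {"url": "https://hooks.slack.com/services/XXX/YYY/ZZZ"},
}

# Constructed from the page's Secret example (placeholder token).
SAMPLE_SECRET_DATA = {
    "host": "https://quay.example.com:8443",
    "validateCerts": "false",
    "token": "PLACEHOLDER_TOKEN",
}


def check_secret_data(data):
    """Return the problems found in the stringData of the connection Secret."""
    problems = []
    host = data.get("host", "")
    if not host:
        problems.append("host is required")
    elif not host.startswith("https://"):
        problems.append("host should use https:// so the token is not sent in clear text")
    if "token" not in data and not ("username" in data and "password" in data):
        problems.append("token, or both username and password, is required")
    if "token" in data and ("username" in data or "password" in data):
        problems.append("username/password are ignored when token is set")
    if str(data.get("validateCerts", "true")).lower() == "false":
        problems.append("validateCerts=false disables TLS certificate verification")
    return problems


def check_notification_spec(spec):
    """Return the problems found in the spec of a Notification resource."""
    problems = []
    if not spec.get("connSecretRef", {}).get("name"):
        problems.append("connSecretRef.name is required")
    repo = spec.get("repository", "")
    if not repo:
        problems.append("repository is required")
    elif repo.count("/") > 1 or repo.startswith("/") or repo.endswith("/"):
        problems.append("repository must be namespace/shortname or shortname")
    if "regexp" in spec and "searchString" in spec:
        problems.append("regexp and searchString are mutually exclusive")
    if "regexp" in spec:
        try:
            re.compile(spec["regexp"])
        except re.error as exc:
            problems.append(f"regexp is not a valid Python regular expression: {exc}")
    if "vulnerabilityLevel" in spec and spec.get("event") != "vulnerability_found":
        problems.append("vulnerabilityLevel only applies when event is vulnerability_found")
    if "imageExpiryDays" in spec and spec.get("event") != "repo_image_expiry":
        problems.append("imageExpiryDays only applies when event is repo_image_expiry")
    method = spec.get("method")
    if method in METHOD_REQUIRED_CONFIG:
        config = spec.get("config", {})
        for key in METHOD_REQUIRED_CONFIG[method]:
            if key not in config:
                problems.append(f"method {method} requires config.{key}")
    return problems


def select_notifications(titles, regexp=None, search_string=None):
    """Titles selected by regexp or searchString (partial match, as documented)."""
    if regexp is not None and search_string is not None:
        raise ValueError("regexp and searchString are mutually exclusive")
    if regexp is not None:
        pattern = re.compile(regexp)
        return [t for t in titles if pattern.search(t)]
    if search_string is not None:
        return [t for t in titles if search_string in t]
    return []


if __name__ == "__main__":
    print("secret:", check_secret_data(SAMPLE_SECRET_DATA) or "ok")
    print("spec:", check_notification_spec(SAMPLE_SPEC) or "ok")
```

Run against the page's samples, the spec passes and the Secret reports only that validateCerts=false turns off certificate verification, which is the setting to revisit before the token is sent to a production registry. select_notifications mirrors the documented search semantics: regexp uses re.search, so it does not need to match the whole title, and searchString is a plain substring test.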
Listing the Notification Resources
You can retrieve the list of the Notification custom resources in a namespace by using the kubectl get command:
kubectl get notifications.quay.herve4m.github.io -n <namespace>