OrganizationMirror - Manage Quay Container Registry organization mirror configurations

The OrganizationMirror custom resource relies on a Secret resource to provide the connection parameters to the Quay instance. This Secret resource must include the following data:

  • host: URL for accessing the Quay API, such as https://quay.example.com:8443.
  • validateCerts: Whether to validate the TLS certificate of the API. Set it to false to allow insecure connections. By default, insecure connections are refused.
  • timeout: Number of seconds to wait for Quay to send data before giving up. The default timeout is 10 seconds.
  • token: OAuth access token for authenticating against the API. To create such a token, see the Creating an OAuth Access Token documentation. You can also use the ApiToken custom resource to create this token.
  • username: The username to use for authenticating against the API. If token is set, then username is ignored.
  • password: The password to use for authenticating against the API. If token is set, then password is ignored.

You can create the secret by using the kubectl create secret command:

kubectl create secret generic quay-credentials --from-literal host=https://quay.example.com:8443 --from-literal validateCerts=false --from-literal timeout=21 --from-literal token=vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku

Or you can create the secret from a resource file:

---
apiVersion: v1
kind: Secret
metadata:
  name: quay-credentials
stringData:
  host: https://quay.example.com:8443
  validateCerts: "false"
  timeout: "21"
  token: vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku

You refer to this secret in your OrganizationMirror custom resource by using the connSecretRef property. See the usage example.

Warning

Do not delete the Secret resource if a Quay custom resource still references it. If you delete the Secret resource, then the Operator cannot connect to the Quay API anymore, and cannot synchronize the Quay custom resource with its corresponding object in Quay. In addition, deleting the Quay custom resource does not complete because the Operator cannot delete the corresponding object in Quay.

If you face this issue, then edit the custom resource (kubectl edit), and set the .spec.preserveInQuayOnDeletion property to true. Alternatively, you can remove the .metadata.finalizers section. In both cases, you must manually delete the corresponding object in Quay.

Usage Example

---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: OrganizationMirror
metadata:
  name: organizationmirror-sample
spec:
  # Connection parameters in a Secret resource
  connSecretRef:
    name: quay-credentials
    # By default, the operator looks for the secret in the same namespace as
    # the organizationmirror resource, but you can specify a different namespace.
    # namespace: mynamespace

  # Whether to preserve the corresponding Quay object when you
  # delete the OrganizationMirror resource.
  preserveInQuayOnDeletion: false

  organization: productionmirror
  externalRegistryType: quay
  externalRegistryUrl: https://quay.io
  externalNamespace: projectquay
  robotUsername: productionmirror+syncrobot
  visibility: public
  repositoryFilters:
    - quay
    - clair
    - redis
  syncInterval: 2d
  syncStartDate: "2026-04-27T13:00:00Z"
  isEnabled: true

Properties

connSecretRef

Reference to the secret resource that stores the connection parameters to the Quay Container Registry API. The secret must include the host, token (or username and password), and optionally the validateCerts keys.

Type: object (see the following properties)

Required: True

Default value: None

connSecretRef.name

Name of the secret resource.

Type: string

Required: True

Default value: None

connSecretRef.namespace

Namespace of the secret resource. By default, the secret resource is retrieved from the same namespace as the current OrganizationMirror resource.

Type: string

Required: False

Default value: None

externalNamespace

Namespace, or project, in the external registry from which repositories are mirrored, such as projectquay or library. This parameter is required when creating the mirroring configuration.

Type: string

Required: False

Default value: None

externalRegistryPassword

Password to use for pulling images from the remote registry. Only used when externalRegistryUsername is also provided.

Type: string

Required: False

Default value: None

externalRegistryType

Type of the external registry from which repositories are mirrored. This parameter is required when creating the mirroring configuration. The type cannot be changed after creation.

Type: string

Required: False

Default value: None

externalRegistryUrl

URL of the external registry, such as https://quay.io or https://harbor.example.com. This parameter is required when creating the mirroring configuration.

Type: string

Required: False

Default value: None

externalRegistryUsername

Username to use for pulling images from the remote registry. If not provided, then anonymous access is used.

Type: string

Required: False

Default value: None

forceSync

Triggers an immediate synchronization of all repositories in the mirror.

Type: boolean

Required: False

Default value: None

httpProxy

HTTP proxy to use for accessing the remote container registry. See the curl documentation for more details. By default, no proxy is used.

Type: string

Required: False

Default value: None

httpsProxy

HTTPS proxy to use for accessing the remote container registry. See the curl documentation for more details. By default, no proxy is used.

Type: string

Required: False

Default value: None

isEnabled

Defines whether the mirror configuration is active or inactive. true by default.

Type: boolean

Required: False

Default value: None

noProxy

Comma-separated list of hosts for which the proxy should not be used. Only relevant when you also specify a proxy configuration by setting the httpProxy or httpsProxy variables. See the curl documentation for more details.

Type: string

Required: False

Default value: None

organization

Name of the organization to configure for mirroring. The organization must exist and be empty (contain no repositories) when creating a new mirror configuration.

Type: string

Required: True

Default value: None

preserveInQuayOnDeletion

Whether to preserve the corresponding Quay object when you delete the OrganizationMirror resource. When set to false (the default), the object is deleted from Quay.

Type: boolean

Required: False

Default value: False

repositoryFilters

List of repository name patterns to synchronize from the external namespace. Supports glob patterns such as hello*, busy*, or *test. If not specified or empty, then all repositories from the external namespace are synchronized.

Type: array

Required: False

Default value: None

robotUsername

Username of the robot account that is used for synchronization. The robot must belong to the organization specified in organization. This parameter is required when creating the mirroring configuration.

Type: string

Required: False

Default value: None

skopeoTimeout

Maximum duration of mirroring jobs. The timeout must be between 5 minutes (300 seconds) and 12 hours (43200 seconds). The skopeoTimeout parameter accepts a time unit as a suffix: s for seconds, m for minutes, and h for hours. For example, 10m for 10 minutes. The default is 5 minutes (300 seconds).

Type: string

Required: False

Default value: None

syncInterval

Synchronization interval for this repository mirror, in seconds. The syncInterval parameter accepts a time unit as a suffix: s for seconds, m for minutes, h for hours, d for days, and w for weeks. For example, 8h for eight hours. The minimum value is 60 seconds. The default is 86400 (one day).

Type: string

Required: False

Default value: None

syncStartDate

The date and time at which the first synchronization should be initiated. The format for the syncStartDate parameter is ISO 8601 UTC, such as 2026-04-25T21:06:00Z. If you do not provide the syncStartDate parameter when you configure a new organization mirror, then the synchronization is immediately active, and a synchronization is initiated if the isEnabled parameter is true.

Type: string

Required: False

Default value: None

verifyTls

Defines whether TLS of the external registry should be verified. true by default.

Type: boolean

Required: False

Default value: None

visibility

Visibility of the mirrored repositories created in the organization. public by default.

Type: string

Required: False

Default value: None
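
The constraints stated in the property descriptions above can be checked before a manifest is applied. The following Python code is an added example, not part of the operator or its documentation: check_spec, to_seconds and SAMPLE are hypothetical names, and the code assumes that a bare number means seconds, that unit suffixes are lowercase, and that robot accounts follow the Quay naming form <organization>+<shortname>.

```python
import re
from datetime import datetime

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
ON_CREATE = ("externalNamespace", "externalRegistryType", "externalRegistryUrl", "robotUsername")

def to_seconds(value, allowed):
    """Convert '10m' or '2d' to seconds. Assumption: a bare number is seconds."""
    m = re.fullmatch(r"(\d+)([a-z]?)", str(value).strip())
    if not m or (m.group(2) and m.group(2) not in allowed):
        raise ValueError(f"invalid duration {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def check_spec(spec):
    """Return findings for an OrganizationMirror .spec given as a dict."""
    out = [f"{k}: required" for k in ("connSecretRef", "organization") if k not in spec]
    out += [f"{k}: required when creating the mirror" for k in ON_CREATE if k not in spec]
    # (property, accepted unit suffixes, minimum seconds, maximum seconds)
    for key, units, low, high in (("skopeoTimeout", "smh", 300, 43200),
                                  ("syncInterval", "smhdw", 60, None)):
        if key not in spec:
            continue
        try:
            secs = to_seconds(spec[key], units)
        except ValueError as err:
            out.append(f"{key}: {err}")
            continue
        if secs < low or (high is not None and secs > high):
            out.append(f"{key}: {secs}s is outside the allowed range")
    if "syncStartDate" in spec:
        try:
            datetime.strptime(str(spec["syncStartDate"]), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            out.append("syncStartDate: not in ISO 8601 UTC form")
    robot, org = spec.get("robotUsername"), spec.get("organization")
    if robot and org and not robot.startswith(org + "+"):  # assumed form <org>+<name>
        out.append("robotUsername: robot does not belong to the organization")
    if spec.get("verifyTls") is False:
        out.append("verifyTls: TLS of the external registry is not verified")
    if spec.get("externalRegistryPassword") and not spec.get("externalRegistryUsername"):
        out.append("externalRegistryPassword: unused without externalRegistryUsername")
    return out

# Constructed sample: the usage example from this page with three defects introduced.
SAMPLE = {"connSecretRef": {"name": "quay-credentials"}, "organization": "productionmirror",
          "externalRegistryType": "quay", "externalRegistryUrl": "https://quay.io", "syncInterval": "2d",
          "externalNamespace": "projectquay", "robotUsername": "other+syncrobot", "skopeoTimeout": "2m", "verifyTls": False}

if __name__ == "__main__":
    print("\n".join(check_spec(SAMPLE)))
```

Load the manifest with any YAML parser and pass its spec mapping to check_spec; an empty list means no finding.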

Listing the OrganizationMirror Resources

You can retrieve the list of the OrganizationMirror custom resources in a namespace by using the kubectl get command:

kubectl get organizationmirrors.quay.herve4m.github.io -n <namespace>