Repository - Manage Quay Container Registry repositories
The Repository custom resource relies on a Secret resource to provide the connection parameters to the Quay instance. This Secret resource must include the following data:
host: URL for accessing the Quay API, such ashttps://quay.example.com:8443for example.validateCerts: Whether to allow insecure connections to the API. By default, insecure connections are refused.token: OAuth access token for authenticating against the API. To create such a token see the Creating an OAuth Access Token documentation. You can also use the ApiToken custom resource to create this token.username: The username to use for authenticating against the API. Iftokenis set, thenusernameis ignored.password: The password to use for authenticating against the API. Iftokenis set, thenpasswordis ignored.
You can create the secret by using the kubectl create secret command:
kubectl create secret generic quay-credentials --from-literal host=https://quay.example.com:8443 --from-literal validateCerts=false --from-literal token=vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku
Or you can create the secret from a resource file:
---
apiVersion: v1
kind: Secret
metadata:
name: quay-credentials
stringData:
host: https://quay.example.com:8443
validateCerts: "false"
token: vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku
You refer to this secret in your Repository custom resource by using the connSecretRef property.
See the usage example.
Warning
Do not delete the Secret resource if a Quay custom resource still references it. If you delete the Secret resource, then the Operator cannot connect to the Quay API anymore, and cannot synchronize the Quay custom resource with its corresponding object in Quay. In addition, deleting the Quay custom resource does not complete because the Operator cannot delete the corresponding object in Quay.
If you face this issue, then edit the custom resource (kubectl edit), and set the .spec.preserveInQuayOnDeletion property to true.
Alternatively, you can remove the .metadata.finalizers section.
In both case, you must manually delete the corresponding object in Quay.
Usage Example
---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: Repository
metadata:
name: repository-sample-1
spec:
# Connection parameters in a Secret resource
connSecretRef:
name: quay-credentials
# By default, the operator looks for the secret in the same namespace as
# the repository resource, but you can specify a different namespace.
# namespace: mynamespace
# Whether to preserve the corresponding Quay object when you
# delete the Repository resource.
preserveInQuayOnDeletion: false
name: production/smallimage
visibility: public
description: |
# My first repository
* smallimage is a small GNU/linux container image.
* Use podman to start a container using that image.
perms:
- name: operators
type: team
role: read
- name: dwilde
type: user
role: read
- name: production+robotprod1
type: user
role: admin
append: true
star: true
repoState: NORMAL
---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: Repository
metadata:
name: repository-sample-2
spec:
# Connection parameters in a Secret resource
connSecretRef:
name: quay-credentials
# By default, the operator looks for the secret in the same namespace as the
# repository resource, but you can specify a different namespace.
# repository: mynamespace
# Whether to preserve the corresponding Quay object when you
# delete the resource.
preserveInQuayOnDeletion: false
name: production/ubi9
repoState: MIRROR
Properties
append
If true, then add the permission defined in perms to the repository. If false, then the resource sets the permissions specified in perms, removing all others permissions from the repository.
Type: boolean
Required: False
Default value: True
autoPruneMethod
The autoPruneMethod parameter is deprecated and will be removed in future versions of the collection. Use the OrganizationPrune and the RepositoryPrune resources instead. Method to use for the auto-pruning tags policy. If none, then the resource ensures that no policy is in place. The tags are not pruned. If several policies are available, then the resource removes them all. If tags, then the policy keeps only the number of tags that you specify in autoPruneValue. If date, then the policy deletes the tags older than the time period that you specify in autoPruneValue. autoPruneValue is required when autoPruneMethod is tags or date.
Type: string
Required: False
Default value: None
autoPruneValue
The autoPruneValue parameter is deprecated and will be removed in future versions of the collection. Use the OrganizationPrune and the RepositoryPrune resources instead. Number of tags to keep when autoPruneMethod is tags. The value must be 1 or more. Period of time when autoPruneMethod is date. The value must be 1 or more, and must be followed by a suffix; s (for second), m (for minute), h (for hour), d (for day), or w (for week). autoPruneMethod is required when autoPruneValue is set.
Type: string
Required: False
Default value: None
connSecretRef
Reference to the secret resource that stores the connection parameters to the Quay Container Registry API.
The secret must include the host, token (or username and password), and optionally the validateCerts keys.
Type: object (see the following properties)
Required: True
Default value: None
connSecretRef.name
Name of the secret resource.
Type: string
Required: True
Default value: None
connSecretRef.namespace
Namespace of the secret resource. By default, the secret resource is retrieved from the same namespace as the current Repository resource.
Type: string
Required: False
Default value: None
description
Text in Markdown format that describes the repository.
Type: string
Required: False
Default value: None
name
Name of the repository to create, remove, or modify. The format for the name is namespace/shortname. The namespace can be an organization or your personal namespace. The name must be in lowercase and must not contain white spaces. If you omit the namespace part in the name, then the resource uses your personal namespace. You can manage repositories in your personal namespace, but not in the personal namespace of other users. The token you use in quayToken determines the user account you are using.
Type: string
Required: True
Default value: None
perms
User, robot, and team permissions to associate with the repository.
Type: array
Required: False
Default value: None
preserveInQuayOnDeletion
Whether to preserve the corresponding Quay object when you delete the Repository resource. When set to false (the default), the object is deleted from Quay.
Type: boolean
Required: False
Default value: False
repoState
If NORMAL, then the repository is in the default state (read/write). If READ_ONLY, then the repository is read-only. If MIRROR, then the repository is a mirror and you can configure it by using the RepositoryMirror resource. You must enable the mirroring capability of your Quay installation to use this repoState parameter.
Type: string
Required: False
Default value: None
star
If true, then add a star to the repository. If false, then remove the star. To star or unstar a repository you must provide the quayToken parameter to authenticate. If you are not authenticated, then the resource ignores the star parameter.
Type: boolean
Required: False
Default value: None
visibility
If public, then anyone can pull images from the repository. If private, then nobody can access the repository and you need to explicitly grant access to users, robots, and teams. If you do not set the parameter when you create a repository, then it defaults to private.
Type: string
Required: False
Default value: None
Listing the Repository Resources
You can retrieve the list of the Repository custom resources in a namespace by using the kubectl get command:
kubectl get repositories.quay.herve4m.github.io -n <namespace>
You can also use the short version for the resource type:
kubectl get repo -n <namespace>