Robot - Manage Quay Container Registry robot accounts
The Robot custom resource relies on a Secret resource to provide the connection parameters to the Quay instance. This Secret resource must include the following data:
host
: URL for accessing the Quay API, such as https://quay.example.com:8443.
validateCerts
: Whether to verify the TLS certificate of the API. Set it to "false" to allow insecure connections. By default, insecure connections are refused.
token
: OAuth access token for authenticating against the API. To create such a token, see the Creating an OAuth Access Token documentation. You can also use the ApiToken custom resource to create this token.
username
: The username to use for authenticating against the API. If token is set, then username is ignored.
password
: The password to use for authenticating against the API. If token is set, then password is ignored.
You can create the secret by using the kubectl create secret command:
kubectl create secret generic quay-credentials --from-literal host=https://quay.example.com:8443 --from-literal validateCerts=false --from-literal token=vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku
Or you can create the secret from a resource file:
---
apiVersion: v1
kind: Secret
metadata:
  name: quay-credentials
stringData:
  host: https://quay.example.com:8443
  validateCerts: "false"
  token: vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku
You refer to this secret in your Robot custom resource by using the connSecretRef property. See the usage example.
Warning
Do not delete the Secret resource if a Quay custom resource still references it. If you delete the Secret resource, then the Operator cannot connect to the Quay API anymore, and cannot synchronize the Quay custom resource with its corresponding object in Quay. In addition, deleting the Quay custom resource does not complete because the Operator cannot delete the corresponding object in Quay.
If you face this issue, then edit the custom resource (kubectl edit), and set the .spec.preserveInQuayOnDeletion property to true. Alternatively, you can remove the .metadata.finalizers section. In both cases, you must manually delete the corresponding object in Quay.
Usage Example
---
apiVersion: quay.herve4m.github.io/v1alpha1
kind: Robot
metadata:
  name: robot-sample
spec:
  # Connection parameters in a Secret resource
  connSecretRef:
    name: quay-credentials
    # By default, the operator looks for the secret in the same namespace as
    # the robot resource, but you can specify a different namespace.
    # namespace: mynamespace
  # Whether to preserve the corresponding Quay object when you
  # delete the Robot resource.
  preserveInQuayOnDeletion: false
  name: production+robotprod1
  description: Robot account for production
  federations:
    - issuer: https://keycloak-auth-realm.quayadmin.org/realms/quayrealm
      subject: 449e14f8-9eb5-4d59-a63e-b7a77c75f770
  # The Secret resource is created or updated, and stores the returned data.
  # You can use the secret as a pull secret so that pods can pull images from
  # Quay by using the robot account credentials.
  # The secret contains three entries:
  # - name: the token name (same as .spec.name), such as production+robotprod1
  # - token: robot credential
  # - .dockerconfigjson: Base64 encoded Docker configuration in JSON format
  retSecretRef:
    name: robot-sample-ret-secret
    # By default, the operator stores the secret in the same namespace as the
    # robot resource, but you can specify a different namespace.
    # namespace: mynamespace
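The comments above say that the returned secret can serve as a pull secret. The following Pod manifest is an added example (not part of the operator's documentation) that references the robot-sample-ret-secret created by the Robot resource in the usage example. The image path quay.example.com:8443/production/app:1.0 and the pod name are assumptions; the secret must live in the same namespace as the pod, which is the default when retSecretRef.namespace is not set.

```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: app-from-quay
spec:
  # Secret created by the Robot resource (.spec.retSecretRef.name in the
  # usage example). Its .dockerconfigjson entry carries the robot account
  # credentials that the kubelet uses to pull from Quay.
  imagePullSecrets:
    - name: robot-sample-ret-secret
  containers:
    - name: app
      # Assumed image path: the "production" organization is the namespace
      # part of the robot account name production+robotprod1.
      image: quay.example.com:8443/production/app:1.0
```

Because the robot account only needs to pull, keep its permissions in Quay limited to read access on the repositories that the pod actually uses; the pull secret then cannot be used to push images if a pod's service account is compromised.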
Properties
append
If true, then add the robot account federation configurations defined in federations. If false, then the resource sets the federation configurations specified in federations, removing all other federation configurations. Robot account federations require Quay version 3.13 or later.
Type: boolean
Required: False
Default value: True
connSecretRef
Reference to the secret resource that stores the connection parameters to the Quay Container Registry API. The secret must include the host, token (or username and password), and optionally the validateCerts keys.
Type: object (see the following properties)
Required: True
Default value: None
connSecretRef.name
Name of the secret resource.
Type: string
Required: True
Default value: None
connSecretRef.namespace
Namespace of the secret resource. By default, the secret resource is retrieved from the same namespace as the current Robot resource.
Type: string
Required: False
Default value: None
description
Description of the robot account. You cannot update the description of existing robot accounts.
Type: string
Required: False
Default value: None
federations
Federation configurations, which enable keyless authentication with robot accounts. Robot account federations require Quay version 3.13 or later.
Type: array
Required: False
Default value: None
name
Name of the robot account to create or remove, in the format namespace+shortname. The namespace can be an organization or your personal namespace. The short name (the part after the + sign) must be in lowercase, must not contain white spaces, must not start with a digit, and must be at least two characters long. If you omit the namespace part in the name, then the resource uses your personal namespace. You can create and delete robot accounts in your personal namespace, but not in the personal namespace of other users. The token you use in quayToken determines the user account you are using.
Type: string
Required: True
Default value: None
preserveInQuayOnDeletion
Whether to preserve the corresponding Quay object when you delete the Robot resource. When set to false (the default), the object is deleted from Quay.
Type: boolean
Required: False
Default value: False
retSecretRef
Reference to the secret resource that the Robot resource creates. This secret stores the data that the resource generates:
- name: Token name. From this name and the token in token, you can construct a Docker configuration file that you can use to manage images in the container image registry. See DockerConfig#filter.
- token: Robot credential (token).
Type: object (see the following properties)
Required: False
Default value: None
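The name property above documents the rules for the robot account name, and retSecretRef says that a Docker configuration file can be built from the returned name and token entries. The following Python helpers are an added example (not code from the quay-operator project) that checks a robot name against the documented rules, builds a Docker config.json from a returned secret as kubectl get secret -o json would print it, and verifies that the .dockerconfigjson entry of such a secret carries the same credentials as its name and token entries. The sample secret, the placeholder token, and the choice of the registry key (the host of the Quay URL without the scheme) are assumptions of this example; Quay may also enforce stricter character-set rules than the four documented here.

```python
"""Helpers around the Robot resource: validate a robot account name and build
or verify a Docker config.json from the secret that retSecretRef creates.
Added example for this page; not code from the quay-operator project."""
import base64
import json
import re

WHITESPACE_RE = re.compile(r"\s")


def parse_robot_name(name, personal_namespace):
    """Split a robot name of the form "namespace+shortname".

    Applies the rules documented for .spec.name: the short name (after the "+")
    must be lowercase, contain no white space, not start with a digit and be at
    least two characters long. If the namespace part is omitted, the personal
    namespace of the token owner is used. Quay itself may apply stricter rules
    on the character set; this function only checks the documented ones.
    """
    namespace, sep, short = name.rpartition("+")
    if not sep:
        namespace, short = personal_namespace, name
    if not namespace:
        raise ValueError("namespace part must not be empty when '+' is present")
    if len(short) < 2:
        raise ValueError("short name must be at least two characters long")
    if WHITESPACE_RE.search(short):
        raise ValueError("short name must not contain white space")
    if short[0].isdigit():
        raise ValueError("short name must not start with a digit")
    if short != short.lower():
        raise ValueError("short name must be lowercase")
    return namespace, short


def is_valid_robot_name(name, personal_namespace="me"):
    """Boolean wrapper around parse_robot_name for admission-style checks."""
    try:
        parse_robot_name(name, personal_namespace)
    except ValueError:
        return False
    return True


def _decode(secret, key):
    """Secret values in the Kubernetes API (kubectl get secret -o json) are base64."""
    return base64.b64decode(secret["data"][key]).decode()


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def docker_config_from_secret(secret, registry):
    """Build a Docker config.json document from the "name" and "token" entries.

    The registry key is the host of the Quay URL without the scheme; that is an
    assumption of this example, not something the operator documents.
    """
    name = _decode(secret, "name")
    token = _decode(secret, "token")
    return {"auths": {registry: {"auth": _b64(f"{name}:{token}")}}}


def credentials_from_docker_config(config, registry):
    """Reverse of docker_config_from_secret: recover (name, token)."""
    auth = base64.b64decode(config["auths"][registry]["auth"]).decode()
    name, _, token = auth.partition(":")  # split at the first colon only
    return name, token


def verify_returned_secret(secret, expected_name, registry):
    """Check that a returned secret is consistent: its name entry equals the
    Robot resource's .spec.name, and its .dockerconfigjson entry carries the
    same credentials as the name and token entries."""
    if _decode(secret, "name") != expected_name:
        return False
    shipped = json.loads(_decode(secret, ".dockerconfigjson"))
    built = docker_config_from_secret(secret, registry)
    return (credentials_from_docker_config(shipped, registry)
            == credentials_from_docker_config(built, registry))


# Constructed sample of what "kubectl get secret robot-sample-ret-secret -o json"
# might return; the token is a placeholder, not a real credential.
_REGISTRY = "quay.example.com:8443"
_NAME = "production+robotprod1"
_TOKEN = "PLACEHOLDER-ROBOT-TOKEN"
SAMPLE_RETURNED_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "robot-sample-ret-secret"},
    "data": {
        "name": _b64(_NAME),
        "token": _b64(_TOKEN),
        ".dockerconfigjson": _b64(json.dumps(
            {"auths": {_REGISTRY: {"auth": _b64(f"{_NAME}:{_TOKEN}")}}})),
    },
}

if __name__ == "__main__":
    print(parse_robot_name(_NAME, "alice"))
    print(json.dumps(docker_config_from_secret(SAMPLE_RETURNED_SECRET, _REGISTRY), indent=2))
    print(verify_returned_secret(SAMPLE_RETURNED_SECRET, _NAME, _REGISTRY))
```

verify_returned_secret is the check worth running after the operator reports the Robot resource as synchronized: a mismatch between the name entry and .spec.name, or between the shipped .dockerconfigjson and the name and token entries, indicates that the secret was edited by hand or belongs to a different robot account.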
retSecretRef.name
Name of the secret resource.
Type: string
Required: True
Default value: None
retSecretRef.namespace
Namespace of the secret resource. By default, the secret resource is created in the same namespace as the current Robot resource.
Type: string
Required: False
Default value: None
Listing the Robot Resources
You can retrieve the list of the Robot custom resources in a namespace by using the kubectl get command:
kubectl get robots.quay.herve4m.github.io -n <namespace>