TeamLdap - Synchronize Quay Container Registry teams with LDAP groups

The TeamLdap custom resource relies on a Secret resource to provide the connection parameters to the Quay instance. This Secret resource must include the following data:

host: URL for accessing the Quay API, such as https://quay.example.com:8443 for example.
validateCerts: Whether to allow insecure connections to the API. By default, insecure connections are refused.
token: OAuth access token for authenticating against the API. To create such a token see the Creating an OAuth Access Token documentation. You can also use the ApiToken custom resource to create this token.
username: The username to use for authenticating against the API. If token is set, then username is ignored.
password: The password to use for authenticating against the API. If token is set, then password is ignored.

You can create the secret by using the kubectl create secret command:

kubectl create secret generic quay-credentials --from-literal host=https://quay.example.com:8443 --from-literal validateCerts=false --from-literal token=vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku

Or you can create the secret from a resource file:

---
apiVersion: v1
kind: Secret
metadata:
  name: quay-credentials
stringData:
  host: https://quay.example.com:8443
  validateCerts: "false"
  token: vFYyU2D0fHYXvcA3Y5TYfMrIMyVIH9YmxoVLsmku

You refer to this secret in your TeamLdap custom resource by using the connSecretRef property. See the usage example.

Warning

Do not delete the Secret resource if a Quay custom resource still references it. If you delete the Secret resource, then the Operator cannot connect to the Quay API anymore, and cannot synchronize the Quay custom resource with its corresponding object in Quay. In addition, deleting the Quay custom resource does not complete because the Operator cannot delete the corresponding object in Quay.

If you face this issue, then edit the custom resource (kubectl edit), and set the .spec.preserveInQuayOnDeletion property to true. Alternatively, you can remove the .metadata.finalizers section. In both case, you must manually delete the corresponding object in Quay.

Usage Example

---
# The resource requires that your Quay administrator configures the Quay
# authentication method to LDAP (AUTHENTICATION_TYPE to LDAP in
# config.yaml and the LDAP_* parameters correctly set).
apiVersion: quay.herve4m.github.io/v1alpha1
kind: TeamLdap
metadata:
  name: teamldap-sample
spec:
  # Connection parameters in a Secret resource
  connSecretRef:
    name: quay-credentials
    # By default, the operator looks for the secret in the same namespace as
    # the teamldap resource, but you can specify a different namespace.
    # namespace: mynamespace

  # Whether to preserve the corresponding configuration in Quay when you
  # delete the resource.
  preserveInQuayOnDeletion: false

  name: operators
  organization: production
  sync: true
  groupDn: cn=op1,ou=groups
  keepUsers: true

Properties

connSecretRef

Reference to the secret resource that stores the connection parameters to the Quay Container Registry API. The secret must include the host, token (or username and password), and optionally the validateCerts keys.

Type: object (see the following properties)

Required: True

Default value: None

connSecretRef.name

Name of the secret resource.

Type: string

Required: True

Default value: None

connSecretRef.namespace

Namespace of the secret resource. By default, the secret resource is retrieved from the same namespace as the current TeamLdap resource.

Type: string

Required: False

Default value: None

groupDn

LDAP group distinguished name (DN), relative to the base DN that you defined in the config.yaml Quay configuration file with the LDAP_BASE_DN parameter. For example, if the LDAP group DN is cn=group1,ou=groups,dc=example,dc=org and the base DN is dc=example,dc=org, then you must set groupDn to cn=group1,ou=groups. groupDn is required when sync is true.

Type: string

Required: False

Default value: None

keepUsers

If true, then the current team members are kept after the synchronization is disabled. If false, then the team members are removed (except robot accounts). keepUsers is only used when sync is false.

Type: boolean

Required: False

Default value: True

name

Name of the team to synchronize or unsynchronize with an LDAP group. That team must exist (see the Team resource to create it).

Type: string

Required: True

Default value: None

organization

Name of the organization for the team. That organization must exist.

Type: string

Required: True

Default value: None

preserveInQuayOnDeletion

Whether to preserve the corresponding Quay object when you delete the TeamLdap resource. When set to false (the default), the object is deleted from Quay.

Type: boolean

Required: False

Default value: False

sync

If true, then the team members are retrieved from the LDAP group that you define in groupDn. The pre-existing members are removed from the team before the synchronization process starts. Existing robot account members are not removed. If false, then the synchronization from LDAP is disabled. Existing team members (from LDAP) are kept, except if you set keepUsers to false.

Type: boolean

Required: False

Default value: True

Listing the TeamLdap Resources

You can retrieve the list of the TeamLdap custom resources in a namespace by using the kubectl get command:

kubectl get teamldaps.quay.herve4m.github.io -n <namespace>

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search