In Part 1 of this series we made the business case for using Red Hat Quay as our container registry and Red Hat Clair to scan the images in Quay for known security vulnerabilities. In Part 2 we deployed our OpenShift cluster on AWS public cloud infrastructure to host Quay and Clair.
In this post, Part 3 of the three-part series, we deploy Quay and Clair with the Quay Operator in that OpenShift cluster and push an image to the Quay registry. We then check the image in the Quay webUI to see whether it passes the Clair security scan.
Series Overview
In Part 1 of this series we prepared the resources required to install OpenShift as a public cluster on AWS public cloud infrastructure, including the resources required to deploy Quay and Clair on that OpenShift cluster.
Part 2 of this series takes you through the steps required to install OpenShift as a public cluster in AWS. A public OpenShift cluster has internet-accessible endpoints. Installing in AWS gives us the tools to lock down the OpenShift environment so that only the systems we specify can reach it.
Part 3 of the series takes you through the steps required to deploy the Quay container registry and the Clair security scanner in our OpenShift cluster running on AWS public cloud.
Preparing the workstation for the Quay and Clair deployment
The Quay and Clair deployment is driven from your local workstation or laptop with the oc CLI, against the OpenShift cluster installed in Part 2.
The local user account name used in the examples is "usera" with a home directory of /home/usera
You will need a user account on the Red Hat customer portal. (access.redhat.com) "yourname@redhat.com" is used as an example in the following steps.
Your Red Hat user account will be used to create and download a pull secret.
################### NOTE ###################
Use your own sshKey, AWS Access Key ID, AWS Secret Access Key, Base Domain, and Red Hat pullSecret.
The examples listed in the steps below WILL NOT WORK!!!
################# END NOTE ##################
1. Open a terminal session on your RHEL workstation or laptop and start in your home directory:
[usera@local-workstation ~]$ cd ~
2. Make a directory for the Kubernetes configuration file:
[usera@local-workstation ~]$ mkdir ~/.kube
3. Copy the kubeconfig file written by the installer in Part 2 to the .kube directory:
[usera@local-workstation ~]$ cp \
/home/usera/aws-ocp/install/auth/kubeconfig ~/.kube/config
4. Alternatively, point the CLI session at the cluster with the KUBECONFIG variable (when it is set, oc uses it instead of ~/.kube/config, so either step 3 or this step is enough):
[usera@local-workstation ~]$ export \
KUBECONFIG=/home/usera/aws-ocp/install/auth/kubeconfig
5. Make a directory for the Quay installation
[usera@local-workstation ~]$ mkdir -p \
aws-ocp-quay-clair/ocp-quay
6. Create a new project for Quay in the openshift cluster
[usera@local-workstation ~]$ oc new-project quay-enterprise
7. Create an htpasswd file with the user who will be the local administrator for Quay. The -b flag takes the password on the command line, which records it in your shell history; omit -b to be prompted for the password instead:
[usera@local-workstation ~]$ htpasswd -c -B -b \
/home/usera/aws-ocp-quay-clair/ocp-quay/htshad \
quay-admin QuayAdministrator
8. Create an OpenShift Container Platform Secret containing the htpasswd file. It must live in the openshift-config namespace, which is where the OAuth operator reads identity-provider secrets from, and the key must be named htpasswd:
[usera@local-workstation ~]$ oc create secret generic \
htpass-secret \
--from-file=htpasswd=/home/usera/aws-ocp-quay-clair/ocp-quay/htshad -n openshift-config
9. Create a Custom Resource (CR) YAML file for the HTPasswd identity provider:
[usera@local-workstation ~]$ vi htpasswd-cr.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: Local
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
10. Apply the CR to the OpenShift cluster. The OAuth operator picks up the change and restarts the authentication pods, so it can take a minute or two before the new provider accepts logins:
[usera@local-workstation ~]$ oc apply -f htpasswd-cr.yaml
Install the Red Hat Quay Operator from the OpenShift webUI
1. Log into the OpenShift webUI using the kubeadmin account and the password printed when the cluster installation finished at the end of Part 2 of this series.
2. You may have to accept one or two browser security exceptions because the new OpenShift cluster is using a self-signed certificate.
In the OpenShift webUI, select Operators → OperatorHub
Search for Quay
Select "Red Hat Quay"
Click "Install"
3. Choose the following, then select Subscribe:
Update Channel: Choose the update channel (I used quay 3.3 for this series)
Installation Mode: Select a specific namespace (quay-enterprise)
Approval Strategy: Choose to approve automatic or manual updates (automatic)
Create the secrets for Quay and Clair
Return to the command line.
The operator pulls the Quay and Clair images from the quay.io registry, so it needs registry credentials. Create a new file in Docker config format containing them (the auth value is the base64 encoding of username:password):
[usera@local-workstation ~]$ vi docker_quay.json
{
  "auths": {
    "quay.io": {
      "auth": "cmVkaGF0K3F1YXk6TzgxV1NIUlNKUjE0VUFaQks1NEdRSEpTMFAxVjRDTFdBSlYxWDJDNFNEN0tPNTlDUTlOM1JFMTI2MTJYVTFIUg==",
      "email": ""
    }
  }
}
2. Create the pull secret in the quay-enterprise project (oc new-project made it your current project, so no -n is needed here):
[usera@local-workstation ~]$ oc create secret generic \
redhat-pull-secret \
--from-file=".dockerconfigjson=docker_quay.json" \
--type='kubernetes.io/dockerconfigjson'
3. Create the Quay superuser secret. These are the credentials you will use to log into the Quay webUI:
[usera@local-workstation ~]$ oc create secret generic \
quay-admin --from-literal=superuser-username=quay-admin \
--from-literal=superuser-password=QUAYadminPW \
--from-literal=superuser-email=network.operations@your.aws.rt53.dns.domain.com
4. A dedicated deployment of Quay (the config app) is used to manage the configuration of Quay. Access to that configuration interface requires authentication. Create a Quay configuration secret:
[usera@local-workstation ~]$ oc create secret generic \
quay-config --from-literal=superuser-username=quay-config \
--from-literal=config-app-password=CONFIGadminPW
5. Create a Quay Configuration App Secret:
[usera@local-workstation ~]$ oc create secret generic \
quay-config-app \
--from-literal=config-app-password=QUAYCONFIGAPPadminPW
6. Create the PostgreSQL database credentials secret. The values below are placeholders; in practice give the database user a strong, unique password rather than reusing the username:
[usera@local-workstation ~]$ oc create secret generic \
quay-database-credential --from-literal=database-username=quay \
--from-literal=database-password=quay \
--from-literal=database-root-password=quayAdmin \
--from-literal=database-name=quay-enterprise
7. Create a Redis password secret. By default the operator-managed Redis instance is deployed without a password; to set one, create a secret containing it:
[usera@local-workstation ~]$ oc create secret generic \
redis-password --from-literal=password=REDISPW
8. Create an S3 credentials secret. Kubernetes object names must be lowercase RFC 1123 subdomain names, so the API server rejects "S3-credentials"; use s3-credentials:
[usera@local-workstation ~]$ oc create secret generic \
s3-credentials \
--from-literal=accessKey=ANKIYOURACCESSKEYHEREVES2W \
--from-literal=secretKey=A1IqkYourSecretKeyHere/%bksiujrwgQZrc
9. Create the QuayEcosystem YAML file. Note that this example places the S3 access key and secret key directly in the CR, so they end up in etcd and in every copy of this file: keep the file out of source control, and treat read access to QuayEcosystem objects in the project as access to those keys. The redis block is a sibling of quay under spec, not a child of it:
[usera@local-workstation ~]$ vi quay-ecosystem.yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: QuayEcosystem
metadata:
  name: quay-ecosystem
spec:
  clair:
    enabled: true
    imagePullSecretName: redhat-pull-secret
    updateInterval: "60m"
  quay:
    superusers:
      - quay-admin
      - quay-config
    externalAccess:
      hostname: registry.apps.ocp-quay.your.aws.rt53.dns.domain.com
    registryBackends:
      - name: s3
        s3:
          accessKey: ANKIYOURACCESSKEYHEREVES2W
          bucketName: your-s3-bucket
          secretKey: A1IqkYourSecretKeyHere/%bksiujrwgQZrc
    imagePullSecretName: redhat-pull-secret
    superuserCredentialsSecretName: quay-admin
    configSecretName: quay-config-app
    deploymentStrategy: RollingUpdate
    skipSetup: false
    database:
      volumeSize: 10Gi
      credentialsSecretName: quay-database-credential
    registryStorage:
      persistentVolumeSize: 20Gi
      persistentVolumeAccessModes:
        - ReadWriteMany
    livenessProbe:
      initialDelaySeconds: 120
      httpGet:
        path: /health/instance
        port: 8443
        scheme: HTTPS
    readinessProbe:
      initialDelaySeconds: 10
      httpGet:
        path: /health/instance
        port: 8443
        scheme: HTTPS
  redis:
    credentialsSecretName: redis-password
10. Modify the file to fit your environment (hostname, bucket name, keys). When done, apply the configuration to the OpenShift cluster to start the Quay deployment:
[usera@local-workstation ~]$ oc apply -f quay-ecosystem.yaml
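The operator does not create any of the secrets the CR points at; a misnamed or missing one (the uppercase S3-credentials name above is an example of the first kind) leaves the deployment stuck until you notice. The following pre-flight check is an added example, not code from the original post or from the Quay Operator: it pulls every *SecretName reference out of the manifest text, validates each name against the lowercase RFC 1123 rule the API server enforces, and confirms the secret exists in the project. The manifest snippet and the `oc get secrets -o name` output it runs on are constructed samples; preflight_live runs the same check against a real cluster with your logged-in oc.

```python
"""Pre-flight check for a QuayEcosystem manifest.

Added example, not code from the original post or from the Quay Operator.
Before `oc apply -f quay-ecosystem.yaml`, confirm that every secret the CR
names in a *SecretName field (a) is a valid Kubernetes object name and
(b) already exists in the project. The manifest and the `oc get secrets -o name`
output below are constructed samples.
"""
import re
import subprocess
from typing import List, Set, Tuple

# RFC 1123 subdomain as enforced by the API server: lowercase alphanumerics,
# '-' and '.', each label starting and ending with an alphanumeric, <= 253 chars.
_RFC1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)
# Any field ending in SecretName (imagePullSecretName, configSecretName, ...).
_SECRET_REF = re.compile(r"^\s*([A-Za-z]*[sS]ecretName):\s*([^\s#]+)")


def is_valid_k8s_name(name: str) -> bool:
    return len(name) <= 253 and _RFC1123_SUBDOMAIN.match(name) is not None


def referenced_secrets(manifest: str) -> List[Tuple[str, str]]:
    """(field, secret name) for every *SecretName line in the YAML text."""
    refs = []
    for line in manifest.splitlines():
        m = _SECRET_REF.match(line)
        if m:
            refs.append((m.group(1), m.group(2).strip("'\"")))
    return refs


def existing_secrets(oc_get_output: str) -> Set[str]:
    """Names from `oc get secrets -o name` (lines such as secret/redhat-pull-secret)."""
    return {
        line.split("/", 1)[1]
        for line in oc_get_output.splitlines()
        if line.startswith("secret/")
    }


def preflight(manifest: str, oc_get_output: str) -> List[str]:
    """Problems found; an empty list means every referenced secret is valid and present."""
    present = existing_secrets(oc_get_output)
    problems = []
    for field, name in referenced_secrets(manifest):
        if not is_valid_k8s_name(name):
            problems.append(f"{field}: {name!r} is not a valid lowercase RFC 1123 name")
        elif name not in present:
            problems.append(f"{field}: secret {name!r} not found in project")
    return problems


def preflight_live(manifest_path: str, namespace: str = "quay-enterprise") -> List[str]:
    """Same check against a real cluster; needs a logged-in oc on PATH."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = fh.read()
    out = subprocess.run(
        ["oc", "get", "secrets", "-n", namespace, "-o", "name"],
        check=True, capture_output=True, text=True,
    ).stdout
    return preflight(manifest, out)


# Constructed sample: the secret references from the post's CR.
SAMPLE_MANIFEST = """\
spec:
  clair:
    imagePullSecretName: redhat-pull-secret
  quay:
    imagePullSecretName: redhat-pull-secret
    superuserCredentialsSecretName: quay-admin
    configSecretName: quay-config-app
    database:
      credentialsSecretName: quay-database-credential
  redis:
    credentialsSecretName: redis-password
"""

# Constructed `oc get secrets -o name` output: the database secret was never created.
SAMPLE_OC_SECRETS = """\
secret/redhat-pull-secret
secret/quay-admin
secret/quay-config-app
secret/redis-password
"""

if __name__ == "__main__":
    for problem in preflight(SAMPLE_MANIFEST, SAMPLE_OC_SECRETS):
        print("FAIL:", problem)
```

Run it with the real file and project (preflight_live("quay-ecosystem.yaml")) before the oc apply; an empty result means the operator will find everything it is told to look for.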
Verify the Quay deployment and create the first Quay repository
1. Return to the OpenShift webUI.
2. In the list of options along the far left side of the page, click the arrow to expand “Home” and select “Projects”.
3. Search for “quay” and select quay-enterprise.
4. Scroll down the page until you can see the “Inventory” section on the left and verify that you have at least 4 pods running.
5. In the list of options along the far left side of the page, click the arrow to expand “Networking” and select “Routes”, then click the URL for the quay-ecosystem-quay route.
6. A new web page opens where you can log into the Quay webUI with the credentials from the Quay superuser secret you created earlier (the username is quay-admin, lowercase, exactly as in the secret). You may have to accept one or two security exceptions to reach the Quay webUI because of the self-signed certificate.
quay-admin
QUAYadminPW
7. In the Quay webUI, click the plus sign on the left side of the page next to “Create New Repository”.
8. Name the new repository “thanos” and click the button to create it as a private repository. Because you are logged in as quay-admin, it is created in the quay-admin namespace, so its full path is quay-admin/thanos.
9. Click the icon along the left side of the page that looks like a diagonal price tag (Tags).
The page that opens lists the image by its tag once we push it from the command line session.
Push an image to the Quay repository
Return to the command line session.
1. Log in to registry.redhat.io with your Red Hat account so you can pull an existing image. registry.redhat.io presents a publicly trusted certificate, so leave TLS verification on:
[usera@local-workstation ~]$ podman login registry.redhat.io
2. Log in to your new Quay registry. The Quay route is served with a self-signed certificate, which is why --tls-verify=false is needed here; outside a lab, install the certificate the route presents (or the CA that issued it) as /etc/containers/certs.d/<registry hostname>/ca.crt so podman can verify it instead of skipping verification:
[usera@local-workstation ~]$ podman login --tls-verify=false \
registry.apps.ocp-quay.your.aws.rt53.dns.domain.com
Username: quay-admin
Password: QUAYadminPW
3. Pull an older image that is likely to carry known vulnerabilities, so Clair has something to report:
[usera@local-workstation ~]$ podman pull \
registry.redhat.io/rhacm2/thanos-rhel7:v2.1.0-5
4. List the images in your local registry:
[usera@local-workstation ~]$ podman image ls
5. Apply a tag to the image so it can be pushed to the new Quay registry:
[usera@local-workstation ~]$ podman tag \
registry.redhat.io/rhacm2/thanos-rhel7:v2.1.0-5 \
registry.apps.ocp-quay.your.aws.rt53.dns.domain.com/quay-admin/thanos:1.0
6. List the images in your local registry.
[usera@local-workstation ~]$ podman image ls
7. Push the newly tagged image to the Quay repository:
[usera@local-workstation ~]$ podman push --tls-verify=false \
docker://registry.apps.ocp-quay.your.aws.rt53.dns.domain.com/quay-admin/thanos:1.0
Verify that the image was pushed to the Quay registry and scanned by Clair
Return to the Quay webUI and refresh the Tags page. The 1.0 tag appears with a Security Scan column; Clair's result shows there once the scan of the new manifest completes, which can take a few minutes after the push. (The updateInterval in the CR controls how often Clair refreshes its vulnerability data, not how quickly a newly pushed image is scanned.)
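Refreshing the webUI is fine for a one-off check, but the same result is available over the Quay API, which is what a pipeline would use to decide whether a tag may be promoted. Quay serves the Clair report for a manifest at GET /api/v1/repository/<namespace>/<repo>/manifest/<digest>/security?vulnerabilities=true, authenticated with a Bearer OAuth token. The following is an added example, not code from the original post or from Quay: it summarizes that response by severity and applies a gate that blocks on findings at or above a threshold, by default only those Clair reports a fixed version for. SAMPLE_REPORT is constructed to match the response shape; its CVE names are placeholders, not real advisories, and the registry hostname in the usage line is the one used throughout this post.

```python
"""Turn the Clair result Quay exposes through its API into a pass/fail decision.

Added example, not code from the original post or from Quay. SAMPLE_REPORT
below is constructed in the shape of Quay's manifest security response;
the CVE names in it are placeholders, not real advisories.
"""
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

# Clair severity levels, lowest to highest (Defcon1 is Clair v2's top level).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5, "Defcon1": 6}


def security_endpoint(registry: str, namespace: str, repo: str, digest: str) -> str:
    return (f"https://{registry}/api/v1/repository/{namespace}/{repo}"
            f"/manifest/{digest}/security?vulnerabilities=true")


def fetch_report(url: str, token: str, cafile: Optional[str] = None) -> dict:
    """GET the report; cafile lets you trust the registry's self-signed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def summarize(report: dict) -> Tuple[str, Dict[str, int], List[dict]]:
    """(scan status, findings per severity, flat list of findings)."""
    status = report.get("status", "unknown")
    counts: Dict[str, int] = {}
    findings: List[dict] = []
    if status != "scanned":          # queued, unsupported or failed: nothing to count
        return status, counts, findings
    for feature in report.get("data", {}).get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            sev = vuln.get("Severity", "Unknown")
            counts[sev] = counts.get(sev, 0) + 1
            findings.append({
                "package": feature.get("Name"),
                "installed": feature.get("Version"),
                "cve": vuln.get("Name"),
                "severity": sev,
                "fixed_by": vuln.get("FixedBy", ""),   # empty when no fix is available
            })
    return status, counts, findings


def gate(report: dict, threshold: str = "High", fixable_only: bool = True) -> Tuple[bool, str]:
    """Decide whether the tag may be promoted.

    Blocks on any finding at `threshold` or above; with fixable_only, only
    findings that carry a FixedBy version count, so unfixable CVEs are
    reported in the summary but do not stop the build.
    """
    status, counts, findings = summarize(report)
    if status == "queued":
        return False, "scan not finished yet; poll again"
    if status != "scanned":
        return False, f"scan status is {status}; refusing to promote"
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], 0) >= limit
                and (f["fixed_by"] or not fixable_only)]
    if blocking:
        return False, "blocked by " + ", ".join(
            f"{f['cve']} ({f['severity']}, {f['package']} {f['installed']})" for f in blocking)
    seen = ", ".join(f"{k}={v}" for k, v in sorted(counts.items())) or "none"
    return True, "ok, severities seen: " + seen


# Constructed sample in the shape of Quay's security response; placeholder CVE names.
SAMPLE_REPORT = {
    "status": "scanned",
    "data": {"Layer": {
        "Name": "sha256:0000000000000000000000000000000000000000000000000000000000000001",
        "NamespaceName": "rhel:7",
        "Features": [
            {"Name": "openssl-libs", "Version": "1:1.0.2k-19.el7", "Vulnerabilities": [
                {"Name": "CVE-EXAMPLE-0001", "Severity": "High", "FixedBy": "1:1.0.2k-21.el7"}]},
            {"Name": "glibc", "Version": "2.17-317.el7", "Vulnerabilities": [
                {"Name": "CVE-EXAMPLE-0002", "Severity": "Medium", "FixedBy": ""}]},
            {"Name": "kernel-headers", "Version": "3.10.0-1160.el7", "Vulnerabilities": [
                {"Name": "CVE-EXAMPLE-0003", "Severity": "Critical", "FixedBy": ""}]},
        ],
    }},
}

if __name__ == "__main__":
    # Live use: report = fetch_report(security_endpoint(
    #     "registry.apps.ocp-quay.your.aws.rt53.dns.domain.com", "quay-admin", "thanos",
    #     "sha256:<manifest digest from podman push>"), token="<quay oauth token>")
    ok, reason = gate(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL", "-", reason)
```

The digest to query is the one podman push prints for the manifest, and the token comes from an OAuth application created under an organization in the Quay webUI with repository read scope. Treat "queued" as a retry rather than a failure, and decide deliberately whether unfixable findings should block; with fixable_only left on, the sample above fails on its High finding but would pass a Critical-only policy because the Critical entry has no fix.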
Conclusion
You have completed Part 3 of this series and have successfully deployed Quay and Clair to the OpenShift cluster you created on AWS in Part 2. With Part 3 done, you have the skills to deploy Quay and Clair in an OpenShift cluster running on AWS public cloud, but that is just the beginning. You now have the basic knowledge to deploy more operators and expand the uses of OpenShift for your organization. I hope you found this series informative.
About the Author
Eric Archer is a Senior Red Hat Consultant for Stone Door Group, a Hybrid Cloud and DevOps consulting company that helps enterprises successfully complete digital transformation projects. Stone Door Group offers rapid adoption of Red Hat Hybrid Cloud technologies with their OpenShift Container Platform Accelerator. To speak to Eric, drop us a line at letsdothis@stonedoorgroup.com
About Stone Door Group
Stone Door Group is a Hybrid Cloud and DevOps consulting company that delivers successful digital transformation projects in the private and public sectors. Stone Door Group is a team of leading experts in Hybrid Cloud and DevOps technologies. To speak with Eric and our team, send us an email at letsdothis@stonedoorgroup.com