Install Project Quay Registry on OpenShift With Operator


Project Quay is a scalable container image registry that enables you to build, organize, distribute, and deploy containers. With Quay you can create image repositories, scan images for vulnerabilities, and apply robust access controls. We previously covered installing Quay on a Linux distribution using Docker.

How To Setup Red Hat Quay Registry on CentOS / RHEL / Ubuntu

In this guide, we will review how you can deploy the Quay container registry on OpenShift Container Platform using an Operator. The operator we’ll use is provided in OperatorHub. If you don’t have an OpenShift / OKD cluster running and would like to try this article, check out our guides below.

Setup Local OpenShift 4.x Cluster with CodeReady Containers

How to Setup OpenShift Origin (OKD) 3.11 on Ubuntu

How To run Local Openshift Cluster with Minishift

Project Quay is made up of several core components.

  • Database: Used by Red Hat Quay as its primary metadata storage (not for image storage).
  • Redis (key-value store): Stores live builder logs and the Red Hat Quay tutorial.
  • Quay (container registry): Runs the quay container as a service, consisting of several components in the pod.
  • Clair: Scans container images for vulnerabilities and suggests fixes.

Step 1: Create new project for Project Quay

Let’s begin by creating a new project for Quay registry.

$ oc new-project quay-enterprise
Now using project "quay-enterprise" on server "https://api.crc.testing:6443".

You can also create a project from the OpenShift web console.

Click the Create button and confirm the project is created and running.


Step 2: Install Red Hat Quay Setup Operator

The Red Hat Quay Setup Operator provides a simple method to deploy and manage a Red Hat Quay cluster.

Login to the OpenShift console and select Operators → OperatorHub:


Select the Red Hat Quay Operator.


Select Install; the Operator Subscription page will then appear.


Choose the following then select Subscribe:

  • Installation Mode: Select a specific namespace to install to
  • Update Channel: Choose the update channel (only one may be available)
  • Approval Strategy: Choose to approve automatic or manual updates


Step 3: Deploy a Red Hat Quay ecosystem

Certain credentials are required for accessing the registry. Create a new file with the details below.

$ vim docker_quay.json 

        "email": ""

Then create the pull secret on OpenShift; the ecosystem manifest later references it as imagePullSecretName.

oc project quay-enterprise
oc create secret generic redhat-pull-secret --from-file=".dockerconfigjson=docker_quay.json" --type='kubernetes.io/dockerconfigjson'

Create Quay Superuser credentials secret:

oc create secret generic quay-admin \
--from-literal=superuser-username=quayadmin \
--from-literal=superuser-password=StrongAdminPassword \
--from-literal=superuser-email=<admin-email>

  • quayadmin is the Quay admin username
  • StrongAdminPassword is the password for the admin user
  • <admin-email> is a placeholder for the email of the admin user to be created

Create Quay Configuration Secret

A dedicated deployment of Quay Enterprise is used to manage the configuration of Quay. Access to the configuration interface is secured and requires authentication.

oc create secret generic quay-config --from-literal=config-app-password=StrongPassword

Replace StrongPassword with your desired password.

Create Database credentials secret – PostgreSQL

oc create secret generic postgres-creds \
--from-literal=database-username=quay \
--from-literal=database-password=StrongUserPassword \
--from-literal=database-root-password=StrongRootPassword \
--from-literal=database-name=quay

These are the credentials for accessing the database server:

  • quay – database name and database username
  • StrongUserPassword – quay DB user password
  • StrongRootPassword – root user database password

Create Redis Password Credential

By default, the operator-managed Redis instance is deployed without a password. A password can be specified by creating a secret containing the password in the key password.

oc create secret generic redis-password  --from-literal=password=StrongRedisPassword
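The commands above pass every password with --from-literal, which leaves it in shell history and in the process list while oc runs. The following added example (not part of the original article) builds the same four secrets as one manifest with randomly generated passwords; the function names are illustrative, and the superuser-email and database-name keys follow the Quay operator's secret format.

```shell
#!/bin/sh
# Added example, not from the original article: emit the Step 3 credential
# secrets as a manifest so that no password is typed on a command line.

# 24 random alphanumeric characters taken from the kernel CSPRNG.
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24
}

# emit_secret NAME KEY=VALUE...  -> one Opaque Secret document on stdout.
emit_secret() {
    name=$1
    shift
    printf '%s\n' '---' 'apiVersion: v1' 'kind: Secret' 'metadata:'
    printf '  name: %s\n' "$name"
    printf '%s\n' 'type: Opaque' 'stringData:'
    for kv in "$@"; do
        # Split each argument at the first "=" into key and value.
        printf '  %s: "%s"\n' "${kv%%=*}" "${kv#*=}"
    done
}

# quay_secrets_manifest ADMIN_EMAIL -> the four credential secrets.
# ADMIN_EMAIL is supplied by the caller (assumption: not stored anywhere else).
quay_secrets_manifest() {
    emit_secret quay-admin \
        "superuser-username=quayadmin" \
        "superuser-password=$(gen_password)" \
        "superuser-email=$1"
    emit_secret quay-config "config-app-password=$(gen_password)"
    emit_secret postgres-creds \
        "database-username=quay" \
        "database-password=$(gen_password)" \
        "database-root-password=$(gen_password)" \
        "database-name=quay"
    emit_secret redis-password "password=$(gen_password)"
}
```

Pipe the output of quay_secrets_manifest to `oc apply -f -` in the quay-enterprise project. The generated superuser password can be read back with `oc extract secret/quay-admin --to=-` when you log in to the dashboard.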

Create Quay Ecosystem Deployment Manifest

My Red Hat Quay ecosystem configuration file looks like this:

kind: QuayEcosystem
  name: quay-ecosystem
    enabled: true
    imagePullSecretName: redhat-pull-secret
    updateInterval: "60m"
    imagePullSecretName: redhat-pull-secret
    superuserCredentialsSecretName: quay-admin
    configSecretName: quay-config
    deploymentStrategy: RollingUpdate
    skipSetup: false
      credentialsSecretName: redis-password
      volumeSize: 10Gi
      credentialsSecretName: postgres-creds
      persistentVolumeSize: 20Gi
        - ReadWriteMany
      initialDelaySeconds: 120
        path: /health/instance
        port: 8443
        scheme: HTTPS
      initialDelaySeconds: 10
        path: /health/instance
        port: 8443
        scheme: HTTPS

Modify it to fit your use case. When done, apply the configuration:

oc apply -f quay-ecosystem.yaml
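The manifest refers to each secret only by name, so a misspelled or not-yet-created secret is easy to miss. This added example (not from the original article; the function names are illustrative) lists the secret names a manifest references and reports those absent from a list such as the output of `oc get secrets -o name`; it is worth running before the apply.

```shell
#!/bin/sh
# Added example, not from the original article: cross-check the secrets named
# in quay-ecosystem.yaml against the secrets that exist in the project.
# Usage: missing_secrets quay-ecosystem.yaml $(oc get secrets -o name)

# referenced_secrets FILE -> unique values of every key ending in "SecretName"
# (imagePullSecretName, configSecretName, credentialsSecretName, ...).
referenced_secrets() {
    sed -n 's/^[[:space:]]*[A-Za-z]*SecretName:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        tr -d "\"'" | sort -u
}

# missing_secrets FILE NAME... -> referenced secrets that are not among NAME...
# Each NAME may carry the "secret/" prefix printed by `oc get secrets -o name`.
missing_secrets() {
    file=$1
    shift
    for ref in $(referenced_secrets "$file"); do
        found=no
        for have in "$@"; do
            if [ "${have#secret/}" = "$ref" ]; then
                found=yes
            fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$ref"
        fi
    done
}
```

Empty output means every referenced secret exists; any name printed should be created or corrected first.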

Using Custom SSL Certificates

If you want to use custom SSL certificates with Quay, you need to create a secret with the key and the certificate:

oc create secret generic custom-quay-ssl \
   --from-file=ssl.key=example.key \
   --from-file=ssl.cert=<certificate-file>

Then modify your Ecosystem file to use the custom certificate secret:

    imagePullSecretName: redhat-pull-secret
    sslCertificatesSecretName: custom-quay-ssl

Wait a few minutes, then confirm the deployment:

$ oc get deployments
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
quay-ecosystem-clair              1/1     1            1           2m35s
quay-ecosystem-clair-postgresql   1/1     1            1           2m57s
quay-ecosystem-quay               1/1     1            1           3m45s
quay-ecosystem-quay-postgresql    1/1     1            1           5m8s
quay-ecosystem-redis              1/1     1            1           5m57s
quay-operator                     1/1     1            1           70m

$ oc get svc
NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
quay-ecosystem-clair              ClusterIP             6060/TCP,6061/TCP   4m
quay-ecosystem-clair-postgresql   ClusterIP           5432/TCP            3m58s
quay-ecosystem-quay               ClusterIP           443/TCP             5m38s
quay-ecosystem-quay-postgresql    ClusterIP           5432/TCP            6m15s
quay-ecosystem-redis              ClusterIP           6379/TCP            6m58s
quay-operator-metrics             ClusterIP           8383/TCP,8686/TCP   70m

Running pods in the project:

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
quay-ecosystem-clair-84b4d77654-cjwcr             1/1     Running   0          2m57s
quay-ecosystem-clair-postgresql-7c47b5955-qbc4s   1/1     Running   0          3m23s
quay-ecosystem-quay-66584ccbdb-8szts              1/1     Running   0          4m8s
quay-ecosystem-quay-postgresql-74bf8db7f8-vnrx9   1/1     Running   0          5m34s
quay-ecosystem-redis-7dcd5c58d6-p7xkn             1/1     Running   0          6m23s
quay-operator-764c99dcdb-k44cq                    1/1     Running   0          70m

Step 4: Access Quay Dashboard

Get a route URL for deployed Quay:

$ oc get route
quay-ecosystem-quay         quay-ecosystem-quay   8443   passthrough/Redirect   None

Open the URL on the machine with access to the cluster domain.


Use the credentials you configured to login to Quay registry.


And there you have it. You now have a Quay registry running on OpenShift using Operators. Refer to the documentation below for more help.

