diff --git a/deploy/k8s/clair-deployment.yaml b/deploy/k8s/clair-deployment.yaml
index 994c3770c7..3532d9b259 100644
--- a/deploy/k8s/clair-deployment.yaml
+++ b/deploy/k8s/clair-deployment.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 labels:
@@ -37,4 +37,4 @@ spec:
 volumes:
 - name: configvolume
 secret:
- secretName: clair-scanner-config-secret
\ No newline at end of file
+ secretName: clair-scanner-config-secret
diff --git a/deploy/k8s/postgres-clair-deployment.yaml b/deploy/k8s/postgres-clair-deployment.yaml
index 66cd62c663..93dcefb022 100644
--- a/deploy/k8s/postgres-clair-deployment.yaml
+++ b/deploy/k8s/postgres-clair-deployment.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 labels:
@@ -16,18 +16,21 @@ spec:
 labels:
 app: postgres-clair
 spec:
+ securityContext:
+ runAsUser: 0
+ fsGroup: 0
 containers:
 - env:
- - name: POSTGRESQL_USER
+ - name: POSTGRES_USER
 # Set the username for the Clair postgres database (clair by default)
 value: clair
- - name: POSTGRESQL_DATABASE
+ - name: POSTGRES_DATABASE
 # Set the name of the Clair postgres database
 value: clair
- - name: POSTGRESQL_PASSWORD
+ - name: POSTGRES_PASSWORD
 # Set the password for the Clair postgress user
 value: test123
- image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
+ image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
 imagePullPolicy: IfNotPresent
 name: postgres-clair
 ports:
@@ -36,9 +39,9 @@ spec:
 volumeMounts:
 - mountPath: /var/lib/pgsql/data
 name: postgredb
- serviceAccount: postgres
- serviceAccountName: postgres
+ serviceAccount: postgres
+ serviceAccountName: postgres
 volumes:
 - name: postgredb
 persistentVolumeClaim:
- claimName: postgres-clair-storage
\ No newline at end of file
+ claimName: postgres-clair-storage
diff --git a/deploy/k8s/postgres-deployment.yaml b/deploy/k8s/postgres-deployment.yaml
index c2f38bb1ff..b3ee5e018a 100644
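Review bot: The postgres-clair container now runs as root, because the pod `securityContext` added in the `@@ -16,18 +16,21 @@` hunk sets `runAsUser: 0` and `fsGroup: 0`; the same three lines are added in deploy/k8s/postgres-deployment.yaml. The hunk gives no reason for root (presumably write access to the volume mounted at /var/lib/pgsql/data), and a non-root UID with a matching `fsGroup` normally solves that without giving the database process root inside the container. I would drop `runAsUser: 0`, add `runAsNonRoot: true` with the UID the image expects, and set `fsGroup` to that image's group instead of 0. Separately, the password in the context lines is still a literal `value: test123`; a `valueFrom.secretKeyRef` would keep the credential out of version control.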
--- a/deploy/k8s/postgres-deployment.yaml
+++ b/deploy/k8s/postgres-deployment.yaml
@@ -1,38 +1,46 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: postgres
 namespace: quay-enterprise
+ labels:
+ app: postgres
 spec:
 # Only one instance of the postgres database is defined here. Adjust replicas based on demand.
 replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
 template:
 metadata:
 labels:
 app: postgres
 spec:
+ securityContext:
+ runAsUser: 0
+ fsGroup: 0
 containers:
 - name: postgres
- image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
+ image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35
 imagePullPolicy: "IfNotPresent"
 ports:
 - containerPort: 5432
 env:
- - name: POSTGRESQL_USER
+ - name: POSTGRES_USER
 # Replace "username" with a name for your Postgres user
 value: "username"
- - name: POSTGRESQL_DATABASE
+ - name: POSTGRES_DATABASE
 # Replace "password" with a password for your Postgres user
 value: "quay"
- - name: POSTGRESQL_PASSWORD
+ - name: POSTGRES_PASSWORD
 value: "password"
 volumeMounts:
 - mountPath: /var/lib/pgsql/data
 name: postgredb
- serviceAccount: postgres
- serviceAccountName: postgres
+ serviceAccount: postgres
+ serviceAccountName: postgres
 volumes:
 - name: postgredb
 persistentVolumeClaim:
- claimName: postgres-storage
\ No newline at end of file
+ claimName: postgres-storage
diff --git a/deploy/k8s/quay-enterprise-app-rc.yaml b/deploy/k8s/quay-enterprise-app-rc.yaml
index f65bf60457..1eb31e88a5 100644
--- a/deploy/k8s/quay-enterprise-app-rc.yaml
+++ b/deploy/k8s/quay-enterprise-app-rc.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: quay-enterprise
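Review bot: The container may start without the intended user, database and password, because the env vars are renamed from `POSTGRESQL_USER`/`POSTGRESQL_DATABASE`/`POSTGRESQL_PASSWORD` to `POSTGRES_*` while the image stays `registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35`, and as far as I know that image family reads the `POSTGRESQL_*` names. The same rename is made in deploy/k8s/postgres-clair-deployment.yaml, so please confirm which names the entrypoint consumes. If the rename targets a different image, note that the upstream postgres image uses `POSTGRES_DB` rather than `POSTGRES_DATABASE`. The context comment `# Replace "password" with a password for your Postgres user` sits above the database value `"quay"` instead of above `POSTGRES_PASSWORD`, and the password is a literal `value:`; I would move the comment and source the password with `valueFrom.secretKeyRef`.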
@@ -18,14 +18,17 @@ spec:
 labels:
 quay-enterprise-component: app
 spec:
+ securityContext:
+ fsGroup: 1001
 volumes:
 - name: configvolume
 secret:
- secretName: quay-enterprise-secret
+ secretName: quay-enterprise-config-secret
 containers:
 - name: quay-enterprise-app
 # Pick the Quay version you wish to run
- image: quay.io/redhat/quay:v3.1.0
+ image: quay.io/redhat/quay:v3.2.1
+ #8080 for non-ssl - useful when testing
 ports:
 - containerPort: 8443
 volumeMounts:
diff --git a/deploy/k8s/quay-enterprise-config-secret.yaml b/deploy/k8s/quay-enterprise-config-secret.yaml
index 1b74c4fa34..e08ed2c92b 100644
--- a/deploy/k8s/quay-enterprise-config-secret.yaml
+++ b/deploy/k8s/quay-enterprise-config-secret.yaml
@@ -3,4 +3,10 @@ apiVersion: v1
 kind: Secret
 metadata:
 namespace: quay-enterprise
- name: quay-enterprise-config-secret
\ No newline at end of file
+ name: quay-enterprise-config-secret
+data:
+ # I had success by doing this 2-step process.
+ # Step 1: Spin up the quay-config service and use that to generate a config.yml. Download the config.yml locally
+ # Step 2: Use the following command to generate the secret
+ # 'kubectl create secret generic quay-enterprise-config-secret --from-file=config.yaml'
+ config.yml:
diff --git a/deploy/k8s/quay-enterprise-config.yaml b/deploy/k8s/quay-enterprise-config.yaml
index 4b6647ec9d..0f5be055bc 100644
--- a/deploy/k8s/quay-enterprise-config.yaml
+++ b/deploy/k8s/quay-enterprise-config.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: quay-enterprise
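Review bot: The instructions added under `data:` in quay-enterprise-config-secret.yaml contradict the manifest: the quoted command uses `--from-file=config.yaml`, while Step 1 and the key below it say `config.yml`, and `--from-file` names the secret key after the file. Please confirm which file name the Quay container reads from the mounted config directory and use that one name in the comment, the command and the key. The command also omits the namespace although the Secret is declared in `quay-enterprise`, so I would write it as `# kubectl -n quay-enterprise create secret generic quay-enterprise-config-secret --from-file=<config-file>`. The bare `config.yml:` is a null value, and applying this file after the secret was created by hand may replace the real content, so the comment should say the file is only a template.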
@@ -17,12 +17,14 @@ spec:
 labels:
 quay-enterprise-component: config-app
 spec:
+ securityContext:
+ fsGroup: 1001
 containers:
 - name: quay-enterprise-config-app
- image: quay.io/redhat/quay:v3.1.0
+ image: quay.io/redhat/quay:v3.2.1
 ports:
 - containerPort: 8443
 command: ["/quay-registry/quay-entrypoint.sh"]
- args: ["config", "secret"]
+ args: ["config", "my-secret-password"]
 imagePullSecrets:
- - name: redhat-quay-pull-secret
\ No newline at end of file
+ - name: redhat-quay-pull-secret
diff --git a/deploy/k8s/quay-enterprise-mirror.yaml b/deploy/k8s/quay-enterprise-mirror.yaml
index 86b923d3bd..aa7b62957f 100644
--- a/deploy/k8s/quay-enterprise-mirror.yaml
+++ b/deploy/k8s/quay-enterprise-mirror.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: quay-enterprise
@@ -17,12 +17,23 @@ spec:
 labels:
 quay-enterprise-component: mirror-app
 spec:
+ securityContext:
+ fsGroup: 1001
+ volumes:
+ - name: configvolume
+ secret:
+ secretName: quay-enterprise-config-secret
 containers:
 - name: quay-enterprise-mirror-app
- image: quay.io/redhat/quay:v3.1.0
+ image: quay.io/redhat/quay:v3.2.1
 ports:
 - containerPort: 8443
 command: ["/quay-registry/quay-entrypoint.sh"]
 args: ["repomirror"]
+ volumeMounts:
+ - name: configvolume
+ readOnly: false
+ mountPath: /conf/stack
 imagePullSecrets:
- - name: redhat-quay-pull-secret
\ No newline at end of file
+ - name: redhat-quay-pull-secret
+
diff --git a/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml b/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml
index 7fb445ac05..0092ee0b9d 100644
--- a/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml
+++ b/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml
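Review bot: `args: ["config", "my-secret-password"]` in quay-enterprise-config.yaml keeps the config-tool password in the manifest as a literal, where it lands in version control and is readable by anyone who can view the pod spec. The previous value `"secret"` had the same problem, but since the line is being changed I would take the value from a Secret and reference it through Kubernetes `$(VAR)` expansion in `args`. The Secret name and key in the sketch below are placeholders, not names from this repository. The container entry starts and ends outside what the sketch shows.

```yaml
      containers:
        - name: quay-enterprise-config-app
          # … unchanged: image, ports, command …
          env:
            - name: QUAY_CONFIG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "<config-app-password-secret>"  # placeholder
                  key: "<password-key>"                 # placeholder
          args: ["config", "$(QUAY_CONFIG_PASSWORD)"]
```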
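Review bot: The new `volumeMounts` entry in quay-enterprise-mirror.yaml mounts the `quay-enterprise-config-secret` volume at `/conf/stack` with `readOnly: false`. The mirror worker should only need to read its configuration, so unless the entrypoint is known to write under that path I would set `readOnly: true` to make the intent explicit. The hunk also adds an empty line at the end of the file, which can be dropped.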
@@ -6,5 +6,5 @@ metadata:
 name: redhat-quay-pull-secret
 data:
 # Change to include the credentials shown from https://access.redhat.com/solutions/3533201
- .dockerconfigjson:
-type: kubernetes.io/dockerconfigjson
\ No newline at end of file
+ .dockerconfigjson:
+type: kubernetes.io/dockerconfigjson
diff --git a/deploy/k8s/quay-enterprise-redis.yaml b/deploy/k8s/quay-enterprise-redis.yaml
index 2a77f41d4b..13166e9e6b 100644
--- a/deploy/k8s/quay-enterprise-redis.yaml
+++ b/deploy/k8s/quay-enterprise-redis.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: quay-enterprise
@@ -36,4 +36,4 @@ spec:
 ports:
 - port: 6379
 selector:
- quay-enterprise-component: redis
\ No newline at end of file
+ quay-enterprise-component: redis
diff --git a/deploy/k8s/quay-postgres-service-account.yaml b/deploy/k8s/quay-postgres-service-account.yaml
new file mode 100644
index 0000000000..d1cf48e945
--- /dev/null
+++ b/deploy/k8s/quay-postgres-service-account.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: postgres
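Review bot: The new ServiceAccount in quay-postgres-service-account.yaml has no `metadata.namespace`, while the Deployment that uses `serviceAccountName: postgres` is declared in `quay-enterprise` (see deploy/k8s/postgres-deployment.yaml), so a plain `kubectl apply -f` would create the account in whatever namespace is current. I would add `namespace: quay-enterprise` under `metadata:`. Because the postgres pods are now set to run as UID 0, a comment in this file should also state what extra permission, if any, the account must be granted for such a pod to be admitted. If postgres never calls the Kubernetes API, `automountServiceAccountToken: false` keeps the token out of the container.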