From 3581bd206a161b5bb8d68a7a9eab2bfa20ca699c Mon Sep 17 00:00:00 2001 From: Brent Boe Date: Wed, 20 May 2020 16:02:17 -0700 Subject: [PATCH 1/5] Some initial changes to get things into a semi-working state. Still not entirely functional though More updates --- deploy/k8s/clair-deployment.yaml | 4 ++-- deploy/k8s/postgres-clair-deployment.yaml | 19 ++++++++------- deploy/k8s/postgres-deployment.yaml | 24 ++++++++++++------- deploy/k8s/quay-enterprise-app-rc.yaml | 4 ++-- deploy/k8s/quay-enterprise-config.yaml | 8 +++---- deploy/k8s/quay-enterprise-mirror.yaml | 6 ++--- ...ay-enterprise-redhat-quay-pull-secret.yaml | 4 ++-- deploy/k8s/quay-enterprise-redis.yaml | 4 ++-- deploy/k8s/quay-postgres-service-account.yaml | 5 ++++ 9 files changed, 47 insertions(+), 31 deletions(-) create mode 100644 deploy/k8s/quay-postgres-service-account.yaml diff --git a/deploy/k8s/clair-deployment.yaml b/deploy/k8s/clair-deployment.yaml index 994c3770c7..3532d9b259 100644 --- a/deploy/k8s/clair-deployment.yaml +++ b/deploy/k8s/clair-deployment.yaml @@ -1,5 +1,5 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: labels: @@ -37,4 +37,4 @@ spec: volumes: - name: configvolume secret: - secretName: clair-scanner-config-secret \ No newline at end of file + secretName: clair-scanner-config-secret diff --git a/deploy/k8s/postgres-clair-deployment.yaml b/deploy/k8s/postgres-clair-deployment.yaml index 66cd62c663..30faad3dc9 100644 --- a/deploy/k8s/postgres-clair-deployment.yaml +++ b/deploy/k8s/postgres-clair-deployment.yaml @@ -1,5 +1,5 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: labels: 
@@ -16,18 +16,21 @@ spec: labels: app: postgres-clair spec: + securityContext: + runAsUser: 0 + fsGroup: 0 containers: - env: - - name: POSTGRESQL_USER + - name: POSTGRES_USER # Set the username for the Clair postgres database (clair by default) value: clair - - name: POSTGRESQL_DATABASE + - name: POSTGRES_DATABASE # Set the name of the Clair postgres database value: clair - - name: POSTGRESQL_PASSWORD + - name: POSTGRES_PASSWORD # Set the password for the Clair postgress user value: test123 - image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35 + image: postgres:12 imagePullPolicy: IfNotPresent name: postgres-clair ports: @@ -36,9 +39,9 @@ spec: volumeMounts: - mountPath: /var/lib/pgsql/data name: postgredb - serviceAccount: postgres - serviceAccountName: postgres + serviceAccount: postgres + serviceAccountName: postgres volumes: - name: postgredb persistentVolumeClaim: - claimName: postgres-clair-storage \ No newline at end of file + claimName: postgres-clair-storage diff --git a/deploy/k8s/postgres-deployment.yaml b/deploy/k8s/postgres-deployment.yaml index c2f38bb1ff..7ea7b22691 100644 --- a/deploy/k8s/postgres-deployment.yaml +++ b/deploy/k8s/postgres-deployment.yaml 
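Review bot: The added pod-level `securityContext` with `runAsUser: 0` and `fsGroup: 0` runs the Clair database as root, and the same block is added in the postgres-deployment.yaml hunk that follows. A compromise of the database process would then start with root inside the pod and root-owned files on the persistent volume. Prefer the image's unprivileged database UID with a matching `fsGroup`, and add `runAsNonRoot: true`. The renamed `POSTGRES_PASSWORD` entry also still carries the literal `test123` (and `"password"` in postgres-deployment.yaml), so the credential is readable in the repository and in the Deployment object; it should come from a Secret as sketched below. The container spec continues outside the hunk.

```yaml
# … unchanged: POSTGRES_USER and POSTGRES_DATABASE entries …
- name: POSTGRES_PASSWORD
  # Set the password for the Clair postgres user
  valueFrom:
    secretKeyRef:
      # placeholder names: create this Secret out of band, not in the repo
      name: <postgres-clair-credentials>
      key: <password-key>
```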
@@ -1,38 +1,46 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: postgres namespace: quay-enterprise + labels: + app: postgres spec: # Only one instance of the postgres database is defined here. Adjust replicas based on demand. replicas: 1 + selector: + matchLabels: + app: postgres template: metadata: labels: app: postgres spec: + securityContext: + runAsUser: 0 + fsGroup: 0 containers: - name: postgres - image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35 + image: postgres:12 imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432 env: - - name: POSTGRESQL_USER + - name: POSTGRES_USER # Replace "username" with a name for your Postgres user value: "username" - - name: POSTGRESQL_DATABASE + - name: POSTGRES_DATABASE # Replace "password" with a password for your Postgres user value: "quay" - - name: POSTGRESQL_PASSWORD + - name: POSTGRES_PASSWORD value: "password" volumeMounts: - mountPath: /var/lib/pgsql/data name: postgredb - serviceAccount: postgres - serviceAccountName: postgres + serviceAccount: postgres + serviceAccountName: postgres volumes: - name: postgredb persistentVolumeClaim: - claimName: postgres-storage \ No newline at end of file + claimName: postgres-storage diff --git a/deploy/k8s/quay-enterprise-app-rc.yaml b/deploy/k8s/quay-enterprise-app-rc.yaml index f65bf60457..c7b4e0515c 100644 --- a/deploy/k8s/quay-enterprise-app-rc.yaml +++ b/deploy/k8s/quay-enterprise-app-rc.yaml @@ -1,5 +1,5 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: namespace: quay-enterprise @@ -25,7 +25,7 @@ spec: containers: - name: quay-enterprise-app # Pick the Quay version you wish to run - image: quay.io/redhat/quay:v3.1.0 + image: quay.io/redhat/quay:v3.2.1 ports: - containerPort: 8443 volumeMounts: diff --git a/deploy/k8s/quay-enterprise-config.yaml b/deploy/k8s/quay-enterprise-config.yaml index 4b6647ec9d..930c0cb495 100644 --- a/deploy/k8s/quay-enterprise-config.yaml 
+++ b/deploy/k8s/quay-enterprise-config.yaml @@ -1,5 +1,5 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: namespace: quay-enterprise @@ -19,10 +19,10 @@ spec: spec: containers: - name: quay-enterprise-config-app - image: quay.io/redhat/quay:v3.1.0 + image: quay.io/redhat/quay:v3.2.1 ports: - containerPort: 8443 command: ["/quay-registry/quay-entrypoint.sh"] - args: ["config", "secret"] + args: ["config", "my-secret-password"] imagePullSecrets: - - name: redhat-quay-pull-secret \ No newline at end of file + - name: redhat-quay-pull-secret diff --git a/deploy/k8s/quay-enterprise-mirror.yaml b/deploy/k8s/quay-enterprise-mirror.yaml index 86b923d3bd..29d41a781b 100644 --- a/deploy/k8s/quay-enterprise-mirror.yaml +++ b/deploy/k8s/quay-enterprise-mirror.yaml @@ -1,5 +1,5 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: namespace: quay-enterprise @@ -19,10 +19,10 @@ spec: spec: containers: - name: quay-enterprise-mirror-app - image: quay.io/redhat/quay:v3.1.0 + image: quay.io/redhat/quay:v3.2.1 ports: - containerPort: 8443 command: ["/quay-registry/quay-entrypoint.sh"] args: ["repomirror"] imagePullSecrets: - - name: redhat-quay-pull-secret \ No newline at end of file + - name: redhat-quay-pull-secret diff --git a/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml b/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml index 7fb445ac05..0092ee0b9d 100644 --- a/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml +++ b/deploy/k8s/quay-enterprise-redhat-quay-pull-secret.yaml @@ -6,5 +6,5 @@ metadata: name: redhat-quay-pull-secret data: # Change to include the credentials shown from https://access.redhat.com/solutions/3533201 - .dockerconfigjson: -type: kubernetes.io/dockerconfigjson \ No newline at end of file + .dockerconfigjson: +type: kubernetes.io/dockerconfigjson 
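Review bot: The config-app password is written as a literal in `args: ["config", "my-secret-password"]` in the quay-enterprise-config.yaml hunk, so anyone who can read the repository or run `kubectl get deployment -o yaml` in the namespace learns it. Anyone who applies the file unchanged also ships a publicly known password for the configuration UI. Kubernetes expands `$(VAR)` references in `args`, so the value can be taken from a Secret-backed environment variable. The variable and Secret names in the sketch are constructed placeholders. The rest of the pod spec is outside the hunk.

```yaml
- name: quay-enterprise-config-app
  # … unchanged: image, ports …
  env:
    - name: CONFIG_APP_PASSWORD        # constructed name, used only for $(…) expansion
      valueFrom:
        secretKeyRef:
          name: <config-app-credentials>   # placeholder
          key: <password-key>              # placeholder
  command: ["/quay-registry/quay-entrypoint.sh"]
  args: ["config", "$(CONFIG_APP_PASSWORD)"]
```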
diff --git a/deploy/k8s/quay-enterprise-redis.yaml b/deploy/k8s/quay-enterprise-redis.yaml index 2a77f41d4b..13166e9e6b 100644 --- a/deploy/k8s/quay-enterprise-redis.yaml +++ b/deploy/k8s/quay-enterprise-redis.yaml @@ -1,5 +1,5 @@ --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: namespace: quay-enterprise @@ -36,4 +36,4 @@ spec: ports: - port: 6379 selector: - quay-enterprise-component: redis \ No newline at end of file + quay-enterprise-component: redis diff --git a/deploy/k8s/quay-postgres-service-account.yaml b/deploy/k8s/quay-postgres-service-account.yaml new file mode 100644 index 0000000000..d1cf48e945 --- /dev/null +++ b/deploy/k8s/quay-postgres-service-account.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: postgres From a030ca886ae2b4c2a0efd9c5ee6ebd8f413fdda8 Mon Sep 17 00:00:00 2001 From: Brent Boe Date: Tue, 2 Jun 2020 12:49:55 -0700 Subject: [PATCH 2/5] Fixed mirror config --- deploy/k8s/postgres-clair-deployment.yaml | 2 +- deploy/k8s/quay-enterprise-app-rc.yaml | 5 ++++- deploy/k8s/quay-enterprise-mirror.yaml | 11 +++++++++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/deploy/k8s/postgres-clair-deployment.yaml b/deploy/k8s/postgres-clair-deployment.yaml index 30faad3dc9..2c38bcedf9 100644 --- a/deploy/k8s/postgres-clair-deployment.yaml +++ b/deploy/k8s/postgres-clair-deployment.yaml @@ -30,7 +30,7 @@ spec: - name: POSTGRES_PASSWORD # Set the password for the Clair postgress user value: test123 - image: postgres:12 + image: postgres:12 imagePullPolicy: IfNotPresent name: postgres-clair ports: diff --git a/deploy/k8s/quay-enterprise-app-rc.yaml b/deploy/k8s/quay-enterprise-app-rc.yaml index c7b4e0515c..1eb31e88a5 100644 --- a/deploy/k8s/quay-enterprise-app-rc.yaml +++ b/deploy/k8s/quay-enterprise-app-rc.yaml 
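Review bot: The new `ServiceAccount` in quay-postgres-service-account.yaml has no `metadata.namespace`, while the Deployments that reference `serviceAccountName: postgres` are pinned to `namespace: quay-enterprise`. The account is therefore created in whatever namespace the `kubectl` context points at, and the pods fail to schedule if that is not `quay-enterprise`; add `namespace: quay-enterprise` under `metadata`. Nothing visible in this series has the database pods calling the Kubernetes API, so it is also worth adding `automountServiceAccountToken: false` to keep an API token out of the database containers.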
@@ -18,14 +18,17 @@ spec: labels: quay-enterprise-component: app spec: + securityContext: + fsGroup: 1001 volumes: - name: configvolume secret: - secretName: quay-enterprise-secret + secretName: quay-enterprise-config-secret containers: - name: quay-enterprise-app # Pick the Quay version you wish to run image: quay.io/redhat/quay:v3.2.1 + #8080 for non-ssl - useful when testing ports: - containerPort: 8443 volumeMounts: diff --git a/deploy/k8s/quay-enterprise-mirror.yaml b/deploy/k8s/quay-enterprise-mirror.yaml index 29d41a781b..aa7b62957f 100644 --- a/deploy/k8s/quay-enterprise-mirror.yaml +++ b/deploy/k8s/quay-enterprise-mirror.yaml @@ -17,6 +17,12 @@ spec: labels: quay-enterprise-component: mirror-app spec: + securityContext: + fsGroup: 1001 + volumes: + - name: configvolume + secret: + secretName: quay-enterprise-config-secret containers: - name: quay-enterprise-mirror-app image: quay.io/redhat/quay:v3.2.1 @@ -24,5 +30,10 @@ spec: - containerPort: 8443 command: ["/quay-registry/quay-entrypoint.sh"] args: ["repomirror"] + volumeMounts: + - name: configvolume + readOnly: false + mountPath: /conf/stack imagePullSecrets: - name: redhat-quay-pull-secret + From 513b510f1f89946b527f719290d393c29fada712 Mon Sep 17 00:00:00 2001 From: Brent Boe Date: Tue, 2 Jun 2020 12:50:22 -0700 Subject: [PATCH 3/5] Updated config yaml --- deploy/k8s/quay-enterprise-config.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy/k8s/quay-enterprise-config.yaml b/deploy/k8s/quay-enterprise-config.yaml index 930c0cb495..0f5be055bc 100644 --- a/deploy/k8s/quay-enterprise-config.yaml +++ b/deploy/k8s/quay-enterprise-config.yaml @@ -17,6 +17,8 @@ spec: labels: quay-enterprise-component: config-app spec: + securityContext: + fsGroup: 1001 containers: - name: quay-enterprise-config-app image: quay.io/redhat/quay:v3.2.1 From 60983a8a60a36b37cbc24567a975aa4e18f83f8a Mon Sep 17 00:00:00 2001 
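Review bot: The new `volumeMounts` entry in quay-enterprise-mirror.yaml mounts the registry configuration Secret at `/conf/stack` with `readOnly: false`. Secret volumes are not a place for the workload to persist changes, and a mirror worker should only need to read its configuration, so declaring the mount writable misstates the intent and hides any code path that tries to modify the config. Unless the entrypoint is known to write under `/conf/stack`, use `readOnly: true`. A short comment on the added `fsGroup: 1001` would also help, stating which UID/GID the Quay image runs as, since the value is otherwise unexplained in all three Deployments that gain it.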
From: Brent Boe Date: Tue, 2 Jun 2020 12:51:52 -0700 Subject: [PATCH 4/5] updated config secret --- deploy/k8s/quay-enterprise-config-secret.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deploy/k8s/quay-enterprise-config-secret.yaml b/deploy/k8s/quay-enterprise-config-secret.yaml index 1b74c4fa34..e08ed2c92b 100644 --- a/deploy/k8s/quay-enterprise-config-secret.yaml +++ b/deploy/k8s/quay-enterprise-config-secret.yaml @@ -3,4 +3,10 @@ apiVersion: v1 kind: Secret metadata: namespace: quay-enterprise - name: quay-enterprise-config-secret \ No newline at end of file + name: quay-enterprise-config-secret +data: + # I had success by doing this 2-step process. + # Step 1: Spin up the quay-config service and use that to generate a config.yml. Download the config.yml locally + # Step 2: Use the following command to generate the secret + # 'kubectl create secret generic quay-enterprise-config-secret --from-file=config.yaml' + config.yml: From 6674d16a5e8be00e62f1308be6165c641167df72 Mon Sep 17 00:00:00 2001 From: Brent Boe Date: Fri, 5 Jun 2020 11:52:34 -0700 Subject: [PATCH 5/5] reverting postgres back, per comments --- deploy/k8s/postgres-clair-deployment.yaml | 2 +- deploy/k8s/postgres-deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/k8s/postgres-clair-deployment.yaml b/deploy/k8s/postgres-clair-deployment.yaml index 2c38bcedf9..93dcefb022 100644 --- a/deploy/k8s/postgres-clair-deployment.yaml +++ b/deploy/k8s/postgres-clair-deployment.yaml @@ -30,7 +30,7 @@ spec: - name: POSTGRES_PASSWORD # Set the password for the Clair postgress user value: test123 - image: postgres:12 + image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35 imagePullPolicy: IfNotPresent name: postgres-clair ports: diff --git a/deploy/k8s/postgres-deployment.yaml b/deploy/k8s/postgres-deployment.yaml index 7ea7b22691..b3ee5e018a 100644 --- a/deploy/k8s/postgres-deployment.yaml +++ b/deploy/k8s/postgres-deployment.yaml 
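Review bot: The instructions added to quay-enterprise-config-secret.yaml do not agree with the manifest key. Step 1 and the `data` key use `config.yml`, while the quoted command uses `--from-file=config.yaml`, which names the Secret key after that file. The resulting key can therefore differ from the file name the registry looks for under `/conf/stack`. Make the three names identical and add `-n quay-enterprise` to the command, since the Secret is declared in that namespace. The bare `config.yml:` value is null, so applying this file after running the command may replace the populated Secret with an empty one; a comment stating that the manifest is a placeholder and should not be applied once the Secret exists would avoid that.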
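Review bot: The revert in postgres-clair-deployment.yaml restores only the `image:` line, so the context still shows `POSTGRES_PASSWORD`, the name introduced in patch 1 for `postgres:12`. Before patch 1 the file used `POSTGRESQL_USER`, `POSTGRESQL_DATABASE` and `POSTGRESQL_PASSWORD` with this Red Hat image, so the restored image will most likely not see its credentials or database name and may refuse to initialise. The `runAsUser: 0` / `fsGroup: 0` block added for the upstream image is also left in place (visible as context in the postgres-deployment.yaml hunk that follows), although the manifests ran this image without it before. Revert the three variable names and the root `securityContext` in both files together with the image.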
@@ -22,7 +22,7 @@ spec: fsGroup: 0 containers: - name: postgres - image: postgres:12 + image: registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-35 imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432