Deploy Project Quay on OpenShift with the Quay Operator

apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: example-registry
spec:
  components:
    - kind: horizontalpodautoscaler
      managed: false

:leveloffset!:

// TODO 36
//include::modules/operator-customize-external-access.adoc[leveloffset=+2]
//include::modules/operator-disable-route.adoc[leveloffset=+2]


== Quay Operator features
// TODO 36 MOVE Helm to Use Quay guide, and fix up

//include::modules/helm-oci-intro.adoc[leveloffset=+2]
//include::modules/helm-oci-prereqs.adoc[leveloffset=+3]
//include::modules/helm-oci-quay.adoc[leveloffset=+3]
//include::modules/config-fields-helm-oci.adoc[leveloffset=+3]
//include::modules/operator-helm-oci.adoc[leveloffset=+3]

:leveloffset: +2

[[operator-console-monitoring-alerting]]
= Console monitoring and alerting

{productname} {producty} provides support for monitoring Quay instances that were deployed using the Operator, from inside the OpenShift console. The new monitoring features include a Grafana dashboard, access to individual metrics, and alerting to notify for frequently restarting Quay pods.

[NOTE]
====
To enable the monitoring features, the Operator must be installed in  "all namespaces" mode.
====

== Dashboard

In the OpenShift console, navigate to Monitoring -> Dashboards and search for the dashboard of your desired Quay registry instance:

image:choose-dashboard.png[Choose Quay dashboard]

The dashboard shows various statistics including:

* The number of Organizations, Repositories, Users and Robot accounts
* CPU Usage and Max Memory Usage
* Rates of Image Pulls and Pushes, and Authentication requests
* API request rate
* Latencies

image:console-dashboard-1.png[Console dashboard]

== Metrics

You can see the underlying metrics behind the Quay dashboard, by accessing Monitoring -> Metrics in the UI. In the Expression field, enter the text `quay_` to see the list of metrics available:

image:quay-metrics.png[Quay metrics]

Select a sample metric, for example, `quay_org_rows`:

image:quay-metrics-org-rows.png[Number of Quay organizations]

This metric shows the number of organizations in the registry, and it is directly surfaced in the dashboard as well.

== Alerting

An alert is raised if the Quay pods restart too often. The alert can be configured by accessing the Alerting rules tab from Monitoring -> Alerting in the consol UI and searching for the Quay-specific alert:

image:alerting-rules.png[Alerting rules]

Select the QuayPodFrequentlyRestarting rule detail to configure the alert:

image:quay-pod-frequently-restarting.png[Alerting rule details]


:leveloffset: 2


:leveloffset: +2

[[clair-openshift-airgap-update]]
=  Manually updating the vulnerability databases for Clair in an air-gapped OpenShift cluster

Clair utilizes packages called `updaters` that encapsulate the logic of fetching and parsing different vulnerability databases. Clair supports running updaters in a different environment and importing the results. This is aimed at supporting installations that disallow the Clair cluster from talking to the Internet directly.

To manually update the vulnerability databases for Clair in an air-gapped OpenShift cluster, use the following steps:

* Obtain the `clairctl` program
* Retrieve the Clair config
* Use `clairctl` to export the updaters bundle from a Clair instance that has access to the internet
* Update the Clair config in the air-gapped OpenShift cluster to allow access to the Clair database
* Transfer the updaters bundle from the system with internet access, to make it available inside the air-gapped environment
* Use `clairctl` to import the updaters bundle into the Clair instance for the air-gapped OpenShift cluster

:leveloffset: 2
:leveloffset: +3

[[clair-clairctl]]
= Obtaining clairctl

To obtain the `clairctl` program from a Clair deployment in an OpenShift cluster, use the `oc cp` command, for example:

For a standalone Clair deployment, use the `podman cp` command, for example:

:leveloffset: 2
==== Retrieving the Clair config
:leveloffset: +4

[[clair-openshift-config]]
= Clair on OpenShift config

To retrieve the configuration file for a Clair instance deployed using the OpenShift Operator, retrieve and decode the config secret using the appropriate namespace, and save it to file, for example:

An excerpt from a Clair configuration file is shown below:

.clair-config.yaml
[source,yaml]

:leveloffset: 2
:leveloffset: +4

[[clair-standalone-config-location]]
= Standalone Clair config

For standalone Clair deployments, the config file is the one specified in CLAIR_CONF environment variable in the `podman run` command, for example:

[subs="verbatim,attributes"]
....
sudo podman run -d --rm --name clairv4 \
  -p 8081:8081 -p 8089:8089 \
  -e CLAIR_CONF=/clair/config.yaml -e CLAIR_MODE=combo \
  -v /etc/clairv4/config:/clair:Z \
  {productrepo}/{clairimage}:{productminv}
....

:leveloffset: 2
:leveloffset: +3

[[clair-export-bundle]]
= Exporting the updaters bundle

From a Clair instance that has access to the internet, use `clairctl` with the appropriate configuration file to export the updaters bundle:

:leveloffset: 2
:leveloffset: +3

[[clair-openshift-airgap-database]]
= Configuring access to the Clair database in the air-gapped OpenShift cluster

* Use `kubectl` to determine the Clair database service:
+

* Forward the Clair database port so that it is accessible from the local machine, for example:
+

* Update the Clair configuration file, replacing the value of the `host` in the multiple `connstring` fields with `localhost`, for example:
+
.clair-config.yaml
[source,yaml]

[NOTE]
====
As an alternative to using `kubectl port-forward`, you can use `kubefwd` instead. With this method, there is no need to modify the `connstring` field in the Clair configuration file to use `localhost`.
====

:leveloffset: 2
:leveloffset: +3

[[clair-openshift-airgap-import-bundle]]
= Importing the updaters bundle into the air-gapped environment

After transferring the updaters bundle to the air-gapped environment, use `clairctl` to import the bundle into the Clair database deployed by the OpenShift Operator:

:leveloffset: 2


:leveloffset: +2

[[fips-overview]]
= FIPS readiness and compliance

FIPS (the Federal Information Processing Standard developed by the National Institute of Standards and Technology, NIST) is regarded as the gold standard for securing and encrypting sensitive data, particularly in heavily regulated areas such as banking, healthcare and the public sector. Red Hat Enterprise Linux and Red Hat OpenShift Container Platform support this standard by providing a FIPS mode in which the system would only allow usage of certain, FIPS-validated cryptographic modules, like `openssl`. This ensures FIPS compliance.


{productname} supports running on RHEL and OCP in FIPS mode in production since version 3.5. Furthermore, {productname} itself also commits to exclusively using cryptography libraries that are validated or are in the process of being validated by NIST. {productname} 3.5 has pending FIPS 140-2 validation based on the RHEL 8.3 cryptography libraries. As soon as that validation is finalized, {productname} will be officially FIPS compliant.



:leveloffset: 2


:leveloffset: +1

= Advanced Concepts



:leveloffset: 2
:leveloffset: +2

[[operator-deploy-infrastructure]]
= Deploying Quay on infrastructure nodes

By default, Quay-related pods are placed on arbitrary worker nodes when using the Operator to deploy the registry. The OpenShift Container Platform documentation shows how to use machine sets to configure nodes to only host infrastructure components (see link:https://docs.openshift.com/container-platform/4.7/machine_management/creating-infrastructure-machinesets.html[]).


If you are not using OCP MachineSet resources to deploy infra nodes, this section shows you how to manually label and taint nodes for infrastructure purposes.

Once you have your configured your infrastructure nodes, either manually or using machine sets, you can then control the placement of Quay pods on these nodes using node selectors and tolerations.

== Label and taint nodes for infrastructure use

In the cluster used in this example, there are three master nodes and six worker nodes:

Label the final three worker nodes for infrastructure use:

Now, when you list the nodes in the cluster, the last 3 worker nodes will have an added role of `infra`:

With an infra node being assigned as a worker, there is a chance that user workloads could get inadvertently assigned to an infra node. To avoid this, you can apply a taint to the infra node and then add tolerations for the pods you want to control.

== Create a Project with node selector and toleration

If you have already deployed Quay using the Quay Operator, remove the installed operator and any specific namespace(s) you created for the deployment.

Create a Project resource, specifying a node selector and toleration as shown in the following example:

.quay-registry.yaml

Use the `oc apply` command to create the project:

Any subsequent resources created in the `quay-registry` namespace should now be scheduled on the dedicated infrastructure nodes.


== Install the Quay Operator in the namespace

When installing the Quay Operator, specify the appropriate project namespace explicitly, in this case `quay-registry`. This will result in the operator pod itself landing on one of the three infrastructure nodes:

== Create the registry

Create the registry as explained earlier, and then wait for the deployment to be ready. When you list the Quay pods, you should now see that they have only been scheduled on the three nodes that you have labelled for infrastructure purposes:

:leveloffset: 2
:leveloffset: +2

[[monitoring-single-namespace]]
= Enabling monitoring when Operator is installed in a single namespace

When {productname} Operator is installed in a single namespace, the monitoring component is unmanaged. To configure monitoring, you need to enable it for user-defined namespaces in OpenShift Container Platform. For more information, see the OCP documentation for link:https://docs.openshift.com/container-platform/4.7/monitoring/configuring-the-monitoring-stack.html[Configuring the monitoring stack] and link:https://docs.openshift.com/container-platform/4.7/monitoring/enabling-monitoring-for-user-defined-projects.html[Enabling monitoring for user-defined projects].

The following steps show you how to configure monitoring for Quay, based on the OCP documentation.

== Creating a cluster monitoring config map

. Check whether the `cluster-monitoring-config` ConfigMap object exists:
+
```
$ oc -n openshift-monitoring get configmap cluster-monitoring-config

Error from server (NotFound): configmaps "cluster-monitoring-config" not found
```

. If the ConfigMap object does not exist: 
.. Create the following YAML manifest. In this example, the file is called `cluster-monitoring-config.yaml`:
+

.. Create the ConfigMap object:
+

+

== Creating a user-defined workload monitoring config map

. Check whether the `user-workload-monitoring-config` ConfigMap object exists:
+

. If the ConfigMap object does not exist:
.. Create the following YAML manifest. In this example, the file is called `user-workload-monitoring-config.yaml`:
+

.. Create the ConfigMap object:
+

== Enable monitoring for user-defined projects

. Check whether monitoring for user-define projects is runnning:
+

. Edit the  `cluster-monitoring-config` ConfigMap:
+

 
. Set `enableUserWorkload: true` to enable monitoring for user-defined projects on the cluster:
+
[source,yaml]

. Save the file to apply the changes and then check that the appropriate pods are running:
+

 

== Create a Service object to expose Quay metrics

. Create a YAML file for the Service object:
+

 
 
. Create the Service object:
+

== Create a ServiceMonitor object

Configure OpenShift Monitoring to scrape the metrics by creating a ServiceMonitor resource.


. Create a YAML file for the ServiceMonitor resource:
+

. Create the ServiceMonitor:
+

== View the metrics in OpenShift

You can access the metrics in the OpenShift console under  Monitoring -> Metrics. In the Expression field, enter the text `quay_` to see the list of metrics available:

image:metrics-single-namespace.png[Quay metrics]


For example, if you have added users to your registry, select the `quay-users_rows` metric:

image:metrics-single-namespace-users.png[Quay metrics]

:leveloffset: 2
:leveloffset: +2

[[operator-resize-storage]]
= Resizing Managed Storage

The Quay Operator creates default object storage using the defaults provided by RHOCS when creating a `NooBaa` object (50 Gib).  There are two ways to extend this storage; you can resize an existing PVC or add more PVCs to a new storage pool.

== Resize Noobaa PVC

. Log into the OpenShift console and select `Storage` -> `Persistent Volume Claims`.
. Select the `PersistentVolumeClaim` named like `noobaa-default-backing-store-noobaa-pvc-*`.
. From the Action menu, select `Expand PVC`.
. Enter the new size of the Persistent Volume Claim and select `Expand`.

After a few minutes (depending on the size of the PVC), the expanded size should reflect in the PVC's `Capacity` field.

[NOTE]
====
Expanding CSI volumes is a Technology Preview feature only. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/storage/expanding-persistent-volumes[].
====

== Add Another Storage Pool

. Log into the OpenShift console and select `Networking` -> `Routes`.  Make sure the `openshift-storage` project is selected.
. Click on the `Location` field for the `noobaa-mgmt` Route.
. Log into the Noobaa Management Console.
. On the main dashboard, under `Storage Resources`, select `Add Storage Resources`.
. Select `Deploy Kubernetes Pool`
. Enter a new pool name.  Click `Next`.
. Choose the number of Pods to manage the pool and set the size per node.  Click `Next`.
. Click `Deploy`.

After a few minutes, the additional storage pool will be added to the Noobaa resources and available for use by {productname}.


:leveloffset: 2
:leveloffset: +2

[[operator-customize-images]]
= Customizing Default Operator Images

[NOTE]
====
Using this mechanism is not supported for production Quay environments and is strongly encouraged only for development/testing purposes.  There is no guarantee your deployment will work correctly when using non-default images with the Quay Operator.
====

In certain circumstances, it may be useful to override the default images used by the Operator.  This can be done by setting one or more environment variables in the Quay Operator `ClusterServiceVersion`.

== Environment Variables
The following environment variables are used in the Operator to override component images:

[cols=2*]
|===
|Environment Variable
|Component

|`RELATED_IMAGE_COMPONENT_QUAY`
|`base`

|`RELATED_IMAGE_COMPONENT_CLAIR`
|`clair`

|`RELATED_IMAGE_COMPONENT_POSTGRES`
|`postgres` and `clair` databases

|`RELATED_IMAGE_COMPONENT_REDIS`
|`redis`
|===

[NOTE]
====
Override images *must* be referenced by manifest (@sha256:), not by tag (:latest).
====

== Applying Overrides to a Running Operator

When the Quay Operator is installed in a cluster via the link:https://docs.openshift.com/container-platform/4.6/operators/understanding/olm/olm-understanding-olm.html[Operator Lifecycle Manager (OLM)], the managed component container images can be easily overridden by modifying the `ClusterServiceVersion` object, which is OLM's representation of a running Operator in the cluster. Find the Quay Operator's `ClusterServiceVersion` either by using a Kubernetes UI or `kubectl`/`oc`:

```
$ oc get clusterserviceversions -n <your-namespace>
```

Using the UI, `oc edit`, or any other method, modify the Quay `ClusterServiceVersion` to include the environment variables outlined above to point to the override images:

*JSONPath*: `spec.install.spec.deployments[0].spec.template.spec.containers[0].env`

[source,yaml]

Note that this is done at the Operator level, so every QuayRegistry will be deployed using these same overrides.




:leveloffset: 2
:leveloffset: +2

[[operator-cloudfront]]
= AWS S3 CloudFront

If you use AWS S3 CloudFront for backend registry storage, specify the private key as shown in the following example:
....
$ oc create secret generic --from-file config.yaml=./config_awss3cloudfront.yaml --from-file default-cloudfront-signing-key.pem=./default-cloudfront-signing-key.pem test-config-bundle
....

:leveloffset: 2



:leveloffset: +1

[[operator-upgrade]]
= Upgrading Quay using the Quay Operator

The Quay Operator follows a _synchronized versioning_ scheme, which means that each version of the Operator is tied to the version of Quay and its components which it manages. There is no field on the `QuayRegistry` custom resource which sets the version of Quay to deploy; the Operator only knows how to deploy a single version of all components. This scheme was chosen to ensure that all components work well together and to reduce the complexity of the Operator needing to know how to manage the lifecycles of many different versions of Quay on Kubernetes.

== Operator Lifecycle Manager

The Quay Operator should be installed and upgraded using the link:https://docs.openshift.com/container-platform/4.6/operators/understanding/olm/olm-understanding-olm.html[Operator Lifecycle Manager (OLM)]. When creating a `Subscription` with the default `approvalStrategy: Automatic`, OLM will automatically upgrade the Quay Operator whenever a new version becomes available.

[WARNING]
====
When the Quay Operator is installed via Operator Lifecycle Manager it may be configured to support automatic or manual upgrades.  This option is shown on the Operator Hub page for the Quay Operator during installation.  It can also be found in the Quay Operator `Subscription` object via the `approvalStrategy` field.  Choosing `Automatic` means that your Quay Operator will automatically be upgraded whenever a new Operator version is released.  If this is not desireable, then the `Manual` approval strategy should be selected.
====


== Upgrading Quay by upgrading the Quay Operator

The general approach for upgrading installed Operators on OpenShift is documented at link:https://docs.openshift.com/container-platform/4.7/operators/admin/olm-upgrading-operators.html[Upgrading installed Operators].

[NOTE]
====
In general, {productname} only supports upgrading from one minor version to the next, for example, 3.4 -> 3.5.

However, for v3.6, multiple upgrade paths are supported:

* 3.3 -> 3.6
* 3.4 -> 3.6
* 3.5 -> 3.6

TODO more details here
====


=== Upgrading Quay
From a {productname} point of view, to update from one minor version to the next, for example, 3.4 -> 3.5, you need to actively change the update channel for the Quay Operator.

For `z` stream upgrades, for example, 3.4.2 -> 3.4.3, updates are released in the major-minor channel that the user initially selected during install. The procedure to perform a `z` stream upgrade depends on the `approvalStrategy` as outlined above. If the approval strategy is set to `Automatic`, the Operator will upgrade automatically to the newest `z` stream, resulting in automatic, rolling Quay updates to newer `z` streams with little to no downtime. Otherwise, the update must be manually approved before installation can begin.


=== Changing the update channel for an Operator

The subscription of an installed Operator specifies an update channel, which is used to track and receive updates for the Operator. To upgrade the Quay Operator to start tracking and receiving updates from a newer channel, change the update channel in the *Subscription* tab for the installed Quay Operator. For subscriptions with an `Automatic` approval strategy, the upgrade begins automatically and can be monitored on the page that lists the Installed Operators.



=== Manually approving a pending Operator upgrade

If an installed Operator has the approval strategy in its subscription set to `Manual`, when new updates are released in its current update channel, the update must be manually approved before installation can begin. If the Quay Operator has a pending upgrade, this status will be displayed in the list of Installed Operators. In the `Subscription` tab for the Quay Operator, you can preview the install plan and review the resources that are listed as available for upgrade. If satisfied, click `Approve` and return to the page that lists Installed Operators to monitor the progress of the upgrade.

The following image shows the *Subscription* tab in the UI, including the update `Channel`, the `Approval` strategy, the `Upgrade status` and the `InstallPlan`:

image:update-channel-approval-strategy.png[Subscription tab including upgrade Channel and Approval strategy]

The list of Installed Operators provides a high-level summary of the current Quay installation:

image:installed-operators-list.png[Installed Operators]


== Upgrading a QuayRegistry

When the Quay Operator starts up, it immediately looks for any `QuayRegistries` it can find in the namespace(s) it is configured to watch. When it finds one, the following logic is used:

* If `status.currentVersion` is unset, reconcile as normal.
* If `status.currentVersion` equals the Operator version, reconcile as normal.
* If `status.currentVersion` does not equal the Operator version, check if it can be upgraded. If it can, perform upgrade tasks and set the `status.currentVersion` to the Operator's version once complete. If it cannot be upgraded, return an error and leave the `QuayRegistry` and its deployed Kubernetes objects alone.

== Enabling features in Quay 3.6

=== Console monitoring and alerting

The support for monitoring of Quay 3.6 in the OpenShift console requires that the Operator is installed in all namespaces. If you previously installed the Operator in a specific namespace, delete the Operator itself and re-install it for all namespaces, once the upgrade has taken place.

=== OCI and Helm support

Support for Helm and some OCI artifacts is now enabled by default in {productname} {producty}. If you want to explicitly enable the feature, for example, if you are upgrading from a version where it is not enabled by default, you need to reconfigure your Quay deployment to enable the use of OCI artifacts using the following properties:

TODO

////
[source,yaml]

////

== Upgrading a QuayEcosystem

Upgrades are supported from previous versions of the Operator which used the `QuayEcosystem` API for a limited set of configurations. To ensure that migrations do not happen unexpectedly, a special label needs to be applied to the `QuayEcosystem` for it to be migrated. A new `QuayRegistry` will be created for the Operator to manage, but the old `QuayEcosystem` will remain until manually deleted to ensure that you can roll back and still access Quay in case anything goes wrong. To migrate an existing `QuayEcosystem` to a new `QuayRegistry`, follow these steps:

. Add `"quay-operator/migrate": "true"` to the `metadata.labels` of the `QuayEcosystem`.
+
```
$ oc edit quayecosystem <quayecosystemname>
```
+
[source, json]

. Wait for a `QuayRegistry` to be created with the same `metadata.name` as your `QuayEcosystem`. The `QuayEcosystem` will be marked with the label `"quay-operator/migration-complete": "true"`.

. Once the `status.registryEndpoint` of the new `QuayRegistry` is set, access Quay and confirm all data and settings were migrated successfully.

. When you are confident everything worked correctly, you may delete the `QuayEcosystem` and Kubernetes garbage collection will clean up all old resources.

=== Reverting QuayEcosystem Upgrade

If something goes wrong during the automatic upgrade from `QuayEcosystem` to `QuayRegistry`, follow these steps to revert back to using the `QuayEcosystem`:

* Delete the `QuayRegistry` using either the UI or `kubectl`:
+
```sh
$ kubectl delete -n <namespace> quayregistry <quayecosystem-name>
```

* If external access was provided using a `Route`, change the `Route` to point back to the original `Service` using the UI or `kubectl`.

[NOTE]
====
If your `QuayEcosystem` was managing the Postgres database, the upgrade process will migrate your data to a new Postgres database managed by the upgraded Operator.  Your old database will not be changed or removed but Quay will no longer use it once the migration is complete.  If there are issues during the data migration, the upgrade process will exit and it is recommended that you continue with your database as an unmanaged component.
====

=== Supported QuayEcosystem Configurations for Upgrades

The Quay Operator will report errors in its logs and in `status.conditions` if migrating a `QuayEcosystem` component fails or is unsupported. All unmanaged components should migrate successfully because no Kubernetes resources need to be adopted and all the necessary values are already provided in Quay's `config.yaml`.

*Database*

Ephemeral database not supported (`volumeSize` field must be set).

*Redis*

Nothing special needed.

*External Access*

Only passthrough `Route` access supported for automatic migration. Manual migration required for other methods.

* `LoadBalancer` without custom hostname:
After the `QuayEcosystem` is marked with label `"quay-operator/migration-complete": "true"`, delete the `metadata.ownerReferences` field from existing `Service` _before_ deleting the `QuayEcosystem` to prevent Kubernetes from garbage collecting the `Service` and removing the load balancer. A new `Service` will be created with `metadata.name` format `<QuayEcosystem-name>-quay-app`. Edit the `spec.selector` of the existing `Service` to match the `spec.selector` of the new `Service` so traffic to the old load balancer endpoint will now be directed to the new pods. You are now responsible for the old `Service`; the Quay Operator will not manage it.

* `LoadBalancer`/`NodePort`/`Ingress` with custom hostname:
A new `Service` of type `LoadBalancer` will be created with `metadata.name` format `<QuayEcosystem-name>-quay-app`. Change your DNS settings to point to the `status.loadBalancer` endpoint provided by the new `Service`.

*Clair*

Nothing special needed.

*Object Storage*

`QuayEcosystem` did not have a managed object storage component, so object storage will always be marked as unmanaged. Local storage is not supported.

*Repository Mirroring*

Nothing special needed.

:leveloffset: 2


[discrete]
== Additional resources
* For more details on the {productname} Operator, see the upstream
link:https://github.com/quay/quay-operator/[quay-operator] project.