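---
# Quay Container Registry configuration
# Copy this file to /etc/quadlets/quay/app/config.yaml and customize it.
#
# For more information on configuration options, see:
# - the json schema of the config tool: https://github.com/quay/quay/blob/master/config-tool/utils/generate/schema.json
# - the json schema of the Python core: https://github.com/quay/quay/blob/master/util/config/schema.py
#
# Before use, replace every value marked REDACTED and the development
# credentials (`quay`) in DB_URI, BUILDLOGS_REDIS and USER_EVENTS_REDIS.
# Keep the customized file out of version control; it holds live secrets.

# The URL at which Quay is accessible, without the scheme.
# NOTE(review): the bootstrap example below reaches Quay on localhost:8443; if
# the published port is not 443, this value presumably needs the port too — confirm.
SERVER_HOSTNAME: localhost

# The URL scheme to use when hitting Quay. If Quay is behind SSL *at all*, this *must* be `https`
PREFERRED_URL_SCHEME: https

# SSL certificates for HTTPS.
SSL_CERTFILE: /quay-registry/conf/stack/tls/ssl.crt
SSL_KEYFILE: /quay-registry/conf/stack/tls/ssl.key

# Secret key for signing database entries (generate a strong random value).
# Generate it once and keep it constant afterwards.
DATABASE_SECRET_KEY: 'REDACTEDREDACTEDREDACTED'

# Local filesystem storage for container images.
# Each key is a unique ID for a storage engine, with the value being a tuple of
# the type and configuration for that engine.
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
  - default

# The authentication engine to use for credential authentication.
AUTHENTICATION_TYPE: Database

# The URI at which to access the database, including any credentials.
# Quoted so the embedded `:` and `@` can never be reinterpreted by the YAML parser.
DB_URI: 'postgresql://quay:quay@127.0.0.1:5432/quay'

# If specified, connection arguments for the database such as timeouts and SSL.
# DB_CONNECTION_ARGS:

# Connection information for Redis for build logs caching
BUILDLOGS_REDIS:
  host: localhost
  password: quay
  port: 6379

# Connection information for Redis for user events caching
USER_EVENTS_REDIS:
  host: localhost
  password: quay
  port: 6379

# Whether to allow the first user to be bootstrapped through API call.
# If true, the first call to the /api/v1/user/initialize endpoint will create a user with the provided credentials, and this endpoint will be disabled after that. Defaults to False.
# Run the bootstrap right after the first start: until it has been called, the
# first account goes to whoever reaches the endpoint first.
#
# Tip: You can then create the first superuser with the following command:
# (`-k` skips certificate verification and is only acceptable against the local, self-signed instance.)
#
# ```sh
# ADMIN_PASSWORD='F00barbaz'
# curl -vk -X POST https://localhost:8443/api/v1/user/initialize -H 'Content-Type: application/json' --data "{\"username\":\"quayadmin\",\"password\":\"${ADMIN_PASSWORD}\",\"email\": \"root@localhost\",\"access_token\": true}"
# ```
FEATURE_USER_INITIALIZE: true

# Superusers have the following capabilities:
# - User management
# - Organization management
# - Service key management
# - Change log transparency
# - Usage log management
# - Globally-visible user message creation
# The username used in the bootstrap call above must appear here for that account to be a superuser.
SUPER_USERS:
  - quayadmin

# Enable permanent sessions
FEATURE_PERMANENT_SESSIONS: true

# Session duration for users, in seconds. Defaults to 2592000 (30 days)
PERMANENT_SESSION_LIFETIME: 2592000

# The length of time after which a user must re-authenticate, even with a valid session. Defaults to 5m.
# 12h widens the window in which an already-open session can perform actions that
# would otherwise demand a fresh login; shorten it on shared or internet-facing hosts.
FRESH_LOGIN_TIMEOUT: "12h"

# Podman/docker session duration.
# NOTE(review): the Quay schema documents this key as a duration string such as "1w";
# confirm that an integer number of seconds passes the config validator.
APP_SPECIFIC_TOKEN_EXPIRATION: 604800

# Mark initial setup as complete
SETUP_COMPLETE: true

# Mark testing phase as complete
TESTING: false

# Enable the new UI
FEATURE_UI_V2: true

# Restrict the API to only allow XHR calls from the browser. Defaults to False.
BROWSER_API_CALLS_XHR_ONLY: false

# Automatically create a namespace for each organization on push, if it doesn't already exist
CREATE_NAMESPACE_ON_PUSH: true

# Whether users can directly login to the UI. Defaults to True
# FEATURE_DIRECT_LOGIN: true

# Whether GitHub login is supported. Defaults to False
# FEATURE_GITHUB_LOGIN: false

# Whether Google login is supported. Defaults to False
# FEATURE_GOOGLE_LOGIN: false

# Whether users can be created (by non-super users). Defaults to True
FEATURE_USER_CREATION: false

# Whether users being created must be invited by another user. Defaults to False
# FEATURE_INVITE_ONLY_USER_CREATION: false

# If set to true, autocompletion will apply to partial usernames. Defaults to True
# FEATURE_PARTIAL_USER_AUTOCOMPLETE: true

# Whether to record the last time a user was accessed. Defaults to True
# FEATURE_USER_LAST_ACCESSED: true

# If set to true, users will have access to audit logs for their namespace. Defaults to False
FEATURE_USER_LOG_ACCESS: true

# Whether to collect and support user metadata. Defaults to False
# FEATURE_USER_METADATA: false

# If set to true, users can confirm their generated usernames. Defaults to True
# FEATURE_USERNAME_CONFIRMATION: true

# If set to true, users can rename their own namespace. Defaults to False
FEATURE_USER_RENAME: true

# Whether to allow anonymous users to browse and pull public repositories. Defaults to True
FEATURE_ANONYMOUS_ACCESS: false

# The length of time a token for recovering a user account is valid. Defaults to 30m.
# USER_RECOVERY_TOKEN_LIFETIME: 30m

# Whether or not to rotate old action logs to storage. Defaults to False
# FEATURE_ACTION_LOG_ROTATION: false

# If action log archiving is enabled, the path in storage in which to place the archived data.
# ACTION_LOG_ARCHIVE_PATH:

# If action log archiving is enabled, the storage engine in which to place the archived data.
# ACTION_LOG_ARCHIVE_LOCATION:

# Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False
# FEATURE_PROXY_STORAGE: false

# If specified, the long-form title for the registry. Defaults to `Red Hat Quay`.
# REGISTRY_TITLE: Project Quay

# If specified, the short-form title for the registry. Defaults to `Red Hat Quay`.
# REGISTRY_TITLE_SHORT: Project Quay

# Number of results returned per page by search page. Defaults to 10
# SEARCH_RESULTS_PER_PAGE: 10

# Maximum number of pages the user can paginate in search before they are limited. Defaults to 10
# SEARCH_MAX_RESULT_PAGE_COUNT: 10

# If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly.
# CONTACT_INFO: []

# The types of avatars to display, either generated inline (local) or Gravatar (gravatar)
# AVATAR_KIND: local

# Custom branding for logos and URLs in the Quay UI
# BRANDING:

# Root URL for documentation links
# DOCUMENTATION_ROOT:

# Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone)
# FEATURE_TEAM_SYNCING: false

# If enabled, non-superusers can set up syncing on teams to backing LDAP or Keystone. Defaults to False.
# FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false

# If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m)
# TEAM_RESYNC_STALE_TIME: 30m

# If enabled, users can create tokens for use by the Docker CLI. Defaults to True
# FEATURE_APP_SPECIFIC_TOKENS: true

# Whether to turn the security scanner on/off. Defaults to False
FEATURE_SECURITY_SCANNER: true

# If `SECURITY_SCANNER_V4_SIGN_JWT` is true, Quay will sign JWTs with the key provided by
# `SECURITY_SCANNER_V4_PSK` if specified, or the Quay instance's private key otherwise.
SECURITY_SCANNER_V4_SIGN_JWT: true

# The endpoint for the V2 security scanner
# SECURITY_SCANNER_ENDPOINT:

# Whether or not to enable the security scanner notification feature
# SECURITY_SCANNER_NOTIFICATIONS: false

# The number of seconds between indexing intervals in the security scanner. Defaults to 30.
# SECURITY_SCANNER_INDEXING_INTERVAL: 30

# The endpoint for the V4 security scanner.
# Plain HTTP is only acceptable while the scanner is reached over the loopback
# interface; use https for a scanner on another host.
SECURITY_SCANNER_V4_ENDPOINT: http://localhost:6060

# The namespaces for which the security scanner should be enabled
# SECURITY_SCANNER_V4_NAMESPACE_WHITELIST: []

# Pre-shared key used to sign scanner JWTs when SECURITY_SCANNER_V4_SIGN_JWT is true;
# if omitted, the Quay instance's private key is used instead.
SECURITY_SCANNER_V4_PSK: 'REDACTEDREDACTEDREDACTED'

# The issuer name to use in JWTs for the security scanner.
SECURITY_SCANNER_ISSUER_NAME: security_scanner

# Whether to support Dockerfile build. Defaults to True
# FEATURE_BUILD_SUPPORT: true

# Configuration for using BitBucket for build triggers
# BITBUCKET_TRIGGER_CONFIG:

# Whether to support Bitbucket build triggers. Defaults to False
# FEATURE_BITBUCKET_BUILD: false

# Act as a proxy cache for upstream registries (e.g. Docker Hub, Quay.io, etc.)
FEATURE_PROXY_CACHE: true

# Logs model for action logs
# LOGS_MODEL: database

# Logs model config for action logs
# LOGS_MODEL_CONFIG:

# Whether to support GitHub build triggers. Defaults to False
# FEATURE_GITHUB_BUILD: false

# Configuration for using GitHub (Enterprise) for build triggers
# GITHUB_TRIGGER_CONFIG:

# Configuration for using GitHub (Enterprise) as an external login provider
# GITHUB_LOGIN_CONFIG:

# Whether to support GitLab build triggers. Defaults to False
# FEATURE_GITLAB_BUILD: false

# Configuration for using GitLab (Enterprise) for build triggers
# GITLAB_TRIGGER_CONFIG:

# Configuration for using Google for external authentication
# GOOGLE_LOGIN_CONFIG:

# The endpoint for JWT verification
# JWT_VERIFY_ENDPOINT:

# The endpoint for JWT queries
# JWT_QUERY_ENDPOINT:

# The endpoint for JWT users
# JWT_GETUSER_ENDPOINT:

# The issuer name used for JWT authentication
# JWT_AUTH_ISSUER:

# Whether emails are enabled. Defaults to False
FEATURE_MAILING: false

# If TLS is supported, but terminated at a layer before Quay, must be true.
# EXTERNAL_TLS_TERMINATION: false

# Whether to enable support for repository mirroring. Defaults to False
FEATURE_REPO_MIRROR: true

# Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True.
# Presumably disabled here because the local instance uses a self-signed certificate;
# keep the default (true) wherever the mirror target presents a trusted certificate.
REPO_MIRROR_TLS_VERIFY: false

# The number of seconds between checking for repository mirror candidates. Defaults to 30.
# REPO_MIRROR_INTERVAL: 30

# Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset
# REPO_MIRROR_SERVER_HOSTNAME:

# Maximum size in bytes of manifest list JSON to parse during mirroring. Prevents DoS via oversized manifests. Defaults to 10485760 (10MB).
# REPO_MIRROR_MAX_MANIFEST_LIST_SIZE: 10485760

# Maximum number of manifest entries to process during architecture-filtered mirroring. Prevents DoS via manifest lists with excessive entries. Defaults to 1000.
# REPO_MIRROR_MAX_MANIFEST_ENTRIES: 1000

# The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.
# MAIL_SERVER:

# The SMTP port to use. If not specified, defaults to 587.
# MAIL_PORT: 587

# If set to true, no new User accounts may be created if their email domain is blacklisted.
# FEATURE_BLACKLISTED_EMAILS: false

# The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.
# BLACKLISTED_EMAIL_DOMAINS: []

# Whether or not to use authentication for mail server.
# MAIL_USE_AUTH: false

# The SMTP username to use when sending e-mails.
# MAIL_USERNAME:

# The SMTP password to use when sending e-mails.
# MAIL_PASSWORD:

# If specified, the e-mail address used as the `from` when Quay sends e-mails. If none, defaults to `support@quay.io`.
# MAIL_DEFAULT_SENDER: support@quay.io

# If specified, whether to use TLS for sending e-mails.
# MAIL_USE_TLS: false

# Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.
# FEATURE_CHANGE_TAG_EXPIRATION: true

# The options that users can select for expiration of tags in their namespace (if enabled)
# TAG_EXPIRATION_OPTIONS: [2w]

# The default, configurable tag expiration time for time machine. Defaults to `2w`.
# DEFAULT_TAG_EXPIRATION: 2w

# LDAP configuration for external authentication. Only required if AUTHENTICATION_TYPE is set to LDAP.
# LDAP_ADMIN_DN:
# LDAP_ADMIN_PASSWD:
# LDAP_URI: ldap://localhost
# LDAP_ALLOW_INSECURE_FALLBACK: false
# LDAP_BASE_DN:
# LDAP_USER_RDN: []
# LDAP_UID_ATTR: uid
# LDAP_EMAIL_ATTR: mail
# LDAP_USER_FILTER:

# If set to true, auto pruning of images is supported. Defaults to False
# FEATURE_AUTO_PRUNE: true

# Default org wide auto prune policy. Defaults to empty
# DEFAULT_NAMESPACE_AUTOPRUNE_POLICY: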