Karanvir's Blog

Configure AWS S3 Storage for Quay

Published August 28, 2024

In this guide, we will walk through the steps to configure AWS S3 storage for Quay. Follow these instructions to set up an S3 bucket and integrate it with Quay for object storage.

Create an IAM User and Assign Permissions

First, you need to create an IAM user and assign the necessary permissions.

Create an IAM User:

  • Navigate to the AWS Management Console.
  • Go to IAM (Identity and Access Management) > Users.
  • Click on Add user and provide a username.
  • Under Permissions select Attach existing policies directly and assign the AmazonS3FullAccess policy to the user.
  • Complete the process by clicking Next: Tags and then Next: Review before clicking Create user.

Create Access Key:

  • Navigate to IAM > Users > Click on your new user.
  • Go to the Security credentials tab.
  • Under Access keys, click Create access key.
  • Select Application running outside AWS, give the key a name, and create it.
  • Note down the access key and secret key. These will be used in the config.yaml file later.

Create and Configure an S3 Bucket

Create a New Bucket:

  • Log in to the AWS Management Console.
  • Go to the S3 service.
  • Click Create bucket and choose General Purpose.
  • Provide a unique bucket name.
  • Ensure ACLs are disabled.
  • Uncheck Block all public access and click Create bucket.

Configure Bucket Policy:

  • Navigate to your bucket.
  • Go to Permissions and then Bucket policy.
  • Add the following policy, replacing quaybucket with your actual bucket name:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::quaybucket/*"
        }
    ]
}
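Before applying the policy above it is worth spelling out what it grants: Principal "*" with s3:* on the object ARN, combined with Block all public access being unchecked in the bucket step, lets any caller read, write and delete every blob the registry stores. The Python below is an added example, not from the post or the Quay project; it flags such statements and builds a version scoped to the IAM user created earlier (the account id and user name in the ARN are placeholders, and the action list is an assumption to verify against your Quay version).

```python
import json

# Constructed sample input: the world-open policy from the post (bucket "quaybucket").
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": "*",   # any principal, including anonymous callers
    "Action": "s3:*",   # every S3 action that applies to the resource
    "Resource": "arn:aws:s3:::quaybucket/*",
}]}

# Assumption: actions a registry blob store needs, per ARN level; verify against your Quay version.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """Principal "*" or {"AWS": "*"}: anyone at all once Block Public Access is off."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def audit_policy(policy):
    """One finding per Allow statement that is public or grants wildcard S3 actions."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_public(stmt.get("Principal")):
            findings.append(f"statement {i}: Principal '*' makes {stmt.get('Resource')} world-accessible")
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard Action grants every S3 operation on the resource")
    return findings

def scoped_policy(bucket, principal_arn):
    """Allow only the Quay IAM user, with object and bucket actions on their own ARNs."""
    who = {"AWS": principal_arn}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": who, "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Principal": who, "Action": BUCKET_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]}

if __name__ == "__main__":
    for finding in audit_policy(OPEN_POLICY):
        print("FINDING:", finding)
    # 123456789012 / "quay" are placeholders; use the ARN of the IAM user created above.
    print(json.dumps(scoped_policy("quaybucket", "arn:aws:iam::123456789012:user/quay"), indent=2))
```

Bucket-level actions such as s3:ListBucket must target the bucket ARN itself, which is why the scoped version carries two statements instead of one.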

Configure Quay to Use AWS S3 Storage by Updating config.yaml

Replace placeholders with the access_key, secret_key, and bucket name you noted earlier. Ensure the region is set correctly. Here's how your config.yaml should look:

DISTRIBUTED_STORAGE_CONFIG:
  s3Storage:
    - S3Storage
    - host: s3.us-east-1.amazonaws.com
      s3_bucket: quaybucket
      s3_access_key: ******************
      s3_secret_key: *************************
      s3_region: us-east-1
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - s3Storage

Create a Secret in OpenShift:

  • Run the following command to create a secret with the config.yaml:
oc create secret generic --from-file config.yaml=./config.yaml config-bundle-secret -n openshift-operators

Create the Quay Registry Instance:

  • Specify the config-bundle-secret in your Quay registry instance YAML.
  • For the objectstorage component, set managed to false in the YAML configuration file:

apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: example-registry
  namespace: quay-enterprise
spec:
  configBundleSecret: config-bundle-secret
  components:
    - kind: quay
      managed: true
    - kind: postgres
      managed: true
    - kind: clair
      managed: true
    - kind: redis
      managed: true
    - kind: horizontalpodautoscaler
      managed: true
    - kind: objectstorage
      managed: false   # unmanaged: Quay uses the S3 storage defined in config.yaml
    - kind: route
      managed: true
    - kind: mirror
      managed: true
    - kind: monitoring
      managed: true
    - kind: tls
      managed: true
    - kind: clairpostgres
      managed: true