Project Quay is a scalable container image registry that enables you to build, organize, distribute, and deploy containers. With Quay you can create image repositories, perform image vulnerability scanning and robust access controls. We had covered installation of Quay on a Linux distribution using Docker.

How To Setup Red Hat Quay Registry on CentOS / RHEL / Ubuntu

In this guide, we will review how you can deploy Quay container registry on OpenShift Container Platform using Operator. The operator we’ll use is provided in the Operators Hub. If you don’t have an OpenShift / OKD cluster running and would like to try this article, checkout our guides below.

Setup Local OpenShift 4.x Cluster with CodeReady Containers

How to Setup OpenShift Origin (OKD) 3.11 on Ubuntu

How To run Local Openshift Cluster with Minishift

The Project Quay is made up of several core components.

  • Database: Used by Red Hat Quay as its primary metadata storage (not for image storage).
  • Redis (key, value store): Stores live builder logs and the Red Hat Quay tutorial.
  • Quay (container registry): Runs the quay container as a service, consisting of several components in the pod.
  • Clair: Scans container images for vulnerabilities and suggests fixes.

Step 1: Create new project for Project Quay

Let’s begin by creating a new project for Quay registry.

$ oc new-project quay-enterprise
Now using project "quay-enterprise" on server "https://api.crc.testing:6443".

You can also create a Project from OpenShift Web console.

install project quay openshift 01

Click create button and confirm the project is created and running.

install project quay openshift 02

Step 2: Install Red Hat Quay Setup Operator

The Red Hat Quay Setup Operator provides a simple method to deploy and manage a Red Hat Quay cluster.

Login to the OpenShift console and select OperatorsOperatorHub:

install project quay openshift 03

Select the Red Hat Quay Operator.

install project quay openshift 04

Select Install then Operator Subscription page will appear.

install project quay openshift 05

Choose the following then select Subscribe:

  • Installation Mode: Select a specific namespace to install to
  • Update Channel: Choose the update channel (only one may be available)
  • Approval Strategy: Choose to approve automatic or manual updates
install project quay openshift 06 1

Step 3: Deploy a Red Hat Quay ecosystem

Certain credentials are required for Accessing registry. Create a new file with below details.

$ vim docker_quay.json 
    "": {
        "email": ""

Then create a secret on OpenShift that will be used.

oc project quay-enterprise
oc create secret generic redhat-pull-secret --from-file=".dockerconfigjson=docker_quay.json" --type=''

Create Quay Superuser credentials secret:

oc create secret generic quay-admin \
--from-literal=superuser-username=quayadmin \
--from-literal=superuser-password=StrongAdminPassword \
[email protected]


  • quayadmin is the Quay admin username
  • StrongAdminPassword is the password for admin user
  • [email protected] is the email of Admin user to be created

Create Quay Configuration Secret

A dedicated deployment of Quay Enterprise is used to manage the configuration of Quay. Access to the configuration interface is secured and requires authentication in order for access.

oc create secret generic quay-config --from-literal=config-app-password=StrongPassword

Replace StrongPassword with your desired password.

Create Database credentials secret – PostgreSQL

oc create secret generic postgres-creds \
--from-literal=database-username=quay \
--from-literal=database-password=StrongUserPassword \
--from-literal=database-root-password=StrongRootPassword \

These are the credentials for accessing the database server:

  • quay – Database and DB username
  • StrongUserPassword – quay DB user password
  • StrongRootPassword – root user database password

Create Redis Password Credential

By default, the operator managed Redis instance is deployed without a password. A password can be specified by creating a secret containing the password in the key password.

oc create secret generic redis-password  --from-literal=password=StrongRedisPassword

Create Quay Ecosystem Deployment Manifest

My Red Hat Quay ecosystem configuration file looks like below

kind: QuayEcosystem
  name: quay-ecosystem
    enabled: true
    imagePullSecretName: redhat-pull-secret
    updateInterval: "60m"
    imagePullSecretName: redhat-pull-secret
    superuserCredentialsSecretName: quay-admin
    configSecretName: quay-config
    deploymentStrategy: RollingUpdate
    skipSetup: false
      credentialsSecretName: redis-password
      volumeSize: 10Gi
      credentialsSecretName: postgres-creds
      persistentVolumeSize: 20Gi
        - ReadWriteMany
      initialDelaySeconds: 120
        path: /health/instance
        port: 8443
        scheme: HTTPS
      initialDelaySeconds: 10
        path: /health/instance
        port: 8443
        scheme: HTTPS

Modify it to fit you use case. When done apply the configuration:

oc apply -f quay-ecosystem.yaml

Using Custom SSL Certificates

If you want to use custom SSL certificates with Quay, you need to create a secret with the key and the certificate:

oc create secret generic custom-quay-ssl \
   --from-file=ssl.key=example.key \

Then modify your Ecosystem file to use the custom certificate secret:

    imagePullSecretName: redhat-pull-secret
    sslCertificatesSecretName: custom-quay-ssl

Wait for few minutes then confirm deployment:

$ oc get deployments
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
quay-ecosystem-clair              1/1     1            1           2m35s
quay-ecosystem-clair-postgresql   1/1     1            1           2m57s
quay-ecosystem-quay               1/1     1            1           3m45s
quay-ecosystem-quay-postgresql    1/1     1            1           5m8s
quay-ecosystem-redis              1/1     1            1           5m57s
quay-operator                     1/1     1            1           70m

$ oc get svc
NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
quay-ecosystem-clair              ClusterIP     <none>        6060/TCP,6061/TCP   4m
quay-ecosystem-clair-postgresql   ClusterIP   <none>        5432/TCP            3m58s
quay-ecosystem-quay               ClusterIP   <none>        443/TCP             5m38s
quay-ecosystem-quay-postgresql    ClusterIP   <none>        5432/TCP            6m15s
quay-ecosystem-redis              ClusterIP   <none>        6379/TCP            6m58s
quay-operator-metrics             ClusterIP   <none>        8383/TCP,8686/TCP   70m

Running pods in the project:

$ oc get pods
NAME                                              READY   STATUS    RESTARTS   AGE
quay-ecosystem-clair-84b4d77654-cjwcr             1/1     Running   0          2m57s
quay-ecosystem-clair-postgresql-7c47b5955-qbc4s   1/1     Running   0          3m23s
quay-ecosystem-quay-66584ccbdb-8szts              1/1     Running   0          4m8s
quay-ecosystem-quay-postgresql-74bf8db7f8-vnrx9   1/1     Running   0          5m34s
quay-ecosystem-redis-7dcd5c58d6-p7xkn             1/1     Running   0          6m23s
quay-operator-764c99dcdb-k44cq                    1/1     Running   0          70m

Step 4: Access Quay Dashboard

Get a route URL for deployed Quay:

$ oc get route
quay-ecosystem-quay         quay-ecosystem-quay   8443   passthrough/Redirect   None

Open the URL on the machine with access to the cluster domain.

install project quay openshift 07

Use the credentials you configured to login to Quay registry.

install project quay openshift 08

OpenShift Courses:

Practical OpenShift for Developers – New Course 2021

Ultimate Openshift (2021) Bootcamp by School of Devops

And there you have it. You now have Quay registry running on OpenShift using Operators. Refer to below documentations for more help.

More on OpenShift / Registry:

Ceph Persistent Storage for Kubernetes with Cephfs

Persistent Storage for Kubernetes with Ceph RBD

Install Harbor Container Image Registry on CentOS / Debian / Ubuntu

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.


Please enter your comment!
Please enter your name here