import json CONFIG_SCHEMA = { "type": "object", "description": "Schema for Quay configuration", "required": [ "PREFERRED_URL_SCHEME", "SERVER_HOSTNAME", "DB_URI", "AUTHENTICATION_TYPE", "DISTRIBUTED_STORAGE_CONFIG", "BUILDLOGS_REDIS", "USER_EVENTS_REDIS", "DISTRIBUTED_STORAGE_PREFERENCE", "DEFAULT_TAG_EXPIRATION", "TAG_EXPIRATION_OPTIONS", ], "properties": { "REGISTRY_STATE": { "type": "string", "description": "The state of the registry.", "enum": ["normal", "readonly"], "x-example": "readonly", }, # Hosting. "PREFERRED_URL_SCHEME": { "type": "string", "description": "The URL scheme to use when hitting Quay. If Quay is behind SSL *at all*, this *must* be `https`", "enum": ["http", "https"], "x-example": "https", }, "SERVER_HOSTNAME": { "type": "string", "description": "The URL at which Quay is accessible, without the scheme.", "x-example": "quay.io", }, "EXTERNAL_TLS_TERMINATION": { "type": "boolean", "description": "If TLS is supported, but terminated at a layer before Quay, must be true.", "x-example": True, }, # SSL/TLS. "SSL_CIPHERS": { "type": "array", "description": "If specified, the nginx-defined list of SSL ciphers to enabled and disabled", "x-example": ["CAMELLIA", "!3DES"], "x-reference": "http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers", }, "SSL_PROTOCOLS": { "type": "array", "description": "If specified, the nginx-defined list of SSL protocols to enabled and disabled", "x-example": ["TLSv1.1", "TLSv1.2"], "x-reference": "http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols", }, # User-visible configuration. "REGISTRY_TITLE": { "type": "string", "description": "If specified, the long-form title for the registry. Defaults to `Red Hat Quay`.", "x-example": "Corp Container Service", }, "REGISTRY_TITLE_SHORT": { "type": "string", "description": "If specified, the short-form title for the registry. 
Defaults to `Red Hat Quay`.", "x-example": "CCS", }, "CONTACT_INFO": { "type": "array", "uniqueItems": True, "description": "If specified, contact information to display on the contact page. " + "If only a single piece of contact information is specified, the contact footer will link directly.", "items": [ { "type": "string", "pattern": "^mailto:(.)+$", "x-example": "mailto:support@quay.io", "description": "Adds a link to send an e-mail", }, { "type": "string", "pattern": "^irc://(.)+$", "x-example": "irc://chat.freenode.net:6665/quay", "description": "Adds a link to visit an IRC chat room", }, { "type": "string", "pattern": "^tel:(.)+$", "x-example": "tel:+1-888-930-3475", "description": "Adds a link to call a phone number", }, { "type": "string", "pattern": "^http(s)?://(.)+$", "x-example": "https://twitter.com/quayio", "description": "Adds a link to a defined URL", }, ], }, "SEARCH_RESULTS_PER_PAGE": { "type": "number", "description": "Number of results returned per page by search page. Defaults to 10", "x-example": 10, }, "SEARCH_MAX_RESULT_PAGE_COUNT": { "type": "number", "description": "Maximum number of pages the user can paginate in search before they are limited. Defaults to 10", "x-example": 10, }, # E-mail. "FEATURE_MAILING": { "type": "boolean", "description": "Whether emails are enabled. Defaults to True", "x-example": True, }, "MAIL_SERVER": { "type": "string", "description": "The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.", "x-example": "smtp.somedomain.com", }, "MAIL_USE_TLS": { "type": "boolean", "description": "If specified, whether to use TLS for sending e-mails.", "x-example": True, }, "MAIL_PORT": { "type": "number", "description": "The SMTP port to use. 
If not specified, defaults to 587.", "x-example": 588, }, "MAIL_USERNAME": { "type": ["string", "null"], "description": "The SMTP username to use when sending e-mails.", "x-example": "myuser", }, "MAIL_PASSWORD": { "type": ["string", "null"], "description": "The SMTP password to use when sending e-mails.", "x-example": "mypassword", }, "MAIL_DEFAULT_SENDER": { "type": ["string", "null"], "description": "If specified, the e-mail address used as the `from` when Quay sends e-mails. If none, defaults to `support@quay.io`.", "x-example": "support@myco.com", }, # Database. "DB_URI": { "type": "string", "description": "The URI at which to access the database, including any credentials.", "x-example": "mysql+pymysql://username:password@dns.of.database/quay", "x-reference": "https://www.postgresql.org/docs/9.3/static/libpq-connect.html#AEN39495", }, "DB_CONNECTION_ARGS": { "type": "object", "description": "If specified, connection arguments for the database such as timeouts and SSL.", "properties": { "threadlocals": { "type": "boolean", "description": "Whether to use thread-local connections. Should *ALWAYS* be `true`", }, "autorollback": { "type": "boolean", "description": "Whether to use auto-rollback connections. Should *ALWAYS* be `true`", }, "ssl": { "type": "object", "description": "SSL connection configuration", "properties": { "ca": { "type": "string", "description": "*Absolute container path* to the CA certificate to use for SSL connections", "x-example": "conf/stack/ssl-ca-cert.pem", }, }, "required": ["ca"], }, }, "required": ["threadlocals", "autorollback"], }, "ALLOW_PULLS_WITHOUT_STRICT_LOGGING": { "type": "boolean", "description": "If true, pulls in which the pull audit log entry cannot be written will " + "still succeed. Useful if the database can fallback into a read-only state " + "and it is desired for pulls to continue during that time. 
Defaults to False.", "x-example": True, }, "ALLOW_WITHOUT_STRICT_LOGGING": { "type": "boolean", "description": "If true, any action in which the audit log entry cannot be written will " + "still succeed. Useful if using an external logging service that may be down " + "intermittently and the registry should continue to work. Defaults to False.", "x-example": False, }, # Storage. "FEATURE_STORAGE_REPLICATION": { "type": "boolean", "description": "Whether to automatically replicate between storage engines. Defaults to False", "x-example": False, }, "FEATURE_PROXY_STORAGE": { "type": "boolean", "description": "Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False", "x-example": False, }, "MAXIMUM_LAYER_SIZE": { "type": "string", "description": "Maximum allowed size of an image layer. Defaults to 20G", "x-example": "100G", "pattern": "^[0-9]+(G|M)$", }, "DISTRIBUTED_STORAGE_CONFIG": { "type": "object", "description": "Configuration for storage engine(s) to use in Quay. Each key is a unique ID" + " for a storage engine, with the value being a tuple of the type and " + " configuration for that engine.", "x-example": { "local_storage": ["LocalStorage", {"storage_path": "some/path/"}], }, "items": { "type": "array", }, }, "DISTRIBUTED_STORAGE_PREFERENCE": { "type": "array", "description": "The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to " + "use. 
A preferred engine means it is first checked for pullig and images are " + "pushed to it.", "items": { "type": "string", "uniqueItems": True, }, "x-example": ["s3_us_east", "s3_us_west"], }, "DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS": { "type": "array", "description": "The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose " + "images should be fully replicated, by default, to all other storage engines.", "items": { "type": "string", "uniqueItems": True, }, "x-example": ["s3_us_east", "s3_us_west"], }, "USERFILES_LOCATION": { "type": "string", "description": "ID of the storage engine in which to place user-uploaded files", "x-example": "s3_us_east", }, "USERFILES_PATH": { "type": "string", "description": "Path under storage in which to place user-uploaded files", "x-example": "userfiles", }, "ACTION_LOG_ARCHIVE_LOCATION": { "type": "string", "description": "If action log archiving is enabled, the storage engine in which to place the " + "archived data.", "x-example": "s3_us_east", }, "ACTION_LOG_ARCHIVE_PATH": { "type": "string", "description": "If action log archiving is enabled, the path in storage in which to place the " + "archived data.", "x-example": "archives/actionlogs", }, "ACTION_LOG_ROTATION_THRESHOLD": { "type": "string", "description": "If action log archiving is enabled, the time interval after which to " + "archive data.", "x-example": "30d", }, "LOG_ARCHIVE_LOCATION": { "type": "string", "description": "If builds are enabled, the storage engine in which to place the " + "archived build logs.", "x-example": "s3_us_east", }, "LOG_ARCHIVE_PATH": { "type": "string", "description": "If builds are enabled, the path in storage in which to place the " + "archived build logs.", "x-example": "archives/buildlogs", }, # Authentication. 
"AUTHENTICATION_TYPE": { "type": "string", "description": "The authentication engine to use for credential authentication.", "x-example": "Database", "enum": ["Database", "LDAP", "JWT", "Keystone", "OIDC", "AppToken"], }, "SUPER_USERS": { "type": "array", "description": "Quay usernames of those users to be granted superuser privileges", "uniqueItems": True, "items": { "type": "string", }, }, "DIRECT_OAUTH_CLIENTID_WHITELIST": { "type": "array", "description": "A list of client IDs of *Quay-managed* applications that are allowed " + "to perform direct OAuth approval without user approval.", "x-reference": "https://coreos.com/quay-enterprise/docs/latest/direct-oauth.html", "uniqueItems": True, "items": { "type": "string", }, }, # Redis. "BUILDLOGS_REDIS": { "type": "object", "description": "Connection information for Redis for build logs caching", "required": ["host"], "properties": { "host": { "type": "string", "description": "The hostname at which Redis is accessible", "x-example": "my.redis.cluster", }, "port": { "type": "number", "description": "The port at which Redis is accessible", "x-example": 1234, }, "password": { "type": "string", "description": "The password to connect to the Redis instance", "x-example": "mypassword", }, }, }, "USER_EVENTS_REDIS": { "type": "object", "description": "Connection information for Redis for user event handling", "required": ["host"], "properties": { "host": { "type": "string", "description": "The hostname at which Redis is accessible", "x-example": "my.redis.cluster", }, "port": { "type": "number", "description": "The port at which Redis is accessible", "x-example": 1234, }, "password": { "type": "string", "description": "The password to connect to the Redis instance", "x-example": "mypassword", }, }, }, # OAuth configuration. 
"GITHUB_LOGIN_CONFIG": { "type": ["object", "null"], "description": "Configuration for using GitHub (Enterprise) as an external login provider", "required": ["CLIENT_ID", "CLIENT_SECRET"], "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-auth.html", "properties": { "GITHUB_ENDPOINT": { "type": "string", "description": "The endpoint of the GitHub (Enterprise) being hit", "x-example": "https://github.com/", }, "API_ENDPOINT": { "type": "string", "description": "The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com", "x-example": "https://api.github.com/", }, "CLIENT_ID": { "type": "string", "description": "The registered client ID for this Quay instance; cannot be shared with GITHUB_TRIGGER_CONFIG", "x-example": "0e8dbe15c4c7630b6780", "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html", }, "CLIENT_SECRET": { "type": "string", "description": "The registered client secret for this Quay instance", "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846", "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html", }, "ORG_RESTRICT": { "type": "boolean", "description": "If true, only users within the organization whitelist can login using this provider", "x-example": True, }, "ALLOWED_ORGANIZATIONS": { "type": "array", "description": "The names of the GitHub (Enterprise) organizations whitelisted to work with the ORG_RESTRICT option", "uniqueItems": True, "items": { "type": "string", }, }, }, }, "BITBUCKET_TRIGGER_CONFIG": { "type": ["object", "null"], "description": "Configuration for using BitBucket for build triggers", "required": ["CONSUMER_KEY", "CONSUMER_SECRET"], "x-reference": "https://coreos.com/quay-enterprise/docs/latest/bitbucket-build.html", "properties": { "CONSUMER_KEY": { "type": "string", "description": "The registered consumer key (client ID) for this Quay instance", "x-example": "0e8dbe15c4c7630b6780", }, "CONSUMER_SECRET": { "type": "string", 
"description": "The registered consumer secret (client secret) for this Quay instance", "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846", }, }, }, "GITHUB_TRIGGER_CONFIG": { "type": ["object", "null"], "description": "Configuration for using GitHub (Enterprise) for build triggers", "required": ["GITHUB_ENDPOINT", "CLIENT_ID", "CLIENT_SECRET"], "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-build.html", "properties": { "GITHUB_ENDPOINT": { "type": "string", "description": "The endpoint of the GitHub (Enterprise) being hit", "x-example": "https://github.com/", }, "API_ENDPOINT": { "type": "string", "description": "The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com", "x-example": "https://api.github.com/", }, "CLIENT_ID": { "type": "string", "description": "The registered client ID for this Quay instance; cannot be shared with GITHUB_LOGIN_CONFIG", "x-example": "0e8dbe15c4c7630b6780", "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html", }, "CLIENT_SECRET": { "type": "string", "description": "The registered client secret for this Quay instance", "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846", "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html", }, }, }, "GOOGLE_LOGIN_CONFIG": { "type": ["object", "null"], "description": "Configuration for using Google for external authentication", "required": ["CLIENT_ID", "CLIENT_SECRET"], "properties": { "CLIENT_ID": { "type": "string", "description": "The registered client ID for this Quay instance", "x-example": "0e8dbe15c4c7630b6780", }, "CLIENT_SECRET": { "type": "string", "description": "The registered client secret for this Quay instance", "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846", }, }, }, "GITLAB_TRIGGER_CONFIG": { "type": ["object", "null"], "description": "Configuration for using Gitlab (Enterprise) for external authentication", "required": ["GITLAB_ENDPOINT", "CLIENT_ID", 
"CLIENT_SECRET"], "properties": { "GITLAB_ENDPOINT": { "type": "string", "description": "The endpoint at which Gitlab(Enterprise) is running", "x-example": "https://gitlab.com", }, "CLIENT_ID": { "type": "string", "description": "The registered client ID for this Quay instance", "x-example": "0e8dbe15c4c7630b6780", }, "CLIENT_SECRET": { "type": "string", "description": "The registered client secret for this Quay instance", "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846", }, }, }, "BRANDING": { "type": ["object", "null"], "description": "Custom branding for logos and URLs in the Quay UI", "required": ["logo"], "properties": { "logo": { "type": "string", "description": "Main logo image URL", "x-example": "/static/img/quay-horizontal-color.svg", }, "footer_img": { "type": "string", "description": "Logo for UI footer", "x-example": "/static/img/RedHat.svg", }, "footer_url": { "type": "string", "description": "Link for footer image", "x-example": "https://redhat.com", }, }, }, "DOCUMENTATION_ROOT": {"type": "string", "description": "Root URL for documentation links"}, # Health. "HEALTH_CHECKER": { "description": "The configured health check.", "x-example": ("RDSAwareHealthCheck", {"access_key": "foo", "secret_key": "bar"}), }, # Metrics. "PROMETHEUS_NAMESPACE": { "type": "string", "description": "The prefix applied to all exposed Prometheus metrics. Defaults to `quay`", "x-example": "myregistry", }, # Misc configuration. "BLACKLIST_V2_SPEC": { "type": "string", "description": "The Docker CLI versions to which Quay will respond that V2 is *unsupported*. Defaults to `<1.6.0`", "x-reference": "http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec", "x-example": "<1.8.0", }, "USER_RECOVERY_TOKEN_LIFETIME": { "type": "string", "description": "The length of time a token for recovering a user accounts is valid. 
Defaults to 30m.", "x-example": "10m", "pattern": "^[0-9]+(w|m|d|h|s)$", }, "SESSION_COOKIE_SECURE": { "type": "boolean", "description": "Whether the `secure` property should be set on session cookies. " + "Defaults to False. Recommended to be True for all installations using SSL.", "x-example": True, "x-reference": "https://en.wikipedia.org/wiki/Secure_cookies", }, "PUBLIC_NAMESPACES": { "type": "array", "description": "If a namespace is defined in the public namespace list, then it will appear on *all*" + " user's repository list pages, regardless of whether that user is a member of the namespace." + ' Typically, this is used by an enterprise customer in configuring a set of "well-known"' + " namespaces.", "uniqueItems": True, "items": { "type": "string", }, }, "AVATAR_KIND": { "type": "string", "description": "The types of avatars to display, either generated inline (local) or Gravatar (gravatar)", "enum": ["local", "gravatar"], }, "V2_PAGINATION_SIZE": { "type": "number", "description": "The number of results returned per page in V2 registry APIs", "x-example": 100, }, "ENABLE_HEALTH_DEBUG_SECRET": { "type": ["string", "null"], "description": "If specified, a secret that can be given to health endpoints to see full debug info when" + "not authenticated as a superuser", "x-example": "somesecrethere", }, "BROWSER_API_CALLS_XHR_ONLY": { "type": "boolean", "description": "If enabled, only API calls marked as being made by an XHR will be allowed from browsers. Defaults to True.", "x-example": False, }, # Time machine and tag expiration settings. "FEATURE_CHANGE_TAG_EXPIRATION": { "type": "boolean", "description": "Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.", "x-example": False, }, "DEFAULT_TAG_EXPIRATION": { "type": "string", "description": "The default, configurable tag expiration time for time machine. 
Defaults to `2w`.", "pattern": "^[0-9]+(w|m|d|h|s)$", }, "TAG_EXPIRATION_OPTIONS": { "type": "array", "description": "The options that users can select for expiration of tags in their namespace (if enabled)", "items": { "type": "string", "pattern": "^[0-9]+(w|m|d|h|s)$", }, }, # Team syncing. "FEATURE_TEAM_SYNCING": { "type": "boolean", "description": "Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone)", "x-example": True, }, "TEAM_RESYNC_STALE_TIME": { "type": "string", "description": "If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m)", "x-example": "2h", "pattern": "^[0-9]+(w|m|d|h|s)$", }, "FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP": { "type": "boolean", "description": "If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.", "x-example": True, }, # Security scanning. "FEATURE_SECURITY_SCANNER": { "type": "boolean", "description": "Whether to turn of/off the security scanner. Defaults to False", "x-example": False, "x-reference": "https://coreos.com/quay-enterprise/docs/latest/security-scanning.html", }, "FEATURE_SECURITY_NOTIFICATIONS": { "type": "boolean", "description": "If the security scanner is enabled, whether to turn of/off security notificaitons. Defaults to False", "x-example": False, }, "SECURITY_SCANNER_ENDPOINT": { "type": "string", "pattern": "^http(s)?://(.)+$", "description": "The endpoint for the V2 security scanner", "x-example": "http://192.168.99.101:6060", }, "SECURITY_SCANNER_V4_ENDPOINT": { "type": ["string", "null"], "pattern": "^http(s)?://(.)+$", "description": "The endpoint for the V4 security scanner", "x-example": "http://192.168.99.101:6060", }, "SECURITY_SCANNER_INDEXING_INTERVAL": { "type": "number", "description": "The number of seconds between indexing intervals in the security scanner. 
Defaults to 30.", "x-example": 30, }, # Repository mirroring "REPO_MIRROR_INTERVAL": { "type": "number", "description": "The number of seconds between checking for repository mirror candidates. Defaults to 30.", "x-example": 30, }, # Build "FEATURE_GITHUB_BUILD": { "type": "boolean", "description": "Whether to support GitHub build triggers. Defaults to False", "x-example": False, }, "FEATURE_BITBUCKET_BUILD": { "type": "boolean", "description": "Whether to support Bitbucket build triggers. Defaults to False", "x-example": False, }, "FEATURE_GITLAB_BUILD": { "type": "boolean", "description": "Whether to support GitLab build triggers. Defaults to False", "x-example": False, }, "FEATURE_BUILD_SUPPORT": { "type": "boolean", "description": "Whether to support Dockerfile build. Defaults to True", "x-example": True, }, "DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT": { "type": ["number", "null"], "description": "If not None, the default maximum number of builds that can be queued in a namespace.", "x-example": 20, }, "SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD": { "type": ["number", "null"], "description": "If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled. Defaults to 5.", "x-example": 10, }, "SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD": { "type": ["number", "null"], "description": "If not None, the number of successive failures that can occur before a build trigger is automatically disabled. Defaults to 100.", "x-example": 50, }, # Login "FEATURE_GITHUB_LOGIN": { "type": "boolean", "description": "Whether GitHub login is supported. Defaults to False", "x-example": False, }, "FEATURE_GOOGLE_LOGIN": { "type": "boolean", "description": "Whether Google login is supported. Defaults to False", "x-example": False, }, # Recaptcha "FEATURE_RECAPTCHA": { "type": "boolean", "description": "Whether Recaptcha is necessary for user login and recovery. 
Defaults to False", "x-example": False, "x-reference": "https://www.google.com/recaptcha/intro/", }, "RECAPTCHA_SITE_KEY": { "type": ["string", "null"], "description": "If recaptcha is enabled, the site key for the Recaptcha service", }, "RECAPTCHA_SECRET_KEY": { "type": ["string", "null"], "description": "If recaptcha is enabled, the secret key for the Recaptcha service", }, # External application tokens. "FEATURE_APP_SPECIFIC_TOKENS": { "type": "boolean", "description": "If enabled, users can create tokens for use by the Docker CLI. Defaults to True", "x-example": False, }, "APP_SPECIFIC_TOKEN_EXPIRATION": { "type": ["string", "null"], "description": "The expiration for external app tokens. Defaults to None.", "pattern": "^[0-9]+(w|m|d|h|s)$", }, "EXPIRED_APP_SPECIFIC_TOKEN_GC": { "type": ["string", "null"], "description": "Duration of time expired external app tokens will remain before being garbage collected. Defaults to 1d.", "pattern": "^[0-9]+(w|m|d|h|s)$", }, # Feature Flag: Garbage collection. "FEATURE_GARBAGE_COLLECTION": { "type": "boolean", "description": "Whether garbage collection of repositories is enabled. Defaults to True", "x-example": False, }, # Feature Flag: Rate limits. "FEATURE_RATE_LIMITS": { "type": "boolean", "description": "Whether to enable rate limits on API and registry endpoints. Defaults to False", "x-example": True, }, # Feature Flag: Aggregated log retrieval. "FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL": { "type": "boolean", "description": "Whether to allow retrieval of aggregated log counts. Defaults to True", "x-example": True, }, # Feature Flag: Log export. "FEATURE_LOG_EXPORT": { "type": "boolean", "description": "Whether to allow exporting of action logs. Defaults to True", "x-example": True, }, # Feature Flag: User last accessed. "FEATURE_USER_LAST_ACCESSED": { "type": "boolean", "description": "Whether to record the last time a user was accessed. Defaults to True", "x-example": True, }, # Feature Flag: Permanent Sessions. 
"FEATURE_PERMANENT_SESSIONS": { "type": "boolean", "description": "Whether sessions are permanent. Defaults to True", "x-example": True, }, # Feature Flag: Super User Support. "FEATURE_SUPER_USERS": { "type": "boolean", "description": "Whether super users are supported. Defaults to True", "x-example": True, }, # Feature Flag: Anonymous Users. "FEATURE_ANONYMOUS_ACCESS": { "type": "boolean", "description": " Whether to allow anonymous users to browse and pull public repositories. Defaults to True", "x-example": True, }, # Feature Flag: User Creation. "FEATURE_USER_CREATION": { "type": "boolean", "description": "Whether users can be created (by non-super users). Defaults to True", "x-example": True, }, # Feature Flag: Invite Only User Creation. "FEATURE_INVITE_ONLY_USER_CREATION": { "type": "boolean", "description": "Whether users being created must be invited by another user. Defaults to False", "x-example": False, }, # Feature Flag: Encrypted Basic Auth. "FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH": { "type": "boolean", "description": "Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for basic auth. Defaults to False", "x-example": False, }, # Feature Flag: Direct Login. "FEATURE_DIRECT_LOGIN": { "type": "boolean", "description": "Whether users can directly login to the UI. Defaults to True", "x-example": True, }, # Feature Flag: Advertising V2. "FEATURE_ADVERTISE_V2": { "type": "boolean", "description": "Whether the v2/ endpoint is visible. Defaults to True", "x-example": True, }, # Feature Flag: Log Rotation. "FEATURE_ACTION_LOG_ROTATION": { "type": "boolean", "description": "Whether or not to rotate old action logs to storage. Defaults to False", "x-example": False, }, # Feature Flag: ACI Conversion. "FEATURE_ACI_CONVERSION": { "type": "boolean", "description": "Whether to enable conversion to ACIs. Defaults to False", "x-example": False, }, # Feature Flag: Library Support. 
"FEATURE_LIBRARY_SUPPORT": { "type": "boolean", "description": 'Whether to allow for "namespace-less" repositories when pulling and pushing from Docker. Defaults to True', "x-example": True, }, # Feature Flag: Require Team Invite. "FEATURE_REQUIRE_TEAM_INVITE": { "type": "boolean", "description": "Whether to require invitations when adding a user to a team. Defaults to True", "x-example": True, }, # Feature Flag: Collecting and Supporting Metadata. "FEATURE_USER_METADATA": { "type": "boolean", "description": "Whether to collect and support user metadata. Defaults to False", "x-example": False, }, # Feature Flag: Support App Registry. "FEATURE_APP_REGISTRY": { "type": "boolean", "description": "Whether to enable support for App repositories. Defaults to False", "x-example": False, }, # Feature Flag: Read only app registry. "FEATURE_READONLY_APP_REGISTRY": { "type": "boolean", "description": "Whether to App repositories are read-only. Defaults to False", "x-example": True, }, # Feature Flag: Public Reposiotires in _catalog Endpoint. "FEATURE_PUBLIC_CATALOG": { "type": "boolean", "description": "If set to true, the _catalog endpoint returns public repositories. Otherwise, only private repositories can be returned. Defaults to False", "x-example": False, }, # Feature Flag: Reader Build Logs. "FEATURE_READER_BUILD_LOGS": { "type": "boolean", "description": "If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. Defaults to False", "x-example": False, }, # Feature Flag: Usernames Autocomplete. "FEATURE_PARTIAL_USER_AUTOCOMPLETE": { "type": "boolean", "description": "If set to true, autocompletion will apply to partial usernames. Defaults to True", "x-example": True, }, # Feature Flag: User log access. "FEATURE_USER_LOG_ACCESS": { "type": "boolean", "description": "If set to true, users will have access to audit logs for their namespace. 
Defaults to False", "x-example": True, }, # Feature Flag: User renaming. "FEATURE_USER_RENAME": { "type": "boolean", "description": "If set to true, users can rename their own namespace. Defaults to False", "x-example": True, }, # Feature Flag: Username confirmation. "FEATURE_USERNAME_CONFIRMATION": { "type": "boolean", "description": "If set to true, users can confirm their generated usernames. Defaults to True", "x-example": False, }, # Feature Flag: V1 push restriction. "FEATURE_RESTRICTED_V1_PUSH": { "type": "boolean", "description": "If set to true, only namespaces listed in V1_PUSH_WHITELIST support V1 push. Defaults to True", "x-example": False, }, # Feature Flag: Support Repository Mirroring. "FEATURE_REPO_MIRROR": { "type": "boolean", "description": "Whether to enable support for repository mirroring. Defaults to False", "x-example": False, }, "REPO_MIRROR_TLS_VERIFY": { "type": "boolean", "description": "Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True", "x-example": True, }, "REPO_MIRROR_SERVER_HOSTNAME": { "type": "string", "description": "Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset", "x-example": "openshift-quay-service", }, # Feature Flag: V1 push restriction. 
"V1_PUSH_WHITELIST": { "type": "array", "description": "The array of namespace names that support V1 push if FEATURE_RESTRICTED_V1_PUSH is set to true.", "x-example": ["some", "namespaces"], }, # Logs model "LOGS_MODEL": { "type": "string", "description": "Logs model for action logs", "enum": ["database", "transition_reads_both_writes_es", "elasticsearch"], "x-example": "database", }, "LOGS_MODEL_CONFIG": { "type": "object", "description": "Logs model config for action logs", "x-reference": "https://www.elastic.co/guide/en/elasticsearch/guide/master/_index_settings.html", "properties": { "producer": { "type": "string", "description": "Logs producer if logging to Elasticsearch", "enum": ["kafka", "elasticsearch", "kinesis_stream"], "x-example": "kafka", }, "elasticsearch_config": { "type": "object", "description": "Elasticsearch cluster configuration", "properties": { "host": { "type": "string", "description": "Elasticsearch cluster endpoint", "x-example": "host.elasticsearch.example", }, "port": { "type": "number", "description": "Elasticsearch cluster endpoint port", "x-example": 1234, }, "access_key": { "type": "string", "description": "Elasticsearch user (or IAM key for AWS ES)", "x-example": "some_string", }, "secret_key": { "type": "string", "description": "Elasticsearch password (or IAM secret for AWS ES)", "x-example": "some_secret_string", }, "aws_region": { "type": "string", "description": "Amazon web service region", "x-example": "us-east-1", }, "use_ssl": { "type": "boolean", "description": "Use ssl for Elasticsearch. 
Defaults to True", "x-example": True, }, "index_prefix": { "type": "string", "description": "Elasticsearch's index prefix", "x-example": "logentry_", }, "index_settings": { "type": "object", "description": "Elasticsearch's index settings", }, }, }, "splunk_config": { "type": "object", "description": "Logs model config for splunk action logs/ splunk cluster configuration", "x-reference": "https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python" "/howtousesplunkpython/howtogetdatapython#To-add-data-directly-to-an-index", "properties": { "host": { "type": "string", "description": "Splunk cluster endpoint", "x-example": "host.splunk.example", }, "port": { "type": "number", "description": "Splunk management cluster endpoint port", "x-example": 1234, }, "bearer_token": { "type": "string", "description": "Bearer_Token for splunk.See: " "https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python" "/howtousesplunkpython/howtoconnectpython/#Log-in-using-a-bearer-token", "x-example": "us-east-1", }, "url_scheme": { "type": "string", "description": "The url scheme for accessing the splunk service. If Splunk is behind SSL" "*at all*, this *must* be `https`", "enum": ["http", "https"], "x-example": "https", }, "verify_ssl": { "type": "boolean", "description": "Enable (True) or disable (False) SSL verification for https connections." 
"Defaults to True", "x-example": True, }, "index_prefix": { "type": "string", "description": "Splunk's index prefix", "x-example": "splunk_logentry_", }, "ssl_ca_path": { "type": "string", "description": "*Relative container path* to a single .pem file containing a CA " "certificate for SSL verification", "x-example": "conf/stack/ssl-ca-cert.pem", }, }, }, "splunk_hec_config": { "type": "object", "description": "Logs model config for splunk HTTP event collector action logs configuration", "x-reference": "https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector#More_information_on_HEC_for_developers", "properties": { "host": { "type": "string", "description": "Splunk cluster endpoint", "x-example": "host.splunk.example", }, "port": { "type": "number", "description": "Splunk management cluster endpoint port", "x-example": 8080, "default": 443, }, "hec_token": { "type": "string", "description": "HEC token for splunk.", "x-example": "1ad4d7bb-eed9-443a-897d-29e3b27df7a8", }, "url_scheme": { "type": "string", "description": "The url scheme for accessing the splunk service. If Splunk is behind SSL" "*at all*, this *must* be `https`", "enum": ["http", "https"], "x-example": "https", "default": "https", }, "verify_ssl": { "type": "boolean", "description": "Enable (True) or disable (False) SSL verification for https connections." 
"Defaults to True", "x-example": True, "default": True, }, "ssl_ca_path": { "type": "string", "description": "*Relative container path* to a single .pem file containing a CA " "certificate for SSL verification", "x-example": "conf/stack/ssl-ca-cert.pem", }, "index": { "type": "string", "description": "The splunk index to use (overrides the token's default index).", "x-example": "main", }, "splunk_host": { "type": "string", "description": "The host name to log this event with (Defaults to the configured server hostname).", "x-example": "quay.dev", "default": "configured server hostname", }, "splunk_sourcetype": { "type": "string", "description": "The name of the Splunk sourcetype to use.", "x-example": "quay-sourcetype", "default": "access_combined", }, "timeout": { "type": "number", "description": "Timeout in seconds for HTTP requests to Splunk HEC endpoint. Prevents requests from hanging indefinitely when Splunk is unresponsive.", "x-example": 10, "default": 10, "minimum": 1, "maximum": 15, }, }, "required": ["host", "hec_token"], }, "kafka_config": { "type": "object", "description": "Kafka cluster configuration", "properties": { "bootstrap_servers": { "type": "array", "description": "List of Kafka brokers to bootstrap the client from", "uniqueItems": True, "items": { "type": "string", }, }, "topic": { "type": "string", "description": "Kafka topic to publish log entries to", "x-example": "logentry", }, "max_block_seconds": { "type": "number", "description": "Max number of seconds to block during a `send()`, either because the buffer is full or metadata unavailable", "x-example": 10, }, }, }, "kinesis_stream_config": { "type": "object", "description": "AWS Kinesis Stream configuration", "properties": { "stream_name": { "type": "string", "description": "Kinesis stream to send action logs to", "x-example": "logentry-kinesis-stream", }, "aws_region": { "type": "string", "description": "AWS region", "x-example": "us-east-1", }, "aws_access_key": { "type": "string", 
"description": "AWS access key", "x-example": "some_access_key", }, "aws_secret_key": { "type": "string", "description": "AWS secret key", "x-example": "some_secret_key", }, "connect_timeout": { "type": "number", "description": "Number of seconds before timeout when attempting to make a connection", "x-example": 5, }, "read_timeout": { "type": "number", "description": "Number of seconds before timeout when reading from a connection", "x-example": 5, }, "retries": { "type": "number", "description": "Max number of attempts made on a single request", "x-example": 5, }, "max_pool_connections": { "type": "number", "description": "The maximum number of connections to keep in a connection pool", "x-example": 10, }, }, }, }, }, # Feature Flag: Blacklist Email Domains "FEATURE_BLACKLISTED_EMAILS": { "type": "boolean", "description": "If set to true, no new User accounts may be created if their email domain is blacklisted.", "x-example": False, }, # Blacklisted Email Domains "BLACKLISTED_EMAIL_DOMAINS": { "type": "array", "description": "The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.", "x-example": ["example.com", "example.org"], }, "FRESH_LOGIN_TIMEOUT": { "type": "string", "description": "The time after which a fresh login requires users to reenter their password", "x-example": "5m", }, # Webhook blacklist. "WEBHOOK_HOSTNAME_BLACKLIST": { "type": "array", "description": "The set of hostnames to disallow from webhooks when validating, beyond localhost", "x-example": ["somexternaldomain.com"], }, "FEATURE_AUTO_PRUNE": { "type": "boolean", "description": "If set to true, auto pruning of images is supported. Defaults to False", "x-example": False, }, "DEFAULT_NAMESPACE_AUTOPRUNE_POLICY": { "type": "object", "description": "Default org wide auto prune policy. 
Defaults to empty", "x-example": {"number_of_tags": "10"}, }, }, }


if __name__ == "__main__":
    # Script entry point: serialize CONFIG_SCHEMA to a JSON file.
    # The path is relative, so the file is created in the current working
    # directory, and mode "w" truncates any existing file of the same name.
    # NOTE(review): every "x-example" value is written out verbatim, including
    # those of the credential fields (secret_key, aws_secret_key, bearer_token,
    # hec_token), so these examples should stay placeholders. The bearer_token
    # example ("us-east-1") looks copied from aws_region; confirm it is intended.
    schema_path = "quay-config-schema.json"
    with open(schema_path, "w") as schema_file:
        json.dump(CONFIG_SCHEMA, schema_file)