Quay Migration Steps
Snapshot or Backup Quay DB
- In AWS RDS select your Quay database and press the `Instance Actions` button.
- Select the `Take a Snapshot` menu option.
- In the `Take a Snapshot` window enter a name to use for the snapshot and press the `Take Snapshot` option.
Restore the Quay Database in the new VPC
- Once the snapshot is complete select the snapshot, press the `Snapshot Actions` button and select the `Restore Snapshot` menu option.
- In the `Restore DB Instance` page modify the following options:
  - Set `Multi-AZ Deployment` to `Yes`.
  - Set `DB Instance Identifier` to a unique DB instance name.
  - Set `VPC` to the VPC you are migrating your Quay instance to.
  - Set
- Press `Restore DB Instance`.
- After the Quay database has been restored, record its new hostname by going to the database's details pane and finding its `Endpoint`.
Snapshot Clair DB
- In AWS RDS select your Clair database and press the `Instance Actions` button.
- Select the `Take a Snapshot` menu option.
- In the `Take a Snapshot` window enter a name to use for the snapshot and press the `Take Snapshot` option.
Restore the Clair Database in the new VPC
- Once the snapshot is complete select the snapshot, press the `Snapshot Actions` button and select the `Restore Snapshot` menu option.
- In the `Restore DB Instance` page modify the following options:
  - Set `Multi-AZ Deployment` to `Yes`.
  - Set `DB Instance Identifier` to a unique DB instance name.
  - Set `VPC` to the VPC you are migrating your Clair instance to.
  - Set
- Press `Restore DB Instance`.
- After the Clair database has been restored, record its new hostname by going to the database's details pane and finding its `Endpoint`.
Deploy Quay in the new cluster
Use the docs located at [http://coreos.com/quay-enterprise/docs/latest/tectonic] to deploy Quay Enterprise into the new cluster.
After all the Quay objects have been created configure the new Quay Enterprise pods with the previous cluster's configuration:
- Copy the config secret from the previous cluster:
  - `kubectl get secret quay-enterprise-config-secret -n <quay enterprise namespace> -o yaml > secret-config.yaml`
- Open `secret-config.yaml` and copy the base64-encoded `config.yaml` data to a file named `old-config.yaml`. (A Kubernetes Secret only base64-encodes its contents; it does not encrypt them.)
- Decode the contents of `old-config.yaml`:
  - `base64 -d old-config.yaml > config.yaml`
- Edit `config.yaml` and replace the previous cluster's DB endpoint with the new one in the `DB_URI` line. For example:
  - Old cluster `DB_URI`: `mysql+pymysql://quayusername:quaypassword@quay-dev-OLD_ENDPOINT.cm3g0q5rykym.us-west-2.rds.amazonaws.com/quaydb`
  - New cluster `DB_URI`: `mysql+pymysql://quayusername:quaypassword@quay-dev-NEW_ENDPOINT.cm3g0q5rykym.us-west-2.rds.amazonaws.com/quaydb`
- Encode the new config file (`-w 0` keeps the output on a single line, as the secret expects):
  - `base64 -w 0 config.yaml > secret.yaml`
- Replace the `config.yaml` portion of `secret-config.yaml` with the contents of `secret.yaml`.
- Replace the current Quay Enterprise config secret with the new contents of `secret-config.yaml` (`cat secret-config.yaml` prints it). It's easiest to copy the new secret definition in using `kubectl edit`:
  - `kubectl edit secret -n <quay enterprise namespace> quay-enterprise-config-secret`
- Once the config secret has been updated, restart the Quay Enterprise pod running in the new cluster:
  - `kubectl get pods -n <quay enterprise namespace> | grep quay-enterprise`
  - `kubectl delete pod -n <quay enterprise namespace> <quay enterprise pod name>`
- The decoded `config.yaml` and `secret-config.yaml` contain the database credentials in clear text, so delete these working files once the secret has been updated.
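The secret-rewriting steps above as one script, added here as an example and not part of the original article: it pulls the base64-encoded `config.yaml` out of an exported secret, swaps only the host in the `DB_URI` line, re-encodes it on a single line, and refuses to emit an unchanged secret when the old host is not found (the failure mode that would leave the new cluster pointed at the old database). It assumes GNU coreutils `base64`/`sed`, uses a constructed sample secret in place of `kubectl get secret` output, and leaves the `kubectl edit` step to the operator.

```shell
#!/bin/sh
# Added example, not from the original article. Rewrites the DB endpoint inside the
# base64-encoded config.yaml of an exported Quay Enterprise config secret.
# Assumes GNU coreutils base64/sed (for `base64 -w 0`).
set -eu

# Constructed stand-in for `kubectl get secret quay-enterprise-config-secret -o yaml`;
# a real secret carries many more config keys than these two.
make_sample_secret() {
  cfg='DB_URI: mysql+pymysql://quayusername:quaypassword@quay-dev-OLD_ENDPOINT.cm3g0q5rykym.us-west-2.rds.amazonaws.com/quaydb
PREFERRED_URL_SCHEME: https'
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: quay-enterprise-config-secret\ndata:\n  config.yaml: %s\n' \
    "$(printf '%s\n' "$cfg" | base64 -w 0)"
}

# rewrite_db_host SECRET_FILE OLD_HOST NEW_HOST  -> updated secret on stdout
# Decodes data["config.yaml"], replaces the host after '@' on the DB_URI line only,
# and re-encodes on a single line as the Secret expects.
rewrite_db_host() {
  secret_file=$1; old_host=$2; new_host=$3
  encoded=$(sed -n 's/^  config\.yaml: //p' "$secret_file")
  decoded=$(printf '%s' "$encoded" | base64 -d)
  updated=$(printf '%s\n' "$decoded" | sed "/^DB_URI:/ s|@${old_host}|@${new_host}|")
  # Refuse to emit an unchanged secret: silently keeping the old endpoint would
  # leave the new cluster talking to the old database.
  if [ "$updated" = "$decoded" ]; then
    echo "rewrite_db_host: '$old_host' not found in DB_URI" >&2
    return 1
  fi
  reencoded=$(printf '%s\n' "$updated" | base64 -w 0)
  sed "s|^  config\.yaml: .*|  config.yaml: ${reencoded}|" "$secret_file"
}

# Show the DB_URI line of a secret file's decoded config (used to verify the result).
db_uri_of() {
  sed -n 's/^  config\.yaml: //p' "$1" | base64 -d | grep '^DB_URI:'
}
```

Run it as `rewrite_db_host secret-config.yaml <old endpoint> <new endpoint> > new-secret-config.yaml` and check `db_uri_of new-secret-config.yaml` before feeding the result to `kubectl edit`.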
Update your DNS to point to the new Quay service endpoint.
Deploy Clair in the new cluster
- Copy the following config to a file named `config.yaml`, modifying the values below:
  - Username used to access the Clair DB
  - Password used to access the Clair DB
  - Database endpoint created when the Clair DB was migrated above
  - Name of the Clair database
  - Hostname used to access Clair, which can be a publicly routable FQDN or a service name internal to the Kubernetes cluster
```yaml
clair:
  database:
    # A PostgreSQL Connection string pointing to the Clair Postgres database.
    # Documentation on the format can be found at: http://www.postgresql.org/docs/9.4/static/libpq-connect.html
    # sslmode=disable sends the database connection in the clear; use sslmode=require
    # (or verify-full) where the RDS instance is reachable over TLS.
    source: postgres://<CLAIRDB USERNAME>:<CLAIRDB PASSWORD>@<NEW CLAIR DB ENDPOINT>:5432/<CLAIR DB NAME>?sslmode=disable
    cachesize: 16384
  api:
    # The port at which Clair will report its health status. For example, if Clair is running at
    # https://clair.mycompany.com, the health will be reported at
    # http://clair.mycompany.com:6061/health.
    healthport: 6061
    port: 6062
    timeout: 900s
    # paginationkey can be any random set of characters. *Must be the same across all Clair instances*.
    paginationkey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
  updater:
    # interval defines how often Clair will check for updates from its upstream vulnerability databases.
    interval: 6h
  notifier:
    attempts: 3
    renotifyinterval: 1h
    http:
      # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
      # For example: https://myregistry.mycompany.com
      endpoint: https://<QUAY HOSTNAME>/secscan/notify
      proxy: http://localhost:6063
jwtproxy:
  signer_proxy:
    enabled: true
    listen_addr: :6063
    ca_key_file: /certificates/mitm.key # Generated internally, do not change.
    ca_crt_file: /certificates/mitm.crt # Generated internally, do not change.
    signer:
      issuer: security_scanner
      expiration_time: 5m
      max_skew: 1m
      nonce_length: 32
      private_key:
        type: autogenerated
        options:
          rotate_every: 12h
          key_folder: /config/
          key_server:
            type: keyregistry
            options:
              # The ID of the service key generated for Clair. The ID is returned when setting up
              # the key in [Quay Enterprise Setup](security-scanning.html)
              registry: https://<QUAY HOSTNAME>/keys/
          private_key_path: /config/security_scanner.pem
  verifier_proxies:
    - enabled: true
      # The port at which Clair will listen.
      listen_addr: :6060
      # If Clair is to be served via TLS, uncomment these lines. See the "Running Clair under TLS"
      # section below for more information.
      # key_file: /config/clair.key
      # crt_file: /config/clair.crt
      verifier:
        # CLAIR_ENDPOINT is the endpoint at which this Clair will be accessible. Note that the port
        # specified here must match the listen_addr port a few lines above this.
        # Example: https://myclair.mycompany.com:6060
        audience: http://<CLAIR HOSTNAME>:6060
        upstream: http://localhost:6062
        key_server:
          type: keyregistry
          options:
            # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
            # Example: https://myregistry.mycompany.com
            registry: https://<QUAY HOSTNAME>/keys/
```
- Create a secret for Clair by running the following:
  - `kubectl create secret generic clairsecret --from-file=./config.yaml -n quay-enterprise`
- Create a Clair service in the new cluster by copying the following into a file named `clair-service.yaml`:

```yaml
apiVersion: v1
kind: Service
metadata:
  namespace: quay-enterprise
  name: quay-clair
  labels:
    quay-clair-component: app
spec:
  type: LoadBalancer
  ports:
    - port: 6060
      protocol: TCP
      targetPort: 6060
      name: jwt
    - port: 6061
      protocol: TCP
      targetPort: 6061
      name: healthz
  selector:
    quay-clair-component: app
```
- Create the Clair Service by running the following command:
  - `kubectl create -f clair-service.yaml`
- Deploy the Clair App by copying the following to a file named `clair-app.yaml`:

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: quay-enterprise
  name: quay-clair-app
  labels:
    quay-clair-component: app
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      namespace: quay-enterprise
      labels:
        quay-clair-component: app
    spec:
      containers:
        - name: quay-clair-app
          image: quay.io/coreos/clair-jwt:v1.2.6
          ports:
            - containerPort: 6060
            - containerPort: 6061
          volumeMounts:
            - mountPath: /config
              name: secret-volume
      imagePullSecrets:
        - name: coreos-pull-secret
      volumes:
        - name: secret-volume
          secret:
            secretName: clairsecret
```

- Deploy the Clair application by running the following command:
  - `kubectl create -f clair-app.yaml`
- Update your DNS to point your Clair FQDN to the new service endpoint.