Consider deploying the helm stable/nginx-ingress chart, as the upstream nginx ingress controller is not configured to support cross-namespace ingress resources. The following manifests could likely be used with an ingress controller deployed to the quay-enterprise namespace if an ingress controller per namespace is being used.
First, create a ClusterIP service for Quay Enterprise:
apiVersion: v1
kind: Service
metadata:
  name: quay-enterprise
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    quay-enterprise-component: app
  sessionAffinity: None
  type: ClusterIP
Next, create a TLS secret object. This will be used as the SSL cert for the registry. While it is not ideal to have the LB/ingress terminate TLS, there is no known nginx-ingress configuration that will correctly route to the registry backend when using the docker CLI (push/pull) without defining TLS in the ingress resource.
If the Using SSL to Protect Quay Enterprise guide was followed, the values of the ingress resource manifest are tls.crt = ssl.cert and tls.key = ssl.key.
Encode the contents of these files like so:
base64 -w 0 ssl.cert
apiVersion: v1
data:
  tls.crt: <base64 encoded string>
  tls.key: <base64 encoded string>
kind: Secret
metadata:
  name: registry-tls
  namespace: quay-enterprise
type: Opaque
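As an added example (not part of the original guide), the shell functions below build the Secret manifest above from ssl.cert and ssl.key and refuse to continue if the two files look swapped or are not PEM. The function names, the PEM header checks and the output file name registry-tls.yaml are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the registry-tls Secret from ssl.cert and ssl.key.
# Function names and the output file name are hypothetical.

# Encode a file as one unwrapped base64 line (same result as GNU `base64 -w 0`).
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Print the Secret manifest on stdout; return non-zero if an input looks wrong.
make_registry_tls_secret() {
  cert=$1
  key=$2
  [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 1; }
  # tls.crt must hold a certificate and never private key material.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || {
    echo "$cert: no PEM certificate found" >&2; return 2; }
  if grep -q -e 'PRIVATE KEY-----' "$cert"; then
    echo "$cert: contains a private key" >&2; return 2
  fi
  # tls.key must hold a PEM private key (PKCS#8, RSA or EC header).
  grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" || {
    echo "$key: no PEM private key found" >&2; return 3; }
  cat <<EOF
apiVersion: v1
data:
  tls.crt: $(b64_oneline "$cert")
  tls.key: $(b64_oneline "$key")
kind: Secret
metadata:
  name: registry-tls
  namespace: quay-enterprise
type: Opaque
EOF
}

# Called with two arguments (cert, key): write the manifest readable by the
# owner only, because base64 is an encoding and the key inside is not encrypted.
if [ "$#" -eq 2 ]; then
  umask 077
  make_registry_tls_secret "$1" "$2" > registry-tls.yaml
fi
```

Run it as `sh make-secret.sh ssl.cert ssl.key` (script name assumed) and keep the resulting file out of version control, since it carries the registry's private key.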
From the QE superuser panel, navigate to Server Configuration, TLS, and select "My own load balancer handles TLS". Save the config and recycle the quay-enterprise-app pod so the new configuration is deployed.
If the step above is done properly, the config.yaml for Quay Enterprise will contain:
EXTERNAL_TLS_TERMINATION: true
PREFERRED_URL_SCHEME: https
Deploy the quay-enterprise ingress resource, be sure to replace
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  name: quay-enterprise
spec:
  rules:
  - host: registry.example.com
    http:
      paths:
      - backend:
          serviceName: quay-enterprise
          servicePort: 80
        path: /
  tls:
  - hosts:
    - registry.example.com
    secretName: registry-tls