Quay

QuayAccessToken creates a short-lived Quay access token that can be used to authenticate against quay.io or a self-hosted Quay instance in order to push or pull images. This requires a Quay Robot Account configured to federate with a Kubernetes service account.

Output Keys and Values

Key        Description
registry   Domain name of the registry you are authenticating to (defaults to quay.io).
auth       Base64-encoded authentication string.
expiry     Time when the token expires, in UNIX time (seconds since January 1, 1970 UTC).

Authentication

To configure Robot Account federation, your cluster must have a publicly reachable OIDC service account issuer endpoint that Quay can validate tokens against. You can determine the issuer and subject fields by creating and decoding a service account token for the service account you wish to federate with (this is the service account you will reference in spec.serviceAccountRef). For example, when federating with the default service account in the default namespace:

Obtain the issuer (the JWT payload segment is base64url without padding, so it is converted to standard base64 and padded before decoding):

kubectl create token default -n default | cut -d '.' -f 2 | tr '_-' '/+' | awk '{ printf "%s%s\n", $0, substr("==", 1, (4 - length($0) % 4) % 4) }' | base64 -d | jq -r '.iss'

Obtain the subject:

kubectl create token default -n default | cut -d '.' -f 2 | tr '_-' '/+' | awk '{ printf "%s%s\n", $0, substr("==", 1, (4 - length($0) % 4) % 4) }' | base64 -d | jq -r '.sub'

Then follow Quay's robot account federation instructions to create the robot account and register the issuer and subject obtained above as its federated identity.

Example Manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: QuayAccessToken
metadata:
  name: my-quay-token
  namespace: default
spec:
  url: "quay.io"
  robotAccount: "quay_user_or_org+robot_account_name"
  serviceAccountRef:
    name: "default"
    namespace: "default"

Example ExternalSecret that references the Quay generator:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: quay-credentials
  namespace: default
spec:
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: QuayAccessToken
          name: my-quay-token
  refreshInterval: 55m # Tokens are good for 1 hour
  target:
    name: quay-credentials
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "{{ .registry }}": {
                "auth": "{{ .auth }}"
              }
            }
          }
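As an added example (not part of the external-secrets project or this page's own code), the following Python does in one place what the procedure above does by hand: it reads iss and sub from a service account token the way the kubectl pipeline does, and it checks a generator output (registry, auth, expiry) against the spec and the refreshInterval before it is written as a pull secret. The token, claims, robot account name and generator output are all constructed sample values.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample service account token (header.payload.signature); the
# signature is a placeholder since only the claims are read here.
_CLAIMS = {"iss": "https://oidc.example.com/cluster-a",  # hypothetical issuer
           "sub": "system:serviceaccount:default:default",
           "aud": ["https://kubernetes.default.svc"], "iat": 1700000000, "exp": 1700003600}
SAMPLE_SA_TOKEN = ".".join([_b64url(b'{"alg":"RS256","kid":"k1"}'),
                            _b64url(json.dumps(_CLAIMS).encode()), _b64url(b"signature")])

# Constructed sample of what the generator writes; the token value is a placeholder.
SAMPLE_OUTPUT = {"registry": "quay.io",
                 "auth": base64.b64encode(b"myorg+ci_robot:PLACEHOLDER_TOKEN").decode(),
                 "expiry": 1700003600}


def federation_identity(token: str) -> tuple[str, str]:
    """Return (iss, sub) from a JWT payload: base64url with padding restored, no signature check."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["iss"], claims["sub"]


def check_generator_output(out: dict, spec: dict, refresh_interval_s: int, now: float) -> list[str]:
    """List problems with a QuayAccessToken output given spec.url, spec.robotAccount and refreshInterval."""
    problems = []
    if out["registry"] != spec["url"]:
        problems.append(f"registry {out['registry']!r} does not match spec.url {spec['url']!r}")
    try:
        user, sep, secret = base64.b64decode(out["auth"], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        problems.append("auth is not valid base64")
    else:
        if not sep or not secret:
            problems.append("auth does not decode to user:token")
        elif user != spec["robotAccount"]:
            problems.append(f"auth user {user!r} is not the configured robot account")
    remaining = int(out["expiry"]) - now
    if remaining <= 0:
        problems.append("token already expired")
    elif remaining < refresh_interval_s:  # secret would hold an expired token before the next refresh
        problems.append("refreshInterval exceeds remaining token lifetime; the secret will go stale")
    return problems
```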