IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at and

Setting up Quay on an ARO cluster via CLI

Authors: Kristopher White, Connor Wooley
Last Editor: flozanorht
Published Date: 25 July 2022
Modified Date: 13 September 2023

Pre Requisites


Create Azure Resources

  1. Create Storage Account

    az login
    az group create --name <resource-group>  --location <location>
    az storage account create --name <storage-account> --resource-group <resource-group> \ --location eastus --sku Standard_LRS --kind  StorageV2
  2. Create Storage Container

    az storage account keys list --account-name <storage_account_name> --resource-group <resource_group> --output yaml

    Note: this command returns a json by default with your keyName and Values, command above specifies yaml

    az storage container create --name <container_name> --public-access blob \ --account-name <AZURE_STORAGE_ACCOUNT> --account-key <AZURE_STORAGE_ACCOUNT_KEY>

    Note: Will need the storage container creds for later use

Install Quay-Operator and Create Quay Registry

  1. Login to your cluster’s OCM

  2. Create a sub.yaml file with this template to install the quay operator

    kind: Subscription
        name: quay-operator
        namespace: <namespace>
        channel: <release_channel>
        name: quay-operator
        source: redhat-operators
        sourceNamespace: openshift-marketplace
        startingCSV: quay-operator.<version>
    oc apply -f sub.yaml
  3. Create the Quay Registry

    1. Create the Azure Storage Secret Bundle

      • Create a config.yaml file that injects the azure resource info from the storage container created in step 2 of Create Azure Resources
          - AzureStorage
          - azure_account_key: <AZURE_STORAGE_ACCOUNT_KEY>
            azure_account_name: <AZURE_STORAGE_ACCOUNT>
            azure_container: <AZURE_CONTAINER_NAME>
            storage_path: /datastorage/registry
      - local_us
      - local_us
      oc create secret generic --from-file config.yaml=./config.yaml -n <namespace> <config_bundle_secret_name>
    2. Create the Quay Registry with the Secret

      • Create a quayregistry.yaml file with this format
        kind: QuayRegistry
            name: <registry_name>
            namespace: <namespace>
                - quay-operator/finalizer
            generation: 3
            configBundleSecret: <config_bundle_secret_name>
                - kind: clair
                  managed: true
                - kind: postgres
                  managed: true
                - kind: objectstorage
                  managed: false
                - kind: redis
                  managed: true
                - kind: horizontalpodautoscaler
                  managed: true
                - kind: route
                  managed: true
                - kind: mirror
                  managed: true
                - kind: monitoring
                  managed: true
                - kind: tls
                  managed: true
                - kind: quay
                  managed: true
                - kind: clairpostgres
                  managed: true```
      oc create -n <namespace> -f quayregistry.yaml
  4. Login to your Quay Registry and begin pushing images to it!

Note: This configuration does not support in-cluster authentication integration with the quay deployment. User Management with the registry is handled by the registry.