IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at and

Setting up Quay on an ARO cluster via CLI

Kristopher White x Connor Wooley


Pre Requisites


Create Azure Resources

  1. Create Storage Account

    az login
    az group create --name <resource-group>  --location <location>
    az storage account create --name <storage-account> --resource-group <resource-group> \ --location eastus --sku Standard_LRS --kind  StorageV2
  2. Create Storage Container

    az storage account keys list --account-name <storage_account_name> --resource-group <resource_group> --output yaml

    Note: this command returns a json by default with your keyName and Values, command above specifies yaml

    az storage container create --name <container_name> --public-access blob \ --account-name <AZURE_STORAGE_ACCOUNT> --account-key <AZURE_STORAGE_ACCOUNT_KEY>

    Note: Will need the storage container creds for later use

Install Quay-Operator and Create Quay Registry

  1. Login to your cluster’s OCM

  2. Create a sub.yaml file with this template to install the quay operator

    kind: Subscription
        name: quay-operator
        namespace: <namespace>
        channel: <release_channel>
        name: quay-operator
        source: redhat-operators
        sourceNamespace: openshift-marketplace
        startingCSV: quay-operator.<version>
    oc apply -f sub.yaml
  3. Create the Quay Registry

    1. Create the Azure Storage Secret Bundle

      • Create a config.yaml file that injects the azure resource info from the storage container created in step 2 of Create Azure Resources
          - AzureStorage
          - azure_account_key: <AZURE_STORAGE_ACCOUNT_KEY>
              azure_account_name: <AZURE_STORAGE_ACCOUNT>
              azure_container: <AZURE_CONTAINER_NAME>
              storage_path: /datastorage/registry
      - local_us
      - local_us
      oc create secret generic --from-file config.yaml=./config.yaml -n <namespace> <config_bundle_secret_name>
    2. Create the Quay Registry with the Secret

      • Create a quayregistry.yaml file with this format
        kind: QuayRegistry
            name: <registry_name>
            namespace: <namespace>
                - quay-operator/finalizer
            generation: 3
            configBundleSecret: <config_bundle_secret_name>
                - kind: clair
                managed: true
                - kind: postgres
                managed: true
                - kind: objectstorage
                managed: false
                - kind: redis
                managed: true
                - kind: horizontalpodautoscaler
                managed: true
                - kind: route
                managed: true
                - kind: mirror
                managed: true
                - kind: monitoring
                managed: true
                - kind: tls
                managed: true
                - kind: quay
                managed: true
                - kind: clairpostgres
                managed: true```
      oc create -n <namespace> -f quayregistry.yaml
  4. Login to your Quay Registry and begin pushing images to it!

Note: This configuration does not support in-cluster authentication integration with the quay deployment. User Management with the registry is handled by the registry.