Quay.io backend S3 storage

[BostjanBozic]

Hello,

I wonder if someone can point me to documentation (or provide me with a list) regarding Quay's backing S3 buckets?

Reason why I would need this information is that we are using AWS VPC S3 gateway endpoint with Endpoint policy and I need to whitelist quay.io there (traffic goes through VPC S3 endpoint, since CloudFront is pointing toward S3 buckets for image layers.

Thank you and best regards,
Bostjan

[BillDett]

Bostjan- we actually document this thru OpenShift: https://docs.openshift.com/container-platform/4.11/installing/install_config/configuring-firewall.html <https://docs.openshift.com/container-platform/4.11/installing/install_config/configuring-firewall.html> Hope that helps, Bill Dettelback He/Him Sr. Engineering Manager, Quay / OpenShift Registry Red Hat  <https://www.redhat.com/> <https://www.redhat.com/>

…

On Nov 7, 2022, at 8:01 AM, Bostjan Bozic ***@***.***> wrote: Hello, I wonder if someone can point me to documentation (or provide me with a list) regarding Quay's backing S3 buckets? Reason why I would need this information is that we are using AWS VPC S3 gateway endpoint with Endpoint policy and I need to whitelist quay.io there (traffic goes through VPC S3 endpoint, since CloudFront is pointing toward S3 buckets for image layers. Thank you and best regards, Bostjan — Reply to this email directly, view it on GitHub <#1612>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABQYQXZJ45CYXXYVUP46D3WHD4S5ANCNFSM6AAAAAARZFKBEM>. You are receiving this because you are subscribed to this thread.

[BostjanBozic]

Hello Bill,

thank you for fast reply on this. Perfect, for some reason I was going through Quay code and docs, never considered checking OpenShift docs :) Adding quayio-production-s3 to my VPC S3 endpoint policy resolved the issue.

Thank you again!

[prashant0085]

@BostjanBozic how did you added the bucket in your policy? by following name quayio-production-s3.s3.amazonaws.com or s3 arn like this arn:aws:s3:::quayio-production-s3/*.

Please let me know.

Thanks

[BostjanBozic]

@prashant0085 I added is as following (added some other ones there as well to cover DockerHub, gcr.io and some others (GetObject permission is added there):

"arn:aws:s3:::docker-images-prod/*",
"arn:aws:s3:::jfrog-prod-use1-shared-virginia-main/*",
"arn:aws:s3:::prod-registry-k8s-io-*",
"arn:aws:s3:::prod-${var.aws_region}-starport-layer-bucket/*",
"arn:aws:s3:::quayio-production-s3/*",
"arn:aws:s3:::repo.${var.aws_region}.amazonaws.com/*"

[prashant-tala]

@BostjanBozic Thanks,

I had added starport and k8s registry but quay and docker s3 bucket were missing, Adding them fixed the issue.