Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / Quay | OpenShift / 20 May 2020
Red Hat OpenShift / Quay | OpenShift / 20 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: What's new in Red Hat Quay 3.3: Deeper integration with Red Hat OpenShift (May, 2020)

Description

Introduction to the latest features in the Red Hat Quay 3.3 release.

To learn more about the Quay 3.3 features, please visit: https://www.redhat.com/en/blog/red-hat-quay-33-deeper-integration-red-hat-openshift

A

Hello and welcome to this what's new in cuase, we don't recession. Well, I would like to briefly show you all the great stuff which is coming out with our most recent version of redhead quake. I, hope that you are as excited as I am because there's really something for everybody in this new release. Let me start with an high-level overview of all the stuff we were introduced with this new over the big.

A

The two big features are we will ship an entirely over old, a new version of clear the vulnerability scanner which is used by Claire. We will ship the initial Claire before version as a tech preview feature to get over square. The other thing is the quake Bridge operator, which runs on all the object: a stock, we're serving content to and integrates quai into the various openshift workflows and user experience somewhat similar to the existing internal registry user experience.

A

And then there are a couple of other great features we add to delete, such as the LDAP filtering and decree build enhancements for better tagging support, and we also added a couple of things on the locking Zayat and we introduced two other features as marketers take preview or experimental, which are probably pretty important for the open source community and for overshift, and we plan to stabilize and extend them in future releases of quai as well and then there's one item we already shipped with the most recent version of openshift.

A

We again enhanced the container security operator and D console integration of ratted Quay into the object console. So let me start with clear version. Four in case you don't know, quick clear is not only used by a quake whether the hoenn project way, it's also used by various other products and offerings out there, such as a WCC, our wall be available. We are using clear as the scanning backends for both corridor and breadhead Quay, and that's why scalability and sustainability is probably really important to us and effectively.

A

We obviously skipped the version 3, because the current we are using ink way sweeter SB, and this has been caused by a decision. We made pretty early basically saying that if we want to support all the items we plan to support or all the support today, then we probably need to change Claire in such a significant way that it might make sense. We do we factor the entire application and that's that's exactly what we did right.

A

So we introduced an entirely new, manifest oriented API instead of the layer based one and we had in the past, and we also introduced an entirely new architecture consisting of Claire, coy the service well, but there is a great recording out there, which explains the technology changes. We did underneath a little bit more detail. We also introduced from an end user perspective. Probably the most important thing is that we introduced the support for programming languages and initially we were start to support pison, probably because quai has been written in Python.

A

An initial languages are planned for future releases, of both creating clear and, of course, and another change we did is the way how Claire is integrated or speaks to Quay, and this is no based on content-addressable idea to really ensure that it's uniquely identifies the image as a whole and contrast to what we did in previous versions of quick healthcare. So from a side-by-side comparison, there are a couple of big differences.

A

If you just look at what we've done with Claire version, 2 versus what we do now with learn 4, and so it's no longer in monolithic application yeah. So we extended the report of the content of the containers of significant X and M, and we introduced that package management support. We introduced his support for source rpm package, which is required in order to leverage other security metadata than the ones we've used before, and this finally helps us to detect more more availabilities.

A

Then we found in the version of clear, so this is those are two screenshots from a demo which is also available out there, where you can basically see what happens if I scan exactly the same image, first using Claire, v2 and then as a second step using Claire before, and you might notice that there is a huge difference in the number of vulnerabilities which have been formed, and this is not only caused caused by the pison application vulnerabilities, which have been fun, but also it includes a couple of vulnerabilities on the OS level stack and because we are now using the extended security me that they are provided by the vendors of those distributions, and this effectively helps us to have a broader content coverage than we had before.

A

Another big thing we introduced is the brave kwai bridge operator. In the past. We sometimes call it the Kwai open trade integration operator. We just renamed it, and this is an operator. We really build and very strong collaboration with both our internal communities and the custom and community as well so out of the box. It supports, of course, multi cluster set up.

A

It has two because the primary purpose of Quay is to sort of content to multiple chef clusters, and it also features an open shift, both integration to change a couple of things which otherwise, you would have to configure our manually so from a very high-level perspective and open shift, namespace or the equivalent to an overshift name. Space is equate organization and there are a couple of downsides associated with this simple mapping. So an organization is also used as a tenant, which means in order to create a new organization.

A

We need to ensure that the different users and teams in this organization are mapped to the corresponding permissions on the opposite side. So, basically, what we do here is if it was in open shared somebody creates a new project. We automatically create the corresponding organization, was in quake and then automatically creates. We different, robotic horns in this organization. One was white permission and two others was big permission.

A

The support for multi-class term setups is of course, important, because we need to avoid that there are any name collisions because obviously the organization name was in a crane registry needs to be unique and we also do all the magic which is required in order to have the sequence management on the on the album shift size or the robotic. Current tokens are stored as a secret automatically.

A

The service accounts are configured and we also change the build configuration in order to leverage Norquay as the output destination for all images which have been built on an outward shift. Indeed, the key takeaway is, if you're using the quadrature operator, then you probably don't need to use the whole truth. Internal registry anymore, at least not for those bills which are executed in this way using the quadrature operator yeah. So it runs on all the orbit of testers square serving hunter tools.

A

So it's not limited to the orbit of cluster where quays running on, but it's really about all the other clusters. Quake-Hit serving content, and so in a couple of sample use. Kids are shown here. So I already explained the new project. Of course the same applies to a new application in order in your deployment and so on and so on. So there are plenty of use cases we will cover with the bridge operator and we will extend the list and amount of those use cases over time in future versions.

A

It's important to call our debt in its current versions or the initial version we will ship as part of spirits. We there are a couple of manual steps required before you can initially deploy the kwai bridge operator on an oak leaf cluster. All of them are called odd in the operator description shown in the embedded operator half so you just need to go through those description. We also did a recording explaining those a little bit in further detail as well.

A

The other operator we already introduced with querida 2 is the quake operator, formerly known as decreased set of operator, but since operators are primarily to ensure a better day to experience, we effectively, we named it because obviously the Quai operator has not been written just for the initial deployment, but it's also supposed to take care on their two aspects, and this is exactly the thing we changed now with the newer version of the quake operator.

A

Now the operator becomes aware of the changes which happen in the background, either using the quake on trigger or, if really needed, the changes directly happen in the quake. Config younger file as well. So the operator now is responsible for manage a couple of quai specific items which means in the future versions those files will even with mark as read only in the config act. Will you affect? Okay, those items have to be managed. Why are the operator we simplified a couple of things?

A

We changed a couple of things we extending the capabilities, but the biggest change is really that now the boss, the config, have anything operator doesn't need to be stopped or killed anymore right. So you can continue to run both and use both side by side. Again. You also can directly edit the config Yama file, which is absolutely not recommended, but it's still an option and for some of the changes which either happen, why they can't forget all the config on the file.

A

The operator even does a reconciliation loop for those changes which is pretty powerful and, as I said, we will continue the list after all, those changes and a better management over time, and then there are two features on the lock management side. So one is the log export and the other one is the locks by elastic. So let me start with the lock explorer what the log Explorer or feature provides.

A

You can basically go through the Quai UI or you can also use the API and you can define what kind locks I wanna export, so you can define a date range and whether you're using the export, the lock exporter, feature on a repository or an annexation level. This, of course, has an impact on the amount of log files which are captured and then exported. So there are two main export methods. The first one is email.

A

Then you get effectively a JSON output attached to the email, and this of course requires that the email have been configured properly and your quaid appointment and the other method is using a callback URL and then you get notified how and where to pull those exponent log files from an s3 bucket, which is pretty powerful as well um in the on the roadmap.

A

We have another item which have hasn't found its way into these sweet as we release, which is that those lock exporting functions are triggered in the pod track in the quality lock as well. Another feature we originally developed for query their own is instead of storing all the audit logs in the database.

A

We basically move them out into an elastic search, take which allows us to, of course way better scale immediate before, and this is especially required for large-scale query deployments and we have plenty of customers who are using quite F scale, and that's why these features we do put them pretty important. So from an end-user standpoint, looking at UI, nothing changes just it's just a change which happens in the backend.

A

Instead of pushing the logs to post quest, we are pushing them to a last edge, but still in the UI, you can see the same audit logs. You can see the same information, the same statistics, nothing really changes from and from a user perspective. In addition to just moving the logs a how to elastic search, you can also use an alternative. Lock could use so currently it's kinases only in future version consider to also support Cup coverage deployment as well.

A

So, basically, you just need to configure the lock storage configuration so there's a new section in the quick config app and then you need to follow the data and the same for Kinesis. If you plan to use it and that's it and start up from there, the locks are no longer stored in the database and instead pushed to elastic search, as I mentioned, we already shipped together with the newest version of OpenShift, a couple of changes and extensions for the overshift console and effectively. We now have a couple of additional list views.

A

We have a part use really the vulnerability information associated with a particular part, and we also have a couple of other views. We added to the openshift console and there was a very good blog post out there, written by our user experience team, which describes all those changes and new things we added with openshift Snoozeville.

A

Another feature we introduced is out of filtering, so users who are using LDAP or Active Directory, as the authentication back-end, can now restrict the access to quai with a couple of things they can specify, so they can specify a specific LDAP filter and then the result is stored in the config file and starting from there, only the users which are matching those filter was can login into quai.

A

Another feature we introduced, which is pretty powerful as well, is a custom tagging for the builders. So it's important to know that in the past we have been very opinionated on the way how we defined the resulting text of an image which has been build. We're equipping automation, so it has been either the branch name of what the branch which has triggered a build or has been the latest tag.

A

If it was the default branch and now we allowed to specify custom text, so you can deselect the default walls and then you can specify your custom text and this could be a static tag or dynamically Playtex. So it's pretty powerful in order to have more sophisticated ways to take, and of course, you can combine them and use multiple of them side by side.

A

Another feature which is marked a sec preview as of today, simply because the OCI distribution spec is still not an official standard. Yet we introduced the full support of the OCI, a distribution spec as it is as it exists today, and this probably makes us the first open-source registry both hosted on on-prem, which does support it. Also yeah OCI distribution spec in its current form, and this also allows us to do a couple of things.

A

This audio CI mine turns upon has been pretty important for us because we are driving a couple of things on the reddit site, such as source container, which require the mine type support, and initially some of the OCI provided test didn't pass and we submitted plans in order to fix them any meantime, most of those PRS have been got accepted and by the OCI initiative, and that's why we are. We are really proud that this has been passed now and we don't expect any really big changes before the final or CI distribution.

A

Spec comes out so probably from day one. We will be able to support the OCI spec after it has been finalized and published. Then another feature which is not even experimental about tech AB, which is not human tech preview of an experimental, is this report for the OCI artifacts back. So this is another initiative driven by OCI, which is primarily driven by Microsoft, IBM, redhead and docker, and the goal here is that you're, the the goal of the spec is to allow that you can store arbitrary content types in the registry.

A

So it's no longer limited to images, which also includes how charts inner boundaries company's deployment templates over your diploma templates. Whatever else so one of the co-founders and the the lead architect of rennet Quay is one of the maintenance of the spec, and this, of course enabled us to have a very early implementation and effectively working closely with the young community allowed us to introduce an initial hungry sweet child support as an experimental feature, an experimental really Unbounce, the Quay and the home client side.

A

It's not available incredible yet because Queiroz, a production environment and we do not enable experimental what even take beer officials who even do see. My entire support is only enabled on selected namespace. So, which means you need to enable or switch on a feature which is clearly marked as excrement on both the quayside in the config Yama file and on the home client side, and as of today, it's it's just for us. It's a very early pilot.

A

We want to get it out as early as we can in order to get the additional feedback and input from the community and our end users. We don't have any specific UI support, which means, if you go to the query, Y and push a hump out there, then, from a UI perspective, the hump shot looks similar like an image, but if you try to dock or pull a ham child, obviously it will fail.

A

Of course we will change and improve this over time, but keep in mind there is a certain risk that there won't be any upgrade pass from the experimental stairs to the final production version. We hopefully ship in one of the future version of quake. So, technically, you should be able to run a couple of a commands against Quay 400, as you previously did for Katrina images you can log in and log over to the registry. You can push and pull those home trials as you do for container images again, it's experimental feature.

A

We are working closely with the Absalom community order to improve this over time, and this is the last slide and in addition to all the stuff we introduced, we continue to deprecated a couple of feature which are no longer used, no longer maintainable or just they don't. They are not needed anymore. With the previous version of the oddest audited, application of rocket conversion between distribution, empty dhaka, v1 push support and was no mystery is now for the apps for the downstream product we did.

A

We started replication squashing, the application registry, which is hopefully being replaced with the artefact spec support. We just talked about it and we deprecated the images API. Obviously this has been replaced by the manifest API and we started to deprecate the commercial support for NFS and was this newest version software. That way- and this brings me to an end thanks for watching and enjoy our newest version of redhead quake.