What Is Quay In OpenShift?

Quay is an enterprise-grade, secure, and highly scalable container registry that is a key component of the Red Hat OpenShift ecosystem.

Feature	OpenShift's Internal Registry	Red Hat Quay
Primary Purpose	Simple in-cluster image storage for development workflows.	Robust, enterprise-scale repository for production environments.
High Availability	Not highly available; it uses local storage.	Built for high availability, with geo-replication and a scale-out architecture.
Security Scanning	Not included by default.	Includes a built-in vulnerability scanner powered by Clair, which continuously scans images for known issues.
Storage Backend	Limited to local storage.	Supports multiple scalable object storage backends, including Amazon S3, Azure Blob Storage, and OpenShift Data Foundation.
Access Control	Uses OpenShift's RBAC system, which is less granular for registry-specific access.	Offers fine-grained, team-based access control and integrates with enterprise authentication providers like LDAP and OIDC.
Integration	Tightly integrated with OpenShift's image streams and build system.	Features deeper integrations with CI/CD systems like GitHub and GitLab and supports advanced features like repository mirroring.

Quay elevates the security of your container supply chain, which is critical for production applications.

Vulnerability Scanning (Clair): Every image pushed to a Quay repository is automatically and continuously scanned for vulnerabilities. This provides a real-time report of any known vulnerabilities, which teams can use to block images with critical issues from being deployed.
Access Controls: Quay provides a sophisticated, organization-based access model. This allows you to manage permissions for users and teams with fine-grained control over repositories, ensuring only authorized personnel can read or write to specific image repositories.
Auditability: Every security-relevant event, from image pushes to access changes, is logged. This provides a comprehensive audit trail that is essential for compliance.

For large-scale, enterprise deployments, Quay's architecture is far more robust than the standard internal registry.

High Availability: Quay is designed to run in a distributed, highly available configuration. This protects against a single point of failure and ensures that container images are always available, which is crucial for production workloads.
Geo-replication: In a geographically distributed deployment, Quay can replicate images to multiple locations. This significantly improves push and pull performance for teams and clusters in different regions, reducing network latency.
External Storage: By utilizing object storage like Amazon S3 or OpenShift Data Foundation, Quay's storage can scale independently of your cluster, providing more flexible and resilient storage for your images.

Quay integrates deeply with OpenShift and external tools to automate and secure the software delivery pipeline.

Automated Builds: Quay can automatically build new container images whenever a developer commits code to a connected Git repository, such as GitHub or GitLab.
OpenShift Build Integration: The Quay Bridge Operator automatically re-writes OpenShift Build resources to push the resulting image to Quay instead of the internal registry. It can also automatically import image stream tags from Quay after a build is completed.
Robot Accounts: Automated systems and CI/CD pipelines can use "robot accounts" with OAuth tokens to securely interact with the registry. This provides a secure and auditable way for automation to access repositories.

Deploying and managing Quay on OpenShift is simplified through the Quay Operator, which automates the entire lifecycle of the registry.

Declarative Management: The Quay Operator uses the QuayRegistry Custom Resource (CR) to declaratively manage the registry. You define the desired state, and the Operator handles deploying and configuring all the necessary components, such as PostgreSQL, Redis, and Clair.
Component Management: The Operator can manage all of Quay's dependencies by default, or you can choose to manage external components yourself, such as an existing object storage solution. This flexibility is controlled through the QuayRegistry CR.

Production Workloads: For production-grade applications that require high availability, robust security, and resilient storage, Quay is the ideal registry.
Regulated Environments: Organizations with strict compliance and security requirements benefit from Quay's continuous vulnerability scanning, audit trail, and granular access controls.
Globally Distributed Teams: Geo-replication is essential for development teams and applications distributed across multiple regions to ensure high-speed access to images.
Hybrid Cloud and Multi-cluster Deployments: Quay provides a central, universal source of truth for container images that can be accessed by multiple OpenShift clusters, whether they are on-premise or in different public clouds.
Disconnected Environments: Quay can be configured to operate in air-gapped or disconnected environments, allowing organizations to maintain full control over their software supply chain without relying on public registries.

Enjoyed this article? Share it with a friend.