Updates infra proc for Quay (quay#1439)

stevsmit · Steven Smith · web-flow · commit 3f6e5b82a9a3 · 2025-09-18T09:21:31.000-04:00
Co-authored-by: Steven Smith &lt;stevsmit@stevsmit-thinkpadt14gen4.remote.csb&gt;
diff --git a/deploy_red_hat_quay_operator/master.adoc b/deploy_red_hat_quay_operator/master.adoc
@@ -67,11 +67,18 @@ include::modules/first-user-api.adoc[leveloffset=+3]
 include::modules/operator-deploy-view-pods-cli.adoc[leveloffset=+3]
 include::modules/operator-deploy-hpa.adoc[leveloffset=+3]
 
+//infrastructure
+include::modules/operator-deploy-infrastructure.adoc[leveloffset=+1]
+include::modules/labeling-taint-nodes-for-infrastructure-use.adoc[leveloffset=+2]
+include::modules/creating-project-node-selector-toleration.adoc[leveloffset=+2]
+include::modules/installing-quay-operator-namespace.adoc[leveloffset=+2]
+include::modules/creating-registry-infra-node.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 For more information on pre-configuring your {productname} deployment, see the section xref:config-preconfigure-automation[Pre-configuring {productname} for automation]
 
-include::modules/operator-monitor-deploy-cli.adoc[leveloffset=+3]
+include::modules/operator-monitor-deploy-cli.adoc[leveloffset=+1]
 //ui
 include::modules/operator-deploy-ui.adoc[leveloffset=+2]
 include::modules/operator-first-user-ui.adoc[leveloffset=+3]
diff --git a/modules/creating-project-node-selector-toleration.adoc b/modules/creating-project-node-selector-toleration.adoc
@@ -0,0 +1,40 @@
+
+[id="creating-project-node-selector-toleration"]
+= Creating a project with node selector and tolerations
+
+Use the following procedure to create a project with the `node-selector` and `tolerations` annotations. 
+
+.Procedure
+
+. Add the `node-selector` annotation to the namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc annotate namespace <namespace> openshift.io/node-selector='node-role.kubernetes.io/infra='
+----
++
+.Example output
++
+[source,yaml]
+----
+namespace/<namespace> annotated
+----
+
+. Add the `tolerations` annotation to the namespace by entering the following command:
++
+[source,terminal]
+----
+$ oc annotate namespace <namespace> scheduler.alpha.kubernetes.io/defaultTolerations='[{"operator":"Equal","value":"reserved","effect":"NoSchedule","key":"node-role.kubernetes.io/infra"},{"operator":"Equal","value":"reserved","effect":"NoExecute","key":"node-role.kubernetes.io/infra"}]' --overwrite
+----
++
+.Example output
++
+[source,yaml]
+----
+namespace/<namespace> annotated
+----
++
+[IMPORTANT]
+====
+The tolerations in this example are specific to two taints commonly applied to infra nodes. The taints configured in your environment might differ. You must set the tolerations accordingly to match the taints applied to your infra nodes.
+====
diff --git a/modules/creating-registry-infra-node.adoc b/modules/creating-registry-infra-node.adoc
@@ -0,0 +1,163 @@
+
+[id="creating-registry-infra-node"]
+= Creating the {productname} registry
+
+After you have downloaded the {productname} Operator, you must create the {productname} registry. The registry's components, for example, `clair`, `postgres`, `redis`, and so on, must be patched with the `toleration` annotation so that they can schedule onto the `infra` worker nodes.
+
+The following procedure shows you how to create a {productname} registry that runs on infrastructure nodes.
+
+.Procedure
+
+. On the {ocp} web console, click *Operators* -> *Installed Operators* -> *Red Hat Quay*.
+
+. On the *{productname} Operator details* page, click *Quay Registry* -> *Create QuayRegistry*.
+
+. On the *Create QuayRegistry* page, set the `monitoring` and `objectstorage` fields to `false`. The monitoring component cannot be enabled when {productname} is installed in a single namespace. For example:
++
+[source,yaml]
+----
+# ...
+    - kind: monitoring
+      managed: false
+    - kind: objectstorage
+      managed: false
+# ...
+----
+
+. Click *Create*.
+
+////
+. The following condition is reported: `Condition: RolloutBlocked`. This occurs because all pods for the registry must include the `node-role.kubernetes.io/infra` nodeSelector and toleration. Apply the `node-role.kubernetes.io/infra` nodeSelector and toleration to all pods by entering the following command:
++
+[source,terminal]
+----
+$ for deploy in $(oc get deployments -n <annotated_namespace> -o name | grep -E 'example-registry-(clair|quay)'); do
+  oc patch $deploy -n annotated_namespace --type='strategic' -p '{
+    "spec": {
+      "template": {
+        "spec": {
+          "nodeSelector": {
+            "node-role.kubernetes.io/infra": ""
+          },
+          "tolerations": [
+            {
+              "key": "node-role.kubernetes.io/infra",
+              "operator": "Exists",
+              "effect": "NoSchedule"
+            }
+          ]
+        }
+      }
+    }
+  }'
+done
+----
++
+.Example output
++
+[source,terminal]
+----
+deployment.apps/example-registry-clair-app patched
+deployment.apps/example-registry-clair-postgres patched
+deployment.apps/example-registry-quay-app patched
+deployment.apps/example-registry-quay-database patched
+deployment.apps/example-registry-quay-mirror patched
+deployment.apps/example-registry-quay-redis patched
+----
+
+. Ensure that all pods include the `node-role.kubernetes.io/infra` nodeSelector and toleration by entering the following command:
++
+[source,terminal]
+----
+$ for deploy in $(oc get deployments -n <annotated_namespace> -o name | grep example-registry); do
+  echo $deploy
+  oc get -n <annotated_namespace> $deploy -o yaml | grep -A5 nodeSelector
+  oc get -n <annotated_namespace> $deploy -o yaml | grep -A5 tolerations
+done
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+example-registry-clair-app
+      nodeSelector:
+        node-role.kubernetes.io/infra: ""
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: example-registry-clair-app
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/infra
+        operator: Exists
+      volumes:
+      - configMap:
+...
+----
+////
+
+. Optional: Confirm that the pods are running on infra nodes.
+
+.. List all `Quay`-related pods along with the nodes that they are scheduled on by entering the following command:
++
+[source,terminal]
+----
+$ oc get pods -n <annotated_namespace> -o wide | grep example-registry
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+NAME                                               READY   STATUS      RESTARTS   AGE   IP             NODE                                                              NOMINATED NODE   READINESS GATES
+example-registry-clair-app-5f95d685bd-dgjf6        1/1     Running     0          52m   10.128.4.12    example-cluster-new-c5qqp-worker-b-wrhw4.c.quay-devel.internal   <none>           <none>
+...
+----
+
+.. Confirm that the nodes listed include only nodes labeled `infra` by running the following command:
++
+[source,terminal]
+----
+$ oc get nodes -l node-role.kubernetes.io/infra -o name
+----
++
+.Example output
++
+[source,terminal]
+----
+node/example-cluster-new-c5qqp-worker-b-4zxx5.c.quay-devel.internal modified
+node/example-cluster-new-c5qqp-worker-b-kz6jn.c.quay-devel.internal modified
+node/example-cluster-new-c5qqp-worker-b-wrhw4.c.quay-devel.internal modified
+----
++
+[NOTE]
+====
+If any pod appears on a non-infra node, revisit your namespace annotations and deployment patching.
+====
+
+. Restart all pods for the {productname} registry by entering the following command:
++
+[source,terminal]
+----
+$ oc delete pod -n <annotated_namespace> --all
+----
+
+. Check the status of the pods by entering the following command:
++
+[source,terminal]
+----
+$ oc get pods -n <annotated_namespace>
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+NAME                                               READY   STATUS      RESTARTS   AGE
+example-registry-clair-app-5f95d685bd-dgjf6        1/1     Running     0          5m4s
+...
+----
diff --git a/modules/installing-quay-operator-namespace.adoc b/modules/installing-quay-operator-namespace.adoc
@@ -0,0 +1,55 @@
+
+[id="installing-quay-operator-namespace"]
+= Installing the {productname} Operator on the annotated namespace
+
+After you have added the `node-role.kubernetes.io/infra=` label to worker nodes and added the `node-selector` and `tolerations` annotations to the namespace, you must download the {productname} Operator in that namespace. 
+
+The following procedure shows you how to download the {productname} Operator on the annotated namespace and how to update the subscription to ensure successful installation.
+
+.Procedure
+
+. On the {ocp} web console, click *Operators* -> *OperatorHub*.
+
+. In the search box, type *{productname}*.
+
+. Click *{productname}* -> *Install*. 
+
+. Select the update channel, for example, *stable-{producty}* and the version.
+
+. Click *A specific namespace on the cluster* for the installation mode, and then select the namespace that you applied the `node-selector` and `tolerations` annotations to.
+
+. Click *Install*.
+////
+. After a few minutes, the {productname} Operator installation fails. This occurs because the Operator itself must run on the `infra` nodes. Update the {productname} Operator subscription to run on the infra nodes by entering the following command:
++
+[source,terminal]
+----
+$ oc patch subscription quay-operator -n <annotated_namespace> \
+  --type=merge -p '{
+    "spec": {
+      "config": {
+        "nodeSelector": {"node-role.kubernetes.io/infra": ""},
+        "tolerations": [
+          {"key":"node-role.kubernetes.io/infra","operator":"Exists","effect":"NoSchedule"}
+        ]
+      }
+    }
+  }'
+----
++
+The Operator resumes downloading.
+////
+
+. Confirm that the Operator is installed by entering the following command:
++
+[source,terminal]
+----
+$ oc get pods -n <annotated_namespace> -o wide | grep quay-operator
+----
++
+.Example output
++
+[source,terminal]
+----
+quay-operator.v3.15.1-858b5c5fdc-lf5kj   1/1     Running   0          29m   10.130.6.18   example-cluster-new-c5qqp-worker-f-mhngl.c.quay-devel.internal   <none>           <none>
+----
diff --git a/modules/labeling-taint-nodes-for-infrastructure-use.adoc b/modules/labeling-taint-nodes-for-infrastructure-use.adoc
@@ -0,0 +1,69 @@
+[id="labeling-taint-nodes-for-infrastructure-use"]
+= Labeling and tainting nodes for infrastructure use
+
+Use the following procedure to label and taint nodes for infrastructure use. 
+
+[NOTE]
+====
+The following procedure labels three worker nodes with the `infra` label. Depending on the resources relevant to your environment, you might have to label more than three worker nodes with the `infra` label.
+====
+
+. Obtain a list of _worker_ nodes in your deployment by entering the following command:
++
+[source,terminal]
+----
+$ oc get nodes | grep worker
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME                                                              STATUS   ROLES                  AGE    VERSION
+---
+example-cluster-new-c5qqp-worker-b-4zxx5.c.quay-devel.internal   Ready    worker                 401d   v1.31.11
+example-cluster-new-c5qqp-worker-b-kz6jn.c.quay-devel.internal   Ready    worker                 402d   v1.31.11
+example-cluster-new-c5qqp-worker-b-wrhw4.c.quay-devel.internal   Ready    worker                 401d   v1.31.11
+---
+----
+
+. Add the `node-role.kubernetes.io/infra=` label to the worker nodes by entering the following command.
+The number of infrastructure nodes required depends on your environment. Production environments should provision enough infra nodes to ensure high availability and sufficient resources for all `quay`-related components. Monitor CPU, memory, and storage utilization to determine if additional infra nodes are required.
++
+[source,terminal]
+----
+$ oc label node --overwrite <infra_node_one> <infra_node_two> <infra_node_three> node-role.kubernetes.io/infra=
+----
+
+. Confirm that the `node-role.kubernetes.io/infra=` label has been added to the proper nodes by entering the following command:
++
+[source,terminal]
+----
+$ oc get node | grep infra
+----
++
+[source,terminal]
+----
+---
+example-cluster-new-c5qqp-worker-b-4zxx5.c.quay-devel.internal   Ready    infra,worker           405d   v1.32.8
+example-cluster-new-c5qqp-worker-b-kz6jn.c.quay-devel.internal   Ready    infra,worker           406d   v1.32.8
+example-cluster-new-c5qqp-worker-b-wrhw4.c.quay-devel.internal   Ready    infra,worker           405d   v1.32.8
+---
+----
+
+. When a worker node is assigned the `infra` role, there is a chance that user workloads could get inadvertently assigned to an infra node. To avoid this, you can apply a taint to the infra node, and then add tolerations for the pods that you want to control. Taint the worker nodes with the `infra` label by entering the following command:
++
+[source,terminal]
+----
+$ oc adm taint nodes -l node-role.kubernetes.io/infra \
+  node-role.kubernetes.io/infra=reserved:NoSchedule --overwrite
+----
++
+.Example output
++
+[source,terminal]
+----
+node/example-cluster-new-c5qqp-worker-b-4zxx5.c.quay-devel.internal modified
+node/example-cluster-new-c5qqp-worker-b-kz6jn.c.quay-devel.internal modified
+node/example-cluster-new-c5qqp-worker-b-wrhw4.c.quay-devel.internal modified
+----
diff --git a/modules/operator-deploy-infrastructure.adoc b/modules/operator-deploy-infrastructure.adoc
diff --git a/red_hat_quay_operator_features/master.adoc b/red_hat_quay_operator_features/master.adoc
