Goal: Enable automation workflows that stand up Quay completely from scratch, including the Quay bridge operator and customize the deployment via the Quay API.

Background: While the deployment of Quay can be done declaratively with the Quay operator, further customization can only be done by automating against the Quay API. In addition, users want to install the Quay bridge operator. For both, API access and QBO, an API token is required which as of today can only be obtain by interactively conducting the Oauth2 authorization handshake in the browser using the Quay UI or relying on the FEATURE_USER_INITIALIZE configuration setting, which yields an API token which is limited 150 minutes. This means that completely automating Quay non-interactively end-to-end is not possible today.

Requirements:

• a secure way exists to obtain a Quay API token non-interactively, possible options include (but are not limited to) pre-populating clientids in the Quay config file, authenticating users via their credentials (user name/password, OIDC token) or automatically created, long lived tokens as part of the initalization of a fresh deployment
• scoping the programmatically created Quay API token needs to be possible
• the API token needs to be returned in ways that allow for easy consumption of automated workflows, e.g. Ansible playbooks