OCPSTRAT-1933 (OpenShift Container Platform (OCP) Strategy)

Make all OpenShift images available via registry.redhat.io instead of quay.io


    • Type: Initiative
    • Resolution: Unresolved
    • Priority: Undefined
    • Future Sustainability
    • Progress: 100% To Do, 0% In Progress, 0% Done

      Goal

      Address customer security concerns by removing the need to allow traffic to the quay.io domain in order to install or mirror OpenShift and related images, within the next 6 months.

      Benefit Hypothesis:

      • Today the entire OCP payload is pulled directly from quay.io, so customers have to add an exception for the quay.io domain and all of its subdomains (cdn*.quay.io) to their firewall / proxy
      • Adding *.quay.io to a firewall / proxy allow list opens up all of quay.io's content, not just OpenShift; that content is generally trusted at the same level as Docker Hub content, which on-premise customers often block
      • quay.io is not generally associated with a Red Hat domain property and is therefore less trusted; customers expect to be able to allow traffic to redhat.com and/or redhat.io in order for our connected products to work
      • quay.io CDN changes directly impact customers, who have to update their firewall allow lists whenever we introduce new CDN endpoints

      Resources

      • registry.redhat.io already acts as a reverse proxy for a couple of quay.io namespaces, letting clients pull transparently through that domain; it also fronts the CDN that quay.io uses, which removes the need to add CDN endpoints to the allow-list
      • registry.redhat.io is now owned by the Quay engineering team

      Responsibilities

      • Quay team: ensure registry.redhat.io and registry.access.redhat.com work on the IPv6 internet
      • OCP Control Plane/OTA: replace all quay.io references with registry.redhat.io in the core payload
      • Konflux: check that no quay.io references are used in OCP core payload and layered operators
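A static check of the kind the Konflux item above calls for, added here as an example (it is not Red Hat, Konflux or Quay tooling): it walks the image references of a release payload and reports any that are pulled from a registry outside an allowed set of domains. It assumes the ImageStream layout that `oc adm release info <image> -o json` prints under its references field (spec.tags[].from.name); the sample payload, tag names and digests are constructed for the example.

```python
"""Static check for registry references in an OpenShift release payload.

Added example, not Red Hat or Konflux tooling. Assumes the input is the
ImageStream that `oc adm release info <image> -o json` prints under
"references" (spec.tags[].from.name); adjust collect_refs() if your
manifests are laid out differently. SAMPLE below is constructed for this
example, not a real release."""
import re
from typing import Dict, Iterable, Optional

# "<registry>/<path>[:<tag>][@sha256:<digest>]"; only the first component matters here.
_REF_RE = re.compile(r"^(?P<first>[^/]+)/(?P<rest>.+)$")


def registry_of(ref: str) -> Optional[str]:
    """Registry host of an image reference, or None when the reference has
    no registry component (container engines then resolve it to Docker Hub).
    Per the Docker reference grammar the first path component is a registry
    only if it contains a '.' or ':' or is 'localhost'."""
    m = _REF_RE.match(ref)
    if not m:
        return None
    first = m.group("first")
    if "." in first or ":" in first or first == "localhost":
        return first.rsplit(":", 1)[0].lower()  # drop an explicit port
    return None


def host_allowed(host: str, allowed_suffixes: Iterable[str]) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.
    Matching is on the dot boundary, so 'notredhat.io' does not pass."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def collect_refs(imagestream: dict) -> Dict[str, str]:
    """tag name -> image reference for every DockerImage-kind tag."""
    refs = {}
    for tag in imagestream.get("spec", {}).get("tags", []):
        src = tag.get("from") or {}
        if src.get("kind") == "DockerImage" and src.get("name"):
            refs[tag["name"]] = src["name"]
    return refs


def offending_refs(imagestream: dict,
                   allowed_suffixes=("redhat.io", "redhat.com")) -> Dict[str, str]:
    """tag name -> registry host for every tag pulled from a registry that is
    not under an allowed domain. References without a registry component are
    reported as 'docker.io', which is never on an on-prem allow-list."""
    bad = {}
    for tag, ref in collect_refs(imagestream).items():
        host = registry_of(ref) or "docker.io"
        if not host_allowed(host, allowed_suffixes):
            bad[tag] = host
    return bad


# Constructed sample: one tag still on quay.io, one already proxied, one with no registry at all.
_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE = {
    "kind": "ImageStream",
    "spec": {"tags": [
        {"name": "cli",
         "from": {"kind": "DockerImage",
                  "name": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@" + _DIGEST}},
        {"name": "machine-config-operator",
         "from": {"kind": "DockerImage",
                  "name": "registry.redhat.io/openshift-release-dev/ocp-v4.0-art-dev@" + _DIGEST}},
        {"name": "scratch-tool",
         "from": {"kind": "DockerImage", "name": "busybox:1.36"}},
    ]},
}

if __name__ == "__main__":
    for tag, host in sorted(offending_refs(SAMPLE).items()):
        print(f"{tag}: pulled from {host}, which is not on the allow-list")
```

The allow-list is suffix-matched on a dot boundary on purpose: a naive `"redhat.io" in host` check would accept a look-alike such as `notredhat.io`, and a check on the full reference string would be fooled by a path that merely contains the domain name.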

      Acceptance Criteria

      • Customers can install OpenShift Container Platform and optional Red Hat Operators without the need to add quay.io or any of its subdomains to an allow-list in firewall / proxy configuration
      • quay.io uses AWS CloudFront as its CDN, so registry.redhat.io needs to proxy that as well
      • quay.io responds with pre-signed AWS S3 blob URLs when clients ask to pull images (the client is redirected to S3 to fetch the layer data), so S3 also needs to be proxied by registry.redhat.io
      • quay.io/openshift-release-dev/ocp-release and quay.io/openshift-release-dev/ocp-v4.0-art-dev continue to be the source of truth for OCP; registry.redhat.io/openshift-release-dev (or a similar namespace) simply serves as a proxy for that content.
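The allow-list criterion above is only met if every hop of a blob pull, not just the first hostname, stays under the permitted domains; the redirects to a CDN and to pre-signed S3 URLs described in the two preceding items are exactly what a first-hop check misses. The following added example (not Red Hat or Quay tooling) walks a blob request's redirect chain by hand and lists the hosts it touches. `http_head`, `sample_fetch` and the allowed-suffix tuple are this example's own names, and the CDN and S3 hostnames in the constructed sample chains are illustrative, not a record of quay.io's current behaviour.

```python
"""Walk a registry blob request's redirect chain hop by hop and list every
host it touches, so a firewall / proxy allow-list can be checked against what
a pull actually needs rather than against the first hostname only.

Added example, not Red Hat or Quay tooling. http_head() is the fetcher for
real use (authenticated repos need a bearer token); the sample chains below
are constructed for this example, and their CDN and S3 hostnames are
illustrative rather than a record of quay.io's current behaviour."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Fetch = Callable[[str], Tuple[int, Dict[str, str]]]
REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects: every hop must stay visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url: str, token: Optional[str] = None) -> Tuple[int, Dict[str, str]]:
    """Real fetcher: one HEAD request, redirects not followed."""
    req = urllib.request.Request(url, method="HEAD")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=20) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # 3xx land here once they are not followed
        return e.code, dict(e.headers)


def redirect_hosts(url: str, fetch: Fetch, max_hops: int = 10) -> List[Tuple[int, str]]:
    """Follow Location headers manually; return [(status, host), ...] in order."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        host = urlsplit(url).hostname
        hops.append((status, host))
        if status not in REDIRECTS:
            return hops
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise ValueError(f"{status} from {host} without a Location header")
        url = urljoin(url, location)  # Location may be relative
    raise ValueError(f"more than {max_hops} redirects, last URL {url}")


def host_allowed(host: str, allowed_suffixes: Iterable[str]) -> bool:
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def unallowed_hosts(hops: List[Tuple[int, str]], allowed_suffixes: Iterable[str]) -> List[str]:
    """Hosts in the chain that the allow-list does not cover, sorted for stable output."""
    return sorted({host for _, host in hops if not host_allowed(host, allowed_suffixes)})


# Constructed sample chains (hostnames illustrative, signatures fake).
_HEX_A, _HEX_B = "ab" * 32, "cd" * 32
QUAY_BLOB_CDN = "https://quay.io/v2/openshift-release-dev/ocp-release/blobs/sha256:" + _HEX_A
QUAY_CDN = "https://cdn01.quay.io/sha256/ab/" + _HEX_A + "?Expires=1700000000&Signature=constructed"
QUAY_BLOB_S3 = "https://quay.io/v2/openshift-release-dev/ocp-release/blobs/sha256:" + _HEX_B
QUAY_S3 = "https://example-bucket.s3.amazonaws.com/" + _HEX_B + "?X-Amz-Signature=constructed"
RHIO_BLOB = "https://registry.redhat.io/v2/openshift-release-dev/ocp-release/blobs/sha256:" + _HEX_A

SAMPLE_RESPONSES = {
    QUAY_BLOB_CDN: (302, {"Location": QUAY_CDN}),
    QUAY_CDN: (200, {"Content-Length": "1234"}),
    QUAY_BLOB_S3: (302, {"Location": QUAY_S3}),
    QUAY_S3: (200, {"Content-Length": "1234"}),
    RHIO_BLOB: (200, {"Content-Length": "1234"}),  # proxied: no redirect leaves the domain
}


def sample_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    allowed = ("redhat.io", "redhat.com")
    for start in (QUAY_BLOB_CDN, QUAY_BLOB_S3, RHIO_BLOB):
        hops = redirect_hosts(start, sample_fetch)
        print(start, "->", [h for _, h in hops], "outside allow-list:", unallowed_hosts(hops, allowed))
```

Against a live registry, pass `http_head` (with a bearer token from the registry's token service for repositories that require one) in place of `sample_fetch`, and run it for both the manifest and a blob URL: a registry can serve the manifest itself and still redirect the blob to a host the allow-list has never heard of.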

      Results

      • We can remove any quay.io URL references from the official OpenShift product documentation
      • Customers can mirror OCP content or run OCP, including all layered offerings, in an internet-connected environment without having to allow quay.io through their firewall / proxy

              Assignee: Unassigned
              Reporter: Daniel Messer