Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-1815

Quay config editor can't validate the expire time of uploaded LDAPS CA Cert

    XMLWordPrintable

Details

    Description

      Description:

      This is an issue found when configure quay to LDAPS as quay authentication, after upload the SSL cert of LDAPS via quay config editor, now if the provided CA Cert's expire time is before the current time, the result is validation was passed, after triggered reconfigure quay, new quay app pod was failed to start.

      The expected behavior should be quay config editor give correct error message and block users to use this invalid SSL CA Cert. 

      Note: This issue is not FIPS specific issue.

      Quay Version:

      oc get pod quay-operator.v3.5.0-84fd6cb6d-kks9v -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-operator-rhel8@sha256:462859633951f0019092dc065e19d2d538cdfc682dde524e9c67c0ac4d90e875"
      
      oc get pod quayregistry-quay-config-editor-5bcf6b5766-gb696 -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:559a247a810d290911ec09062ff2ae583d73d50625b6bb12d59e5e60a442ac6d"
      
      The target LDAPS CA Cert is expired:

      Quay config editor validation is passed with expired LDAPS CA Cert

      New Quay APP POD was failed to start and report SSL Cert expired error:

      Attachments

        1. image-2021-03-31-11-39-27-272.png
          image-2021-03-31-11-39-27-272.png
          1.05 MB
        2. image-2021-03-31-11-42-27-160.png
          image-2021-03-31-11-42-27-160.png
          273 kB
        3. image-2021-03-31-11-46-01-321.png
          image-2021-03-31-11-46-01-321.png
          556 kB
        4. image-2021-10-19-15-17-55-461.png
          image-2021-10-19-15-17-55-461.png
          264 kB
        5. quayldapsca.crt
          2 kB

        Activity

          People

            jonathankingfc Jonathan King
            lzha1981 luffy zhang
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: