Project Quay / PROJQUAY-1815

Quay config editor can't validate the expire time of uploaded LDAPS CA Cert


      Description:

      This issue was found when configuring Quay to use LDAPS for authentication. After uploading the LDAPS SSL cert via the Quay config editor, if the provided CA cert's expiry time is before the current time, validation still passes; after a Quay reconfigure is triggered, the new Quay app pod fails to start.

      The expected behavior is for the Quay config editor to give a correct error message and block users from using this invalid SSL CA cert.

      Note: This issue is not FIPS-specific.

      Quay Version:

      oc get pod quay-operator.v3.5.0-84fd6cb6d-kks9v -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-operator-rhel8@sha256:462859633951f0019092dc065e19d2d538cdfc682dde524e9c67c0ac4d90e875"
      
      oc get pod quayregistry-quay-config-editor-5bcf6b5766-gb696 -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:559a247a810d290911ec09062ff2ae583d73d50625b6bb12d59e5e60a442ac6d"
      
      The target LDAPS CA Cert is expired:

      Quay config editor validation passes with the expired LDAPS CA cert:

      The new Quay app pod failed to start and reported an SSL cert expired error:

              jonathankingfc Jonathan King
              lzha1981 luffy zhang
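A sketch of the check the report asks for, added here as an illustration and not taken from Quay or its config editor: reject an uploaded CA bundle when any certificate in it is outside its validity window. It goes slightly beyond the reported case by also rejecting not-yet-valid certificates and checking every certificate in the bundle; `checkCAValidity` and `selfSignedCA` are hypothetical names, and the test certificate is constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkCAValidity rejects a PEM bundle if any certificate in it is not valid at now.
func checkCAValidity(pemBytes []byte, now time.Time) error {
	found := 0
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		found++
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("certificate %d: %w", found, err)
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return fmt.Errorf("certificate %d: valid only from %s to %s", found, cert.NotBefore, cert.NotAfter)
		}
	}
	if found == 0 {
		return errors.New("no CERTIFICATE block found")
	}
	return nil
}

// selfSignedCA builds a constructed, throwaway CA certificate for the demo (hypothetical helper).
func selfSignedCA(notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		BasicConstraintsValid: true, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(checkCAValidity(selfSignedCA(time.Unix(0, 0), time.Unix(86400, 0)), time.Now()))
}
```

Running the same check at upload time, before the configuration is applied, surfaces the expiry as a validation error instead of a pod start failure.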