Project Quay / PROJQUAY-1883

Support OCP Re-encrypt routes


Details

    Description

      Goal: Allow administrators to leverage OpenShift Routes in re-encrypt mode so they can rely on OpenShift to provide TLS endpoints using certificates from the cluster CA.

      Problem statement: Quay prefers to manage TLS termination, but the Operator is currently not far enough along to support picking up existing TLS certs declaratively from existing Secrets or from other sources in the OpenShift cluster (ca-signer-services). When customers want to use custom OpenShift Routes for this reason, it is complicated by the Operator rotating the Operator-managed CA on every config change, because for re-encrypt routes to work the CA cert needs to be in-lined in the Route definition.

      Acceptance criteria:

      • allow using re-encrypt routes effectively
      • stop rotating the CA every time the Operator updates / reconciles the Quay registry

      Open Questions:

      • is there a better way for the Operator to expose the CA it manages?
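
The failure mode in the problem statement can be checked for directly. The following is an added example, not part of the original issue or of the Quay Operator's code: it compares the CA in-lined in a re-encrypt Route with the CA the backend currently uses and flags a stale one. It assumes the Route is available as a parsed JSON object and the current CA as PEM text; the Route name and the PEM contents are constructed placeholders.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Return SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_bundle or "")}


def check_route(route, backend_ca_pem):
    """Classify a Route object (dict) against the CA the backend uses now."""
    tls = route.get("spec", {}).get("tls") or {}
    if tls.get("termination") != "reencrypt":
        return "not-reencrypt"
    pinned = fingerprints(tls.get("destinationCACertificate"))
    if not pinned:
        return "no-inlined-ca"
    # The router validates the backend against the inlined CA, so a CA
    # that was rotated after the Route was written no longer matches.
    return "ok" if pinned & fingerprints(backend_ca_pem) else "stale-ca"


# Constructed sample data: placeholder bytes wrapped as PEM, not real certs.
CA_BEFORE = ssl.DER_cert_to_PEM_cert(b"constructed CA before reconcile")
CA_AFTER = ssl.DER_cert_to_PEM_cert(b"constructed CA after reconcile")
SAMPLE_ROUTE = {
    "kind": "Route",
    "metadata": {"name": "example-registry"},  # hypothetical name
    "spec": {"tls": {"termination": "reencrypt",
                     "destinationCACertificate": CA_BEFORE}},
}

if __name__ == "__main__":
    print(check_route(SAMPLE_ROUTE, CA_BEFORE))  # CA unchanged
    print(check_route(SAMPLE_ROUTE, CA_AFTER))   # CA rotated
```
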

          People

            rmarasch@redhat.com Ricardo Maraschini
            DanielMesser Daniel Messer
            luffy zhang luffy zhang