Loading...

XML

Word

Printable

Details

Type: Story
Resolution: Done
Priority: Critical
Fix Version/s: quay-v3.6.0, z-stream
Affects Version/s: None
Component/s: quay-operator
Labels:

Blocked:
False
Ready:
False
Epic Link:
Operator betterment
Release Note Text:
Undefined
Git Pull Request:
https://github.com/quay/quay-operator/pull/453

RICE Score:
0

SFDC Cases Links:
SFDC Cases Counter:

Description

Goal: Allow administrators to leverage OpenShift Routes in re-encrypt mode so they can rely on OpenShift to provide TLS endpoints using certificates form the cluster CA.

Problem statement: Quay prefers to manage TLS termination but the Operator is currently not far enough to support picking up existing TLS certs declaratively from existing Secrets or from other sources in the OpenShift cluster (ca-signer-services). When customers want to use custom OpenShift Routes for this reason it is complicated by the Operator rotating the Operator-managed CA on every config change because for re-encrypt routes to work the CA cert needs to be in-lined in the Route definition.

Acceptance criteria:

allow using re-encrypt routes effectively
stop rotating the CA every time the Operator updates / reconciles the Quay registry

Open Questions:

is there a better way for the Operator to expose the CA it manages?

Attachments

Activity

People

Assignee:: Ricardo Maraschini (Inactive)

Reporter:: Daniel Messer

QA Contact:: luffy zhang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2021/04/15 10:53 AM

Updated:: 2022/03/15 7:13 PM

Resolved:: 2021/06/03 10:38 PM