Project Quay / PROJQUAY-2200

Quay config editor needs to support sslmode=verify-full in config.yaml after uploading the database SSL cert

      Description:

      This issue was found when using the Quay config editor to configure Quay to use an external unmanaged database with enforced SSL and full certificate verification. After uploading the external database's full SSL cert via the config editor, Quay config generates a new config bundle secret, but the new config.yaml contains no "sslmode=verify-full".

      Note: This issue can also be reproduced with Quay 3.4.6

      DATABASE_SECRET_KEY: VTq0OYg2SWkv-fBn8PRLpt49XLoYFoCHSwPJFb3A86xXy2iaEvRifHmyuEjHbBRQMmabZ-88dNvQPo9t
      DB_CONNECTION_ARGS:
        autorollback: true
        sslrootcert: conf/stack/database.pem
        threadlocals: true
      DB_URI: postgresql://quayrdsdb:quayrdsdb@terraform-20210707024818918800000001.cmqwuswughvh.us-east-2.rds.amazonaws.com:5432/quay
      

      Quay 3.5.3 Pods:

      oc get pod
      NAME                                                READY   STATUS      RESTARTS   AGE
      quay-operator.v3.5.3-67c59c4c84-gvqvx               1/1     Running     0          41m
      quay353-clair-app-584fff96d7-zlxqq                  1/1     Running     0          35m
      quay353-clair-postgres-7c6b64fbdb-2vh7j             1/1     Running     0          34m
      quay353-quay-app-76c454dbf5-kqr8z                   1/1     Running     2          35m
      quay353-quay-app-upgrade-8zzhq                      0/1     Completed   0          35m
      quay353-quay-config-editor-868b4d8dd4-mxkrs         1/1     Running     0          35m
      quay353-quay-database-58486b47d4-rqftc              1/1     Running     0          35m
      quay353-quay-mirror-646fbb7cbc-tttm8                1/1     Running     0          35m
      quay353-quay-postgres-init-rxfdl                    0/1     Completed   0          35m
      quay353-quay-redis-646f4b4bcf-v46zf                 1/1     Running     0          35m
      quayv353clair-quay-app-68cdc6844d-w5k62             1/1     Running     2          22m
      
      oc get pod quay353-quay-config-editor-868b4d8dd4-mxkrs -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:6bc0876415eee1daa28f04a325c3d31441b52b5b4b1a2c0aff2025627e34a551"
      

      Steps:

      1. Deploy Quay with the Quay 3.5.3 Operator using all managed components
      2. Log in to the Quay config editor
      3. Update the database to use an external PostgreSQL database with enforced SSL that needs sslmode=verify-full
      4. Upload the full SSL cert of the external PostgreSQL database
      5. Click Validate Configurations
      6. Click Reconfigure Change
      7. Check the new config bundle secret used by the new Quay app pod

      Expected Results:

      In the new config bundle secret, sslmode=verify-full should be added under DB_CONNECTION_ARGS.

      Actual Results:

      In the new config bundle secret, sslmode=verify-full is not added under DB_CONNECTION_ARGS.
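
A check for step 7, as an added example that is not part of the original report or of Quay's code: it reads an extracted config.yaml and reports when sslrootcert is present but sslmode=verify-full is not. The function names and sample configs are constructed for illustration, and accepting sslmode from the DB_URI query string follows the libpq URI convention, which is an assumption about how Quay handles it.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the fragment in this report (placeholder host and credentials).
SAMPLE_BROKEN = """\
DB_CONNECTION_ARGS:
  autorollback: true
  sslrootcert: conf/stack/database.pem
  threadlocals: true
DB_URI: postgresql://user:pass@db.example.com:5432/quay
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("  threadlocals", "  sslmode: verify-full\n  threadlocals")

def read_db_settings(config_text):
    """Return (DB_CONNECTION_ARGS dict, DB_URI string) from a flat config.yaml.

    Minimal reader for the two keys shown in the report, not a general YAML parser.
    """
    args, uri, in_args = {}, "", False
    for raw in config_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():               # top-level key
            key, _, value = line.partition(":")
            in_args = key == "DB_CONNECTION_ARGS"
            if key == "DB_URI":
                uri = value.strip().strip("'\"")
        elif in_args:                           # child of DB_CONNECTION_ARGS
            key, _, value = line.strip().partition(":")
            args[key.strip()] = value.strip().strip("'\"")
    return args, uri

def audit_db_tls(config_text):
    """Return a list of findings; an empty list means verify-full is configured."""
    args, uri = read_db_settings(config_text)
    # Assumption: an sslmode in the URI query string is honoured like a connection arg.
    mode = args.get("sslmode") or parse_qs(urlsplit(uri).query).get("sslmode", [""])[0]
    findings = []
    if mode != "verify-full":
        findings.append("sslmode is %r, expected 'verify-full'" % (mode or "unset"))
        if "sslrootcert" in args:
            findings.append("sslrootcert is set but the server certificate is not fully verified")
    elif "sslrootcert" not in args:
        findings.append("no sslrootcert in DB_CONNECTION_ARGS; libpq falls back to its default root.crt path")
    return findings

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_db_tls(text) or "OK")
```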

          People

            jonathankingfc Jonathan King
            lzha1981 luffy zhang