Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-2200

Quay Config editor need to support sslmode=verify-full in config.yaml after uploading database SSL Cert

    XMLWordPrintable

Details

    • 0

    Description

      Description:

      This is an issue found when use quay config editor to configure quay to use external unmanaged database with enforced SSL to verify full cert, after upload external database's SSL Full Cert via config editor, quay config will generate new config bundle secret, but in the new config.yaml. there's no "sslmode=verify-full".

      Note: This issue can also be reproduced with Quay 3.4.6

      DATABASE_SECRET_KEY: VTq0OYg2SWkv-fBn8PRLpt49XLoYFoCHSwPJFb3A86xXy2iaEvRifHmyuEjHbBRQMmabZ-88dNvQPo9t
      DB_CONNECTION_ARGS:
        autorollback: true
        sslrootcert: conf/stack/database.pem
        threadlocals: true
      DB_URI: postgresql://quayrdsdb:quayrdsdb@terraform-20210707024818918800000001.cmqwuswughvh.us-east-2.rds.amazonaws.com:5432/quay
      

      Quay 3.5.3 Pods:

      oc get pod
      NAME                                                READY   STATUS      RESTARTS   AGE
      quay-operator.v3.5.3-67c59c4c84-gvqvx               1/1     Running     0          41m
      quay353-clair-app-584fff96d7-zlxqq                  1/1     Running     0          35m
      quay353-clair-postgres-7c6b64fbdb-2vh7j             1/1     Running     0          34m
      quay353-quay-app-76c454dbf5-kqr8z                   1/1     Running     2          35m
      quay353-quay-app-upgrade-8zzhq                      0/1     Completed   0          35m
      quay353-quay-config-editor-868b4d8dd4-mxkrs         1/1     Running     0          35m
      quay353-quay-database-58486b47d4-rqftc              1/1     Running     0          35m
      quay353-quay-mirror-646fbb7cbc-tttm8                1/1     Running     0          35m
      quay353-quay-postgres-init-rxfdl                    0/1     Completed   0          35m
      quay353-quay-redis-646f4b4bcf-v46zf                 1/1     Running     0          35m
      quayv353clair-quay-app-68cdc6844d-w5k62             1/1     Running     2          22m
      
      oc get pod quay353-quay-config-editor-868b4d8dd4-mxkrs -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:6bc0876415eee1daa28f04a325c3d31441b52b5b4b1a2c0aff2025627e34a551"
      

      Steps:

      1. Deploy Quay with Quay 3.5.3 Operator using all managed components
      2. Login Quay config editor
      3. Update database to use external postgresql database with enforced SSL need sslmode=verify-full
      4. Upload the SSL Full Cert of external postgresql database
      5. Click Validate Configurations
      6. Click Reconfigure Change
      7. Check the new config bundle secret used by new Quay App POD

      Expected Results:

      In the new config bundle secret sslmode=verify-full should be added under DB_CONNECTION_ARGS

      Actual Results:

      In the new config bundle secret sslmode=verify-full is not added under DB_CONNECTION_ARGS

      Attachments

        Issue Links

          Activity

            People

              jonathankingfc Jonathan King
              lzha1981 luffy zhang
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: