- Bug
- Resolution: Obsolete
- Critical
- None
- quay-v3.4.6, quay-v3.5.3
- False
- False
- Undefined
Description:
This is an issue found when using the Quay config editor to configure Quay to use an external unmanaged database with enforced SSL to verify the CA cert. After uploading the external database's CA cert via the config editor, Quay config generates a new config bundle secret, but in the new config.yaml there is no "sslmode=require".
Note: This issue can also be reproduced with Quay 3.4.6.

```
DATABASE_SECRET_KEY: VTq0OYg2SWkv-fBn8PRLpt49XLoYFoCHSwPJFb3A86xXy2iaEvRifHmyuEjHbBRQMmabZ-88dNvQPo9t
DB_CONNECTION_ARGS:
  autorollback: true
  sslrootcert: conf/stack/database.pem
  threadlocals: true
DB_URI: postgresql://quay%40quayssl:***@quayssl.postgres.database.azure.com:5432/postgres
```
Quay 3.5.3 Pods:
```
$ oc get pod
NAME                                          READY   STATUS      RESTARTS   AGE
quay-operator.v3.5.3-67c59c4c84-gvqvx         1/1     Running     0          41m
quay353-clair-app-584fff96d7-zlxqq            1/1     Running     0          35m
quay353-clair-postgres-7c6b64fbdb-2vh7j       1/1     Running     0          34m
quay353-quay-app-76c454dbf5-kqr8z             1/1     Running     2          35m
quay353-quay-app-upgrade-8zzhq                0/1     Completed   0          35m
quay353-quay-config-editor-868b4d8dd4-mxkrs   1/1     Running     0          35m
quay353-quay-database-58486b47d4-rqftc        1/1     Running     0          35m
quay353-quay-mirror-646fbb7cbc-tttm8          1/1     Running     0          35m
quay353-quay-postgres-init-rxfdl              0/1     Completed   0          35m
quay353-quay-redis-646f4b4bcf-v46zf           1/1     Running     0          35m
quayv353clair-quay-app-68cdc6844d-w5k62       1/1     Running     2          22m

$ oc get pod quay353-quay-config-editor-868b4d8dd4-mxkrs -o json | jq '.spec.containers[0].image'
"registry.redhat.io/quay/quay-rhel8@sha256:6bc0876415eee1daa28f04a325c3d31441b52b5b4b1a2c0aff2025627e34a551"
```
Steps:
- Deploy Quay with the Quay 3.5.3 Operator using all managed components
- Log in to the Quay config editor
- Update the database to use an external PostgreSQL database with enforced SSL
- Upload the CA cert of the external PostgreSQL database
- Click Validate Configurations
- Click Reconfigure Change
- Check the new config bundle secret used by the new Quay app pod
Expected Results:
In the new config bundle secret, sslmode=verify-ca should be added under DB_CONNECTION_ARGS.
Actual Results:
In the new config bundle secret, sslmode=verify-ca is not added under DB_CONNECTION_ARGS.
- clones: PROJQUAY-2200 Quay Config editor need to support sslmode=verify-full in config.yaml after uploading database SSL Cert (Closed)
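
One way to check a generated config.yaml for the condition described in this report, as an added example that is not part of the original report or of Quay's own code. The sample config is constructed from the fragment above (with a placeholder DB_URI), and `parse_flat_yaml` and `audit_db_tls` are hypothetical helper names.

```python
# Added example: flag a Quay config.yaml whose DB_CONNECTION_ARGS carries a CA
# certificate but no sslmode, or an sslmode below the required level.

# Constructed sample mirroring the fragment in the report (secret key omitted,
# DB_URI replaced with a placeholder host).
SAMPLE_CONFIG = """\
DB_CONNECTION_ARGS:
  autorollback: true
  sslrootcert: conf/stack/database.pem
  threadlocals: true
DB_URI: postgresql://user:***@db.example.com:5432/postgres
"""

# libpq sslmode values, ordered from weakest to strongest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def parse_flat_yaml(text):
    """Minimal parser: top-level keys plus one nested mapping level.
    Enough for this fragment; use a real YAML library for full configs."""
    config, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw[0].isspace() and current is not None:
            config[current][key] = value      # nested entry under the open mapping
        elif value:
            config[key], current = value, None  # plain top-level scalar
        else:
            config[key], current = {}, key      # start of a nested mapping
    return config


def audit_db_tls(config, minimum="verify-ca"):
    """Return findings; an empty list means sslmode meets `minimum`."""
    args = config.get("DB_CONNECTION_ARGS") or {}
    mode = args.get("sslmode")
    if mode is None:
        note = " although sslrootcert is configured" if "sslrootcert" in args else ""
        return ["sslmode is not set" + note]
    if mode not in SSLMODES:
        return [f"unknown sslmode {mode!r}"]
    if SSLMODES.index(mode) < SSLMODES.index(minimum):
        return [f"sslmode={mode} is weaker than {minimum}"]
    return []


if __name__ == "__main__":
    for finding in audit_db_tls(parse_flat_yaml(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```
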