Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-2208

Quay Config editor does not add sslmode=require in config.yaml after uploading database SSL CA Cert

    XMLWordPrintable

Details

    • False
    • False
    • Undefined
    • 0

    Description

      Description:

      This is an issue found when use quay config editor to configure quay to use external unmanaged database with enforced SSL to verify ca cert,  after upload external database's CA Cert via config editor, quay config will generate new config bundle secret, but in the new config.yaml. there's no "sslmode=require".

      Note: This issue can also be reproduced with Quay 3.4.6

      DATABASE_SECRET_KEY: VTq0OYg2SWkv-fBn8PRLpt49XLoYFoCHSwPJFb3A86xXy2iaEvRifHmyuEjHbBRQMmabZ-88dNvQPo9t
      DB_CONNECTION_ARGS:
        autorollback: true
        sslrootcert: conf/stack/database.pem
        threadlocals: true
      DB_URI: postgresql://quay%40quayssl:***@quayssl.postgres.database.azure.com:5432/postgres
      

      Quay 3.5.3 Pods:

      oc get pod
      NAME                                                READY   STATUS      RESTARTS   AGE
      quay-operator.v3.5.3-67c59c4c84-gvqvx               1/1     Running     0          41m
      quay353-clair-app-584fff96d7-zlxqq                  1/1     Running     0          35m
      quay353-clair-postgres-7c6b64fbdb-2vh7j             1/1     Running     0          34m
      quay353-quay-app-76c454dbf5-kqr8z                   1/1     Running     2          35m
      quay353-quay-app-upgrade-8zzhq                      0/1     Completed   0          35m
      quay353-quay-config-editor-868b4d8dd4-mxkrs         1/1     Running     0          35m
      quay353-quay-database-58486b47d4-rqftc              1/1     Running     0          35m
      quay353-quay-mirror-646fbb7cbc-tttm8                1/1     Running     0          35m
      quay353-quay-postgres-init-rxfdl                    0/1     Completed   0          35m
      quay353-quay-redis-646f4b4bcf-v46zf                 1/1     Running     0          35m
      quayv353clair-quay-app-68cdc6844d-w5k62             1/1     Running     2          22m
      
      oc get pod quay353-quay-config-editor-868b4d8dd4-mxkrs -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:6bc0876415eee1daa28f04a325c3d31441b52b5b4b1a2c0aff2025627e34a551"
      

      Steps:

      1. Deploy Quay with Quay 3.5.3 Operator using all managed components
      2. Login Quay config editor
      3. Update database to use external postgresql database with enforced SSL
      4. Upload the CA Cert of external postgresql database
      5. Click Validate Configurations
      6. Click Reconfigure Change
      7. Check the new config bundle secret used by new Quay App POD

      Expected Results:

      In the new config bundle secret sslmode=verify-ca should be added under DB_CONNECTION_ARGS

      Actual Results:

      In the new config bundle secret sslmode=verify-ca is not added under DB_CONNECTION_ARGS

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              rhn-support-dyan Dongbo Yan
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: