Project Quay / PROJQUAY-2335

Quay Operator should block the deployment when Route is managed, TLS is unmanaged without providing TLS Cert/key pairs


      Description:

      This issue was found when using the Quay Operator to deploy Quay. When the Quay config bundle secret is created without TLS cert/key pairs, and the QuayRegistry sets route to managed and TLS to unmanaged, the Quay Operator should, as the design docs mention, report an error with a message like "TLS Cert/Key must be provided". However, the result is that the Quay Operator continues to deploy using the OCP default cert.

      Quay Operator: quay-operator-container-v3.6.0-2

      https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1667063 

      Quay Config.yaml:

      SERVER_HOSTNAME: quayv360.apps.quay-perf-732.perfscale.devcluster.openshift.com
      ALLOWED_OCI_ARTIFACT_TYPES: 
          application/vnd.cncf.helm.config.v1+json: 
          - application/tar+gzip
          application/vnd.oci.image.layer.v1.tar+gzip+encrypted:
          - application/vnd.oci.image.layer.v1.tar+gzip+encrypted
          application/vnd.oci.image.layer.v1.tar+zstd:
          - application/vnd.oci.image.layer.v1.tar+zstd
          application/vnd.dev.cosign.simplesigning.v1+json:
          - application/vnd.dev.cosign.simplesigning.v1+json
      DEFAULT_TAG_EXPIRATION: 4w
      TAG_EXPIRATION_OPTIONS:
      - 2w
      - 4w
      - 8w
      FEATURE_GENERAL_OCI_SUPPORT: false
      FEATURE_HELM_OCI_SUPPORT: false
      SUPER_USERS:
        - quay
        - admin
      DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
        - default
      DISTRIBUTED_STORAGE_PREFERENCE:
        - default
      DISTRIBUTED_STORAGE_CONFIG:
        default:
          - S3Storage
          - s3_bucket: quay360
            storage_path: /quay360
            s3_access_key: *******
            s3_secret_key: ******
            host: s3.us-east-2.amazonaws.com
      

      QuayRegistry:

      apiVersion: quay.redhat.com/v1
      kind: QuayRegistry
      metadata:
        name: quay360
      spec:
        configBundleSecret: config-bundle-secret
        components:
          - kind: objectstorage
            managed: false
          - kind: route
            managed: true
          - kind: tls
            managed: false
      

      Steps:

      1. Deploy Quay Operator in Single OCP Namespace
      2. Create quay config bundle secret, run "oc create secret generic --from-file config.yaml=./config.yaml config-bundle-secret"
      3. Create QuayRegistry, run "oc create -f quayregistry.yaml"

      Expected Results:

      QuayRegistry deployment should fail with the error message "TLS Cert/Key should be provided"

      Actual Results:

      QuayRegistry deployment completed successfully, using the OCP default Route cert

       

      The design doc is the following:

      https://github.com/quay/enhancements/blob/main/enhancements/tls-managed-component.md 

      | route     | tls       | TLS cert/key pair provided | Expected result                                              |
      |-----------|-----------|----------------------------|--------------------------------------------------------------|
      | Managed   | Managed   | No                         | Edge Route with default wildcard cert                        |
      | Managed   | Managed   | Yes                        | Edge Route with default wildcard cert (Ignore provided TLS)  |
      | Managed   | Unmanaged | No                         | Error, TLS cert/key pair must be provided                    |
      | Managed   | Unmanaged | Yes                        | Edge Route with provided TLS                                 |
      | Unmanaged | Unmanaged | No                         | Do nothing, Quay expects HTTP traffic                        |
      | Unmanaged | Unmanaged | Yes                        | Do nothing, Quay expects HTTP traffic                        |
      | Unmanaged | Managed   | No                         | Error, tls component can only be used with route             |
      | Unmanaged | Managed   | Yes                        | Error, tls component can only be used with route             |

            rmarasch@redhat.com Ricardo Maraschini (Inactive)
            lzha1981 luffy zhang
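A preflight check that applies the design table above to a QuayRegistry component list and its config bundle, added here as an example; it is not the Quay Operator's own code. The bundle key names `ssl.cert` and `ssl.key`, the "missing component counts as managed" default, and the extra step that rejects a pair which does not parse or match are assumptions of this sketch.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// Component mirrors one entry of spec.components in the QuayRegistry.
type Component struct {
	Kind    string
	Managed bool
}

// managed: a kind missing from the list counts as managed (assumption).
func managed(cs []Component, kind string) bool {
	for _, c := range cs {
		if c.Kind == kind {
			return c.Managed
		}
	}
	return true
}

// CheckTLS applies the design table. "ssl.cert"/"ssl.key" are assumed bundle keys.
func CheckTLS(cs []Component, bundle map[string][]byte) (string, error) {
	route, tlsManaged := managed(cs, "route"), managed(cs, "tls")
	cert, key := bundle["ssl.cert"], bundle["ssl.key"]
	switch {
	case !route && tlsManaged:
		return "", errors.New("tls component can only be used with route")
	case !route:
		return "Do nothing, Quay expects HTTP traffic", nil
	case tlsManaged:
		return "Edge Route with default wildcard cert", nil
	case len(cert) == 0 || len(key) == 0:
		return "", errors.New("TLS cert/key pair must be provided")
	}
	// Beyond the table: a pair that does not parse or match is also rejected.
	if _, err := tls.X509KeyPair(cert, key); err != nil {
		return "", fmt.Errorf("invalid TLS cert/key pair: %w", err)
	}
	return "Edge Route with provided TLS", nil
}

func main() {
	// Constructed input: the QuayRegistry from this report, bundle without a pair.
	cs := []Component{{"objectstorage", false}, {"route", true}, {"tls", false}}
	fmt.Println(CheckTLS(cs, map[string][]byte{"config.yaml": nil}))
}
```

Run against the configuration in this report, the check returns the "TLS cert/key pair must be provided" error instead of allowing the deployment to continue.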