Details
-
Bug
-
Resolution: Done
-
Major
-
quay-v3.6.0
-
3
-
False
-
False
-
Undefined
-
0
Description
Description:
This is an issue found when use Quay Operator to deploy Quay, when create quay config bundle secret, not provide TLS cert/key pairs, and in QuayRegistry set route is managed, TLS is unmanaged, as the design docs mentioned, in this condition Quay operator should report error with message like "TLS Cert/Key must be provided". However, the results is Quay Operator continue to deploy using OCP default Cert.
Quay Operator: quay-operator-container-v3.6.0-2
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1667063
Quay Config.yaml:
SERVER_HOSTNAME: quayv360.apps.quay-perf-732.perfscale.devcluster.openshift.com ALLOWED_OCI_ARTIFACT_TYPES: application/vnd.cncf.helm.config.v1+json: - application/tar+gzip application/vnd.oci.image.layer.v1.tar+gzip+encrypted: - application/vnd.oci.image.layer.v1.tar+gzip+encrypted application/vnd.oci.image.layer.v1.tar+zstd: - application/vnd.oci.image.layer.v1.tar+zstd application/vnd.dev.cosign.simplesigning.v1+json: - application/vnd.dev.cosign.simplesigning.v1+json DEFAULT_TAG_EXPIRATION: 4w TAG_EXPIRATION_OPTIONS: - 2w - 4w - 8w FEATURE_GENERAL_OCI_SUPPORT: false FEATURE_HELM_OCI_SUPPORT: false SUPER_USERS: - quay - admin DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: - default DISTRIBUTED_STORAGE_PREFERENCE: - default DISTRIBUTED_STORAGE_CONFIG: default: - S3Storage - s3_bucket: quay360 storage_path: /quay360 s3_access_key: ******* s3_secret_key: ****** host: s3.us-east-2.amazonaws.com
QuayRegistry:
apiVersion: quay.redhat.com/v1 kind: QuayRegistry metadata: name: quay360 spec: configBundleSecret: config-bundle-secret components: - kind: objectstorage managed: false - kind: route managed: true - kind: tls managed: false
Steps:
- Deploy Quay Operator in Single OCP Namespace
- Create quay config bundle secret, run "oc create secret generic --from-file config.yaml=./config.yaml config-bundle-secret"
- Create QuayRegistry, run "oc create -f quayregistry.yaml"
Expected Results:
QuayRegistry deployment should be failed with error message "TLS Cert/Key should be provided"
Actual Results:
QuayRegistry deployment completed successfully by using OCP default Route Cert
The following is the design Docs:
https://github.com/quay/enhancements/blob/main/enhancements/tls-managed-component.md
| route | tls | TLS cert/key pair provided | Expected result |
|---|---|---|---|
| Managed | Managed | No | Edge Route with default wildcard cert |
| Managed | Managed | Yes | Edge Route with default wildcard cert (Ignore provided TLS) |
| Managed | Unmanaged | No | Error, TLS cert/key pair must be provided |
| Managed | Unmanaged | Yes | Edge Route with provided TLS |
| Unmanaged | Unmanaged | No | Do nothing, Quay expects HTTP traffic |
| Unmanaged | Unmanaged | Yes | Do nothing, Quay expects HTTP traffic |
| Unmanaged | Managed | No | Error, tls component can only be used with route |
| Unmanaged | Managed | Yes | Error, tls component can only be used with route |
Attachments
Issue Links
- account is impacted by
-
PROJQUAY-3028 Release v3.6.3
-
- Closed
-
- impacts account
-
-
- Closed
-
- relates to
-
-
- Closed
-
