  1. Project Quay
  2. PROJQUAY-2416

Quay Mirror POD crashed when using unmanaged TLS component with provided cert/key pair

    Description

      This issue was found when deploying Quay with the operator, choosing a managed route and an unmanaged TLS component and providing a cert/key pair. After creating the QuayRegistry CR, the Quay Mirror POD failed to start. The Mirror POD logs show the error message "Failed to append custom certificate: extra_ca_certs/ssl.key"; see the attached mirror POD logs, quay_360_mirror_pod.logs.

      Note: Quay image is quay-operator-bundle-container-v3.6.0-18

      oc create secret generic --from-file config.yaml=./config.yaml --from-file ssl.cert=./ssl.cert --from-file ssl.key=./ssl.key config-bundle-secret
      
      oc create -f quayregistry_s3_tls_route_unmanaged.yaml
      oc get pod
      NAME                                          READY   STATUS             RESTARTS   AGE
      quay-operator.v3.6.0-784898d9f8-s57wc         1/1     Running            0          6h15m
      quay360-clair-app-cbb764cd9-b9swc             1/1     Running            0          22m
      quay360-clair-app-cbb764cd9-kmhv5             1/1     Running            0          22m
      quay360-clair-postgres-59cb96bfc6-jp8z4       1/1     Running            1          23m
      quay360-quay-app-5cc9777c79-nrpbc             1/1     Running            0          22m
      quay360-quay-app-5cc9777c79-r2qfv             1/1     Running            1          22m
      quay360-quay-app-upgrade-ntm5m                0/1     Completed          0          22m
      quay360-quay-config-editor-6cd5676d7b-4krp6   1/1     Running            0          22m
      quay360-quay-database-9494b4578-m4v9b         1/1     Running            1          22m
      quay360-quay-mirror-78459cf5d5-2qv4j          0/1     CrashLoopBackOff   8          21m
      quay360-quay-mirror-78459cf5d5-jbnkc          0/1     CrashLoopBackOff   8          21m
      quay360-quay-postgres-init-94czg              0/1     Completed          0          22m
      quay360-quay-redis-74d8d54b57-wh6vv           1/1     Running            0          23m
      
      oc get pod quay360-quay-mirror-78459cf5d5-2qv4j -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:a4cad2c70cd340029d00f468fc08cab887365d17fe22bbf31beeec36aebeb9e7"
      

      Config.yaml:

      cat config.yaml
      FEATURE_EXTENDED_REPOSITORY_NAMES: true
      CREATE_REPOSITORY_ON_PUSH_PUBLIC: true
      FEATURE_USER_INITIALIZE: true
      SERVER_HOSTNAME: quayv360.apps.quay-perf-738.perfscale.devcluster.openshift.com
      ALLOWED_OCI_ARTIFACT_TYPES: 
          application/vnd.cncf.helm.config.v1+json: 
          - application/tar+gzip
          application/vnd.oci.image.layer.v1.tar+gzip+encrypted:
          - application/vnd.oci.image.layer.v1.tar+gzip+encrypted
          application/vnd.oci.image.config.v1+json:
          - application/vnd.oci.image.layer.v1.tar+zstd
          application/vnd.oci.image.config.v1+json:
          - application/vnd.dev.cosign.simplesigning.v1+json
      DEFAULT_TAG_EXPIRATION: 4w
      TAG_EXPIRATION_OPTIONS:
      - 2w
      - 4w
      - 8w
      FEATURE_GENERAL_OCI_SUPPORT: true
      FEATURE_HELM_OCI_SUPPORT: false
      SUPER_USERS:
        - quay
        - admin
      DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
        - default
      DISTRIBUTED_STORAGE_PREFERENCE:
        - default
      DISTRIBUTED_STORAGE_CONFIG:
        default:
          - S3Storage
          - s3_bucket: quay360
            storage_path: /quay360
            s3_access_key: ******
            s3_secret_key: ******
            host: s3.us-east-2.amazonaws.com
      

      QuayRegistry CR:

      apiVersion: quay.redhat.com/v1
      kind: QuayRegistry
      metadata:
        name: quay360
      spec:
        configBundleSecret: config-bundle-secret
        components:
          - kind: objectstorage
            managed: false
          - kind: route
            managed: true
          - kind: tls
            managed: false
      

            People

              rmarasch@redhat.com Ricardo Maraschini (Inactive)
              lzha1981 luffy zhang