-
Bug
-
Resolution: Obsolete
-
Major
-
None
-
quay-v3.6.1, quay-v3.6.2
-
False
-
False
-
Description:
This is an issue when using managed Clair V4 to scan images stored in AWS S3, when Clair V4 is trying to fetch the image layer, get error from AWS "SignatureDoesNotMatch", see thee detailed message in attached Clair POD logs.
After checking, found when specifying "S3 Port: 443", hit this issue; when NOT specifying "S3 Port: 443", this issue is not existed.
Quay Version: Quay 3.6.2
Quay Image: quay-operator-bundle-container-v3.6.2-17
Note: This issue can be reproduced with released Quay 3.6.1
{"level":"error","component":"internal/indexer/controller/Controller.Index","manifest":"sha256:b004a71e38f8ace26e7554d5c2fa802a8bb39a5818cbe10ab49fd0b408a40c20","state":"FetchLayers","error":"failed to fetch layers: encountered error while fetching a layer: fetcher: unexpected status code: 403 Forbidden (body starts: \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKIAUMQAHCJON275SXFZ</AWSAcc\")","time":"2021-12-14T03:02:17Z","message":"error during scan"}
Clair Version:
{"level":"info","component":"main","version":"v4.3.4","time":"2021-12-14T02:57:55Z","message":"starting"}
{"level":"info","component":"main","version":"v4.3.4","time":"2021-12-14T02:57:55Z","message":"ready"}
Quay Config.yaml:
DISTRIBUTED_STORAGE_CONFIG:
default:
- S3Storage
- host: s3.us-east-2.amazonaws.com
s3_access_key: ***
s3_bucket: quayaws1046
s3_secret_key: ***
storage_path: /datafile
S3_Port: 443
Quay config editor
