The REPO_MIRROR_TLS_VERIFY flag in Quay's config.yaml file is always set to true even though the flag is explicitly set to false in the custom config bundle:

FEATURE_USER_INITIALIZE: true
BROWSER_API_CALLS_XHR_ONLY: false
SUPER_USERS: 
 - quay-admin
FEATURE_USER_CREATION: false
EXTERNAL_TLS_TERMINATION: false
SERVER_HOSTNAME: QUAY_HOSTNAME
PREFERRED_URL_SCHEME: https
FEATURE_REPO_MIRROR: true
REPO_MIRROR_TLS_VERIFY: false

Mirror component is managed by the operator:

spec: 
  components: 
...
  - kind: mirror
    managed: true
  configBundleSecret: config-bundle-secret

However, even though the component is managed and we have REPO_MIRROR_TLS_VERIFY explicitly mentioned in the custom config bundle, no errors are present in the operator pod logs and the rendered configuration, apart from the said switch, is sound and Quay is functioning properly.

The client also informed us that changing the property via the config tool also doesn't work. Even if they click on the "redeploy" button and Quay gets restarted, the flag is still set to true.

Please check! Thanks!

NOTES FROM THE TEAM MEETING

• Operator should throw an error if this config is present and mirror is managed
• Mirror managed should always trust quay certs
• These are the fields operator owns when mirror is managed: https://github.com/quay/quay-operator/blob/d5ffd0e1159dda7b51aa1529c1d16258da3dd814/vendor/github.com/quay/config-tool/pkg/lib/fieldgroups/repomirror/repomirror_fields.go#L4