• Remove the config editor

      Story: As a Quay administrator I want to remove the config-editor deployed by the Quay Operator so that I have a full audit-trail on the registry configuration.

      Background: By default the config editor is deployed for every QuayRegistry instance, which makes it difficult to establish an audit-trail over the registry's configuration. Anyone with access to the namespace, config editor secret and config editor route can use the config editor to make changes to the Quay configuration, and their identity will not be logged anywhere in the system. By removing the config-editor, any config change will be forced through the config bundle property of the QuayRegistry resource, which points to a Secret that is then subject to native Kubernetes auditing and logging.

      Acceptance criteria:

      • the config editor becomes a managed component
      • the config editor is removed and no longer available in an operator deployment
      • the config editor can be disabled by setting its component to unmanaged
      • during updates from previous Quay operator versions the config editor component will be instantiated as a managed component which is enabled
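      As an added illustration (not part of the original ticket or of the Quay project's code), the audit trail described in the Background can be read back from the Kubernetes API server audit log by selecting write requests against the config bundle Secret. The namespace `quay`, the Secret name `config-bundle`, the users, the addresses and the log lines are constructed sample values; the field names follow the `audit.k8s.io/v1` Event format.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed audit.k8s.io/v1 events, one JSON object per line; the namespace,
# Secret name, users and addresses are made-up sample values.
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:quay:operator"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"secrets","namespace":"quay","name":"config-bundle"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-11-01T09:00:00Z"}
{"stage":"RequestReceived","verb":"patch","user":{"username":"alice@example.com"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"secrets","namespace":"quay","name":"config-bundle"},"requestReceivedTimestamp":"2023-11-01T09:05:00Z"}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"alice@example.com"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"secrets","namespace":"quay","name":"config-bundle"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-11-01T09:05:00Z"}
{"stage":"ResponseComplete","verb":"update","user":{"username":"bob@example.com"},"sourceIPs":["192.0.2.20"],"objectRef":{"resource":"secrets","namespace":"quay","name":"config-bundle"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2023-11-01T09:10:00Z"}
{"stage":"ResponseComplete","verb":"update","user":{"username":"carol@example.com"},"sourceIPs":["192.0.2.30"],"objectRef":{"resource":"secrets","namespace":"quay","name":"other-secret"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-11-01T09:15:00Z"}
not-json: truncated line
{"stage":"ResponseComplete","verb":"deletecollection","user":{"username":"cluster-admin"},"sourceIPs":["192.0.2.40"],"objectRef":{"resource":"secrets","namespace":"quay"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-11-01T09:20:00Z"}
"""

def config_bundle_writes(log_text, namespace, secret):
    """Return write attempts against the config bundle Secret, with identity."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue  # one record per request; reads are not config changes
        if ref.get("resource") != "secrets" or ref.get("namespace") != namespace:
            continue
        # deletecollection carries no object name but can still remove the Secret
        if ref.get("name") != secret and ev["verb"] != "deletecollection":
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev["verb"],
            "source": ", ".join(ev.get("sourceIPs", [])),
            "allowed": 200 <= code < 300,
        })
    return findings

if __name__ == "__main__":
    for finding in config_bundle_writes(SAMPLE_AUDIT_LOG, "quay", "config-bundle"):
        print(finding)
```

      This depends on the cluster's audit policy recording Secret writes at least at the Metadata level, which is enough to capture the user, verb and object reference.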

            [PROJQUAY-5021] Remove the config editor

            GitLab CEE Bot added a comment -

            CPaaS Service Account mentioned this issue in a merge request of quay-midstream / quay-operator-cpaas on branch quay-3.10-rhel-9_upstream_d8f2ef116d22081db6a7cfdd3af810c6:

            Updated US source to: 1a3436a [redhat-3.10] feat: Remove config editor (PROJQUAY-5021) (#871)

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: Red Hat Quay security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2023:7341


            GitLab CEE Bot added a comment -

            Sean Zhao mentioned this issue in a merge request of quay / quay-automation on branch configeditor:

            OCPQE-17676: remove Config editor for Quay3.10 in pipeline

            Jonathan King added a comment -

            rhn-support-ibazulic DanielMesser doconnor@redhat.com Let me clarify some terms so we can be clear on the changes being made here.

            Config Tool: This is the overall go-binary that includes both config editor and config validator (described below)

            Config Editor: The web UI which allows users to edit their config.yaml and redeploy their Quay instance using the operator

            Config Validator: This purely validates the config.yaml that is provided; it runs before the config editor reconfiguration as well as on startup for Quay.

            This ticket is specifically targeting the removal of the config editor. This won't remove the validation from Quay startup, but it will remove the UI for configuring the Quay config.yaml.

            To respond directly to rhn-support-ibazulic's comments: If we see that several users are utilizing the config editor to configure their Quay instance, that is a valid consideration as we could be disrupting some customer workflows. With that said, deprecating the config editor is essentially a hard requirement at this point, so we will probably need to find a way to smoothen this transition, either through docs or a KB article. As for the VM deployments, I don't see this change affecting these users any more than it will affect those using the Operator. Can you elaborate on this a bit? Thanks!

            Daniel Messer added a comment -

            To the followers of this epic: in the past we got feedback that some users want to disable the config-editor for security reasons, since its route is always created and, though protected by password, provided external access to the config-editor. Meanwhile, the config-editor has fallen behind quite a bit in terms of coverage of Quay config tunables. Previously it was also our only way to validate the correctness of a Quay config.

            Nowadays the config validation (e.g. are the storage bucket credentials correct, can I access the database etc.) is baked into the Quay pod startup routine, and this way we could detect invalid configs during a rollout / re-rollout as part of a config update. On the other hand, many users today prefer a GitOps approach to manage the config of Quay, which is natively supported by the operator, and there is not really a need for a graphical config editor anymore when running on OpenShift.

            Hence we decided to remove the config-editor from the deployment. It will still remain available as part of the Quay container image, so users who still want to use it can do so by launching it on their workstation directly. But we will likely not add any of the newer tunables to the UI either.

              jonathankingfc Jonathan King
              DanielMesser Daniel Messer