Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: quay-v3.8.4, quay-v3.9.0
Affects Version/s: quay-v3.8.0
Component/s: quay
Labels:
- quay
- triaged

Blocked:
False
Blocked Reason:
None
Ready:
False
Product:
Quay Enterprise

RICE Score:
0

SFDC Cases Links:
SFDC Cases Counter:

Description

If LDAP is set to be the auth backend, Quay will call it for both robot accounts and normal users. This was not hapenning before and it causes issues with LDAP setups that users have. For instance:

~/cases/inspect.local.8644177555356832513/namespaces/quay/pods# grep -i "incoming user" -rn jhb01-quay-app-78d4cfc89b-* |  cut -d "'" -f2 | sort | uniq -c
   1611 apps+mirror

~/cases/inspect.local.8644177555356832513/namespaces/quay/pods# grep -i "apps+mirror" -rn jhb01-quay-app-78d4cfc89b-* | grep "GET /v2/auth" | grep -i "skopeo" | wc -l
3222

3222 requests because we log both gunicorn-registry and nginx responses when debug logs are turned on which means exactly 1611 requests, as the previous log would suggest. This number of 1611 requests happened across a span of 3 minutes, which indicates that around 32k requests are made per hour.

This causes disruptions in LDAP functioning. Please check!