Project Quay: PROJQUAY-5174

Quay Operator doesn't trust internal service CA when it is rotated.


This bug affects Quay operator-based installations whose managed object storage is provided by ODF.

When provisioning a new Quay registry, the operator automatically adds the service CA that signs the object storage endpoint's certificate to the Quay certificate bundle.

There are some occasions where the service CA gets rotated [1] (for example, during an OCP upgrade), and we observed that the Quay operator does not add the new service CA to the certificate bundle.

This causes SSL: CERTIFICATE_VERIFY_FAILED exceptions in the Quay logs because certificate validation fails, and the registry stops working because it can no longer communicate with the storage.

The only possible workaround is adding the service CA to the config bundle secret manually [2].

[1] https://docs.openshift.com/container-platform/4.12/security/certificates/service-serving-certificate.html

[2] https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/manage_red_hat_quay/config-custom-ssl-certs-manual#config-custom-ssl-cert-kubernetes
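A detection check for the drift described above, added here as an example and not part of the issue or of the Quay operator: it fingerprints every certificate in the current service CA (assumed to be read from the `service-ca.crt` key of the `openshift-service-ca.crt` ConfigMap) and reports any that the Quay config bundle Secret does not contain. The Secret key name `extra_ca_cert_service-ca.crt` and the PEM contents in the sample are constructed assumptions; the script scans all Secret keys, so the real key name does not matter.

```python
import base64
import hashlib
import json
import re
import sys

# One PEM certificate block; the capture group is the base64 body between the markers.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    fps = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def bundle_from_secret(secret_obj):
    """Decode and concatenate every .data value of a Secret (as from `oc get secret -o json`).

    Keys are not filtered by name on purpose, so a CA stored under any key still counts.
    """
    parts = []
    for value in (secret_obj.get("data") or {}).values():
        parts.append(base64.b64decode(value).decode("utf-8", "replace"))
    return "\n".join(parts)


def missing_service_cas(service_ca_pem, bundle_pem):
    """Fingerprints of service CA certs absent from the Quay bundle (empty set means OK)."""
    return cert_fingerprints(service_ca_pem) - cert_fingerprints(bundle_pem)


# Constructed sample data, not real certificates: each DER body is just three bytes.
SAMPLE_SERVICE_CA = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
SAMPLE_OLD_CA = "-----BEGIN CERTIFICATE-----\nAwQF\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = {"data": {"extra_ca_cert_service-ca.crt": base64.b64encode(SAMPLE_OLD_CA.encode()).decode()}}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # argv[1]: file holding the service CA PEM; argv[2]: JSON of the Quay config bundle Secret
        with open(sys.argv[1]) as f:
            service_ca = f.read()
        with open(sys.argv[2]) as f:
            bundle = bundle_from_secret(json.load(f))
    else:
        service_ca, bundle = SAMPLE_SERVICE_CA, bundle_from_secret(SAMPLE_SECRET)
    missing = missing_service_cas(service_ca, bundle)
    print("service CA missing from bundle:" if missing else "bundle up to date", sorted(missing))
    sys.exit(1 if missing else 0)
```

A non-zero exit means the rotated CA has not reached the bundle and the manual workaround from [2] is still needed.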


              jonathankingfc Jonathan King
              rhn-support-ggeraci Giovanni Geraci