Project Quay / PROJQUAY-5999

Quay 3.9.1 Clair can't scan images when the backend storage is IBM COS


    • Bug
    • Resolution: Unresolved
    • Major
    • clair-4.7.0
    • quay

      Description:

      This issue was found when Quay is configured to use IBM COS with "Proxy storage via Quay" enabled. After pushing some images to Quay, I can't see the image vulnerability scan results. I checked the Clair app logs and found the following error:

      {"level":"error","component":"indexer/controller/Controller.Index","request_id":"b5c7836b3e675038","manifest":"sha256:5403064f94b617f7975a19ba4d1a1299fd584397f6ee4393d0e16744ed11aab1","state":"FetchLayers","error":"failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:10e6159c56c084c858f5de2416454ac0a49ddda47b764e4379c5d5a147c9bf5f: fetcher: unexpected status code: 403 Forbidden (body starts: \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" standalone=\\\"yes\\\"?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. For more informatio\")","time":"2023-09-05T05:20:10Z","message":"error during scan"} 

      Quay: quay-operator-bundle-container-v3.9.1-7

      Can't see image scan results when the backend is IBM COS:

      {"level":"error","component":"indexer/controller/Controller.Index","request_id":"b5c7836b3e675038","manifest":"sha256:5403064f94b617f7975a19ba4d1a1299fd584397f6ee4393d0e16744ed11aab1","state":"FetchLayers","error":"failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:10e6159c56c084c858f5de2416454ac0a49ddda47b764e4379c5d5a147c9bf5f: fetcher: unexpected status code: 403 Forbidden (body starts: \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" standalone=\\\"yes\\\"?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. For more informatio\")","time":"2023-09-05T05:20:10Z","message":"error during scan"}
      {"level":"info","request_id":"b5c7836b3e675038","component":"libindex/Libindex.Index","manifest":"sha256:5403064f94b617f7975a19ba4d1a1299fd584397f6ee4393d0e16744ed11aab1","time":"2023-09-05T05:20:10Z","message":"index request done"}
      {"level":"info","component":"httptransport/New","request_id":"b5c7836b3e675038","remote_addr":"10.129.2.22:50932","method":"POST","request_uri":"/indexer/api/v1/index_report","status":500,"duration":289.28039,"time":"2023-09-05T05:20:10Z","message":"handled HTTP request"}
      {"level":"info","request_id":"edcb03a8848ee518","manifest":"sha256:930034b169a5d135367a750be2bb7ecf2d6eff2283b74fc7125c22668fad9a92","component":"libindex/Libindex.Index","time":"2023-09-05T05:20:11Z","message":"index request start"} 

      Quay Config.yaml:

      ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
      ALLOWED_OCI_ARTIFACT_TYPES:
        application/vnd.cncf.helm.config.v1+json:
        - application/tar+gzip
        application/vnd.oci.image.layer.v1.tar+gzip+encrypted:
        - application/vnd.oci.image.layer.v1.tar+gzip+encrypted
      AUTHENTICATION_TYPE: Database
      BUILDLOGS_REDIS:
        host: quay3910-quay-redis
        port: 6379
      CREATE_NAMESPACE_ON_PUSH: true
      DATABASE_SECRET_KEY: UxVz0ZFiPqob2nUGHFeP5sDMwS4w7aENyXCdJOopypxUYEcXnppPnBSPPC32dg4y0NOtIk2vF3094cGv
      DB_CONNECTION_ARGS:
        autorollback: true
        threadlocals: true
      DB_URI: postgresql://quay3910-quay-database:SaZ34n3TpRNff2-ps19XGJQjymATJVndF6x8vZQwLhN17bKNFeO3EVBvzUXnuQtkGwquVfEK66B0NxYh@quay3910-quay-database:5432/quay3910-quay-database
      DEFAULT_TAG_EXPIRATION: 4w
      DISTRIBUTED_STORAGE_CONFIG:
        default:
        - S3Storage
        - host: s3.us-south.cloud-object-storage.appdomain.cloud
          maximum_chunk_size_gb: 2
          port: "443"
          s3_access_key: ******
          s3_bucket: quay3.3.0
          s3_secret_key: ******
          storage_path: /quay391ibmcos0905
      DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
      - default
      DISTRIBUTED_STORAGE_PREFERENCE:
      - default
      ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
      EXTERNAL_TLS_TERMINATION: true
      FEATURE_BUILD_SUPPORT: false
      FEATURE_DIRECT_LOGIN: true
      FEATURE_EXTENDED_REPOSITORY_NAMES: true
      FEATURE_GENERAL_OCI_SUPPORT: true
      FEATURE_HELM_OCI_SUPPORT: true
      FEATURE_MAILING: false
      FEATURE_PROXY_CACHE: true
      FEATURE_PROXY_STORAGE: true
      FEATURE_QUOTA_MANAGEMENT: true
      FEATURE_REPO_MIRROR: true
      FEATURE_SECURITY_NOTIFICATIONS: true
      FEATURE_SECURITY_SCANNER: true
      FEATURE_SUPERUSERS_FULL_ACCESS: true
      FEATURE_USER_INITIALIZE: true
      PREFERRED_URL_SCHEME: https
      REGISTRY_TITLE: Red Hat Quay
      REGISTRY_TITLE_SHORT: Red Hat Quay
      REPO_MIRROR_INTERVAL: 30
      REPO_MIRROR_TLS_VERIFY: true
      SECRET_KEY: eCEsPkMiwwr7sMLZKXnxpebYXERLFcQTYCP3ld8XMJqJmdOBRNuFtDkjiZXqBt8R2Sgx6IliKg2haczD
      SECURITY_SCANNER_INDEXING_INTERVAL: 30
      SECURITY_SCANNER_V4_ENDPOINT: http://quay3910-clair-app.quay-enterprise-1339.svc.cluster.local
      SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
      - admin
      SECURITY_SCANNER_V4_PSK: b3lsbjFoOTFoSGt5cXlRWHVncGhCU25VdU5yOWp1T2s=
      SERVER_HOSTNAME: quay3910-quay-quay-enterprise-1339.apps.quaytest-1339.qe.devcluster.openshift.com
      SETUP_COMPLETE: true
      SUPER_USERS:
      - quay
      - admin
      TAG_EXPIRATION_OPTIONS:
      - 2w
      - 4w
      - 8w
      TEAM_RESYNC_STALE_TIME: 60m
      TESTING: false
      USER_EVENTS_REDIS:
        host: quay3910-quay-redis
        port: 6379
      USERFILES_LOCATION: default
      USERFILES_PATH: userfiles/ 

              Unassigned Unassigned
              lzha1981 luffy zhang
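
A triage helper for the Clair log format shown in this report, as an added example that is not part of the original issue or of the Quay/Clair code: it extracts the failed layer, HTTP status and S3 error code from `FetchLayers` errors so signature failures can be counted across many scans. The sample lines are constructed, with shortened placeholder digests and request IDs.

```python
import json
import re
from collections import Counter

# Constructed sample lines using the field names seen in the Clair log above;
# digests and request IDs are shortened placeholders, not real values.
SAMPLE_LOG = r'''
{"level":"error","component":"indexer/controller/Controller.Index","request_id":"aaaa0001","manifest":"sha256:1111","state":"FetchLayers","error":"failed to fetch layers: encountered error while fetching a layer: error realizing layer sha256:2222: fetcher: unexpected status code: 403 Forbidden (body starts: \"<?xml version=\\\"1.0\\\"?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calc\")","time":"2023-09-05T05:20:10Z","message":"error during scan"}
{"level":"info","component":"httptransport/New","request_id":"aaaa0001","method":"POST","request_uri":"/indexer/api/v1/index_report","status":500,"time":"2023-09-05T05:20:10Z","message":"handled HTTP request"}
{"level":"info","request_id":"bbbb0002","manifest":"sha256:3333","component":"libindex/Libindex.Index","time":"2023-09-05T05:20:11Z","message":"index request start"}
not-json line from another container
'''

LAYER_RE = re.compile(r"error realizing layer (sha256:[0-9a-f]+)")
STATUS_RE = re.compile(r"unexpected status code: (\d{3})")
S3_CODE_RE = re.compile(r"<Code>(\w+)</Code>")  # S3-style XML error body


def fetch_failures(log_text):
    """Return one dict per failed layer fetch found in Clair indexer logs."""
    failures = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(rec, dict):
            continue
        if rec.get("level") != "error" or rec.get("state") != "FetchLayers":
            continue
        err = rec.get("error", "")
        layer = LAYER_RE.search(err)
        status = STATUS_RE.search(err)
        s3_code = S3_CODE_RE.search(err)
        failures.append({
            "request_id": rec.get("request_id"),
            "manifest": rec.get("manifest"),
            "layer": layer.group(1) if layer else None,
            "status": int(status.group(1)) if status else None,
            "s3_code": s3_code.group(1) if s3_code else None,
        })
    return failures


def summarize(failures):
    """Count failures by (HTTP status, S3 error code)."""
    return Counter((f["status"], f["s3_code"]) for f in failures)
```
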