Goal: Allow customers to run both Quay and Clair in air-gapped environments
Problem: Today Quay works fine air-gapped, but Clair requires a persistent internet connection to synchronously fetch CVE metadata from the sources defined in its config.
Why is this important: Many customers in EMEA and NAPS run air-gapped setups but still want to leverage the high-value Clair scanning there.
Dependencies (internal and external):
Enhanced support for disconnected and air-gapped environments
Prioritized epics + deliverables (in scope / not in scope):
- As a user I can override the currently hardcoded URLs for CVE data streams to provide my own copies inside my air-gapped env.
- As a user I can control whether I’m running Quay/Clair in an air-gapped environment as part of the main deployment configuration (config app, setup operator).
- As a user I can read documentation which describes how to deploy Quay and Clair inside an air-gapped environment, including how to keep them up to date (update management).
- As a user I can read documentation which describes how to get the feeds used by Clair into my air-gapped environment.
- As a user I have tooling which semi-automates the feed provisioning inside my air-gapped environment (as part of the wider repository mirroring support for air-gapped environments).
- As a user I can configure (enable / disable) my CVE metadata sources to ensure that I only need to sync really required feeds into my air-gapped environment.
- As a user I can configure a warning period (X days) to trigger warnings (email, UI) if the CVE feeds used by Clair are older than X days. This is also shown on scan result pages where those feeds are used.
- As a user I can see if a required CVE feed isn't available (yet), for example when the detector identifies a RHEL-based image but the corresponding OVAL or CVRF feed isn't available or has been deselected by the user (false-negatives warning).
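The last two stories describe two checks an air-gapped deployment needs: flag feeds older than X days, and flag a scan whose detected OS has no enabled feed behind it. The following is an added example of that logic, not Quay or Clair code; the feed inventory, feed names and the OS-to-feed mapping are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory of locally mirrored feeds (hypothetical names and
# timestamps). A real deployment would read this from the sync tooling's state.
FEED_INVENTORY = {
    "rhel-oval": {"last_synced": "2024-03-01T00:00:00Z", "enabled": True},
    "debian":    {"last_synced": "2024-03-20T00:00:00Z", "enabled": True},
    "ubuntu":    {"last_synced": "2024-03-19T00:00:00Z", "enabled": False},
}

# Hypothetical mapping: which feed(s) must be present for a detected OS family,
# otherwise scan results for that image can only be false negatives.
REQUIRED_FEEDS = {
    "rhel": ["rhel-oval"],
    "debian": ["debian"],
    "ubuntu": ["ubuntu"],
    "alpine": ["alpine"],
}

def _parse_ts(value):
    # Accept the trailing "Z" form that fromisoformat() rejects on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_feeds(inventory, max_age_days, now=None):
    """Return [(feed, age_in_days)] for enabled feeds older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, meta in inventory.items():
        if not meta["enabled"]:
            continue  # disabled feeds are the operator's choice, not staleness
        synced = _parse_ts(meta["last_synced"])
        if synced < cutoff:
            stale.append((name, (now - synced).days))
    return stale

def coverage_warnings(detected_os, inventory):
    """Warnings to attach to a scan result when its OS has no usable feed."""
    warnings = []
    for feed in REQUIRED_FEEDS.get(detected_os, []):
        meta = inventory.get(feed)
        if meta is None:
            warnings.append(f"{feed}: feed not mirrored; {detected_os} results may be false negatives")
        elif not meta["enabled"]:
            warnings.append(f"{feed}: feed disabled by operator; {detected_os} results may be false negatives")
    return warnings
```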
Estimate (XS, S, M, L, XL, XXL):
Previous Work:
Open questions: