Chapter 1. Red Hat Quay release notes

1.1. RHBA-2024:6048 - Red Hat Quay 3.12.3 release

Issued 2024-09-26

Red Hat Quay release 3.12.3 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:7072 advisory.

1.1.1. Red Hat Quay 3.12.3 bug fixes

PROJQUAY-7561. Previously, pulling an image failed when using Hitachi Content Platform for Cloud Scale (HCP-CS). This issue has been resolved. This issue has been resolved, however HCP-CS is still not yet supported for use with Red Hat Quay.
PROJQUAY-7735. Previously, there was a bug on the Red Hat Quay v2 UI wherein users could not select the When the image is due to expiry in days event trigger. This issue has been resolved.
PROJQUAY-6562. Previously, too many INFO log lines were reported in the quay-app logs. This issue has been resolved. INFO log lines now return when using the debug option.

1.2. RHBA-2024:6048 - Red Hat Quay 3.12.2 release

Issued 2024-09-3

Red Hat Quay release 3.12.2 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:6048 advisory.

1.2.1. Red Hat Quay 3.12.2 bug fixes

PROJQUAY-7598. Invalid manifests are now returned when using the API.
PROJQUAY-7689. Previously, there was a bug affecting STS S3Storage engines, in which a config error was returned. This bug has been resolved.

1.3. RHBA-2024:5039 - Red Hat Quay 3.12.1 release

Issued 2024-08-14

Red Hat Quay release 3.12.1 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:5039 advisory.

1.3.1. Red Hat Quay 3.12.1 new features

With this release, NetApp ONTAP S3 object storage is now supported. For more information, see NetApp ONTAP S3 object storage.

1.3.2. Red Hat Quay 3.12.1 known issues

When using NetApp ONTAP S3 object storage, images with large layer sizes fail to push. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-7462).

1.3.3. Red Hat Quay 3.12.1 bug fixes

PROJQUAY-7177. Previously, global read-only superusers could not obtain resources from an organization when using the API. This issue has been resolved.
PROJQUAY-7446. Previously, global read-only superusers could not obtain correct information when using the listRepos API endpoints. This issue has been resolved.
PROJQUAY-7449. Previously, global read-only superusers could not use some superuser API endpoints. This issue has been resolved.
PROJQUAY-7487. Previously, when a repository had multiple notifications enabled, the wrong type of event notification could be triggered. This issue has been resolved.
PROJQUAY-7491. When using NetAPP’s OnTAP S3 implementation, the follow errors could be returned: presigned URL request computed using signature-version v2 is not supported by ONTAP-S3. This error occurred because boto iterates over a map of authentications if none is requested, and returns v2 because it is ordered earlier than v4. This issue has been fixed, and the error is no longer returned.
PROJQUAY-7578. On the 3.12.1 UI, the release notes pointed to Red Hat Quay’s 3.7 release. This has been fixed, and they now point to the current version.

1.3.4. Upgrading to Red Hat Quay 3.12.1

For information about upgrading standalone Red Hat Quay deployments, see Standalone upgrade.

For information about upgrading Red Hat Quay on OpenShift Container Platform, see Upgrading the Red Hat Quay Operator.

1.4. RHBA-2024:4525 - Red Hat Quay 3.12.0 release

Issued 2024-07-23

Red Hat Quay release 3.12 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:4525 advisory. For the most recent compatibility matrix, see Quay Enterprise 3.x Tested Integrations.

1.5. Red Hat Quay release cadence

With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.

For more information, see the Red Hat Quay Life Cycle Policy.

1.6. Red Hat Quay documentation changes

The following documentation changes have been made with the Red Hat Quay 3.12 release:

The Use Red Hat Quay guide now includes accompanying API procedures for basic operations, such as creating and deleting repositories and organizations by using the API, access management, and so on.

1.7. Red Hat Quay new features and enhancements

The following updates have been made to Red Hat Quay.

1.7.1. Splunk event collector enhancements

With this update, Red Hat Quay administrators can configure their deployment to forward action logs directly to a Splunk HTTP Event Collector (HEC). This enhancement enables seamless integration with Splunk for comprehensive log management and analysis.

For more information, see Configuring action log storage for Splunk.

1.7.2. API token ownership

Previously, when a Red Hat Quay organization owner created an API OAuth token, and that API OAuth token was used by another organization member, the action was logged to the creator of the token. This was undesirable for auditing purpose, notably in restricted environments where only dedicated registry administrators are organization owners.

With this release, organization administrators can now assign OAuth API tokens to be created by other users with specific permissions. This allows the audit logs to be reflected accurately when the token is used by a user that has no organization administrative permissions to create an OAuth API token.

For more information, see Reassigning an OAuth access token.

1.7.3. Image expiration notification

Previously, Red Hat Quay administrators and users had no way of being alerted when an image was about to expire. With this update, an event can be configured to notify users when an image is about to expire. This helps Red Hat Quay users avoid unexpected pull failures.

Image expiration event triggers can be configured to notify users through email, Slack, webhooks, and so on, and can be configured at the repository level. Triggers can be set for images expiring in any amount of days, and can work in conjunction with the auto-pruning feature.

For more information, see Creating an image expiration notification.

1.7.4. Red Hat Quay auto-pruning enhancements

With the release of Red Hat Quay 3.10, a new auto-pruning feature was released. With that feature, Red Hat Quay administrators could set up auto-pruning policies on namespaces for both users and organizations so that image tags were automatically deleted based on specified criteria. In Red Hat Quay 3.11, this feature was enhanced so that auto-pruning policies could be set up on specified repositories.

With this release, default auto-pruning policies can now be set up at the registry level. Default auto-pruning policies set up at the registry level can be configured on new and existing organizations. This feature saves Red Hat Quay administrators time, effort, and storage by enforcing registry-wide rules.

Red Hat Quay administrators must enable this feature by updating their config.yaml file to include the DEFAULT_NAMESPACE_AUTOPRUNE_POLICY configuration field and one of number_of_tags or creation_date methods. Currently, this feature cannot be enabled by using the v2 UI or the API.

For more information, see Red Hat Quay auto-pruning overview.

1.7.5. Open Container Initiative 1.1 implementation

Red Hat Quay now supports the Open Container Initiative (OCI) 1.1 distribution spec version 1.1. Key highlights of this update include support for the following areas:

Enhanced capabilities for handling various types of artifacts, which provides better flexibility and compliance with OCI 1.1.
Introduction of new reference types, which allows more descriptive referencing of artifacts.
Introduction of the referrers API, which aids in the retrieval and management of referrers, which helps improve container image management.
Enhance UI to better visualize referrers, which makes it easier for users to track and manage dependencies.

For more information about OCI spec 1.1, see OCI Distribution Specification.

For more information about OCI support and Red Hat Quay, see Open Container Initiative support.

1.7.6. Metadata support through annotations

Some OCI media types do not utilize labels and, as such, critical information such as expiration timestamps are not included. With this release, Red Hat Quay now supports metadata passed through annotations to accommodate OCI media types that do not include these labels for metadata transmission. Tools such as ORAS (OCI Registry as Storage) can now be used to embed information with artifact types to help ensure that images operate properly, for example, to expire.

For more information about OCI media types and how adding an annotation with ORAS works, see Open Container Initiative support.

1.7.7. Red Hat Quay v2 UI enhancements

The following enhancements have been made to the Red Hat Quay v2 UI.

1.7.7.1. Robot account creation enhancement

When creating a robot account with the Red Hat Quay v2 UI, administrators can now specify that the kubernetes runtime use a secret only for a specific organization or repository. This option can be selected by clicking the name of your robot account on the v2 UI, and then clicking the Kubernetes tab.

1.8. New Red Hat Quay configuration fields

The following configuration fields have been added to Red Hat Quay 3.12.

1.8.1. OAuth access token reassignment configuration field

The following configuration field has been added for reassigning OAuth access tokens:

Field	Type	Description
FEATURE_ASSIGN_OAUTH_TOKEN	Boolean	Allows organization administrators to assign OAuth tokens to other users.

Example OAuth access token reassignment YAML

# ...
FEATURE_ASSIGN_OAUTH_TOKEN: true
# ...

1.8.2. Notification interval configuration field

The following configuration field has been added to enhance Red Hat Quay notifications:

Field	Type	Description
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES	Integer	The interval, in minutes, that defines the frequency to re-run notifications for expiring images. By default, this field is set to notify Red Hat Quay users of events happening every 5 hours.

Example notification re-run YAML

# ...
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES: 10
# ...

1.8.3. Registry auto-pruning configuration fields

The following configuration fields have been added to Red Hat Quay auto-pruning feature:

Field	Type	Description
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES	Integer	The interval, in minutes, that defines the frequency to re-run notifications for expiring images. Default: `300`
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY	Object	The default organization-wide auto-prune policy.
.method: number_of_tags	Object	The option specifying the number of tags to keep.
.value: <integer>	Integer	When used with method: number_of_tags, denotes the number of tags to keep. For example, to keep two tags, specify `2`.
.method: creation_date	Object	The option specifying the duration of which to keep tags.
.value: <integer>	Integer	When used with creation_date, denotes how long to keep tags. Can be set to seconds (`s`), days (`d`), months (`m`), weeks (`w`), or years (`y`). Must include a valid integer. For example, to keep tags for one year, specify `1y`.
AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD	Integer	The period in which the auto-pruner worker runs at the registry level. By default, it is set to run one time per day (one time per 24 hours). Value must be in seconds.

Example registry auto-prune policy by number of tags

DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: number_of_tags
  value: 10

Example registry auto-prune policy by creation date

DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: creation_date
  value: 1y

1.8.4. Vulnerability detection notification configuration field

The following configuration field has been added to notify users on detected vulnerabilities based on security level:

Field	Type	Description
NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX	String	Set minimal security level for new notifications on detected vulnerabilities. Avoids creation of large number of notifications after first index. If not defined, defaults to `High`. Available options include `Critical`, `High`, `Medium`, `Low`, `Negligible`, and `Unknown`.

Example image vulnerability notification YAML

NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX: High

1.8.5. OCI referrers API configuration field

The following configuration field allows users to list OCI referrers of a manifest under a repository by using the v2 API:

Field	Type	Description
FEATURE_REFERRERS_API	Boolean	Enables OCI 1.1’s referrers API.

Example OCI referrers enablement YAML

# ...
FEATURE_REFERRERS_API: True
# ...

1.8.6. Disable strict logging configuration field

The following configuration field has been added to address when external systems like Splunk or ElasticSearch are configured as audit log destinations but are intermittently unavailable. When set to True, the logging event is logged to the stdout instead.

Field	Type	Description
ALLOW_WITHOUT_STRICT_LOGGING	Boolean	When set to `True`, allows you to use any registry action when you are unable to write to the audit log.

Example strict logging YAML

# ...
ALLOW_WITHOUT_STRICT_LOGGING: True
# ...

1.8.7. Clair indexing layer size configuration field

The following configuration field has been added for the Clair security scanner, which allows Red Hat Quay administrators to set a maximum layer size allowed for indexing.

Field	Type	Description
SECURITY_SCANNER_V4_INDEX_MAX_LAYER_SIZE	String	The maximum layer size allowed for indexing. If the layer size exceeds the configured size, the Red Hat Quay UI returns the following message: `The manifest for this tag has layer(s) that are too large to index by the Quay Security Scanner`. The default is `8GB`, and the maximum recommended is `10GB`. Example: `8GB`

1.9. API endpoint enhancements

1.9.1. New changeOrganizationQuota and createOrganizationQuota endpoints:

The following optional API field has been added to the changeOrganizationQuota and createOrganizationQuota endpoints:

Name	Description	Schema
limits optional	Human readable storage capacity of the organization. Accepts SI units like Mi, Gi, or Ti, as well as non-standard units like GB or MB. Must be mutually exclusive with `limit_bytes`.	string

Use this field to set specific limits when creating or changing an organization’s quote limit. For more information about these endpoints, see changeOrganizationQuota and createOrganizationQuota.

1.9.2. New referrer API endpoint

The following API endpoint allows use to obtain referrer artifact information:

Type	Name	Description	Schema
path	orgname required	The name of the organization	string
path	repository required	The full path of the repository. e.g. namespace/name	string
path	referrers required	Looks up the OCI referrers of a manifest under a repository.	string

To use this field, you must generate a v2 API OAuth token and set FEATURE_REFERRERS_API: true in your config.yaml file. For more information, see Creating an OCI referrers OAuth access token.

1.10. Red Hat Quay 3.12 known issues and limitations

The following sections note known issues and limitations for Red Hat Quay 3.12.

1.10.1. Red Hat Quay v2 UI known issues

The Red Hat Quay team is aware of the following known issues on the v2 UI:

PROJQUAY-6910. The new UI can’t group and stack the chart on usage logs
PROJQUAY-6909. The new UI can’t toggle the visibility of the chart on usage log
PROJQUAY-6904. "Permanently delete" tag should not be restored on new UI
PROJQUAY-6899. The normal user can not delete organization in new UI when enable FEATURE_SUPERUSERS_FULL_ACCESS
PROJQUAY-6892. The new UI should not invoke not required stripe and status page
PROJQUAY-6884. The new UI should show the tip of slack Webhook URL when creating slack notification
PROJQUAY-6882. The new UI global readonly super user can’t see all organizations and image repos
PROJQUAY-6881. The new UI can’t show all operation types in the logs chart
PROJQUAY-6861. The new UI "Last Modified" of organization always show N/A after target organization’s setting is updated
PROJQUAY-6860. The new UI update the time machine configuration of organization show NULL in usage logs
PROJQUAY-6859. Thenew UI remove image repo permission show "undefined" for organization name in audit logs
PROJQUAY-6852. "Tag manifest with the branch or tag name" option in build trigger setup wizard should be checked by default.
PROJQUAY-6832. The new UI should validate the OIDC group name when enable OIDC Directory Sync
PROJQUAY-6830. The new UI should show the sync icon when the team is configured sync team members from OIDC Group
PROJQUAY-6829. The new UI team member added to team sync from OIDC group should be audited in Organization logs page
PROJQUAY-6825. Build cancel operation log can not be displayed correctly in new UI
PROJQUAY-6812. The new UI the "performer by" is NULL of build image in logs page
PROJQUAY-6810. The new UI should highlight the tag name with tag icon in logs page
PROJQUAY-6808. The new UI can’t click the robot account to show credentials in logs page
PROJQUAY-6807. The new UI can’t see the operations types in log page when quay is in dark mode
PROJQUAY-6770. The new UI build image by uploading Docker file should support .tar.gz or .zip
PROJQUAY-6769. The new UI should not display message "Trigger setup has already been completed" after build trigger setup completed
PROJQUAY-6768. The new UI can’t navigate back to current image repo from image build
PROJQUAY-6767. The new UI can’t download build logs
PROJQUAY-6758. The new UI should display correct operation number when hover over different operation type
PROJQUAY-6757. The new UI usage log should display the tag expiration time as date format

1.10.2. Red Hat Quay 3.12 limitations

The following features are not supported on IBM Power (ppc64le) or IBM Z (s390x):

Ceph RadosGW storage
Splunk HTTP Event Collector (HEC)

1.11. Red Hat Quay bug fixes

The following issues were fixed with Red Hat Quay 3.12:

PROJQUAY-6763. Quay 3.11 new UI operations of enable/disable team sync from OIDC group should be audited
PROJQUAY-6826. Log histogram can’t be hidden in the new UI
PROJQUAY-6855. Quay 3.11 new UI no usage log to audit operations under user namespace
PROJQUAY-6857. Quay 3.11 new UI usage log chart covered the operations types list
PROJQUAY-6931. OCI-compliant pagination
PROJQUAY-6972. Quay 3.11 new UI can’t open repository page when Quay has 2k orgs and 2k image repositories
PROJQUAY-7037. Can’t get slack and email notification when package vulnerability found
PROJQUAY-7069. Invalid time format error messages and layout glitches in tag expiration modal
PROJQUAY-7107. Quay.io overview page does not work in dark mode
PROJQUAY-7239. Quay logging exception when caching specific security_reports
PROJQUAY-7304. security: Add Vary header to 404 responses
PROJQUAY-6973. Add OCI Pagination
PROJQUAY-6974. Set a default auto-pruning policy at the registry level
PROJQUAY-6976. Org owner can change ownership of API tokens
PROJQUAY-6977. Trigger event on image expiration
PROJQUAY-6979. Annotation Parsing
PROJQUAY-6980. Add support for a global read only superuser
PROJQUAY-7360. Missing index on subject_backfilled field in manifest table
PROJQUAY-7393. Create backfill index concurrently
PROJQUAY-7116. Allow to ignore audit logging failures

1.12. Red Hat Quay feature tracker

New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 1.1. New features tracker
Feature	Quay 3.12	Quay 3.11	Quay 3.10
Splunk HTTP Event Collector (HEC) support	General Availability	-	-
Open Container Initiative 1.1 support	General Availability	-	-
Reassigning an OAuth access token	General Availability	-	-
Creating an image expiration notification	General Availability	-	-
Team synchronization for Red Hat Quay OIDC deployments	General Availability	General Availability	-
Configuring resources for managed components on OpenShift Container Platform	General Availability	General Availability	-
Configuring AWS STS for Red Hat Quay, Configuring AWS STS for Red Hat Quay on OpenShift Container Platform	General Availability	General Availability	-
Red Hat Quay repository auto-pruning	General Availability	General Availability	-
Configuring dark mode on the Red Hat Quay v2 UI	General Availability	General Availability	-
Disabling robot accounts	General Availability	General Availability	General Availability
Red Hat Quay namespace auto-pruning	General Availability	General Availability	General Availability
FEATURE_UI_V2	Technology Preview	Technology Preview	Technology Preview

1.12.1. IBM Power, IBM Z, and IBM® LinuxONE support matrix

Table 1.2. list of supported and unsupported features
Feature	IBM Power	IBM Z and IBM® LinuxONE
Allow team synchronization via OIDC on Azure	Not Supported	Not Supported
Backing up and restoring on a standalone deployment	Supported	Supported
Clair Disconnected	Supported	Supported
Geo-Replication (Standalone)	Supported	Supported
Geo-Replication (Operator)	Not Supported	Not Supported
IPv6	Not Supported	Not Supported
Migrating a standalone to operator deployment	Supported	Supported
Mirror registry	Not Supported	Not Supported
PostgreSQL connection pooling via pgBouncer	Supported	Supported
Quay config editor - mirror, OIDC	Supported	Supported
Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise	Not Supported	Not Supported
Quay config editor - Red Hat Quay V2 User Interface	Supported	Supported
Quay Disconnected	Supported	Supported
Repo Mirroring	Supported	Supported