Chapter 1. Clair CRDA endpoints disabled
As of September 25, 2023, the Code Ready Dependency Analytics Service for Java vulnerability matching is no longer usable with Clair. The service’s API moved to a different endpoint and there are no plans to update Clair to support this new endpoint. Instead, users should upgrade to Red Hat Quay 3.9 in order to keep getting CVE reports on Java Maven packages indexed by Clair from container images stored in Red Hat Quay, with the additional benefit of offline support and without the need for separate API keys.
1.1. RHBA-2023:5100 - Red Hat Quay 3.7.14 bug fix update
Issued: 2023-09-12
Red Hat Quay release 3.7.14 is now available. The bug fixes that are included in the update are listed in the RHBA-2023:5100 advisory.
1.1.1. Bug fixes
- PROJQUAY-6006. Quay Operator doesn’t trust internal service CA when it is rotated.
1.2. RHBA-2023:4086 - Red Hat Quay 3.7.13 bug fix update
Issued: 2023-07-20
Red Hat Quay release 3.7.13 is now available. The bug fixes that are included in the update are listed in the RHBA-2023:4086 advisory.
1.2.1. Bug fixes
- PROJQUAY-5814. Update kube-rbac-proxy.
1.3. RHBA-2023:3805 - Red Hat Quay 3.7.12 bug fix update
Issued: 2023-07-05
Red Hat Quay release 3.7.12 is now available. The bug fixes that are included in the update are listed in the RHBA-2023:3805 advisory.
1.3.1. Bug fixes
- PROJQUAY-5617. Project Quay unable to mirror registry.ci.openshift.org
- PROJQUAY-5618. Enabling quota management in Quay significantly slows down opening of the super user panel
- PROJQUAY-5620. Quay operator pod can not deploy quay pods when set horizontalpodautoscaler as managed in OCP 4.13
1.4. RHBA 2022:8786 - Red Hat Quay 3.7.11 bug fix update
Issued: 2022-12-12
Red Hat Quay release 3.7.11 is now available with Clair 4.5.1. The bug fixes that are included in the update are listed in the RHBA-2022:8786 advisory.
1.4.1. Bug fixes
- PROJQUAY-4728. CSO doesn’t create vulnerability objects for some images pulled from Quay.
- PROJQUAY-4773. Noobaa can’t assemble big layers on push.
1.5. RHBA 2022:7219 - Red Hat Quay 3.7.10 bug fix update
Issued: 2022-11-1
Red Hat Quay release 3.7.10 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:7219 advisory.
1.5.1. Bug fixes
- PROJQUAY-4004. gunicorn-web timeout when loading user data from LDAP.
- PROJQUAY-4562. RHEL vulnerabilities appear duplicated in the UI.
- PROJQUAY-4592. chore: Add server side assembly of chunked blob data for RADOSGW driver.
- PROJQUAY-4623. Quay 3.7.9 high vulnerability reported by redhat ACS.
1.6. RHBA 2022:6930 - Red Hat Quay 3.7.9 bug fix update
Issued: 2022-10-17
Red Hat Quay release 3.7.9 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:6930 advisory.
1.6.1. Bug fixes
- PROJQUAY-4328. For unmanaged clairpostgres, any changes made via config editor tool results in quay operator flipping the component back to managed.
- PROJQUAY-4002. Quay timeout during /secscan/notification.
- PROJQUAY-4561. Protect against KeyError.
- PROJQUAY-1591. Container-security-operator should take ImageContentSourcePolicy into account.
1.7. RHBA-2022:6353 - Red Hat Quay 3.7.8 bug fix update
Issued: 2022-09-12
Red Hat Quay release 3.7.8 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:6353 advisory.
1.7.1. Bug fixes
- PROJQUAY-4222. Quay can’t connect to MySQL backed by SSL certificate.
- PROJQUAY-4362. Proxy authentication fails when the upstream registry doesn’t return the correct www-authenticate header.
1.8. RHBA-2022:6154 - Red Hat Quay 3.7.7 bug fix update
Issued: 2022-08-31
Red Hat Quay release 3.7.7 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:6154 advisory.
1.8.1. New features
- With this update, the `REPO_MIRROR_ROLLBACK` configuration field has been added. When this field is set to `true`, the repository rolls back after a failed mirror attempt. By default, this field is set to `false`.
1.8.2. Bug fixes
Previously, users could only mirror and replicate the entirety of their upstream repository. When complex expressions for tag discovery were used, a list of several tags to be mirrored was created. If the mirroring process failed for any tag at any point during the replication procedure, Red Hat Quay would revert the repository to its previous state. If the mirrored repository was empty, all tags that were correctly mirrored were deleted. For example, if you mirrored 10 tags, and 8 tags were mirrored successfully, but 2 failed, all of the successful tags would be deleted from the repository because of the 2 that failed.
With this update, if a mirroring operation fails, it will no longer roll back the state of the repository. Instead, it will log the images that failed to properly mirror.
For users who want their repository rolled back upon failure, the `REPO_MIRROR_ROLLBACK` feature has been added. When the feature is set to `true`, the repository rolls back after a failed mirror attempt. By default, the feature is set to `false`.
For more information, see PROJQUAY-4296 and PROJQUAY-4357.
- PROJQUAY-4322. The image mirrored unsuccessfully can be pulled successfully.
- PROJQUAY-3976. Pull-thru gives 500 when pulling certain images.
1.9. RHBA-2022:5999 - Red Hat Quay 3.7.6 bug fix update
Issued: 2022-08-15
Red Hat Quay release 3.7.6 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:5999 advisory.
1.9.1. Bug fixes
- PROJQUAY-4277. Supported NGINX version in Quay’s container.
- PROJQUAY-2897. Ability to add annotations and labels to Quay development when using the Operator.
- PROJQUAY-3743. Pull-thru proxy repository auto-creation should respect CREATE_PRIVATE_REPO_ON_PUSH config.
- PROJQUAY-4229. Quay 3.7.5 images high vulnerability reported by Redhat ACS.
- PROJQUAY-4254. Cannot cache (pull-thru) OCI image index.
1.10. RHBA-2022:5727 - Red Hat Quay 3.7.5 bug fix update
Issued: 2022-08-2
Red Hat Quay release 3.7.5 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:5727 advisory.
1.10.1. Bug fixes
- PROJQUAY-3982. Tags reverted after mirroring.
- PROJQUAY-1569. Provide support for pod anti affinity for Quay Operator.
- PROJQUAY-4148. Add RS384 support for OIDC flow.
- PROJQUAY-1603. Container-security-operator does not take pull secrets of OpenShift into account.
- PROJQUAY-2153. Allow CSO to define proxy variables.
1.11. RHBA-2022:5559 - Red Hat Quay 3.7.4 bug fix update
Issued: 2022-07-18
Red Hat Quay release 3.7.4 is now available. The bug fixes that are included in the update are listed in the RHBA-2022:5559 advisory.
1.11.1. Bug fixes
- PROJQUAY-3145. Usage logs error out with a 500 when repo mirroring is run with DEBUGLOG=true.
- PROJQUAY-3819. Allow Builders to Use Self Signed Certificates.
- PROJQUAY-4016. PrometheusRule is not being parsed correctly.
- PROJQUAY-2649. Quay 3.6.0 Clair APP POD was failed to rolling update caused by PSQL error "FATAL: sorry, too many clients already".
1.12. Version 3.7.3
1.12.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-3965. Basic cosign signature visualization.
- PROJQUAY-3981. Unable to navigate on level up in repo-view.
- PROJQUAY-3999. Pushing big layers to Quay deployed on Azure OpenShift Cluster results in a 413.
- PROJQUAY-3979. Quay 3.7.2 Postgres image vulnerability reported by Redhat ACS.
1.13. Version 3.7.2
1.13.1. quay / clair / quay-builder
- PROJQUAY-3901. Clair 4.4.2 failed to fetch image layer from quay when image was from dockerhub.
- PROJQUAY-3905. Quay 3.7.1 can’t reconfig quota to replace system quota for super user account.
- PROJQUAY-3802. Quay 3.7.0 image vulnerability reported by Redhat ACS.
- PROJQUAY-1605. Quay 3.4 SMTP validation fails.
- PROJQUAY-3879. The Quay Config Tool is not validating configurations for Github Enterprise Login.
- PROJQUAY-3948. Show how to pull an image with podman.
- PROJQUAY-3767. Quay 3.7.0 can’t reconfig Quota to replace system default quota for user account.
- PROJQUAY-3806. Cannot pull from proxy org as non-admin member.
- PROJQUAY-3889. Quay quota consumption is not decreased in org level and image repo level after deleted image tags.
- PROJQUAY-3920. Quay 3.7.1 can’t config quota for normal user accounts by super user.
- PROJQUAY-3614. The 'build successfully completed' does not send out notification by email, slack and UI notification.
1.14. Version 3.7.1
1.14.1. quay / clair / quay-builder
- PROJQUAY-3841. Standalone UI Version is incorrect.
- PROJQUAY-2346. Pushing failure of first attempt to create non-existing org or repository by skopeo and podman.
- PROJQUAY-3701. Quay 3.7.0 API update default quota should not return 500 internal error.
- PROJQUAY-3815. Custom Quota Warning Notification.
- PROJQUAY-3818. pull-thru gives 500 when manifest list’s sub-manifest is already proxied under different tag in same repo.
- PROJQUAY-3828. Quay 3.7.0 quota consumption is not correct in image repo level when removed all tags.
- PROJQUAY-3881. cert_install.sh script incorrectly parses certificates in certain situations.
1.15. Version 3.7.0
1.15.1. quay / clair / quay-builder
Added/Changed:
- Image APIs are now deprecated. Users should move to manifest-based APIs. (PROJQUAY-3418)
- With Red Hat Quay 3.7, users have the ability to report storage consumption and to contain registry growth by establishing configured storage quota limits. With this feature, organizations can easily avoid exceeding storage limitations by rejecting pulls at a specified limit. (PROJQUAY-302, PROJQUAY-253)
- The bare-metal constraint required to run builds has been removed by adding an additional build option which does not contain the virtual machine layer. As a result, builds can be run on virtualized platforms. Backwards compatibility to run previous build configurations is also available. (PROJQUAY-295)
- Red Hat Quay can now act as a proxy cache to mitigate pull-rate limitations from upstream registries. This feature also accelerates pull performance, because images are pulled from the cache rather than upstream dependencies. Cached images are only updated when the upstream image digest differs from the cached image, reducing rate limitations and potential throttling. (PROJQUAY-465)
- Support for Microsoft Azure Government (MAG) has been added. This optional feature allows government agencies and public sector customers to select and specify a MAG endpoint in their Azure storage yaml. (PROJQUAY-891)
Introduced in Red Hat Quay 3.6, Java scanning for Clair 4.2, which requires CRDA, included a default shared CRDA key and was enabled by default. Additionally, the default CRDA configuration supported low RPS. With Red Hat Quay 3.7, Java scanning no longer includes a default CRDA shared key, and is no longer enabled by default. Users must now manually enable CRDA for scan results, and enable it in Clair’s configuration. To enable CRDA, see Clair CRDA configuration.
Note: This feature is currently denoted as Technology Preview.
- Red Hat Quay now accepts unsigned images. This feature can be enabled under an organization’s Repository Mirroring page. (PROJQUAY-3106)
Known issues:
- PROJQUAY-3590. Quay 3.7.0 pull from cache should return quota exceeded error rather than general 403 error code.
- PROJQUAY-3767. Quota for user accounts cannot be reconfigured using the Red Hat Quay UI.
Fixed:
- PROJQUAY-3648. OAuth2 code flow: Missing state parameters when user is asked to authorize.
- PROJQUAY-2495. Gitlab validation fails on Quay 3.5.6.
- PROJQUAY-2560. The Quay Config Tool is not validating configurations for Github Enterprise Login.
- PROJQUAY-3656. Could not verify GitHub OAuth credentials.
1.15.2. quay-operator
Added/Changed:
Advanced Clair configuration is now available for Red Hat Quay 3.7. The following features are now available to Quay administrators on the Quay Operator:
- Configuration of Clair’s updater set through the Quay Operator.
- Configuration of the database connection string through the Quay Operator.
- Configuration of custom certificates into the Clair deployment, which allows support of internal HTTPS proxies.
- Support for alternative fully qualified domain names (FQDN) for Clair that can leverage a global load balancing mechanism fronting different clusters running Clair.
For more information, see PROJQUAY-2210.
- With advanced Clair configuration, users can also provide a custom Clair configuration for an unmanaged Clair database on the Red Hat Quay Operator. An unmanaged Clair database allows the Red Hat Quay Operator to work in a Geo-Replicated environment, where multiple instances of the Operator must communicate with the same database. An unmanaged Clair database can also be used when a user requires a highly-available (HA) Clair database that exists outside of a cluster. (PROJQUAY-1969)
- Geo-replication is now available with the Red Hat Quay Operator. This feature allows multiple, geographically distributed Quay deployments to work as a single registry from the perspective of a client or user. It significantly improves push and pull performance in a globally-distributed Quay setup. Image data is asynchronously replicated in the background with transparent failover / redirect for clients. (PROJQUAY-2504)
- With Red Hat Quay 3.7, reconfiguring Quay through the UI no longer generates a new login password. The password now generates only once, and remains the same after reconciling `QuayRegistry` objects. (PROJQUAY-3318)
1.15.3. Red Hat Quay feature tracker
New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.
Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to the table below. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.
Feature | Quay 3.7 | Quay 3.6 |
---|---|---|
General Availability | - | |
General Availability | - | |
Technology Preview | - | |
General Availability | - | |
General Availability | - | |
Support for Microsoft Azure Government (MAG) | General Availability | - |
Deprecated | Deprecated | |
Deprecated | Deprecated | |
General Availability | General Availability | |
Technology Preview | Technology Preview | |
Image APIs | Deprecated | General Availability |
1.16. Version 3.6.7
1.16.1. quay / clair / quay-builder
- PROJQUAY-3812. [3.6] Failed to create non-existing repository in user account namespace by image pushing
1.17. Version 3.6.6
1.17.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-3146. Strange partial deletion of mirrored tags.
- PROJQUAY-3404. Build logs page is blank on Super User Admin panel.
- PROJQUAY-3405. Build "copy Logs" doesn’t work.
- PROJQUAY-3638. Quay config validator crashes on 3.6.5 startup.
1.18. Version 3.6.5
1.18.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-2983. Config validation fails if no AWS access keys are provided ver. 2.
- PROJQUAY-3437. CVE-2022-24761 quay-registry-container: waitress: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling').
Added/Changed:
- PROJQUAY-3421. Bump Clair to 4.4.
1.18.2. quay-operator
Added/Changed:
- PROJQUAY-3444. Adds subscription annotation to CSVs.
1.19. Version 3.6.4
1.19.1. quay-operator
Fixed:
- PROJQUAY-3317. Quay 3.6.3 APP POD was crashed when use unmanaged tls component.
1.20. Version 3.6.3
1.20.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-2080. Quay failed to delete new team with 400 error code when the team role is Admin.
- PROJQUAY-2941. Add aws-ip-ranges.json to downstream build.
- PROJQUAY-2343. LDAP validation broken in Quay 3.4.z and 3.5.z.
- PROJQUAY-3106. Issue while mirroring the images in Quay Operator v3.6.2.
- PROJQUAY-3119. Quay is not garbage collecting blobs correctly (v3.6.3).
- PROJQUAY-3179. Executor exception when username and password not specified to pull quay-builder.
Added/Changed:
- PROJQUAY-2989. Bump LDAP 3.2.0 to 3.4.0.
1.20.2. quay-operator
Fixed:
- PROJQUAY-2049. When routes are not managed a config editor endpoint is still propagated in status.
- PROJQUAY-1812. Quay config app changes are not rolled out if QuayRegistry status is in `MigrationInProgress`.
- PROJQUAY-1624. BITTORRENT_FILENAME_PEPPER has been removed from the config.yaml.
- PROJQUAY-2696. Quay 3.6.0 Operator should block the deployment when route is managed. TLS is unmanaged without providing TLS Cert/Key pair.
- PROJQUAY-2335. Quay Operator should block the deployment when Route is managed, TLS is unmanaged without providing TLS Cert/key pairs.
- PROJQUAY-2067. Operator 3.5.1 fails to check Route API on OpenShift Container Platform 4.8.
- PROJQUAY-2869. Quay Operator on OpenShift 4.6 with `huge_pages` cannot deploy.
- PROJQUAY-2409. Incorrect parsing of extraneous zero characters at the beginning of an IP address octet.
- PROJQUAY-2432. Panic due to racy read of persistConn after handler panic.
- PROJQUAY-2593. Malformed archive may cause panic or memory exhaustion.
- PROJQUAY-3169. Kubernetes executor doesn’t filter completed jobs when counting running jobs.
- PROJQUAY-3238. APP POD was failed to be ready with /health/instance check keeping report 499 Error Code.
Added/Changed:
- PROJQUAY-2973. Bump github.com/ulikunitz/xz dependency.
1.20.3. quay-openshift-bridge-operators
- PROJQUAY-2732. Faster creation of resources and permissions.
- PROJQUAY-2898. Review QBO - Issue with BuildConfig being mutated incorrectly.
- PROJQUAY-2984. Change label/selector on QBO pod and service.
1.21. Version 3.6.2
1.21.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-2416. Builder jobs not completing and timing out after 3 minutes of inactivity.
- PROJQUAY-2313. Quay is using more storage than other registries on s3.
- PROJQUAY-2681. Quay 3.6.0 registry title was not changed after changes with the config editor.
1.21.2. quay-operator
Added/Changed:
- As of Red Hat Quay v3.6.2, you can specify the desired size of storage resources provisioned for managed components. PROJQUAY-1090.
Fixed:
- PROJQUAY-2930. Quay Operator unable to reconcile when specified the PVC volume size of Clair PostgreSQL DB.
- PROJQUAY-2824. Upgrades to 3.6.1 are broken in OpenShift 4.6
1.21.3. quay-container-security-operator
- PROJQUAY-2928. CSO shows the wrong title in Operator Hub.
1.21.4. quay-openshift-bridge-operators
- PROJQUAY-2797. Quay Bridge Operator prevents deletion of builds.
1.22. Version 3.6.1
1.22.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-1936. Quay Operator reports wrong hostname in registryEndpoint status field for custom hostnames.
- PROJQUAY-2122. Use Postgres image from registry.redhat.io.
- PROJQUAY-2435. Quay should not create HPA for Clair APP and Mirror when horizontalpodautoscaler component is unmanaged.
- PROJQUAY-2563. Quay stops indexing after Clair failure.
- PROJQUAY-2603. Quay Operator should not recreate managed Postgresql DB POD when no config change happened to database.
- PROJQUAY-2653. Add standard Helm layer type to default types.
- PROJQUAY-2691. Reclassified CVE ratings show source as unknown.
- PROJQUAY-2334. Deprecate FEATURE_HELM_OCI_SUPPORT in favor of OCI artifacts config.
- PROJQUAY-2541. Enrichment data visibility fix on Quay UI.
- PROJQUAY-2636. Operator communicates healthy status per managed component.
1.23. Version 3.6.0
1.23.1. quay / clair / quay-builder
Added/Changed:
Red Hat Quay 3.6 now includes support for the following Open Container Initiative (OCI) image media types by default: CLI cosigning, Helm, and the zstd compression scheme. Other OCI media types can be configured by the user in their config.yaml file, for example:
config.yaml
```yaml
...
ALLOWED_OCI_ARTIFACT_TYPES:
  application/vnd.oci.image.config.v1+json:
  - application/vnd.dev.cosign.simplesigning.v1+json
  application/vnd.cncf.helm.config.v1+json:
  - application/tar+gzip
  application/vnd.sylabs.sif.config.v1+json:
  - application/vnd.sylabs.sif.layer.v1+tar
...
```
Note: When adding OCI media types that are not configured by default, users will also need to manually add support for cosign and Helm if desired. The zstd compression scheme is supported by default, so users will not need to add that OCI media type to their config.yaml to enable support.
For more information, see PROJQUAY-1417 and PROJQUAY-1032.
- You can now use the API to create a first user. (PROJQUAY-1926)
- Support for nested repositories and extended repository names has been added. This change allows the use of `/` in repository names needed for certain OpenShift Container Platform use cases. (PROJQUAY-1535)
- Registry users now have the option to set `CREATE_PRIVATE_REPO_ON_PUSH` in their config.yaml to `True` or `False` depending on their security needs. (PROJQUAY-1929)
- Pushing to a non-existent organization can now be configured to automatically create the organization. (PROJQUAY-1928)
- Users are now required to enter namespace and repository names when deleting a repository. (PROJQUAY-763)
- Support for Ceph virtual-hosted-style bucket addressing has been added. (PROJQUAY-922)
With Clair v4.2, enrichment data is now viewable in the Quay UI. Additionally, Clair v4.2 adds CVSS scores from the National Vulnerability Database for detected vulnerabilities.
With this change, if the vulnerability has a CVSS score that is within 2 levels of the distro’s score, the Quay UI presents the distro’s score by default.
For more information, see PROJQUAY-2102 and PROJQUAY-1724.
- The Quay Repository now shows Repository Status when repository mirroring is enabled. (PROJQUAY-591)
Memory usage across Clair, notably around the `affected_manifests` call, has been improved. These changesets include:
- `io.Pipe` is used to cross-wire JSON encoding and API requests in order to avoid buffering the entire body request in memory;
- `encoding/JSON` has been replaced with `github.com/ugorji/go/codec` configured for JSON in order to allow streaming the JSON encoding;
- `affected_manifests` calls in the notifier, which should prevent large vulnerability turnovers from causing extremely large API calls.
For more information, see PROJQUAY-1963.
- Red Hat Enterprise Linux (RHEL) 8 is strongly recommended for highly available, production quality deployments of Red Hat Quay 3.6. RHEL 7 has not been tested with Red Hat Quay 3.6, and will be deprecated in a future release.
- Podman is strongly recommended for highly available, production quality deployments of Red Hat Quay 3.6. Docker has not been tested with Red Hat Quay 3.6, and will be deprecated in a future release.
Fixed:
- PROJQUAY-2047. Clair database keeps on growing.
- PROJQUAY-1918. Clair v4.1.0.alpha2 indexer now works in Red Hat Quay 3.6.
- PROJQUAY-1610. The `initContainer` from the Quay migration pod has been removed, which blocked the deployment process until Clair responded. As a result, Quay deployments now progress without waiting on the Clair deployment to finish.
- PROJQUAY-1857. NamespaceGCWorker and RepositoryGCWorker shuts down when unable to acquire lock
- PROJQUAY-1872. GC workers will sometimes fail to grab a lock due to Redis running out of connections
- PROJQUAY-2414. Quay config editor was failed to validate AWS RDS TLS Cert
- PROJQUAY-1626. Config validation fails if no AWS access keys are provided
- PROJQUAY-1710. Notifications are getting lost
- PROJQUAY-1813. Need ratelimiter for updaters
- PROJQUAY-1815. Quay config editor can’t validate the expire time of uploaded LDAPS CA Cert
- PROJQUAY-1816. Quay export logs API return 200 when export logs mail not delivered to target address
- PROJQUAY-1912. Internal notifier queue clogging with events
- PROJQUAY-2119. Quay config validation fails on PostgreSQL 11 backed by SSL
- PROJQUAY-2167. Mirroring stopped working in 3.5.2
- PROJQUAY-2269. SecurityWorker fails when indexing a manifest layer’s location is remote
- PROJQUAY-2200. Quay Config editor need to support sslmode=verify-full in config.yaml after uploading database SSL Cert
- PROJQUAY-2185. Quay CR modified after making changes via the config tool
1.23.2. Red Hat Quay feature tracker
New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.
Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to the table below. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.
Feature | Quay 3.6 |
---|---|
Deprecated | |
Deprecated | |
General Availability | |
Java scanning with Clair | Technology Preview |
1.23.2.1. Deprecated features
- FEATURE_HELM_OCI_SUPPORT: This option has been deprecated and will be removed in a future version of Red Hat Quay. In Red Hat Quay 3.6, Helm artifacts are supported by default and included under the `FEATURE_GENERAL_OCI_SUPPORT` property. Users are no longer required to update their config.yaml files to enable support. (PROJQUAY-2334)
- MySQL and MariaDB database support: The MySQL and MariaDB databases have been deprecated as of Red Hat Quay 3.6. Support for these databases will be removed in a future version of Red Hat Quay. If starting a new Red Hat Quay installation, it is strongly recommended to use PostgreSQL. (PROJQUAY-1998)
1.23.2.2. Technology preview features
Java scanning with Clair: With Red Hat Quay 3.6, Clair 4.2 includes support for Java scanning. Java scanning is dependent on an external service (CRDA) to gather vulnerability data. Because Clair is using a shared default token to access the CRDA service, it might encounter rate limiting if too many requests are made in a short period of time. Because of this, Clair might miss certain vulnerabilities, for example, log4j.
Customers can obtain their own token for CRDA by submitting the API key request form. Using their own token might help avoid the occurrence of rate limiting. Because of these issues, Java scanning for Clair is considered Technology Preview and will be enhanced in future Quay updates.
1.23.3. quay-operator
Added/Changed:
Red Hat Quay 3.6 adds a `disconnected` annotation to Operators. For example:
```yaml
metadata:
  annotations:
    operators.openshift.io/infrastructure-features: '["disconnected"]'
```
For more information, see PROJQUAY-1583.
- In order to properly support GitHub Actions, `RELATED_IMAGE` values can now be referenced by tag name (`name:tag`) or by digest (`name@sha256:123`). (PROJQUAY-1887), (PROJQUAY-1890)
- `HorizontalPodAutoscalers` have been added to the Clair, Quay, and Mirror pods, so that they now automatically scale during load spikes. (PROJQUAY-1449)
- The Quay Operator now reports the status of each managed component in a separate index inside of the same status property so that users can see the progress of a deployment or update. (PROJQUAY-1609)
- `ssl.cert` and `ssl.key` are now moved to a separate, persistent Secret, which ensures that the cert/key pair is not re-generated upon every reconcile. These are now formatted as `edge` routes and mounted to the same directory in the Quay container. (PROJQUAY-1883)
- Support for OpenShift Container Platform Edge-Termination Routes has been added by way of a new managed component, `tls`. This separates the `Route` component from TLS and allows users to configure both separately. `EXTERNAL_TLS_TERMINATION: true` is the opinionated setting. Managed `tls` means that the default cluster wildcard cert is used. Unmanaged `tls` means that the user provided cert/key pair will be injected into the `Route`. (PROJQUAY-2050)
- The Red Hat Quay Operator can now be directly upgraded from 3.3 to 3.6 without regressions in `Route` handling, rollout speed, stability, and reconciliation robustness. (PROJQUAY-2100)
- The Quay Operator now allows for more than one Mirroring pod. Users are also no longer required to manually adjust the Mirroring Pod deployment. (PROJQUAY-1327)
- Previously, when running a 3.3.x version of Red Hat Quay with edge routing enabled, users were unable to upgrade to 3.4.x versions of Red Hat Quay. This has been resolved with the release of Red Hat Quay 3.6. (PROJQUAY-1694)
- Users now have the option to set a minimum number of replica Quay pods when `HorizontalPodAutoscaler` is set. This reduces downtime when updating or reconfiguring Quay via the Operator during rescheduling events. (PROJQUAY-1763)
Known issues:
- PROJQUAY-2335. `Quay` Operator deployment should be blocked when TLS cert/key pairs are unprovided. Instead, the `Quay` Operator continues to deploy.
- PROJQUAY-2389. Customer provided TLS certificates are lost after Red Hat Quay 3.6 Operator reconcile.
- PROJQUAY-2545. Builders are only supported when TLS is unmanaged
Fixed:
- PROJQUAY-1709. Upgrading from an older operator with edge route breaks Quay
- PROJQUAY-1974. Quay operator doesnt reconciles changes made by config app
- PROJQUAY-1838. Quay Operator creates with every restart a new root ca
- PROJQUAY-2068. Operator doesn’t check for deployment failures
- PROJQUAY-2121. Quay upgrade pods running all workers instead of just database upgrade
1.23.4. quay-container-security-operator
- The Operator Lifecycle Manager now supports the new v1 CRD API, `apiextensions.k8s.io.v1.CustomResourceDefinition` for the Container Security Operator. This CRD should be used instead of the `v1beta1` CRD, which has been deprecated as of OpenShift Container Platform 4.9. (PROJQUAY-613), (PROJQUAY-1791)
1.23.5. quay-openshift-bridge-operators
The installation experience for the Quay Bridge Operator (QBO) has been improved. Enhancements include the following:
- `MutatingAdmissionWebhook` is created automatically during install.
- The QBO leverages the Operator Lifecycle Manager feature of auto-generating certificates and webhook configurations.
The number of manual steps required to get the Quay Bridge Operator running has been decreased.
For more information, see PROJQUAY-672.
- The certificate manager is now delegated by the Operator Lifecycle Manager. Certificates can now be valid for more than 65 days. (PROJQUAY-1062)
1.24. Version 3.5.7
1.24.1. quay / clair / quay-builders
Fixed:
- CVE-2021-3762 quay-clair-container: quay/claircore: directory traversal when scanning crafted container image layer allows for arbitrary file write PROJQUAY-2486
1.24.2. quay-operator / quay-container-security-operator / quay-openshift-bridge-operator
- Update downstream operator extensions api to "v1" for 3.5 PROJQUAY-2480
1.25. Version 3.5.6
1.25.1. quay / clair / quay-builders
Fixed:
- rpm: package scanner leaks extracted layers PROJQUAY-2315
1.26. Version 3.5.5
1.26.1. quay / clair / quay-builders
Fixed:
- Disable storing signatures during repo mirroring PROJQUAY-2312
- SecurityWorker fails when loading information when a V2 scanner is not configured PROJQUAY-2290
- SecurityWorker fails when indexing a manifest layer’s location is remote PROJQUAY-2285
- Fixed backfill replication script relies on Image table PROJQUAY-2273
- Quay builders honor proxy environment variables PROJQUAY-2147
1.27. Version 3.5.4
1.27.1. quay / clair / quay-builders
Fixed:
- Clair scan throwing 400 bad request
1.28. Version 3.5.3
1.28.1. quay / clair / quay-builder
Fixed:
- Quay config validation fails on PostgreSQL 11 backed by SSL
- Quay config validation fails on SSL database connection on PostgreSQL 12 with SCRAM password authentication
- Quay config validation fails on Azure PostgreSQL DB with SSL
- Quay repository mirroring fixed
- Quay config validation crash on startup
1.28.2. quay-operator
- Quay operator upgrade pods running all workers instead of just database upgrade
1.29. Version 3.5.2
1.29.1. quay / clair / quay-builder
Fixed:
- Fix config validation of LDAP server to prevent the server from timing out on large LDAP requests.
- Fix quay-operator Service Account permissions to allow Quay Registry deletion.
- Fix clair’s encoding of time in configuration.
- Enhance clair to discard unfixed and unaffected vulnerabilities in Red Hat OVAL v2 feed.
- Fix quay to prevent creation of empty files in storage during multi-part upload.
- Fix clair to properly start in a disconnected environment.
1.29.2. quay-operator
Known issues:
- Geo-replication does not work when Quay is deployed on OpenShift using the Operator.
1.30. Version 3.5.1
1.30.1. quay / clair / quay-builder
Fixed:
- Fix Clair "duplicate key value violates unique constraint" after upgrade PROJQUAY-1889
1.31. Version 3.5.0
1.31.1. quay / clair / quay-builder
Note:
Some features of Quay are not currently available when running on a FIPS-enabled OCP cluster or RHEL system:
- FEATURE_MAILING will not work for user create validation, vulnerability notifications, and export logs
- Azure object storage is not available due to hashing
- Deprecated app-registry will not function
Tech Preview
- Due to necessary changes, the existing Red Hat Quay builders had to be removed and entirely rewritten. This has resulted in a loss of functionality so the new builders are being released as Technology Preview. Currently, builds are only available on OpenShift/Kubernetes utilizing Red Hat CoreOS for the sandbox VMs. The internal build manager has also been completely re-written to use gRPC and numerous core issues have been addressed. Please follow the provided documentation carefully when setting up.
Deprecated:
- Clair V2 (clair-jwt): With the GA of Clair V4, this version of Clair is now marked as deprecated. Users are encouraged to migrate to Clair V4 with this release. Clair V2 will be removed completely in the next release.
- App Registry: Customers using the App Registry feature should begin migrating to another application storage solution such as Helm V3 which uses the OCI standard container format. App Registry will be completely removed in the next release.
Fixed:
- Fix quay running on a FIPS-enabled OCP cluster
- Fix validation of LDAP_USER_FILTER when missing from config bundle
- Upgrade internally-used jQuery
- Remove usage of TLS1.0 and TLS1.1 ciphers
- Fix build of uploaded Dockerfile when object storage is Swift
- Fix whitespace error in UI for repository count checker
- (CVE-2020-1747) Update PyYAML
- Fix quay.expires-after label for all linked images
- Helm chart support now generally available
- Fix validation of SMTP in config bundle
- Fix gitlab trigger build images now honor configured storage
- Fix OIDC session sends invalid state value in URL
- Fix custom OIDC external authentication ignores PREFERRED_URL_SCHEME configuration
- Fix config editor opening links in same page
- Fix setting USERFILES_LOCATION to valid storage if not default
- Fix typo in user confirmation screen
- Remove unused nodejs from container
- Fix default MAIL_DEFAULT_SENDER config value
- Fix config editor default tag expiration display
- (CVE-2020-13757) Remove usage of python-rsa package in favor of python-cryptography
- Added support of github action to publish to a repository
- Document clair updater URLs
1.31.2. quay-operator
Note: The new quay-operator OCP monitor dashboard requires that the operator be installed in all namespaces (the default). If installed in a single namespace, the "monitoring" component will be unmanaged and not installed.
- Document using disconnected clair with quay-operator
- Fix quay-operator version displayed in OCP console
- Fix BUILDMAN_HOSTNAME in config bundle with managed route component
- Added OCP monitoring integration
1.31.3. quay-container-security-operator
- Fix reading security metadata when FEATURE_ANONYMOUS_ACCESS is set to false
1.32. Version 3.4.7
1.32.1. quay / clair / quay-builder
Fixed:
- PROJQUAY-2479. Update downstream Operator extensions API to "v1" for 3.4.
1.32.2. quay-operator
Known issues:
- PROJQUAY-2921. Quay App route hostname is changed when upgrade from 3.4.7 to 3.6.2. As a result, you should avoid upgrading from v3.4.7 to v3.5.* or to v3.6.*.
1.33. Version 3.4.6
1.33.1. quay / clair / quay-builder
Fixed:
- Quay config validation fails on PostgreSQL 11 backed by SSL
- Quay config validation fails on SSL database connection on PostgreSQL 12 with SCRAM password authentication
- Quay config validation fails on Azure PostgreSQL DB with SSL
1.33.2. quay-operator
- Quay operator upgrade pods running all workers instead of just database upgrade
1.34. Version 3.4.5
Fixed:
- Remove requirement to include Kubernetes internal service hostnames as SAN entries in user-provided TLS to fix upgrade from v3.3
1.35. Version 3.4.4
1.35.1. quay / clair / quay-builder
Fixed:
- Fix Clair python recognize known vulnerabilities PROJQUAY-1775
1.36. Version 3.4.3
1.36.1. quay / clair / quay-builder
Fixed:
- Fix Quay security scanning backfill API PROJQUAY-1613
- Fix Clair python language matching PROJQUAY-1692
1.36.2. quay-operator
Fixed:
- Fix Quay Operator handling of provided certificates related to BUILDMAN_HOSTNAME PROJQUAY-1577
1.37. Version 3.4.2
1.37.1. quay / clair / quay-builder
Fixed:
- Fix clair crash downloading RHEL content mapping
- Quay config-tool validates SMTP
- Quay config-tool now prevents SECRET_KEY from changing on config updates
1.37.2. quay-operator
Fixed:
- Fix Quay Operator reconciler loop resulting in failed mirror configurations
1.38. Version 3.4.1
1.38.1. quay / clair / quay-builder
Fixed:
- Quay config editor validates OIDC provider
- Quay config editor correctly validates MySQL database with SSL
- Quay config editor no longer requires Time Machine expiration when feature not enabled
1.38.2. quay-operator
Fixed:
- Quay Operator generates correct cert for build manager
- Quay Operator documentation link corrected to 3.4
1.38.3. quay-container-security-operator
Fixed:
- Quay container Security Operator upgrade to 3.4.0
1.38.4. quay-openshift-bridge-operator
Fixed:
- Quay Bridge Operator upgrade to 3.4.0
1.39. Version 3.4.0
1.39.1. quay / clair / quay-builder
Added/Changed:
- Clair V4 now GA and the default security scanner for Quay 3.4.0. New features include support for notifications and disconnected deployments.
- New ConfigTool replaces the older Config App, providing better configuration validation and integration with the new Quay Operator. Quay now uses same validator as the ConfigTool at start time to ensure its configuration is correct. You will see a table of configuration validation status (pass/fail) now when Quay boots up.
- Quay codebase now completely migrated to python 3 with numerous dependency updates.
- (Tech Preview) Support for Helm V3 is no longer considered experimental. It can be enabled as follows:
  # Enable Helm support - requires that general OCI support (Tech Preview) is enabled.
  FEATURE_GENERAL_OCI_SUPPORT: True
  FEATURE_HELM_OCI_SUPPORT: True
- (Tech Preview) Due to necessary changes, the existing Red Hat Quay builders had to be removed and entirely rewritten. This has resulted in a loss of functionality so the new builders are being released as Technology Preview. Currently, builds are only available on OpenShift/Kubernetes utilizing Red Hat CoreOS for the sandbox VMs. The internal build manager has also been completely re-written to use gRPC and numerous core issues have been addressed. Please follow the provided documentation carefully when setting up.
- NooBaa has graduated from Technical Preview (TP) and now has General Availability (GA) status.
Fixed:
- PROJQUAY-121 Build manager scheduling too many builds
- PROJQUAY-139 Quay starts unreasonable number of workers when running in a container
- PROJQUAY-206 Repo mirroring sometimes locks up
- PROJQUAY-357 Properly escape arguments in entrypoint config
- PROJQUAY-381 Existing tags get deleted when mirroring fails
- PROJQUAY-399 Cannot setup mysql 8 for Quay via config tool
- PROJQUAY-480 Defunct Gunicorn Processes
- PROJQUAY-551 LDAP_USER_FILTER causes errors when not quoted
- PROJQUAY-575 Broken link for webhook POST in the webhook notifications page
- PROJQUAY-607 Changing SERVER_HOSTNAME triggers storage replication and 100% database CPU
- PROJQUAY-632 Lost usage logs when set kinesis as the logs producer
- PROJQUAY-635 Error 500 on Applications tab with naboo
- PROJQUAY-659 Creating new tags via the UI on a schema 2 manifest creates a schema 1 manifest
- PROJQUAY-675 Quay export logs select date range less than a month redirect to 500 error page
- PROJQUAY-676 Wrong image vulnerabilities link in OCP4.4 Overview page
- PROJQUAY-742 Quay container crashes when no user exists in database
- PROJQUAY-796 Mirrored images have new digest
- PROJQUAY-797 Config app does not copy database SSL file to correct place
- PROJQUAY-808 Dockerfile upload failure (LocalStorage)
- PROJQUAY-813 Quay cannot connect to mysql db when SSL/TLS is required
- PROJQUAY-822 Quay App POD log should not print out LDAP user’s password as plaintext
- PROJQUAY-850 Config app fails to generate clair security.pem
- PROJQUAY-861 Deploy Quay is failed with AWS S3 as backend storage registry
- PROJQUAY-866 Possible name collisions when deploying multiple QuayRegistries
- PROJQUAY-867 Restrict Quay Operator to Single Namespace
- PROJQUAY-871 Kustomize secrets broken with prefixed resource names
- PROJQUAY-884 Add support for tar.gz config bundles
- PROJQUAY-887 Error when controller processes existing QuayRegistry
- PROJQUAY-907 Repo mirror start date not calculated correctly
- PROJQUAY-915 Simultaneously pushing the same manifest can result in a manifest error
- PROJQUAY-917 Incorrect encoding of CSRF token in UI
- PROJQUAY-923 Failed to set GCS as the storage backend for Quay via config tool
- PROJQUAY-930 Config bundle contains fields for unmanaged components
- PROJQUAY-933 Quay config app failed to validate Noobaa SSL configurations
- PROJQUAY-934 Quay edit permissions of robot account redirect to quay 500 error page
- PROJQUAY-935 Quay Image Repository Mirror was stuck
- PROJQUAY-940 Quay delete in use robot account get 500 error page
- PROJQUAY-942 Quay push image was failed when backend storage is Azure Blob Storage
- PROJQUAY-948 list_manifest_layers should not fail on shared blobs
- PROJQUAY-949 Have Clair V4 indexing handle manifest layer error
- PROJQUAY-953 Quay image repository Tags page can’t display existing image tags
- PROJQUAY-958 Unhandled date token outside the given date range used for elasticsearch pagination
- PROJQUAY-973 Transaction error if the same repository is created twice during auth flow
- PROJQUAY-988 Quay update tag expiration does not work
- PROJQUAY-1002 Helm 3 OCI Support Push Fails due to invalid MIME type
- PROJQUAY-1011 Accessing build logs from super user panel doesn't work
- PROJQUAY-1015 RPM command error when getting rpm packages from layer database
- PROJQUAY-1023 oraclelinux:7 causes matcher bug
- PROJQUAY-1035 Unable to override gunicorn worker count in k8s
- PROJQUAY-1087 Fail to pull from managed objectstorage
- PROJQUAY-1101 Typo in /tools/generatekeypair.py
- PROJQUAY-1103 Remove need to modify SCC
- PROJQUAY-1112 Quay database reaches connection limit
- PROJQUAY-1122 Specify pull secret for component images
- PROJQUAY-1132 Running as config should not try to set httppasswd
Deprecated:
- Clair V2 (clair-jwt): With the GA of Clair V4, this version of Clair is now marked as deprecated. Users are encouraged to migrate to Clair V4 with this release. Clair V2 will be removed completely in the near future.
- App Registry: Customers using the App Registry feature should begin migrating to another application storage solution such as Helm V3 which uses the OCI standard container format. App Registry will be completely removed in the near future.
Note:
- Upgrading to Quay 3.4 will require a database migration which does not support downgrading back to a prior version of Quay. Please back up your database before performing a migration.
Known Issues:
- PROJQUAY-649 "openssl passwd" incorrect on OCP4 with FIPS mode enabled
- PROJQUAY-841 Provide and document an egress firewall whitelist
- PROJQUAY-888 Config App cannot connect to Postgres RDS instance via SSL
- PROJQUAY-960 Bucket addressing with Ceph in Quay
- PROJQUAY-1056 Quay deployment was failed at setup DB on GCP when use GCP SQL Postgresql
- PROJQUAY-1181 Quay config editor doesn’t validate SMTP
- PROJQUAY-1390 Quay login with Openstack Keystone user was failed
- Official Red Hat repositories may now contain "source" images which will be included in Mirrored repositories. See Getting UBI Container Image Source Code for an example of a source image tag. There is no simple way to exclude these source containers using Quay’s current tag patterns. This will be addressed in future Quay versions.
1.39.2. quay-operator
- Only supported on OCP-4.5 or newer
Added:
- Completely redesigned Quay Operator with fully supported default storage configuration using RHOCS.
- Works in conjunction with new Config Tool to reconcile configuration updates made to a running Quay cluster.
- Handles migration from older QuayEcosystem Custom Resource to new QuayRegistry Custom Resource.
Known Issues:
- PROJQUAY-1056 Quay deployment was failed at setup DB on GCP when use GCP SQL Postgresql
- PROJQUAY-1394 Quay TNG Operator was failed to start managed postgresql database POD (operator upgrades may encounter this issue, recreating your QuayRegistry CR should resolve the issue)
1.39.3. quay-container-security-operator
- Only supported on OCP-4.5 or newer
Fixed:
- PROJQUAY-676 Wrong image vulnerabilities link in OCP4.4 Overview page
1.39.4. quay-openshift-bridge-operator
- Only supported on OCP-4.5 or newer
Fixed:
- PROJQUAY-1225 bridge-operator update to go-1.15
1.40. Version 3.3.4
Fixed:
- quay-bridge-operator references correct version
1.41. Version 3.3.3
Fixed:
- clair-jwt: fixed NVD streams
- CVE-2020-27831 quay: email notifications authorization bypass
- CVE-2020-27832 quay: persistent XSS in repository notification display
1.42. Version 3.3.2
- Version unreleased due to internal tooling issues
1.43. Version 3.3.1
Release Date: August 20, 2020
Fixed:
- Config app installs supplied TLS certs at startup. This fix allows services that require certs to be configured properly (such as LDAP and storage).
- Tech preview clair-v4 correctly reindexes manifests.
- Build triggers can disclose robot account names and existence of private repos within namespaces (CVE-2020-14313)
1.44. Version 3.3.0
1.44.1. quay / clair-jwt / quay-builder / clair
Added:
- (Tech Preview) New clair image available for non-production use (see docs)
- Quay now runs as the default user inside the container instead of as root.
- New configurable tagging options for builds, including tagging templates and ability to disable default “latest” and tag/branch behavior
- Configuration UI editing after validating through the “Save Configuration” button.
- Configuration app now supports configuring Elasticsearch for usage logs (and optionally via Kinesis).
- Ability to configure how long between “fresh login” checks
- Ability to add an additional filter for LDAP users on lookup
- Manifest labels displayed in the UI with links in them are now clickable to go to the URL
- The environment variable CONFIG_READ_ONLY_FIELDS can be specified to mark redis or the hostname configuration as read-only in the Quay Configuration Application’s UI. #310
- (Tech Preview) Support for OCI indexes and manifests. Add the following to your config.yaml:
  # Feature Flag: Whether OCI manifest support should be enabled generally.
  FEATURE_GENERAL_OCI_SUPPORT: True
- (Experimental) Support for pushing and pulling charts via Helm V3’s experimental system. Requires that OCI manifest support is enabled. Add the following to your config.yaml:
  # Feature Flag: Whether OCI manifest support should be enabled generally.
  FEATURE_GENERAL_OCI_SUPPORT: True
  # Feature Flag: Whether to allow Helm OCI content types.
  # See: https://helm.sh/docs/topics/registries/
  FEATURE_EXPERIMENTAL_HELM_OCI_SUPPORT: True
Fixed:
- Repository mirror tag patterns handle whitespace between comma separated values.
- Fresh login checks were being used when unnecessary
- Georeplication from one Azure region to the other now uses the correct bucket and credentials
- Auth token handling to match recent GitHub API change
- Repository and namespace deletion now occurs in the background, ensuring they don’t fail
- No longer return “down converted” manifests on pull-by-digest
- Tags expiring in the future are now marked correctly as such in the tag history panel
- A number of performance improvements around various database queries
- Status codes of various Docker V2 APIs to conform with the spec
- Repository names now conform to the standard. Only lowercase letters, numbers, underscores, and hyphens are valid.
Deprecated:
- "rkt" conversion: This feature is now marked as deprecated in the Red Hat Quay UI. Expect the feature to be removed completely in the near future.
- Bittorrent: This feature is deprecated and will not appear in the Red Hat Quay UI unless it is already configured in an existing Red Hat Quay config.yaml. This feature will be removed in the next version of Quay.
- V1 Push Support: Docker V1 protocol support has been officially deprecated. Expect this feature to be removed in the near future.
- Squashed image support: This feature is deprecated. This feature will be removed in the next version of Quay.
- images API: This API is deprecated and replaced by the manifest APIs. Expect this API to be removed completely in the near future.
Note:
- Do not use "Locally mounted directory" Storage Engine for any production configurations. Mounted NFS volumes are not supported. Local storage is meant for test-only installations.
Known Issues:
- Containers running as repository mirrors may lock under certain conditions; restart the containers as needed.
1.44.2. quay-operator
Note:
- Only supported on OCP-4.2 or newer
- UI supported on OCP-4.3 or newer
Added:
- Enhanced logic for Quay Configuration route
- Quay SSL Certificate uses TLS secret type
- Updated example Quay Ecosystem Custom Resource examples
- Retrofitted how external access is specified and managed
- New Schema for defining externalAccess as a field in QuayEcosystem
- Support for additional external access types (LoadBalancer and Ingress)
- Add additional roles to CSV to manage ingresses.
- Always use Port 8443 for Quay Config App’s health probes.
- The Quay Config App now continues running by default.
- The Redis and Hostname configuration are marked "Read Only" in the Quay Configuration App.
- Support for managing superusers.
- Add ability to inject certificates, and any other file, into the Quay and Clair secrets.
- (OpenShift) SCC management refinement. Removal of SCCs when QuayEcosystem is deleted through the use of finalizers.
- Certificates and other secrets are now mounted in a way that is compatible with Quay and Quay’s Config App.
- The operator now verifies the configuration for the Hostname, Redis, and Postgres when Quay’s configuration secret is changed.
Fixed:
- Resolved issues with GitHub Actions CI/CD pipeline
- Resolved issue when specifying multiple replicas of a given component
- The "Repo Mirror" pod is now health-checked using the correct port.
Known Issues:
- Configuring Storage Geo-Replication for Azure in the CR causes the deployment to fail.
- The Hostname is set to an IP Address when using Load Balancers on GCP which causes the self-signed certificate validation to fail in Quay’s Config Application.
- Using the Postgres or Redis images from Dockerhub will fail.
- For advanced persistence configurations, Quay’s PROXY_STORAGE feature is not exposed through the CR and can only be managed through Quay’s Config app.
- Quay’s Config App always uses TLS; it is not possible to configure it as HTTP-only in the CR.
- Node Ports do not currently work.
- Cloudfront cannot be properly configured using the CR. It can be managed using Quay’s configuration app.
- This version of the operator cannot be used for an automatic upgrade due to schema changes in the CR.
1.44.3. quay-container-security-operator
Note:
- Only supported on OCP-4.2 or newer
Added:
- View Quay Security Scanner image vulnerability information for images running in a cluster using the OpenShift UI
1.44.4. quay-openshift-bridge-operator
Note:
- Only supported on OCP-4.2 or newer
Added:
- Synchronization of OpenShift namespaces as Quay organizations, including managing robot account credentials
- Synchronization of OpenShift ImageStreams as Quay repositories
- Automatically rewrite new Builds making use of ImageStreams to output to Quay
- Automatically import ImageStream tag once build completes
1.45. Version 3.2.2
Release Date: April 27, 2020
Fixed:
- Clair correctly downloads vulnerabilities even if one fails (see PROJQUAY-567).
1.46. Version 3.2.1
Release Date: February 10, 2020
Fixed:
- git: Remote code execution in recursive clones with nested submodules Security. (See CVE-2019-1387.)
- yarn: nodejs-yarn: Install functionality can be abused to generate arbitrary symlinks. (See CVE-2019-10773.)
1.47. Version 3.2.0
Release Date: December 17, 2019
Added:
- New required manual config.yaml entry “DATABASE_SECRET_KEY” will be used to encrypt all robot tokens in the database (CVE-2019-10205)
- New Container Security Operator integrating security scanning into OpenShift Container Platform.
- Quay Setup Operator is now generally available (GA).
- Repository mirroring is now generally available (GA).
- Support for OpenShift Container Storage 4 leveraging NooBaa Multi-Cloud Gateway.
- Improved repository mirror logging.
- Notifications enabled for repository mirror start, finish, and error.
- Remove validation from repository mirror proxy config.
- Two guides were added to Red Hat Quay documentation: Deploy Red Hat Quay on OpenShift (Setup Operator) and Red Hat Quay API Guide.
Fixed:
- Fix for broken scrollbars in UI on pages such as repository tags.
- Fix inability to star a repository
Deprecated:
- "rkt" conversion: This feature is now marked as deprecated in the Red Hat Quay UI. Expect the feature to be removed completely in the near future.
- Bittorrent: This feature is deprecated and will not appear in the Red Hat Quay UI unless it is already configured in an existing Red Hat Quay config.yaml. Expect the feature to be removed completely in the near future.
- V1 Push Support: This feature is deprecated. For Red Hat Quay v3.1, the config UI marked this feature as follows:
Docker V1 protocol support has been officially deprecated by Quay and support will be removed in the next major version. It is strongly suggested to have this flag enabled and to restrict access to V1 push.
1.48. Version 3.1.3
Release Date: November 22, 2019
Fixed:
- NVD stopped publishing the XML feed, Clair now consumes JSON feed
1.49. Version 3.1.2
Release Date: October 31, 2019
Fixed:
- Upgrade base image to latest rhel:7.7
- Repository mirroring properly updates status
- Application repositories in public namespaces shown in UI
- Description of log operations in UI
- Quay V3 upgrade fails with "id field missing from v1Compatibility JSON"
- Security token for storage proxy properly URL encoded
1.50. Version 3.1.1
Release Date: October 3, 2019
Fixed:
- clair-jwt image rebuilt with latest go-toolset (related to RHSA-2019:2682-05)
- Fixed repository mirror credentials properly escaped to allow special characters
- Fixed repository mirror UI cancel button enabled
- Fixed repository mirror UI change next sync date
- Removed kernel-headers package from clair-jwt and quay-builder images to eliminate false vulnerabilities
- Updated SCL rh-nginx112 (related to CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
1.51. Version 3.1.0
Release Date: September 5, 2019
Added:
- New Repository Mirror functionality (Technology Preview) to continuously synchronize repositories from external source registries into Red Hat Quay
- New Repository Mode setting (Normal, Mirrored, Read-Only) to indicate how a repository is updated
- New Red Hat Quay Setup Operator (Developer Preview) to automate configuring Red Hat Quay on OpenShift
- Configuration settings for adding NooBaa S3 were added to the configuration tool for Red Hat Quay v3.1 and are supported as Technology Preview.
- Support for using the Crunchy Data Operator to deploy Postgresql as Red Hat Quay database
- Ability to use build ARGS as first line in Dockerfiles in Red Hat Quay builds
- New Red Hat color scheme in Red Hat Quay web UI
Documentation updates:
- New Repository Mirroring section in the Manage Red Hat Quay guide
- Addition of Clair and Repository Mirroring setup to all deployment guides
- New procedure in Red Hat Quay Upgrade guide for v3.1
Fixed:
- Display of repo_verb logs in logs panel
- Ensure robot accounts being granted access actually belongs in same namespace
- Numerous documentation improvements
Known Issues:
- During repository mirroring, in order to fetch tags from a repository, at least one tag in the list of tags to sync must exist exactly as specified. See Repository Mirroring in Red Hat Quay for more details.
- Repository mirror config has known issues when remote registry username or password has characters requiring special handling for shell commands. Specifically, the tokens for registry.redhat.io with a pipe (|) character in them are incorrectly escaped. Out of an abundance of caution, a fix for this will follow in a subsequent update.
1.52. Version 3.0.5
Release Date: August 28, 2019
Added:
- Config flag to disable TLSv1.0 support
Fixed:
- LDAP config error when user search results exceeds 1000 objects
- Remove obsolete 01_copy_syslog_config.sh
- Config tool fails to set up database when password string contains "$"
1.53. Version 3.0.4
Release Date: July 15, 2019
Fixed:
- Package vulnerability notifications now shown in UI
- Fixed error while deleting manifest after pushing new tag
- Manifest now shown in UI for all types
- CSRF rotation corrected
- nginx access and error logs now to stdout
1.54. Version 3.0.3
Release Date: June 20, 2019
Fixed:
- Security scan notifications endpoint not working
- Exception raised during parallel pushes of same manifest on Postgres
- Connection pooling was ignoring environment variable
- Exception when in OAuth approval flow
1.55. Version 3.0.2
Release Date: May 20, 2019
Fixed:
- Running Red Hat Quay in config mode now works in a disconnected option which doesn’t require pulling resources from the Internet.
- Red Hat Quay’s security scan endpoint is now enabled at startup for viewing results of Clair container image scans.
- A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)
1.56. Version 3.0.1
Release Date: May 13, 2019
Fixed:
- Health API endpoint (/health/instance) now correctly checks the internal port to verify all services.
1.57. Version 3.0.0
Release Date: May 1, 2019
Red Hat Quay V3 offers the following new features:
1.57.1. Red Hat Quay Web UI configuration tool
A new Red Hat Quay configuration tool option within the quay image lets you create Red Hat Quay configuration files before starting a Red Hat Quay installation. The result of the configuration tool is a tarball of Red Hat Quay configuration files. Using that tarball greatly simplifies multi-instance deployments. The tarball contains the config.yaml file, and any optional files such as an SSL certificate (ssl.cert) and SSL key (ssl.key).
Choosing between the two different configuration tool options, you can either create a configuration file from scratch or modify an existing set of configuration files. In both cases, after you create the configuration, you can carry the tarball to each machine in your new Red Hat Quay cluster or apply it on an OpenShift or other Kubernetes cluster to use it to actually deploy Red Hat Quay.
The new Red Hat Quay configuration tool greatly simplifies the deployment of Red Hat Quay on OpenShift and other Kubernetes platforms. Using this tool helps you automatically deploy changes to nodes and can trigger Kubernetes blue-green deployments of Red Hat Quay containers for configuration updates.
1.57.2. Support for Windows Container Images
Windows containers offer a way to run applications written for Microsoft Windows server platforms on container-enabled platforms, such as OpenShift and Kubernetes. By supporting Windows containers, Red Hat Quay V3 allows you to store your Windows containers in your Red Hat Quay registry using the same kinds of tools you use to push and pull your Linux containers.
1.57.3. Multi-Architecture Container Image Support
Red Hat Quay V3 now supports multi-architecture container manifests. The Docker Registry API spec v2_s2 container specification supports multi-architecture containers by adding an architecture label to the image manifest. Having this field set for a particular architecture allows images of the same architecture type to be pushed to a Red Hat Quay repository and later automatically accessed from a Red Hat Quay repository, while still requesting generic names for containers. Supported architectures include IBM Power LE and z System workloads, ARM-based IoT devices, and Windows-based workloads.
1.57.4. Built on Red Hat Enterprise Linux
As part of the process of moving Red Hat Quay toward fully integrating into the Red Hat Product lineup, Red Hat Quay V3 is now delivered in a Red Hat Enterprise Linux 7.x container image. Moving Red Hat Quay into a RHEL container does not in any way change the interface or general functioning of the container, but simply allows Red Hat Quay to become better aligned with other Red Hat product offerings.
1.57.5. Red Hat Quay images now in redhat repo on Quay.io
Red Hat Quay images formerly stored in the quay.io/coreos repository are moving to quay.io/redhat for Red Hat Quay version 3. Available images include:
- quay.io/redhat/quay
- quay.io/redhat/quay-builder
- quay.io/redhat/clair-jwt
Earlier versions of the quay and quay-builder images will remain on quay.io/coreos. For example, quay.io/coreos/quay:v2.9.5.
Container Images based on RHEL inherit all certification and support features from RHEL. They can also take advantage of quickly leveraging security fixes and updates as they become available in RHEL.
1.57.6. Changes to support running containers in unprivileged mode
Previous versions of images required running in privileged mode. To remove this restriction, container config and ports were changed.
- clair-jwt config has moved from /config to /clair/config
- You must update references to additional files, such as certificates, in clair-jwt’s config.
- The quay HTTP port is now 8080. The HTTPS port is 8443.
- If you use the proxy port on quay, it has been moved to 7443.
The move to a RHEL base image means the certificate install path has changed to /etc/pki/ca-trust/source/anchors. Examples running the images have been updated to reflect this.
1.58. Version 2.9.5
Release Date: March 27, 2019
Added:
- Signature V4 Authentication for AWS S3
Fixed:
- Prohibit DES TLS ciphers
1.59. Version 2.9.4
Release Date: November 1, 2018
Fixed:
- Georeplication under certain failure conditions would incorrectly mark storage as replicated (#3283)
1.60. Version 2.9.3
Release Date: July 24, 2018
Fixed:
- Changed to using v4 of Gitlab API now that v3 has been deprecated and removed (#3110)
1.61. Version 2.9.2
Release Date: May 16, 2018
This release fixes a bug in which the deletion of namespaces did not result in the deletion of robot accounts under that namespace. While this is not a security issue (no permissions or credentials are leaked), it can appear unusual to users, so an upgrade is highly recommended. This change also includes a migration that cleans up the aforementioned robot accounts, so the migration step can take several minutes. Please plan accordingly.
Added:
- Support for custom query parameters on OIDC endpoints (#3050)
- Configurable options for search page length and maximum number of pages (#3060)
- Better messaging for when the maximum search page is reached (#3060)
- Support for browser notifications (#3068)
Fixed:
- Robot accounts were not being immediately deleted under namespaces (#3071)
- Setup under latest versions of Kubernetes (#3051)
- Viewing of logs in repositories with many, many logs (#3082)
- Filtering of deleting users and organizations in superuser panel (#3080)
- Incorrect information displayed for builds triggered by deleted build triggers (#3078)
- Robots could not be created with empty descriptions (#3073)
- Inability to find Dockerfile in certain archives (#3072)
- Display of empty tab in credentials dialog under certain circumstances (#3061)
- Overflow of robot names when extremely long (#3062)
- Respect CPU affinity when determining number of workers to run (#3064)
- Breakage in RECAPTCHA support (#3065)
1.62. Version 2.9.1
Release Date: April 9, 2018
This release fixes the 2.9.0 migration. If you experienced an error during the 2.9.0 migration, manually roll back and then upgrade your quay instance to 2.9.1.
Fixed:
- Specify default server value for new integer fields added (#3052)
- Overflow of repository grid UI (#3049)
1.63. Version 2.9.0
Release Date: April 3, 2018
Added:
- Automatic cleanup of expired external application tokens (#3002)
- Make deletions of namespaces occur in the background (#3014)
- Ability to disable build triggers (#2892)
- Have repeatedly failing build triggers be automatically disabled (#2892)
- Automatic caching of registry Blob data for faster pull operations (#3022)
- Creation date/time, last usage date/time and other metadata for robot accounts (#3024)
- Collaborators view under organizations, for viewing non-members (#3025)
Fixed:
- Make superusers APIs for users and organizations visible in the API browser (#3017)
- Better messaging when attempting to create a team that already exists (#3006)
- Prevent possible reflected text attacks by limiting API access (#2987)
- Have checkable menus in UI respect filters (#3013)
- Users being invited to a new organization must always be invited (#3029)
- Removed all license requirements in Quay (#3031)
- Squashed images with hard links pointing to deleted files no longer fail (#3032)
- 500 error when trying to pull certain images via torrent (#3036)
1.64. Version 2.8.0
Release Date: February 13, 2018
Added:
- Support for Azure Blob Storage (#2902)
- Ability to filter out disabled users in users list API (#2954)
- Image ID in expanded tags view (#2965)
- Processes auto-scale based on CPU count (#2971, #2978)
- Health checks for all workers (#2977)
- Health checks and auto-rotation for service keys (#2909)
- Ability to back GitHub or Google login with LDAP/Keystone (#2983)
- Configurable page size for Docker Registry V2 API pagination (#2993)
Fixed:
- Anonymous calls to API discovery endpoint (#2953)
- Optimized creation of repositories
- Optimized manifest pushing
- LDAP password input is now password field (#2970)
- 500 raised when sending an invalid release name for app repos (#2979)
- Deletion of expired external app tokens (#2981)
- Sizing of OIDC login buttons (#2990)
- Hide build-related UI when builds are not enabled (#2991)
- Incorrect caching of external application token expiration (#2996)
- Warning bar should not be displayed for already expired application tokens (#3003)
1.65. Version 2.7.0
Release Date: January 8, 2018
This release removes support for the OIDC token internal authentication mechanism and replaces it with support for a new app-specific token system. All customers using the old OIDC token auth mechanism must change their configuration after updating manually in config.yaml.
Added:
- Support for external application tokens to be used on the Docker CLI (#2942)
- Explore tab for browsing visible repositories (#2921)
- Ability to view and copy full manifest SHAs in tags view (#2898)
- Support for robot tokens in App Registry pushes and pulls (#2899)
Fixed:
- Failure when attempting to use Skopeo tool to access the registry (#2950)
- Ordering of segments in Swift to match spec (#2920)
- Squashed image downloading when using Postgres DB (#2930)
- Hide "Start Build" button if the action is not allowed (#2916)
- Exception when pushing certain labels with JSON-like contents (#2912)
- Don’t add password required notification for non-database auth (#2910)
- Tags UI spacing on small displays (#2904)
- Push updated notification now shows correct tags (#2897)
- "Restart Container" button in superuser config panel (#2928)
- Various small JavaScript security fixes
1.66. Version 2.6.2
Release Date: December 19, 2017
Added:
- License validation before config save
Fixed:
- Failure to register uploaded TLS certificates (#2946)
1.67. Version 2.6.1
Release Date: October 26, 2017
Added:
- Optimized overhead for direct downloads from Swift storage (#2889)
Fixed:
- Immediately expire image builds that fail to start (#2887)
- Failure to list all GitHub Enterprise namespaces (#2894)
- Incorrect links to builds in notifications (#2895)
- Failure to delete certain app repositories (#2893)
- Inability to display Tag Signing status (#2890)
- Broken health check for OIDC authentication (#2888)
1.68. Version 2.6.0
Release Date: October 10, 2017
Added:
- Ability to use OIDC token for CLI login (#2695)
- Documentation for OIDC callback URLs in setup tool
- Ability for users to change their family and given name and company info (#2870)
- Support for invite-only user sign up (#2867)
- Option to disable partial autocompletion of users (#2864)
- Georeplication support in Swift storage (#2874)
Fixed:
- Namespace links ending in slashes (#2871)
- Contact info setup in setup tool (#2866)
- Lazy loading of teams and robots (#2883)
- OIDC auth headers (#2695)
1.69. Version 2.5.0
Release Date: September 7, 2017
Added:
- Better TLS caching (#2860)
- Feature flag to allow read-only users to build logs (#2850)
- Feature flag to enable team sync setup when not a superuser (#2813)
- Preferred public organizations list (#2850)
- OIDC support for OIDC implementations without user info endpoint (#2817)
- Support for tag expiration, in the UI and via a special quay.expires-after label (#2718)
- Health checks report failure reasons (#2638)
- Enable database connection pooling (#2834)
Fixed:
- Setting of team resync option
- Purge repository on very large repositories
1.70. Version 2.4.0
Release Date: July 10, 2017
Added:
- Kubernetes Applications Support
- Full-page search UI (#2529)
- Always generate V2 manifests for tag operations in UI (#2608)
- Option to enable public repositories in v2 catalog API (#2654)
- Disable repository notifications after 3 failures (#2652)
- Remove requirement for flash for copy button in UI (#2667)
Fixed:
- Upgrade support for Markdown (#2624)
- Kubernetes secret generation with secrets with CAPITAL names (#2640)
- Content-Length reporting on HEAD requests (#2616)
- Use configured email address as the sender in email notifications (#2635)
- Better performance on permissions lookup (#2628)
- Disable federated login for new users if user creation is disabled (#2623)
- Show build logs timestamps by default (#2647)
- Custom TLS certificates tooling in superuser panel under Kubernetes (#2646, #2663)
- Disable debug logs in superuser panel when under multiple instances (#2663)
- External Notification Modal UI bug (#2650)
- Security worker thrashing when security scanner not available
- Torrent validation in superuser config panel (#2694)
- Expensive database call in build badges (#2688)
1.71. Version 2.3.4
Release Date: May 3, 2017
Added:
- Always show tag expiration options in superuser panel
1.72. Version 2.3.3
Release Date: May 2, 2017
Added:
- Prometheus metric for queued builds (#2596)
Fixed:
- Allow selection of Gitlab repository when Gitlab sends no permissions (#2601)
- Failure when viewing Gitlab repository with unexpected schema (#2599)
- LDAP stability fixes (#2598, #2584, #2595)
- Viewing of repositories with trust enabled caused a 500 (#2594, #2593)
- Failure in setup tool when time machine config is not set (#2589)
1.73. Version 2.3.2
Release Date: April 27, 2017
Added:
- Configuration of time machine in UI (#2516)
Fixed:
- Auth header in OIDC login UserInfo call (#2585)
- Flash of red error box on loading (#2562)
- Search under postgres (#2568)
- Gitlab namespaces with null avatars (#2570)
- Build log archiver race condition which results in missing logs (#2575)
- Team synchronization when encountering a user with a shared email address (#2580)
- Create New tooltip hiding dropdown menu (#2579)
- Ensure build logs archive lookup URL checks build permissions (#2578)
1.74. Version 2.3.1
Release Date: April 21, 2017
This release fixes the 2.3.0 migration. If you experienced an error during the 2.3.0 migration, manually roll back and then upgrade your quay instance to 2.3.1.
Fixed:
- Specify default server value for new bool field added to the repository table
1.75. Version 2.3.0
Release Date: April 20, 2017
This release has known issues, related to database migrations, and will not work for many customers. If you are using this release, upgrade your Quay cluster to 2.3.4 or later.
Added:
- LDAP Team Sync support (#2387, #2527)
- Improved search performance through pre-computed scores (#2441, #2531, #2533, #2539)
- Ability to allow pulls even if audit logging fails (#2306)
- Full error information for build errors in Superuser panel (#2505)
- Better error messages passed to the Docker client (#2499)
- Custom git triggers can specify separate build context directory (#2517, #2509)
- Improved performance on repository list API (#2542, #2544, #2546)
Fixed:
- Handle undefined case in build message (#2501)
- OIDC configuration in Superuser panel (#2520)
- Ability to invite team members by email address (#2522)
- Avatars for non-owner namespaces in GitLab (#2507, #2532)
- Update dependencies and remove warnings (#2518, #2511, #2535, #2545, #2553)
- Remove link to blog (#2523)
- Better handling for unavailable frontend dependencies (#2503)
- Top level redirect logic for missing repositories (#2540)
- Remove extra slash from missing base image permissions error in build logs (#2548)
- Backfill replication script when adjusting replication destinations (#2555)
- Errors when deleting repositories without security scanning enabled (#2554)
1.76. Version 2.2.0
Release Date: March 31, 2017
This release contains a migration that adds a new feature to the build system. This requires shutting down the entire cluster including builders and running one instance to migrate the database forward. You must use a v2.2.0 builder with a v2.2.0 Quay cluster.
Added:
- Separate build contexts from Dockerfile locations (#2398, #2410, #2438, #2449, #2480, #2481)
- Configuration and enforcement of maximum layer size (#2388)
- OIDC configuration in the Super User Panel (#2393)
- Batching of Security Scanner notifications (#2397)
- Auth Failures now display messages on the docker client (#2428, #2474)
- Redesigned Tags page to include Labels, Image ID Type, and more informative Security Scanner information (#2416)
Fixed:
- Parsing new docker client version format (#2378)
- Improved repository search performance (#2392, #2440)
- Miscellaneous Build Trigger page issues (#2405, #2406, #2407, #2408, #2409, #2414, #2418, #2445)
- Remove all actionable CVEs from the docker image (#2422, #2468)
- Minor bugs in Repository views (#2423, #2430, #2431)
- Improve performance by deleting keys in redis rather than expiring (#2439)
- Better error messages when configuring cloud storage (#2444)
- Validation and installation of custom TLS certificates (#2473)
- Garbage Collection corner case (#2404)
1.77. Version 2.1.0
Release Date: February 22, 2017
POSTGRESQL USERS: This release adds full-text searching capabilities to Quay Enterprise. In order to support this feature, the upgrade migration will attempt to create the pg_trgm extension in the database. This operation requires superuser access to run, and requires the PostgreSQL Additional Modules to be installed. See https://coreos.com/quay-enterprise/docs/latest/postgres-additional-modules.html to learn how to install the extensions.
Added:
- Full text search support (#2272)
- OIDC support (#2300, #2348)
- API for lookup of security status of a manifest (#2334)
- More descriptive logs (#2358)
Fixed:
- Datetime bug in logs view (#2318)
- Display bug in logs view (#2345)
- Display of expiration date for licenses with multiple entries (#2354)
- V1 search compatibility (#2344)
1.78. Version 2.0.5
Release Date: January 30, 2017
Added:
- Build logs viewer in superuser panel
Fixed:
- Support for wildcard certs in the superuser config panel
1.79. Version 2.0.4
Release Date: January 26, 2017
Added:
- Expand allowed length of namespaces to be between 2 and 255 characters (#2291)
- Better messaging for namespaces (#2283)
- More customization of Message Of The Day (MOTD) (#2282)
- Configurable and default timeout for LDAP (#2247)
- Custom SSL certificate panel in superuser panel (#2271, #2274)
- User and Organization list pagination on superuser panel (#2250)
- Performance improvements for georeplication queuing (#2254)
- Automatic garbage collection in security scanner (#2257)
- RECAPTCHA support during create account flow (#2245)
- Always display full git error in build logs (#2277)
- Superuser config clarification warnings (#2279)
- Performance improvements around queues (#2276, #2286, #2287)
- Automatic retry for security scanning (#2242)
- Better error messaging on security scanner lookup failure (#2235)
- Ensure robot accounts show at top of entity autocomplete (#2243)
Fixed:
- Exception when autocompleting users in teams (#2255)
- Port mapping in ACI conversion (#2251, #2273)
- Error messaging for attempting to join a team with invalid email (#2240)
- Prometheus metrics for scale (#2237)
- Security scanner notification pagination (#2233, #2249)
Regressed:
- Support for wildcard certs in the superuser config panel
1.80. Version 2.0.3
Release Date: December 9, 2016
Added:
- Allow extra_ca_certs to be a folder or a file (#2180)
Fixed:
- Cancelling build bug (#2203)
- Allow license to be set in setup tool (#2200)
- Improve queue performance (#2207, #2211)
- Improve security scan performance (#2209)
- Fix user lookup for external auth engines (#2206)
1.81. Version 2.0.2
Release Date: December 2, 2016
Added:
- Ability to cancel builds that are already building. (#2041, #2127, #2186, #2189, #2190)
- Notifications when a build is canceled (#2173, #2184)
- Remove deprecated email flag from generated docker login commands (#2146)
- Upgrade nginx to v1.11.5 (#2140)
- Improve performance of robots management UI (#2145)
- Add data about specific manifest or tag pulled in audit logs (#2152)
- Debug nginx logs from non-proxy protocol connection (#2167)
- Accept multiple team invitations simultaneously (#2169)
- Password recovery defaults to resetting password (#2170)
- Gzip javascript and svg assets (#2171)
- Add support for custom ports in RADOS and S3 storage engines (#2185)
- Prometheus metric for number of unscanned images (#2183)
Fixed:
- Fix entity search under Postgres (regression in v2.0.0) (#2172)
- Error displayed for OAuth if an existing token already matches scopes (#2139)
- Reduce timeouts of the build manager when under heavy load (#2143, #2157)
- Fix gauge metrics on prometheus endpoint (#2153)
- Disable CoreOS update-engine on ephemeral Kubernetes builders (#2159)
- Fix notifications generated by the build manager (#2163)
- JSON encoding for chunk cleanup in Swift storage engine (#2162)
- Fix configuration validator when setting up storage engine (#2176)
- Multiline message of the day to not cover the search box (#2181)
Regressed:
- User lookup for external auth engines broken
1.82. Version 2.0.1
Release Date: November 17, 2016
Added:
- A defined timeout on all HTTP calls in notification methods
- Customized Build start timeouts and better debug logs
- A warning bar when the license will become invalid in a week
- Collection of user metadata: name and company
- New Prometheus metrics
- Support for temp usernames and an interstitial to confirm username
- Missing parameter on RADOS storage
- Stagger worker startup
- Make email addresses optional in external auth if email feature is turned off
- External auth emails to entity search
- Banner bar message when license has expired or is invalid
Fixed:
- Make sure to check for user before redirecting in update user
- 500 on get label endpoint and add a test
- KeyError in Github trigger setup
- Change LDAP errors into debug statements to reduce log clutter
- Bugs due to conflicting operation names in the API
- Cannot-use-robot for private base image bug in build dialog
- Swift exception reporting on deletion and add async chunk cleanup
- Logs view for dates that start in zero
- Small JS error fixes
- A bug with accessing the su config panel without a license
- Buildcomponent: raise heartbeat timeout to 60s
- KeyError in config when not present in BitBucket trigger
- Namespace lookup in V1 registry search
- Build notification ref filtering setup in UI
- Entity search API to not IndexError
- Remove setup and superuser routes when SUPER_USERS is not enabled
- TypeError in Gitlab trigger when user not found
Regressed:
- Superuser config panel cannot save
1.83. Version 2.0.0
Release Date: October 26, 2016
This release is a required release and must be run before attempting an upgrade to v2.0.0+.
In order to upgrade to this version, your cluster must contain a valid license.
Added:
- Require valid license to enable registry actions (#2009, #2018)
- The ability to delete users and organizations (#1698)
- Add option to properly handle TLS terminated outside of the container (#1986)
- Updated run trigger/build dialog (#1895)
- Update dependencies to latest versions (#2012)
- Ability to use dots and dashes in namespaces intended for use with newer Docker clients (#1852)
- Changed dead queue item cleanup from 7 days to 1 day (#2019)
- Add a default database timeout to prevent failed DB connections from hanging registry and API operations (#1764)
Fixed:
- Fix error if a vulnerability notification doesn’t have a level filter (#1995)
- Registry WWW-Authenticate and Link headers are now Registry API compliant (#2004)
- Small fixes for Message of the Day feature (#2005, #2006)
- Disallow underscores at the beginning of namespaces (#1852)
- Installation tool liveness checks during container restarts (#2023)
Regressed:
- Entity search broken under Postgres
1.84. Version 1.18.1
Release Date: October 31, 2016
Fixed:
- Exception when using RADOS GW Storage driver (#2057)
1.85. Version 1.18.0
Release Date: October 13, 2016
Changed:
- Add message of the day (#1953)
- Add repository list pagination (#1858)
- Add better 404 (and 403) pages (#1857)
Fixed:
- Improved reliability of several JS functions (#1959) (#1980) (#1981)
- Handle unicode in entity search (#1939)
- Fix tags API pagination (#1926)
- Add configurable timeout and debug flags to Keystone users (#1867)
- Build notifications were failing to fire (#1859)
- Add feature flag to turn off requirement for team invitations (#1845)
- Don’t exception log for expected 404s in Swift storage (#1851)
1.86. Version 1.17.1
Release Date: September 22, 2016
Changed:
- Repository admins can now invoke build triggers manually (#1822)
- Improved notifications UI and features (#1839)
- Improved UX for managing teams (#1509)
Fixed:
- Timeline’s delete-then-tag display bug (#1824)
- Add .well-known endpoint for Quay (#1790)
- .tar.gz does not work when building from archive via web UI (#1832)
- Delete empty Swift chunks (#1844)
- Handling of custom LDAP cert (#1846)
1.87. Version 1.17.0
Release Date: September 12, 2016
Changed:
- Added Labels API (#1631)
- Kubernetes namespace existence check (#1771)
- New UI and permissions handling for robots and teams (#1754, #1815)
- Retry attempts to the S3-like storages (#1748, #1801, #1802)
- Improved messaging when changing email addresses (#1735)
- Emails now include logos (#1691)
- Improved messaging around expired builds (#1681)
Fixed:
- Logs inside the container failing to rotate (#1812)
- Filtering of repositories only visible to organization admins (#1795)
- Invalid HTTP response when creating a duplicate tag (#1780)
- Asynchronous Worker robustness (#1778, #1781)
- Manual build failure when using Bitbucket triggers (#1767)
- Missing "Sign Out" link on mobile UI (#1765)
- Miscellaneous changes to title usage (#1763)
- Repository star appearing when not logged in (#1758)
- Invalid AppC manifests generated when missing an ENV (#1753)
- Timezones now incorporated into audit logs (#1747)
- Fixed redirection to specific tags using short URLs (#1743)
- Broken pagination over only public repositories (#1724, #1726, #1730)
- Invisible glyph icons on date selectors (#1717)
- Possible storage of duplicate images (#1706)
- Broken "Your Account" links in emails (#1694)
- Non-admin users no longer default to organization-wide read (#1685)
- Database performance (#1680, #1688, #1690, #1722, #1744, #1772)
1.88. Version 1.16.6
Release Date: August 17, 2016
Changed:
- Added ability to override secure cookie setting when using HTTPS protocol (#1712)
1.89. Version 1.16.5
Release Date: August 3, 2016
Changed:
- Better logging for delete issues in Swift (#1676)
- Storage validation on /status endpoint (#1660)
- Better logging for upload issues (#1639, #1670)
- Support for Swift retries (#1638)
- Support for Swift timeouts (#1634)
Fixed:
- Pagination off-by-one issue in repository tags API (#1672)
- Missing requires_cors on archived build logs URL (#1673)
- Tutorial disconnect UI (#1657)
- Enter key in password dialogs in Firefox (#1655)
- Custom trigger links in UI (#1652)
- GC database query optimizations (#1645, #1662)
- Multipart refs on builds (#1651)
- Invalid tags on builds (#1648)
- Fresh login check failure (#1646)
- Support for empty RDN in LDAP configuration (#1644)
- Error raised on duplicate placements when replicating (#1633)
1.90. Version 1.16.4
Release Date: July 18, 2016
Changed:
- Configuration of multiple RDNs for LDAP login (#1601)
- Key Server health check (#1598)
- Prometheus endpoint (#1596)
- Upgrade to latest upstream PyGitHub (#1592)
Fixed:
- Race condition around starting builds (#1621)
- Geo-replication for CAS objects (#1608)
- Popularity metrics on list repositories API endpoint (#1599)
- Removed redundant namespaces from repository listings (#1595)
- Internal error when paginating a PostgreSQL-backed Quay (#1593, #1622)
- GitHub API URLs are properly stripped of trailing slashes (#1590)
- Tutorial fails gracefully without Redis (#1587)
1.91. Version 1.16.3
Release Date: June 27, 2016
Changed:
- Repository Activity Heatmap (#1569, #1571)
- Restyled Robots View (#1568)
- LDAP certificates specified by name (#1549)
- Multiselect toggles for permissions (#1562)
- Dynamically generated sitemap.txt (#1552)
Fixed:
- Fixed URLs missing ports in setup process (#1583)
- OAuth key not found error when setting up Dex (#1583)
- Timestamps in syslog now display the proper time (#1579)
- Added offset for clock skew in JWT expiration (#1578)
- Replacement of illegal characters in usernames (#1565)
- Differentiate between different tags on generated ACIs (#1523)
- Decreased lifetime of various redis keys (#1561)
- Build pages now robust to redis outage (#1560)
- Validation of build arguments before contacting a build worker (#1557)
- Removed hosted Quay.io status from Enterprise 500 page (#1548)
- Performance of database queries (#1512)
1.92. Version 1.16.2
Release Date: June 16, 2016
Changed:
- Ability for admins to "Take Ownership" of a namespace (#1526)
Fixed:
- Encrypted Password Dialog can use External Auth Usernames (#1541)
- Logging race condition in container startup (#1537)
- Improved database performance on various pages (#1511, #1514)
- The 'Return' key now works in password dialogs (#1533)
- Repository descriptions breaking log page styles (#1532)
- Styles on Privacy and Terms of Service pages (#1531)
1.93. Version 1.16.1
Release Date: June 8, 2016
Changed:
- Registry JWT now uses Quay’s Service Keys (#1498, #1527)
- Upgrade to Ubuntu 16.04 LTS base image (#1496)
- Storage Replication for Registry v2 images (#1502)
- Better error messaging for build logs (#1500)
- Granting of OAuth tokens for users via xAuth (#1457)
- Random generation of key configuration values (#1485)
- Upgrade to AngularJS v1.5 (#1473)
- Swift API v3 storage support (#1472)
- Clarification on various tool tip dialogs (#1468)
- Various backend performance increases (#1459, #1493, #1510, #950)
- New Credentials, Team, Robot Dialogs (#1421, #1455)
Fixed:
- Pagination keys must be url-safe base64 encoded (#1485)
- Sign In to work with more password managers (#1508)
- Role deletion UI (#1491)
- UI expansion when large HTML "pre" tags are used in markdown (#1489)
- Usernames not properly linking with external auth providers (#1483)
- Display of dates in action logs UI (#1486)
- Selection bug with checkboxes in the setup process (#1458)
- Display error with Sign In (#1466)
- Race condition in ACI generation (#1463, #1490)
- Incorrect calculation of the actions log archiver
- Displaying many image tracks on the Repository tags page (#1451)
- Handling of admin OAuth Scope (#1447)
1.94. Version 1.16.0
Release Date: May 6, 2016
Changed:
- Unified dashboard for viewing vulnerabilities and packages (#268)
- Expose createOrganization API endpoint (#1246)
- ACI key setup to the setup tool (#1211)
- JWT Key Server (#1332)
- New Login Screen UI (#1346)
- API errors return application/problem+json format (#1361)
- JWT Proxy for authenticating services (#1380)
- New design for user and org settings (#1409)
- Sescan configuration to setup tool (#1428)
Fixed:
- Remove uses of target="_blank" anchors (#1411)
- Bulk operations don’t allow "shift selection" (#1389)
- Add tag pushed to usage log (#798)
- Increase timeout on V2 (#1377)
- Save rotated logs to storage via userfiles (#1356)
- Include all possible response codes in Swagger document (#1018)
- Improve notification lookup performance (#1329)
- Future-proof uncompressed size calculation for blob store (#1325)
- Client side chunk paths (#1306)
- ACI Volume Names (#1308)
- Issue when linking to a parent with a different blob (#1291)
- Not all 401s set www-authenticate header (#1254)
- Key error when updating V1 Ids (#1240)
- Unicode error when calculating new V1 IDs (#1239)
- Error when turning on receipt emails (#1209)
1.95. Version 1.15.5
Release Date: February 12, 2016
Fixed:
- Docker pushes with v2 sha mismatch were breaking v2 functionality (#1236)
1.96. Version 1.15.4
Release Date: February 11, 2016
Changed:
- Check that will fail if Quay tries to mislink V1 layers with Docker 1.10 (#1228)
Fixed:
- Backfill of V2 checksums (#1229)
- 'BlobUpload' Migration (2015-12-14) for MySQL 5.5 (#1227)
- Minor UI error in tag specific image view (#1222)
- Notification logo (#1223)
1.97. Version 1.15.3
Release Date: February 3, 2016
Changed:
- 502 page (#1198)
- Token based pagination (#1196, #1095)
Fixed:
- Trust upstream QE proxies to specify https scheme in X-Forwarded-Proto (#1201)
- Refreshed dependencies to address security issues (#1195, #1192, #1186, #1182)
- Tests (#1190, #1184)
- Setup tool storage engine validation (#1194)
1.98. Version 1.15.2
Release Date: January 25, 2016
This release tracks changes in the Docker v2 image format and adds official support for library repositories.
Changed:
- Formal support for library repositories (#1160)
Fixed:
- Content-Type of V2 manifests to match updated Docker V2 spec (#1169)
- Scope handling for Docker 1.8.3 (#1162)
- Typos in docs (#1163, #1164)
1.99. Version 1.15.0
Release Date: January 12, 2016
This release repairs a bug in torrent hash calculations.
Fixed:
- Fix torrent hash calculation (#1142)
1.100. Version 1.14.1
Release Date: January 6, 2016
This release primarily addresses a bug in a migration found in v1.14.0 related to migrating v1 data to the new format for v2 in the database.
Changes:
- Removed image diff feature (#1102, #1116)
- Added list view of repositories in all displays (#1109)
- Added better recovery of organizations (#1108)
- Added QE version in footer
- Improved database query performance (#1068, #1097)
- Added namespaces in docker search results (#1086)
Bug Fixes:
- Fixed migration of V1 metadata (#1120)
- Fixed log bug around month handling (#1114)
- Fixed Content-Type on errors with JSON bodies (#1107)
- Fixed unhandled exceptions in Queue
- Fixed UI for dismissing notifications (#1094)
1.101. Version 1.14.0
Release Date: December 18, 2015
This new release introduces Docker Registry v2 support and makes Quay Enterprise fully backward and forward compatible with both v1 and v2. Push and pull your images securely with any version of Docker Engine (≥0.10) and enjoy the performance boost that registry v2 delivers.
Changes:
- Added Docker Registry v2 support (#885)
- Added the ability to blacklist v2 for specific versions (#1065)
- Added HTTP2 support (#1031)
- Added automatic action logs rotation (#618)
- Made garbage collection frequency configurable (#1074)
- Added storage preferences configuration (#725, #807)
- Added Gitlab, Bitbucket and Github schema support to custom triggers (#525)
Bug fixes:
- Fixed user, repositories and images under MySQL (#830, #843, #1075)
- Fixed ACI volumes (#1007)
- Fixed date display in Firefox (#937)
- Fixed page titles (#952)
- Fixed numerous builder failures
1.102. Version 1.13.3
Release Date: November 10, 2015
Bug Fixes:
- Various issues related to upgrading previous versions of Quay Enterprise have been fixed
Quay Enterprise v1.13.x contains long-running migrations and should be updated during a maintenance window in which administrators have several hours to dedicate to the database migration. Quay Enterprise will not be available while these migrations run.
1.103. Version 1.13.2
Release Date: November 3, 2015
- Fixed 404 API calls redirecting to 404 page (#762)
1.104. Version 1.13.1
Release Date: November 3, 2015
- Fixed broken database migration (#759)
- Added OpenGraph preview image (#750, #758)
1.105. Version 1.13.0
Release Date: November 2, 2015
- Added new Quay Enterprise rebranding (#723, #738, #735, #745, #746, #748, #747, #751)
- Added a styled 404 page (#683)
- Hid the run button from users that haven’t created a trigger (#727)
- Added timeouts to calls to GitLab, Bitbucket, GitHub APIs (#636, #633, #631, #722)
- Added more fields to responses from user API (#681)
- Fixed bug where every repository appeared private in repository listings (#680)
- Added an error when geo-replication is enabled with local storage (#667)
- Enabled asynchronous garbage collection for all repositories (#665)
- Improved UX uploading Dockerfiles (#656)
- Improved registry resiliency to missing image sizes (#643)
- Improved Teams UI (#647)
- Added a limit to logs pagination API (#603)
- Upgrade docker search to use the new search system (#595)
- Fixed database hostname validation to include "." and "" (#579)
- Improved build system’s resiliency if operating without redis (#571)
- Updated repository name and namespace validation to match new docker behavior (#535, #644)
- Refactored and improved Build Trigger validation (#478, #523, #524, #527, #544, #561, #657, #686, #693, #734)
- Optimized moving tags (#520)
- Optimized database usage (#517, #518, #519, #598, #601, #605, #615, #641, #675)
- Migrated all GitHub triggers to use deploy keys (#503)
- Added ability to 'RUN cat .git/HEAD' to get git SHAs in builds (#504)
- Improved repository count limitations UI (#492, #529)
- Added a releases table to database (#495)
- Made repository deletion more robust (#497)
- Optimized Swift storage to support direct downloads (#484)
- Improved build logs UX (#482, #507)
- Add basic Kubernetes secret-store support (#272)
- Improved internal test suite (#470, #511, #526, #514, #545, #570, #572, #573, #583, #711, #728, #730)
- Improved background worker stability (#471)
1.106. Version 1.12.0
Release Date: September 10, 2015
- Added experimental Dex login support (#447, #468)
- Fixed tag pagination in API (#463)
- Improved performance for archiving build logs (#462, #466)
- Optimized cloud storage copying (#460)
- Fixed bug where LDN directory was given a relative domain not absolute (#458)
- Allow robot account names to have underscores (#453)
- Added missing SuperUser aggregate logs endpoint (#449)
- Made JWT validation more strict (#446, #448)
- Added dialog around restarting the container after setup (#441)
- Added selection of Swift API version (#444)
- Improved UX around organization name validation (#437)
- Stopped relying on undocumented behavior for OAuth redirects (#432)
- Hardened against S3 upload failures (#434)
- Added experimental automatic storage replication (#191)
- Deduplicated logging to syslog (#431, #440)
- Added list org member permissions back to API (#429)
- Fixed bug in parsing unicode Dockerfiles (#426)
- Added CloudWatch metrics for multipart uploads (#419)
- Updated CloudWatch metrics to send the max metrics per API call (#412)
- Limited the items auto-loaded from GitHub in trigger setup to 30 (#382)
- Tweaked build UX (#381, #386, #384, #410, #420, #422)
- Changed webhook notifications to also send client SSL certs (#374)
- Improved internal test suite (#381, #374, #388, #455, #457)