Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 5. Adding additional Certificate Authorities to the Red Hat Quay container

The extra_ca_certs directory is the directory where additional Certificate Authorities (CAs) can be stored to extend the set of trusted certificates. These certificates are used by Red Hat Quay to verify SSL/TLS connections with external services. When deploying Red Hat Quay, you can place the necessary CAs in this directory to ensure that connections to services like LDAP, OIDC, and storage systems are properly secured and validated.

For standalone Red Hat Quay deployments, you must create this directory and copy the additional CA certificates into that directory.

Prerequisites

  • You have a CA for the desired service.

Procedure

  1. View the certificate to be added to the container by entering the following command: 

    $ cat storage.crt
    Copy to Clipboard Toggle word wrap

    Example output

    -----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV...
-----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap

  2. Create the extra_ca_certs in the /config folder of your Red Hat Quay directory by entering the following command: 

    $ mkdir -p /path/to/quay_config_folder/extra_ca_certs
    Copy to Clipboard Toggle word wrap

  3. Copy the CA file to the extra_ca_certs folder. For example: 

    $ cp storage.crt /path/to/quay_config_folder/extra_ca_certs/
    Copy to Clipboard Toggle word wrap

  4. Ensure that the storage.crt file exists within the extra_ca_certs folder by entering the following command: 

    $ tree /path/to/quay_config_folder/extra_ca_certs
    Copy to Clipboard Toggle word wrap

    Example output

    /path/to/quay_config_folder/extra_ca_certs
├── storage.crt----
    Copy to Clipboard Toggle word wrap

  5. Obtain the CONTAINER ID of your Quay consider by entering the following command: 

    $ podman ps
    Copy to Clipboard Toggle word wrap

    Example output

    CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS              PORTS
5a3e82c4a75f        <registry>/<repo>/quay:{productminv} "/sbin/my_init"          24 hours ago        Up 18 hours         0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 443/tcp   grave_keller
    Copy to Clipboard Toggle word wrap

  6. Restart the container by entering the following command 

    $ podman restart 5a3e82c4a75f
    Copy to Clipboard Toggle word wrap

  7. Confirm that the certificate was copied into the container namespace by running the following command: 

    $ podman exec -it 5a3e82c4a75f cat /etc/ssl/certs/storage.pem
    Copy to Clipboard Toggle word wrap

    Example output

    -----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV...
-----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap

When deployed on Kubernetes, Red Hat Quay mounts in a secret as a volume to store config assets. Currently, this breaks the upload certificate function of the superuser panel.

As a temporary workaround, base64 encoded certificates can be added to the secret after Red Hat Quay has been deployed.

Use the following procedure to add custom SSL/TLS certificates when Red Hat Quay is deployed on Kubernetes.

Prerequisites

  • Red Hat Quay has been deployed.
  • You have a custom ca.crt file.

Procedure

  1. Base64 encode the contents of an SSL/TLS certificate by entering the following command: 

    $ cat ca.crt | base64 -w 0
    Copy to Clipboard Toggle word wrap

    Example output

    ...c1psWGpqeGlPQmNEWkJPMjJ5d0pDemVnR2QNCnRsbW9JdEF4YnFSdVd3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    Copy to Clipboard Toggle word wrap

  2. Enter the following kubectl command to edit the quay-enterprise-config-secret file: 

    $ kubectl --namespace quay-enterprise edit secret/quay-enterprise-config-secret
    Copy to Clipboard Toggle word wrap

  3. Add an entry for the certificate and paste the full base64 encoded stringer under the entry. For example: 

      custom-cert.crt:
c1psWGpqeGlPQmNEWkJPMjJ5d0pDemVnR2QNCnRsbW9JdEF4YnFSdVd3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    Copy to Clipboard Toggle word wrap

  4. Use the kubectl delete command to remove all Red Hat Quay pods. For example: 

    $ kubectl delete pod quay-operator.v3.7.1-6f9d859bd-p5ftc quayregistry-clair-postgres-7487f5bd86-xnxpr quayregistry-quay-app-upgrade-xq2v6  quayregistry-quay-database-859d5445ff-cqthr quayregistry-quay-redis-84f888776f-hhgms
    Copy to Clipboard Toggle word wrap

    Afterwards, the Red Hat Quay deployment automatically schedules replace pods with the new certificate data.

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat