Skip to content

PROJQUAY-RNs 3.6 #242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Sep 16, 2021
Merged

PROJQUAY-RNs 3.6 #242

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
5dd3692
Adds a known issue and deprecated feature to 3.6 release notes
stevsmit Aug 30, 2021
eb139e8
Notes MySQL deprecation in 3.6
stevsmit Sep 13, 2021
ade5511
Adds 3.6 RNs
stevsmit Sep 14, 2021
fbd0a15
Adds RN links to Jira
stevsmit Sep 15, 2021
3d08f8e
Minor formatting changes
stevsmit Sep 15, 2021
8812d6b
Minor changes
stevsmit Sep 15, 2021
cc7a68d
Minor chanes
stevsmit Sep 15, 2021
42c1755
Adds bugs doc text
stevsmit Sep 15, 2021
2308c93
RN changes
stevsmit Sep 15, 2021
a649757
RN Changes
stevsmit Sep 15, 2021
8b2de57
RN minor edits
stevsmit Sep 15, 2021
c0a1a85
RN additions
stevsmit Sep 15, 2021
01f0be5
Minor edits
stevsmit Sep 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 121 additions & 3 deletions modules/rn_3_60.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,137 @@

=== quay / clair / quay-builder

Deprecated:
Added/Changed:

* {productname} 3.6 now includes support for Open Container Initiative (OCI) mimetypes, including CLI cosigning, helm, and alternate compression schemes such as ztsd. (https://issues.redhat.com/browse/PROJQUAY-1417?filter=12382147[PROQUAY-1417]), (link:https://issues.redhat.com/browse/PROJQUAY-1032?filter=12382147[PROJQUAY-1032])

* You can now use the API to create a first user. (link:https://issues.redhat.com/browse/PROJQUAY-1926?filter=12382147[PROJQUAY-1926])

* Support for nested repositories and extended repository names has been added. This change allows the use of `/` in repository names needed for certain OpenShift Container Platform use cases. (link:https://issues.redhat.com/browse/PROJQUAY-1535?filter=12382147[PROJQUAY-1535])

* Registry users now have the option to set `CREATE_PRIVATE_REPO_ON_PUSH` in their config.yaml to `True` or `False` depending on their security needs. (link:https://issues.redhat.com/browse/PROJQUAY-1929?filter=12382147[PROJQUAY-1929])

* Pushing to a non-existent organization can now be configured to automatically create the organization. (link:https://issues.redhat.com/browse/PROJQUAY-1928?filter=12382147[PROJQUAY-1928])

* Users are now required to enter namespace and repository names when deleting a repository. (link:https://issues.redhat.com/browse/PROJQUAY-763?filter=12382147[PROJQUAY-763])

* Support for Ceph virtual-hosted-style bucket addressing has been added. (link:https://issues.redhat.com/browse/PROJQUAY-922?filter=12382147[PROJQUAY-922])

* Users can now view Clair v4.2 enrichment data in the Quay UI. Additionally, Clair v4.2 shows vulnerability status for detected vulnerabilities in Alpine Images. (link:https://issues.redhat.com/browse/PROJQUAY-2102?filter=12382147[PROJQUAY-2102])

* The Quay Repository now shows *Repository Status* when repository mirroring is enabled. (link:https://issues.redhat.com/browse/PROJQUAY-591?filter=12382147[PROJQUAY-591])

* Memory usage across Clair, notably around the `affected_manifests` call, has been improved. These changesets include:

** `io.Pipe` is used to cross-wire JSON encoding and API requests in order to avoid buffering the entire body request in memory;
** `encoding/JSON` has been replaced with `github.com/ugorji/go/codec` configured for JSON in order to allow streaming the JSON encoding;
** `affected_manifests` calls in the notifier, which should prevent large vulnerability turnovers from causing extremely large API calls.

For more information, see link:https://issues.redhat.com/browse/PROJQUAY-1693?filter=12382147[PROJQUAY-1963].

Fixed:

Known issues:
* link:https://issues.redhat.com/browse/PROJQUAY-1918?filter=12382147[PROJQUAY-1918]. Clair v4.1.0.alpha2 indexer now works in {productname} 3.6.

* link:https://issues.redhat.com/browse/PROJQUAY-1610?filter=12382147[PROJQUAY-1610]. The `initContainer` from the Quay migration pod has been removed, which blocked the deployment process until Clair responded. As a result, Quay deployments now progress without waiting on the Clair deployment to finish.

* link:https://issues.redhat.com/browse/PROJQUAY-1857?filter=12382147[PROJQUAY-1857]. NamespaceGCWorker and RepositoryGCWorker shuts down when unable to acquire lock

* link:https://issues.redhat.com/browse/PROJQUAY-1872?filter=12382147[PROJQUAY-1872]. GC workers will sometimes fail to grab a lock due to Redis running out of connections

* link:https://issues.redhat.com/browse/PROJQUAY-2414?filter=12382147[PROJQUAY-2414]. Quay config editor was failed to validate AWS RDS TLS Cert

* link:https://issues.redhat.com/browse/PROJQUAY-1626?filter=12382147[PROJQUAY-1626]. Config validation fails if no AWS access keys are provided

* link:https://issues.redhat.com/browse/PROJQUAY-1710?filter=12382147[PROJQUAY-1710]. Notifications are getting lost

* link:https://issues.redhat.com/browse/PROJQUAY-1813?filter=12382147[PROJQUAY-1813]. Need ratelimiter for updaters

* link:https://issues.redhat.com/browse/PROJQUAY-1815?filter=12382147[PROJQUAY-1815]. Quay config editor can't validate the expire time of uploaded LDAPS CA Cert

* link:https://issues.redhat.com/browse/PROJQUAY-1816?filter=12382147[PROJQUAY-1816]. Quay export logs API return 200 when export logs mail not delivered to target address

* link:https://issues.redhat.com/browse/PROJQUAY-1912?filter=12382147[PROJQUAY-1912]. Internal notifier queue clogging with events

* link:https://issues.redhat.com/browse/PROJQUAY-2119?filter=12382147[PROJQUAY-2119]. Quay config validation fails on PostgreSQL 11 backed by SSL

* link:https://issues.redhat.com/browse/PROJQUAY-2167?filter=12382147[PROJQUAY-2167]. Mirroring stopped working in 3.5.2

* link:https://issues.redhat.com/browse/PROJQUAY-2269?filter=12382147[PROJQUAY-2269]. SecurityWorker fails when indexing a manifest layer's location is remote

* link:https://issues.redhat.com/browse/PROJQUAY-2200?filter=12382147[PROJQUAY-2200]. Quay Config editor need to support sslmode=verify-full in config.yaml after uploading database SSL Cert

* link:https://issues.redhat.com/browse/PROJQUAY-2185?filter=12382147[PROJQUAY-2185]. Quay CR modified after making changes via the config tool


Deprecated:

* *FEATURE_HELM_OCI_SUPPORT*: This feature has been deprecated as of {productname} 3.6 and will be removed in a future release. Instead, `OCI artifact config` should be used, which offers the same features. (link:https://issues.redhat.com/browse/PROJQUAY-2334[PROJQUAY-2334])

* *MySQL and MariaDB database support*: The MySQL and mariaDB databases have been deprecated as of {productname} 3.6. Support for these databases will be removed in a future version of {productname}. If starting a new {productname} installation, it is strongly recommended to use PostgreSQL. (link:https://issues.redhat.com/browse/PROJQUAY-1998?filter=12382147[PROJQUAY-1998])

=== quay-operator

* {productname} 3.6 adds a `disconnected` annotation to Operators. For example:
+
[source,yaml]
----
metadata:
annotations:
operators.openshift.io/infrastructure-features: '["disconnected"]'
----
+
For more information, see link:https://issues.redhat.com/browse/PROJQUAY-1583?filter=12382147[PROJQUAY-1583].

=== quay-container-security-operator
* In order to properly support Github actions, `RELATED_IMAGE` values can now be referenced by tag name (`name:tag`) or by digest (`name@sha256:123`). (link:https://issues.redhat.com/browse/PROJQUAY-1887?filter=12382147[PROJQUAY-1887]), (link:https://issues.redhat.com/browse/PROJQUAY-1890?filter=12382147[PROJQUAY-1890])

* `HorizontalPodAutoscalers` have been added to the Clair, Quay, and Mirror pods, so that they now automatically scale during load spikes. (link:https://issues.redhat.com/browse/PROJQUAY-1449?filter=12382147[PROJQUAY-1449])

* The Quay Operator now reports the status of each managed component in a separate index inside of the same status property so that users can see the progress of a deployment or update. (link:https://issues.redhat.com/browse/PROJQUAY-1609?filter=12382147[PROJQUAY-1609])

* `ssl.cert` and `ssl.key` are now moved to a separate, persistent Secret, which ensures that the cert/key pair is not re-generated upon every reconcile. These are now formatted as `edge` routes and mounted to the same directory in the Quay container. (link:https://issues.redhat.com/browse/PROJQUAY-1883?filter=12382147[PROJQUAY-1883])

* Support for OpenShift Container Platform Edge-Termination Routes has been added by way of a new managed component--`tls`. This separates the `Route` component from TLS and allows users to configure both separate. `EXTERNAL_TLS_TERMINATION: true` is the opinionated setting. Managed `tls` means that the default cluster wildcart cert is used. Unamanged `tls` means that the user provided cert/key pair will be injected into the `Route`. (link:https://issues.redhat.com/browse/PROJQUAY-2050?filter=12382147[PROJQUAY-2050])

* The {productname} Operator can now be directly upgraded from 3.3 to 3.6 without regressions in `Route` handling, rollout speed, stability, and reconciliation robustness. (link:https://issues.redhat.com/browse/PROJQUAY-2100?filter=12382147[PROJQUAY-2100])

* The Quay Operator now allows for more than one Mirroring pod. Users are also no longer required to manually adjust the Mirroring Pod deployment.(link:https://issues.redhat.com/browse/PROJQUAY-1327?filter=12382147[PROJQUAY-1327])

* Previously, when running a 3.3.x version of {productname} with edge routing enabled, users were unable to upgrade to 3.4.x versions of {productname}. This has been resolved with the release of {productname} 3.6. (link:https://issues.redhat.com/browse/PROJQUAY-1694?filter=12382147[PROJQUAY-1694])

* Users now have the option to set a minimum number of replica Quay pods when `HorizontalPodAutoscaler` is set. This reduces downtime when updating or reconfiguring Quay via the Operator during rescheduling events. (link:https://issues.redhat.com/browse/PROJQUAY-1763?filter=12382147[PROJQUAY-1763])

Known issues:

* link:https://issues.redhat.com/browse/PROJQUAY-2335[PROJQUAY-2335]. `Quay` Operator deployment should be blocked when TLS cert/key pairs are unprovided. Instead, the `Quay` Operator continues to deploy.

* link:https://issues.redhat.com/browse/PROJQUAY-2389[PROJQUAY-2389]. Customer provided TLS certificates are lost after {productname} 3.6 Operator reconcile.

Fixed:

* link:https://issues.redhat.com/browse/PROJQUAY-1709?filter=12382147[PROJQUAY-1709]. Upgrading from an older operator with edge route breaks Quay

* link:https://issues.redhat.com/browse/PROJQUAY-1974?filter=12382147[PROJQUAY-1974]. Quay operator doesnt reconciles changes made by config app

* link:https://issues.redhat.com/browse/PROJQUAY-1838?filter=12382147[PROJQUAY-1838]. Quay Operator creates with every restart a new root ca

* link:https://issues.redhat.com/browse/PROJQUAY-2068?filter=12382147[PROJQUAY-2068]. Operator doesn't check for deployment failures

* link:https://issues.redhat.com/browse/PROJQUAY-2121?filter=12382147[PROJQUAY-2121]. Quay upgrade pods running all workers instead of just database upgrade


=== quay-container-security-operator

* The Operator Lifecycle Manager now supports the new v1 CRD API, `apiextensions.k8s.io.v1.CustomResourceDefinition` for the Container Security Operator. This CRD should be used instead of the `v1beta1` CRD, which has been deprecated as of OpenShift Container Platform 4.9. (link:https://issues.redhat.com/browse/PROJQUAY-613?filter=12382147[PROJQUAY-613]), (link:https://issues.redhat.com/browse/PROJQUAY-1791?filter=12382147[PROJQUAY-1791])


=== quay-openshift-bridge-operators

* The installation experience for the Quay Bridge Operator (QBO) has been improved. Enhancements include the following:
** `MutatingAdmissionWebhook` is created automatically during install.
** The QBO leverages the Operator Lifecycle Manager feature of auto-generating certificates and webhook configurations.
** The number of manual steps required to get the Quay Bridge Operator running has been decreased.
+
For more information, see link:https://issues.redhat.com/browse/PROJQUAY-672?filter=12382147[PROJQUAY-672].

* The certificate manager is now delegated by the Operator Lifecycle Manager. Certificates can now be valid for more than 65 days. (link:https://issues.redhat.com/browse/PROJQUAY-1062?filter=12382147[PROJQUAY-1062])