quay · ricardomaraschini · Oct 4, 2021 · Oct 1, 2021
diff --git a/controllers/redhatcop/quayecosystem_controller.go b/controllers/redhatcop/quayecosystem_controller.go
@@ -535,6 +535,21 @@ func (r *QuayEcosystemReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 	if canHandleExternalAccess(quayEcosystem) {
 		log.Info("attempting to migrate external access", "type", quayEcosystem.Spec.Quay.ExternalAccess.Type)
 
+		// if user has provided their own certs we gonna configure TLS as unmanaged. this
+		// should happen most of the times, exception made when quay is acessed directly
+		// without any kind of key (plain http). if not cert and key were found then we
+		// gonna migrate it using a Route with "edge" termination.
+		_, hasKey := configBundle.Data["ssl.key"]
+		_, hasCrt := configBundle.Data["ssl.cert"]
+		if hasKey && hasCrt {
+			quayRegistry.Spec.Components = append(
+				quayRegistry.Spec.Components, quay.Component{
+					Kind:    "tls",
+					Managed: false,
+				},
+			)
+		}
+
 		// NOTE: Assume that if using edge `Route`, there is no custom TLS cert/key pair.
 		// Docs state that custom TLS can be provided to an edge `Route`: (https://access.redhat.com/documentation/en-us/red_hat_quay/3.3/html/deploy_red_hat_quay_on_openshift_with_quay_operator/customizing_your_red_hat_quay_cluster#user_provided_certificates)
 		// But this doesn't seem to be implemented: (https://sourcegraph.com/github.com/quay/quay-operator@v1/-/blob/pkg/controller/quayecosystem/resources/routes.go#L64).
@@ -712,12 +727,15 @@ func canHandleDatabase(q redhatcop.QuayEcosystem) bool {
 	return q.Spec.Quay.Database.Server == "" && q.Spec.Quay.Database.VolumeSize != ""
 }
 
+// canHandleExternalAccess returs true if the operator can manage quay's external access. This is
+// useful while migrating from a QuayEcosystem and we need to determine if we set Route component
+// as managed or unmanaged. We will set Route component to managed if QuayEcosystem has external
+// access configured using an OpenShift's Route object.
 func canHandleExternalAccess(q redhatcop.QuayEcosystem) bool {
-	return q.Spec.Quay.ExternalAccess != nil &&
-		q.Spec.Quay.ExternalAccess.Type == redhatcop.RouteExternalAccessType &&
-		q.Spec.Quay.ExternalAccess.TLS != nil &&
-		(q.Spec.Quay.ExternalAccess.TLS.Termination == redhatcop.PassthroughTLSTerminationType ||
-			q.Spec.Quay.ExternalAccess.TLS.Termination == redhatcop.EdgeTLSTerminationType)
+	if q.Spec.Quay.ExternalAccess == nil {
+		return false
+	}
+	return q.Spec.Quay.ExternalAccess.Type == redhatcop.RouteExternalAccessType
 }
 
 func canHandleRedis(q redhatcop.QuayEcosystem) bool {

diff --git a/controllers/redhatcop/quayecosystem_controller_test.go b/controllers/redhatcop/quayecosystem_controller_test.go
@@ -239,6 +239,60 @@ var _ = Describe("Reconciling a QuayEcosystem", func() {
 		})
 
 		When("the external access component", func() {
+			Context("uses key and cert", func() {
+				JustBeforeEach(func() {
+					Expect(k8sClient.Create(context.Background(), quayEcosystem)).Should(Succeed())
+					quayConfig := types.NamespacedName{
+						Name:      quayEnterpriseConfigSecretName,
+						Namespace: quayEcosystem.Namespace,
+					}
+
+					var secret corev1.Secret
+					Expect(k8sClient.Get(context.Background(), quayConfig, &secret)).Should(Succeed())
+					secret.Data["ssl.key"] = []byte(" ")
+					secret.Data["ssl.cert"] = []byte(" ")
+					Expect(k8sClient.Update(context.Background(), &secret)).Should(Succeed())
+					result, err = controller.Reconcile(context.Background(), reconcile.Request{NamespacedName: quayEcosystemName})
+				})
+
+				It("does not return an error", func() {
+					Expect(err).NotTo(HaveOccurred())
+					Expect(result.Requeue).To(BeFalse())
+				})
+
+				It("marks `route` component as managed", func() {
+					var quayRegistry v1.QuayRegistry
+					Expect(k8sClient.Get(context.Background(), quayRegistryName, &quayRegistry)).Should(Succeed())
+					Expect(quayRegistry.Spec.Components).NotTo(ContainElement(v1.Component{Kind: "route", Managed: false}))
+					Expect(quayRegistry.Spec.Components).To(ContainElement(v1.Component{Kind: "tls", Managed: false}))
+				})
+			})
+
+			Context("is using http protocol", func() {
+				JustBeforeEach(func() {
+					quayEcosystem.Spec.Quay.ExternalAccess = &redhatcop.ExternalAccess{
+						Type: redhatcop.RouteExternalAccessType,
+						TLS: &redhatcop.TLSExternalAccess{
+							Termination: redhatcop.NoneTLSTerminationType,
+						},
+					}
+					Expect(k8sClient.Create(context.Background(), quayEcosystem)).Should(Succeed())
+					result, err = controller.Reconcile(context.Background(), reconcile.Request{NamespacedName: quayEcosystemName})
+				})
+
+				It("does not return an error", func() {
+					Expect(err).NotTo(HaveOccurred())
+					Expect(result.Requeue).To(BeFalse())
+				})
+
+				It("marks `route` component as unmanaged", func() {
+					var quayRegistry v1.QuayRegistry
+					Expect(k8sClient.Get(context.Background(), quayRegistryName, &quayRegistry)).Should(Succeed())
+					Expect(quayRegistry.Spec.Components).NotTo(ContainElement(v1.Component{Kind: "tls", Managed: false}))
+					Expect(quayRegistry.Spec.Components).NotTo(ContainElement(v1.Component{Kind: "tls", Managed: true}))
+				})
+			})
+
 			Context("is unsupported for migration", func() {
 				JustBeforeEach(func() {
 					quayEcosystem.Spec.Quay.ExternalAccess = &redhatcop.ExternalAccess{Type: redhatcop.LoadBalancerExternalAccessType}