Red Hat Quay Release Notes

Red Hat Quay 3

Red Hat Quay

Red Hat OpenShift Documentation Team

Preface

Red Hat Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Red Hat Quay includes the following features and benefits:

  • Granular security management
  • Fast and robust at any scale
  • High velocity CI/CD
  • Automated installation and updates
  • Enterprise authentication and team-based access control
  • OpenShift Container Platform integration

Red Hat Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Red Hat Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Red Hat Quay.

Important

Red Hat Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Red Hat Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Red Hat Quay. Database schema upgrades are not considered backwards compatible.

Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to roll back your Red Hat Quay deployment must be made in conjunction with the Red Hat Quay support and development teams. For more information, contact Red Hat Quay support.

Documentation for Red Hat Quay is versioned with each release. The latest Red Hat Quay documentation is available from the Red Hat Quay Documentation page. Currently, version 3 is the latest major version.

Note

Prior to version 2.9.2, Red Hat Quay was called Quay Enterprise. Documentation for 2.9.2 and prior versions is archived on the Product Documentation for Red Hat Quay 2.9 page.

Chapter 1. Red Hat Quay release notes

The following sections detail y and z stream release information.

1.1. RHBA-2024:1475 - Red Hat Quay 3.11.0 release

Issued 2024-04-02

Red Hat Quay release 3 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2024:1475 advisory.

1.2. Red Hat Quay release cadence

With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.

For more information, see the Red Hat Quay Life Cycle Policy.

1.3. Red Hat Quay documentation changes

The Red Hat Quay configuration tool has been deprecated since version 3.10. With this release, references and procedures that use the configuration tool have been, or will be, removed. These procedures will remain in older versions of Red Hat Quay.

1.4. Red Hat Quay new features and enhancements

The following updates have been made to Red Hat Quay.

1.4.1. Support for AWS STS on Red Hat Quay

Support for Amazon Web Services (AWS) Security Token Service (STS) is now offered for Red Hat Quay. AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized. This feature is also available for OpenShift Container Platform deployments.

For more information about configuring AWS STS for standalone Red Hat Quay deployments, see Configuring AWS STS for Red Hat Quay.

1.4.2. Red Hat Quay auto-pruning enhancements

With the release of Red Hat Quay 3.10, a new auto-pruning feature was released. With that feature, Red Hat Quay administrators could set up auto-pruning policies on namespaces for both users and organizations.

With this release, auto-pruning policies can now be set up on specified repositories. This feature allows for image tags to be automatically deleted within a repository based on specified criteria. Additionally, Red Hat Quay administrators can set auto-pruning policies on repositories that they have admin privileges for.

For more information, see Red Hat Quay auto-pruning overview.

1.4.3. Red Hat Quay v2 UI enhancements

In Red Hat Quay 3.8, a new UI was introduced as a technology preview feature. With Red Hat Quay 3.11, the following enhancements have been made to the v2 UI.

1.4.3.1. Red Hat Quay v2 UI usage logs

Red Hat Quay 3.11 adds functionality for usage logs when using the v2 UI. Usage logs provide the following information about your Red Hat Quay deployment:

  • Monitoring of team activities. Allows administrators to view team activities, such as team creation, membership changes, and role assignments.
  • Auditing of tag history actions. Allows security auditors to audit tag history actions, including tag creations, updates, and deletions.
  • Tracking of repository label changes. Allows repository owners to track changes to labels, including additions, modifications, and removals.
  • Monitoring of expiration settings. Allows engineers to monitor actions related to tag expiration settings, such as setting expiration dates or disabling expiration for specific tags.

Logs can be exported to an email address or to a callback URL, and are available at the Organization, repository, and namespace levels.

For more information, see Viewing usage logs on the Red Hat Quay v2 UI.

1.4.3.2. Red Hat Quay v2 UI dark mode

Red Hat Quay 3.11 offers users the ability to switch between light and dark modes when using the v2 UI. This feature also includes an automatic mode selection, which chooses between light or dark modes depending on the user’s browser preference.

For more information, see Selecting color theme preference on the Red Hat Quay v2 UI.

1.4.3.3. Builds support on Red Hat Quay v2 UI

Red Hat Quay Builds are now supported when using the v2 UI. This feature must be enabled prior to building container images by setting FEATURE_BUILD_SUPPORT: true in your config.yaml file.

For more information, see Creating a new build.

1.4.3.4. Auto-pruning repositories v2 UI

Red Hat Quay 3.11 offers users the ability to create auto-pruning policies using the v2 UI.

For more information, see Red Hat Quay auto-pruning overview.

1.4.4. Team synchronization support via Red Hat Quay OIDC

This release allows administrators to leverage an OpenID Connect (OIDC) identity provider to synchronize team, or group, settings, so long as their OIDC provider supports the retrieval of group information from the ID token or the /userinfo endpoint. Administrators can easily apply repository permissions to sets of users without having to manually create and sync group definitions between Red Hat Quay and the OIDC group, which is not scalable.

For more information, see Team synchronization for Red Hat Quay OIDC deployments.

1.5. Red Hat Quay Operator updates

The following updates have been made to the Red Hat Quay Operator:

1.5.1. Configurable resource requests for Red Hat Quay on OpenShift Container Platform managed components

With this release, users can manually adjust the resource requests on Red Hat Quay on OpenShift Container Platform for the following components that have pods running:

  • quay
  • clair
  • mirroring
  • clairpostgres
  • postgres

This feature allows users to run smaller test clusters, or to request more resources upfront in order to avoid partially degraded Quay pods.

For more information, see Configuring resources for managed components on OpenShift Container Platform.

1.5.2. Support for AWS STS on Red Hat Quay on OpenShift Container Platform

Support for Amazon Web Services (AWS) Security Token Service (STS) is now offered for Red Hat Quay deployments on OpenShift Container Platform. AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.

For more information about AWS STS for Red Hat Quay on OpenShift Container Platform, see Configuring AWS STS for Red Hat Quay on OpenShift Container Platform.

1.6. New Red Hat Quay configuration fields

The following configuration fields have been added to Red Hat Quay 3.

1.6.1. Configuration fields for AWS S3 STS deployments

The following configuration fields have been added when configuring AWS STS for Red Hat Quay. These fields are used when configuring AWS S3 storage for your deployment.

  • .sts_role_arn. The unique Amazon Resource Name (ARN) required when configuring AWS STS for Red Hat Quay.
  • .sts_user_access_key. The generated AWS S3 user access key required when configuring AWS STS for Red Hat Quay.
  • .sts_user_secret_key. The generated AWS S3 user secret key required when configuring AWS STS for Red Hat Quay.

For more information, see AWS STS S3 storage.

1.6.2. Team synchronization configuration field

The following configuration field has been added for the team synchronization via OIDC feature:

  • PREFERRED_GROUP_CLAIM_NAME: The key name within the OIDC token payload that holds information about the user’s group memberships.

1.7. New API endpoints

The following API endpoints have been added to Red Hat Quay 3:

1.7.1. Repository auto-pruning policy endpoints

The repository auto-pruning policy feature introduces the following API endpoint:

  • */api/v1/repository/<organization_name>/<repository_name>/autoprunepolicy/

    This API endpoint can be used with POST, GET, and DELETE calls to create, see, and delete auto-pruning policies on a repository, respectively.

  • */api/v1/repository/<user_account>/<user_repository>/autoprunepolicy/

    This API endpoint can be used with POST, GET, and DELETE calls to create, see, and delete auto-pruning policies on a repository for specific users in your organization. Note that you must have admin privileges on the repository that you are creating the policy for when using these commands.

1.8. Red Hat Quay 3.11 known issues and limitations

The following sections note known issues and limitations for Red Hat Quay 3.

1.8.1. Red Hat Quay OIDC team synchronization known issues

1.8.1.1. Unable to set user passwords via the User Settings page

There is a known issue when Red Hat Quay uses OIDC as the authentication type with Microsoft Entra ID (previously Azure Active Directory).

After logging in to Red Hat Quay, users are unable to set a password via the User Settings page. This is necessary for authentication when using Docker/Podman CLI to perform image push or pull operations to the registry.

As a workaround, you can use Docker CLI and App Token as credentials when authenticating via OIDC. These tokens, alongside robot tokens, serve as an alternative to passwords and are considered the prescribed method for providing access to Red Hat Quay when authenticating via OIDC.

For more information, see PROJQUAY-6754.

1.8.1.2. Unable to sync change when OIDC user is removed from OIDC

Currently, when an OIDC user is removed from their OIDC provider, the user is not removed from the team on Red Hat Quay. Consequently, they are still able to use the robot account token and app token to push and pull images from the registry. The expected behavior is that, when removed from the OIDC group, they, and their related tokens, should be removed from Red Hat Quay. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6842)

1.8.1.3. Object ID must be used when OIDC provider is Microsoft Entra ID

When using Microsoft Entra ID as your OIDC provider, Red Hat Quay administrators must input the Object ID of the OIDC group instead of the group name. The v2 UI does not currently alert users that Microsoft Entra ID users must input the Object ID of the OIDC group. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6917)
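Until PROJQUAY-6842 is fixed, team membership can be reconciled against the OIDC provider out of band. The following is an added example, not Red Hat Quay code: it reads the group claim from ID token payloads and lists team members who no longer belong to the synced group. The claim name `groups`, the member record shape, the per-user token store, and all sample values are assumptions constructed for illustration.

```python
import base64
import json

CLAIM_NAME = "groups"  # assumed value of PREFERRED_GROUP_CLAIM_NAME
# Constructed Entra ID group Object ID (the identifier Quay expects, not the group name).
SYNCED_GROUP = "00000000-0000-0000-0000-0000000000aa"


def make_token(claims):
    """Build an unsigned, constructed ID token for the sample data below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


def decode_claims(id_token):
    """Read the payload of an ID token. No signature check: audit use only,
    on tokens the relying party has already validated."""
    try:
        payload = id_token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError):
        return {}
    return claims if isinstance(claims, dict) else {}


def groups_in(claims, claim_name):
    """Normalise the group claim, which may be a list or a single string."""
    value = claims.get(claim_name, [])
    if isinstance(value, str):
        value = [value]
    return {str(g) for g in value} if isinstance(value, list) else set()


def stale_members(team_members, tokens_by_user, claim_name, synced_group):
    """Return (username, reason) for team members who should have lost access."""
    stale = []
    for member in team_members:
        if member.get("is_robot"):
            continue  # robots are not OIDC identities; review them separately
        token = tokens_by_user.get(member["name"])
        if token is None:
            stale.append((member["name"], "absent from OIDC provider"))
        elif synced_group not in groups_in(decode_claims(token), claim_name):
            stale.append((member["name"], "not in synced group"))
    return stale


# Constructed sample data: team membership as exported from the registry,
# and the most recent ID token seen per user.
TEAM = [
    {"name": "alice", "is_robot": False},
    {"name": "bob", "is_robot": False},
    {"name": "carol", "is_robot": False},
    {"name": "exampleorg+ci", "is_robot": True},
]
TOKENS = {
    "alice": make_token({"sub": "alice", "groups": [SYNCED_GROUP]}),
    "bob": make_token({"sub": "bob", "groups": ["00000000-0000-0000-0000-0000000000bb"]}),
}

if __name__ == "__main__":
    for user, reason in stale_members(TEAM, TOKENS, CLAIM_NAME, SYNCED_GROUP):
        print(f"{user}: {reason}; revoke app tokens and remove from team")
```

Members flagged by the audit still hold working app tokens, so revoke those tokens as well as removing the user from the team.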

1.8.2. STS S3 storage known issue

When using Amazon Web Services (AWS) Security Token Service (STS) with proxy storage enabled, users are unable to pull images and the following error is returned: Error: copying system image from manifest list: parsing image configuration: fetching blob: received unexpected HTTP status: 502 Bad Gateway. This is a known issue and will be fixed in a future version of Red Hat Quay.

1.8.3. Upgrading Red Hat Quay on OpenShift Container Platform 3.8 directly to 3.11 limitation

Upgrading Red Hat Quay on OpenShift Container Platform from 3.8 to 3.11 does not work. Users must upgrade Red Hat Quay on OpenShift Container Platform from 3.8 to 3.9 or 3.10, and then proceed with the upgrade to 3.11.

For more information, see Upgrade Red Hat Quay.

1.8.4. Configurable resource request limitation

Attempting to set resource limitations for the Quay pod too low results in the pod being unable to boot up with the following statuses returned: OOMKILLED and CrashLoopBackOff. Resource limitations can not be set lower than the minimum requirement, which can be found on the Configuring resources for managed components on OpenShift Container Platform page.

1.8.5. Red Hat Quay v2 UI known issues

The Red Hat Quay team is aware of the following known issues on the v2 UI:

  • PROJQUAY-6910. The new UI can’t group and stack the chart on usage logs
  • PROJQUAY-6909. The new UI can’t toggle the visibility of the chart on usage log
  • PROJQUAY-6904. "Permanently delete" tag should not be restored on new UI
  • PROJQUAY-6899. The normal user can not delete organization in new UI when enable FEATURE_SUPERUSERS_FULL_ACCESS
  • PROJQUAY-6892. The new UI should not invoke not required stripe and status page
  • PROJQUAY-6884. The new UI should show the tip of slack Webhook URL when creating slack notification
  • PROJQUAY-6882. The new UI global readonly super user can’t see all organizations and image repos
  • PROJQUAY-6881. The new UI can’t show all operation types in the logs chart
  • PROJQUAY-6861. The new UI "Last Modified" of organization always show N/A after target organization’s setting is updated
  • PROJQUAY-6860. The new UI update the time machine configuration of organization show NULL in usage logs
  • PROJQUAY-6859. The new UI remove image repo permission show "undefined" for organization name in audit logs
  • PROJQUAY-6854. "Device-based theme" doesn’t work as design in Firefox
  • PROJQUAY-6852. "Tag manifest with the branch or tag name" option in build trigger setup wizard should be checked by default.
  • PROJQUAY-6832. The new UI should validate the OIDC group name when enable OIDC Directory Sync
  • PROJQUAY-6831. The new UI should not show invited tab when the team is configured sync from OIDC group
  • PROJQUAY-6830. The new UI should show the sync icon when the team is configured sync team members from OIDC Group
  • PROJQUAY-6829. The new UI team member added to team sync from OIDC group should be audited in Organization logs page
  • PROJQUAY-6825. Build cancel operation log can not be displayed correctly in new UI
  • PROJQUAY-6812. The new UI the "performer by" is NULL of build image in logs page
  • PROJQUAY-6810. The new UI should highlight the tag name with tag icon in logs page
  • PROJQUAY-6808. The new UI can’t click the robot account to show credentials in logs page
  • PROJQUAY-6807. The new UI can’t see the operations types in log page when quay is in dark mode
  • PROJQUAY-6770. The new UI build image by uploading Docker file should support .tar.gz or .zip
  • PROJQUAY-6769. The new UI should not display message "Trigger setup has already been completed" after build trigger setup completed
  • PROJQUAY-6768. The new UI can’t navigate back to current image repo from image build
  • PROJQUAY-6767. The new UI can’t download build logs
  • PROJQUAY-6758. The new UI should display correct operation number when hover over different operation type
  • PROJQUAY-6757. The new UI usage log should display the tag expiration time as date format

1.8.5.1. Red Hat Quay v2 UI dark mode known issue

If you are using the automatic mode selection, which chooses between light or dark modes depending on the user’s browser preference, your operating system appearance is overridden by the browser website appearance setting. If you find that the device-based theme is not working as expected, check your browser appearance setting. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6903)

1.9. Notable technical changes

The following technical changes have been made to Red Hat Quay in 3.11.

1.9.1. Removal of support for PgBouncer

Red Hat Quay 3.11 does not support PgBouncer.

1.9.2. IBM Power, IBM Z, and IBM® LinuxONE support matrix changes

Support has changed for some IBM Power, IBM Z, and IBM® LinuxONE features. For more information, see the "IBM Power, IBM Z, and IBM® LinuxONE support matrix" table.

1.10. Red Hat Quay bug fixes

The following issues were fixed with Red Hat Quay 3.11:

  • PROJQUAY-6586. Big layer upload fails on Ceph/RADOS driver.
  • PROJQUAY-6648. Application token Docker/Podman login command fails on windows.
  • PROJQUAY-6673. Apply IGNORE_UNKNOWN_MEDIATYPE to child manifests in manifest lists.
  • PROJQUAY-6619. Duplicate scrollbars in various UI screens.
  • PROJQUAY-6235. mirror and readonly repositories should not be pruned.
  • PROJQUAY-6243. Unable to edit repository description on Quay.io.
  • PROJQUAY-5793. Next page button in tags view does not work correctly when the repo contains manifests and manifests lists.
  • PROJQUAY-6442. new ui: Breadcrumb for teams page.
  • PROJQUAY-6247. [New UI] Menu item naming convention doesn’t follow "First Letter Capital" style.
  • PROJQUAY-6261. Throw Robot Account exist error when entering existing robot account.
  • PROJQUAY-6577. Quay operator does not render proper Clair config.yaml if customization is applied.
  • PROJQUAY-6699. Broken links in Red Hat Quay operator description.
  • PROJQUAY-6841. Unable to upload dockerfile for build with 405.

1.11. Red Hat Quay feature tracker

New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 1.1. New features tracker

| Feature | Quay 3.11 | Quay 3.10 | Quay 3.9 |
|---|---|---|---|
| Team synchronization for Red Hat Quay OIDC deployments | General Availability | - | - |
| Configuring resources for managed components on OpenShift Container Platform | General Availability | - | - |
| Configuring AWS STS for Red Hat Quay, Configuring AWS STS for Red Hat Quay on OpenShift Container Platform | General Availability | - | - |
| Red Hat Quay repository auto-pruning | General Availability | - | - |
| Configuring dark mode on the Red Hat Quay v2 UI | General Availability | - | - |
| Disabling robot accounts | General Availability | General Availability | - |
| Red Hat Quay namespace auto-pruning | General Availability | General Availability | - |
| Single site geo-replication removal | General Availability | General Availability | General Availability |
| Splunk log forwarding | General Availability | General Availability | General Availability |
| Nutanix Object Storage | General Availability | General Availability | General Availability |
| FEATURE_UI_V2 | Technology Preview | Technology Preview | Technology Preview |
| Java scanning with Clair | Technology Preview | Technology Preview | Technology Preview |

1.11.1. IBM Power, IBM Z, and IBM® LinuxONE support matrix

Table 1.2. List of supported and unsupported features

| Feature | IBM Power | IBM Z and IBM® LinuxONE |
|---|---|---|
| Allow team synchronization via OIDC on Azure | Not Supported | Not Supported |
| Backing up and restoring on a standalone deployment | Supported | Supported |
| Geo-Replication (Standalone) | Not Supported | Supported |
| Geo-Replication (Operator) | Not Supported | Not Supported |
| IPv6 | Not Supported | Not Supported |
| Migrating a standalone to operator deployment | Supported | Supported |
| Mirror registry | Not Supported | Not Supported |
| PostgreSQL connection pooling via pgBouncer | Supported | Supported |
| Quay config editor - mirror, OIDC | Supported | Supported |
| Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise | Not Supported | Not Supported |
| Quay config editor - Red Hat Quay V2 User Interface | Supported | Supported |
| Repo Mirroring | Supported | Supported |

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.