Red Hat Quay Release Notes

Red Hat Quay 3

Red Hat Quay

Red Hat OpenShift Documentation Team

Abstract

Red Hat Quay Release Notes

Preface

Red Hat Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Red Hat Quay includes the following features and benefits:

  • Granular security management
  • Fast and robust at any scale
  • High velocity CI/CD
  • Automated installation and upates
  • Enterprise authentication and team-based access control
  • OpenShift Container Platform integration

Red Hat Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Red Hat Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Red Hat Quay.

Important

Red Hat Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Red Hat Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Red Hat Quay. Database schema upgrades are not considered backwards compatible.

Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to rollback your Red Hat Quay deployment must be made in conjunction with the Red Hat Quay support and development teams. For more information, contact Red Hat Quay support.

Documentation for Red Hat Quay is versioned with each release. The latest Red Hat Quay documentation is available from the Red Hat Quay Documentation page. Currently, version 3 is the latest major version.

Note

Prior to version 2.9.2, Red Hat Quay was called Quay Enterprise. Documentation for 2.9.2 and prior versions are archived on the Product Documentation for Red Hat Quay 2.9 page.

Chapter 1. Red Hat Quay release notes

The following sections detail y and z stream release information.

1.1. RHBA-2024:1475 - Red Hat Quay 3.11.0 release

Issued 2024-04-02

Red Hat Quay release 3 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2024:1475 advisory. For the most recent compatibility matrix, see Quay Enterprise 3.x Tested Integrations.

1.2. Red Hat Quay release cadence

With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.

For more information, see the Red Hat Quay Life Cycle Policy.

1.3. Red Hat Quay documentation changes

The Red Hat Quay configuration tool has been deprecated since version 3.10. With this release, references and procedures that use the configuration tool have been, or will be, removed. These procedures will remain in older versions of Red Hat Quay.

1.4. Red Hat Quay new features and enhancements

The following updates have been made to Red Hat Quay.

1.4.1. Support for AWS STS on Red Hat Quay

Support for Amazon Web Services (AWS) Security Token Service (STS) is now offered for Red Hat Quay. AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized. This feature is also available for OpenShift Container Platform deployments.

For more information about configuring AWS STS for standalone Red Hat Quay deployments, see Configuring AWS STS for Red Hat Quay

1.4.2. Red Hat Quay auto-pruning enhancements

With the release of Red Hat Quay 3.10, a new auto-pruning feature was released. With that feature, Red Hat Quay administrators could set up auto-pruning policies on namespaces for both users and organizations.

With this release, auto-pruning policies can now be set up on specified repositories. This feature allows for image tags to be automatically deleted within a repository based on specified criteria. Additionally, Red Hat Quay administrators can set auto-pruning policies on repositories that they have admin privileges for.

For more information, see Red Hat Quay auto-pruning overview.

1.4.3. Red Hat Quay v2 UI enhancements

In Red Hat Quay 3.8, a new UI was introduced as a technology preview feature. With Red Hat Quay 3.11, the following enhancements have been made to the v2 UI.

1.4.3.1. Red Hat Quay v2 UI usage logs

Red Hat Quay 3.11 adds functionality for usage logs when using the v2 UI. Usage logs provide the following information about your Red Hat Quay deployment:

  • Monitoring of team activities. Allows administrators to view team activities, such as team creation, membership changes, and role assignments.
  • Auditing of tag history actions. Allows security auditors to audit tag history actions, including tag creations, updates, and deletions.
  • Tracking of repository label changes. Allows repository owners to track changes to labels, including additions, modifications, and removals.
  • Monitoring of expiration settings. Allows engineers to monitor actions related to tag expiration settings, such as setting expiration dates or disabling expiration for specific tags.

Logs can be exported to an email address or to a callback URL, and are available at the Organization, repository, and namespace levels.

For more information, see Viewing usage logs on the Red Hat Quay v2 UI.

1.4.3.2. Red Hat Quay v2 UI dark mode

Red Hat Quay 3.11 offers users the ability to switch between light and dark modes when using the v2 UI. This feature also includes an automatic mode selection, which chooses between light or dark modes depending on the user’s browser preference.

For more information, see Selecting color theme preference on the Red Hat Quay v2 UI.

1.4.3.3. Builds support on Red Hat Quay v2 UI

Red Hat Quay Builds are now supported when using the v2 UI. This feature must be enabled prior to building container images by setting FEATURE_BUILD_SUPPORT: true in your config.yaml file.

For more information, see Creating a new build.

1.4.3.4. Auto-pruning repositories v2 UI

Red Hat Quay 3.11 offers users the ability to create auto-pruning policies using the v2 UI.

For more information, see Red Hat Quay auto-pruning overview.

1.4.4. Team synchronization support via Red Hat Quay OIDC

This release allows administrators to leverage an OpenID Connect (OIDC) identity provider to synchronization team, or group, settings, so long as their OIDC provider supports the retrieval of group information from ID token or the /userinfo endpoint. Administrators can easily apply repository permissions to sets of users without having to manually create and sync group definitions between Red Hat Quay and the OIDC group, which is not scalable.

For more information, see Team synchronization for Red Hat Quay OIDC deployments

1.5. Red Hat Quay Operator updates

The following updates have been made to the Red Hat Quay Operator:

1.5.1. Configurable resource requests for Red Hat Quay on OpenShift Container Platform managed components

With this release, users can manually adjust the resource requests on Red Hat Quay on OpenShift Container Platform for the following components that have pods running:

  • quay
  • clair
  • mirroring
  • clairpostgres
  • postgres

This feature allows users to run smaller test clusters, or to request more resources upfront in order to avoid partially degraded Quay pods.

For more information, see Configuring resources for managed components on OpenShift Container Platform

1.5.2. Support for AWS STS on Red Hat Quay on OpenShift Container Platform

Support for Amazon Web Services (AWS) Security Token Service (STS) is now offered for Red Hat Quay deployments on OpenShift Container Platform. AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.

For more information about AWS STS for Red Hat Quay on OpenShift Container Platform, see Configuring AWS STS for Red Hat Quay on OpenShift Container Platform

1.6. New Red Hat Quay configuration fields

The following configuration fields have been added to Red Hat Quay 3.

1.6.1. Configuration fields for AWS S3 STS deployments

The following configuration fields have been added when configuring AWS STS for Red Hat Quay. These fields are used when configuring AWS S3 storage for your deployment.

  • .sts_role_arn. The unique Amazon Resource Name (ARN) required when configuring AWS STS for Red Hat Quay.
  • .sts_user_access_key. The generated AWS S3 user access key required when configuring AWS STS for Red Hat Quay.
  • .sts_user_secret_key. The generated AWS S3 user secret key required when configuring AWS STS for Red Hat Quay.

For more information, see AWS STS S3 storage.

1.6.2. Team synchronization configuration field

The following configuration field has been added for the team synchronization via OIDC feature:

  • PREFERRED_GROUP_CLAIM_NAME: The key name within the OIDC token payload that holds information about the user’s group memberships.

1.7. New API endpoints

The following API endpoints have been added to Red Hat Quay 3:

1.7.1. Repository auto-pruning policy endpoints:

The repository auto-pruning policy feature introduces the following API endpoint:

  • */api/v1/repository/<organization_or_user_name>/<repository_name>/autoprunepolicy/

    This API endpoint can be used with POST, GET, and DELETE calls to create, see, and delete auto-pruning policies on a repository for specific users in your organization. Note that you must have admin privileges on the repository that you are creating the policy for when using these commands.

1.8. Red Hat Quay 3.11 known issues and limitations

The following sections note known issues and limitations for Red Hat Quay 3.

1.8.1. Red Hat Quay OIDC team synchronization known issues

1.8.1.1. Unable to set user passwords via the User Settings page

There is a known issue when Red Hat Quay uses OIDC as the authentication type with Microsoft Entra ID (previously Azure Active Directory).

After logging in to Red Hat Quay, users are unable to set a password via the User Settings page. This is necessary for authentication when using Docker/Podman CLI to perform image push or pull operations to the registry.

As a workaround, you can use Docker CLI and App Token as credentials when authenticating via OIDC. These tokens, alongside robot tokens, serve as an alternative to passwords and are considered the prescribed method for providing access to Red Hat Quay when authenticating via OIDC.

For more information, see PROJQUAY-6754.

1.8.1.2. Unable to sync change when OIDC user is removed from OIDC

Currently, when an OIDC user is removed from their OIDC provider, the user is not removed from the team on Red Hat Quay. They are still able to use the robot account token and app token to push and pull images from the registry. This is the expected behavior, however this behavior will be changed in a future version of Red Hat Quay. (PROJQUAY-6842)

1.8.1.3. Object ID must be used when OIDC provider is Microsoft Entra ID

When using Microsoft Entra ID as your OIDC provider, Red Hat Quay administrators must input the Object ID of the OIDC group instead of the group name. The v2 UI does not currently alert users that Microsoft Entra ID users must input the Object ID of the OIDC group. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6917)

1.8.2. STS S3 storage known issue

When using Amazon Web Services (AWS) Security Token Service (STS) with proxy storage enabled, users are unable to pull images and the following error is returned: Error: copying system image from manifest list: parsing image configuration: fetching blob: received unexpected HTTP status: 502 Bad Gateway. This is a known issue and will be fixed in a future version of Red Hat Quay.

1.8.3. Upgrading Red Hat Quay on OpenShift Container Platform 3.8 directly to 3.11 limitation

Upgrading Red Hat Quay on OpenShift Container Platform from 3.8 to 3.11 does not work. Users must upgrade from Red Hat Quay on OpenShift Container Platform from 3.8 to 3.9 or 3.10, and then proceed with the upgrade to 3.11.

For more information, see Upgrade Red Hat Quay.

1.8.4. Configurable resource request limitation

Attempting to set resource limitations for the Quay pod too low results in the pod being unable to boot up with the following statuses returned: OOMKILLED and CrashLoopBackOff. Resource limitations can not be set lower than the minimum requirement, which can be found on the Configuring resources for managed components on OpenShift Container Platform page.

1.8.5. Red Hat Quay v2 UI known issues

The Red Hat Quay team is aware of the following known issues on the v2 UI:

  • PROJQUAY-6910. The new UI can’t group and stack the chart on usage logs
  • PROJQUAY-6909. The new UI can’t toggle the visibility of the chart on usage log
  • PROJQUAY-6904. "Permanently delete" tag should not be restored on new UI
  • PROJQUAY-6899. The normal user can not delete organization in new UI when enable FEATURE_SUPERUSERS_FULL_ACCESS
  • PROJQUAY-6892. The new UI should not invoke not required stripe and status page
  • PROJQUAY-6884. The new UI should show the tip of slack Webhook URL when creating slack notification
  • PROJQUAY-6882. The new UI global readonly super user can’t see all organizations and image repos
  • PROJQUAY-6881. The new UI can’t show all operation types in the logs chart
  • PROJQUAY-6861. The new UI "Last Modified" of organization always show N/A after target organization’s setting is updated
  • PROJQUAY-6860. The new UI update the time machine configuration of organization show NULL in usage logs
  • PROJQUAY-6859. Thenew UI remove image repo permission show "undefined" for organization name in audit logs
  • PROJQUAY-6854. "Device-based theme" doesn’t work as design in Firefox
  • PROJQUAY-6852. "Tag manifest with the branch or tag name" option in build trigger setup wizard should be checked by default.
  • PROJQUAY-6832. The new UI should validate the OIDC group name when enable OIDC Directory Sync
  • PROJQUAY-6831. The new UI should not show invited tab when the team is configured sync from OIDC group
  • PROJQUAY-6830. The new UI should show the sync icon when the team is configured sync team members from OIDC Group
  • PROJQUAY-6829. The new UI team member added to team sync from OIDC group should be audited in Organization logs page
  • PROJQUAY-6825. Build cancel operation log can not be displayed correctly in new UI
  • PROJQUAY-6812. The new UI the "performer by" is NULL of build image in logs page
  • PROJQUAY-6810. The new UI should highlight the tag name with tag icon in logs page
  • PROJQUAY-6808. The new UI can’t click the robot account to show credentials in logs page
  • PROJQUAY-6807. The new UI can’t see the operations types in log page when quay is in dark mode
  • PROJQUAY-6770. The new UI build image by uploading Docker file should support .tar.gz or .zip
  • PROJQUAY-6769. The new UI should not display message "Trigger setup has already been completed" after build trigger setup completed
  • PROJQUAY-6768. The new UI can’t navigate back to current image repo from image build
  • PROJQUAY-6767. The new UI can’t download build logs
  • PROJQUAY-6758. The new UI should display correct operation number when hover over different operation type
  • PROJQUAY-6757. The new UI usage log should display the tag expiration time as date format

1.8.5.1. Red Hat Quay v2 UI dark mode known issue

If you are using the the automatic mode selection, which chooses between light or dark modes depending on the user’s browser preference, your operating system appearance is overridden by the browser website appearance setting. If you find that the device-based theme is not working as expect, check your browser appearance setting. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6903)

1.9. Notable technical changes

The following technical changes have been made to Red Hat Quay in 3.11.

1.9.1. Removal of support for PgBouncer

Red Hat Quay 3.11 does not support PgBouncer.

1.9.2. IBM Power, IBM Z, and IBM® LinuxONE support matrix changes

Support has changed for some IBM Power, IBM Z, and IBM® LinuxONE features. For more information, see the "IBM Power, IBM Z, and IBM® LinuxONE support matrix" table.

1.10. Red Hat Quay bug fixes

The following issues were fixed with Red Hat Quay 3.11:

  • PROJQUAY-6586. Big layer upload fails on Ceph/RADOS driver.
  • PROJQUAY-6648. Application token Docker/Podman login command fails on windows.
  • PROJQUAY-6673. Apply IGNORE_UNKNOWN_MEDIATYPE to child manifests in manifest lists.
  • PROJQUAY-6619. Duplicate scrollbars in various UI screens.
  • PROJQUAY-6235. mirror and readonly repositories should not be pruned.
  • PROJQUAY-6243. Unable to edit repository description on Quay.io.
  • PROJQUAY-5793. Next page button in tags view does not work correctly when the repo contains manifests and manifests lists.
  • PROJQUAY-6442. new ui: Breadcrumb for teams page.
  • PROJQUAY-6247. [New UI] Menu item naming convention doesn’t follow "First Letter Capital" style.
  • PROJQUAY-6261. Throw Robot Account exist error when entering existing robot account.
  • PROJQUAY-6577. Quay operator does not render proper Clair config.yaml if customization is applied.
  • PROJQUAY-6699. Broken links in Red hat Quay operator description.
  • PROJQUAY-6841. Unable to upload dockerfile for build with 405.

1.11. Red Hat Quay feature tracker

New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 1.1. New features tracker

FeatureQuay 3.11Quay 3.10Quay 3.9

Team synchronization for Red Hat Quay OIDC deployments

General Availability

-

-

Configuring resources for managed components on OpenShift Container Platform

General Availability

-

-

Configuring AWS STS for Red Hat Quay, Configuring AWS STS for Red Hat Quay on OpenShift Container Platform

General Availability

-

-

Red Hat Quay repository auto-pruning

General Availability

-

-

Configuring dark mode on the Red Hat Quay v2 UI

General Availability

-

-

Disabling robot accounts

General Availability

General Availability

-

Red Hat Quay namespace auto-pruning

General Availability

General Availability

-

Single site geo-replication removal

General Availability

General Availability

General Availability

Splunk log forwarding

General Availability

General Availability

General Availability

Nutanix Object Storage

General Availability

General Availability

General Availability

FEATURE_UI_V2

Technology Preview

Technology Preview

Technology Preview

Java scanning with Clair

Technology Preview

Technology Preview

Technology Preview

1.11.1. IBM Power, IBM Z, and IBM® LinuxONE support matrix

Table 1.2. list of supported and unsupported features

FeatureIBM PowerIBM Z and IBM® LinuxONE

Allow team synchronization via OIDC on Azure

Not Supported

Not Supported

Backing up and restoring on a standalone deployment

Supported

Supported

Geo-Replication (Standalone)

Not Supported

Supported

Geo-Replication (Operator)

Not Supported

Not Supported

IPv6

Not Supported

Not Supported

Migrating a standalone to operator deployment

Supported

Supported

Mirror registry

Not Supported

Not Supported

PostgreSQL connection pooling via pgBouncer

Supported

Supported

Quay config editor - mirror, OIDC

Supported

Supported

Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise

Not Supported

Not Supported

Quay config editor - Red Hat Quay V2 User Interface

Supported

Supported

Repo Mirroring

Supported

Supported

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.