Project Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Project Quay includes the following features and benefits:

  • Granular security management

  • Fast and robust at any scale

  • High velocity CI/CD

  • Automated installation and updates

  • Enterprise authentication and team-based access control

  • OpenShift Container Platform integration

Project Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Project Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Project Quay.

Important

Project Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, {producty-n1}.2 → {producty-n1}.1. Rolling back to previous y-stream versions (3.16 → {producty-n1}) is not supported. This is because Project Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Project Quay. Database schema upgrades are not considered backwards compatible.

Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to rollback your Project Quay deployment must be made in conjunction with the Project Quay support and development teams. For more information, contact Project Quay support.

Project Quay release notes

The following sections detail y and z stream release information.

RHBA-2025:xxxx - Project Quay 3.16.0 release

Issued 2025-12-09

Project Quay release 3.16 is now available with Clair 4.8. The bug fixes that are included in the update are listed in the RHBA-2025:xxxx advisory. For the most recent compatibility matrix, see Quay Enterprise 3.x Tested Integrations. For information on the release cadence of Project Quay, see the Project Quay Life Cycle Policy.

Project Quay documentation changes

The following documentation changes have been made with the Project Quay 3.16 release:

The Deploying Project Quay on OpenShift Container Platform documentation has been refactored. This book is now organized as follows:

  • Introduction to the Project Quay Operator

  • Installing the Project Quay Operator from the OperatorHub

  • Deploying the Project Quay registry

  • Creating the first user

  • Modifying the QuayRegistry CR after deployment

  • Enabling features after deployment

  • Deploying Project Quay on infrastructure nodes

  • Advanced configuration

  • Troubleshooting

This refactor streamlines the process of deploying a registry before introducing more advanced topics.

Project Quay new features and enhancements

The following updates have been made to Project Quay.

Project Quay default UI

With this release, the v2, React-based UI is now the default UI. Procedures throughout this documentation have been updated to reflect these changes.

Image pull activity tracking

Previously, determining whether an image tag was safe to delete was difficult because usage data was not easily accessible. Although pull events were recorded in audit logs, analyzing that information was often inefficient or impractical.

With this release, Project Quay introduces image pull activity tracking in the v2 UI. This feature provides clear visibility into how often and when image tags are pulled, giving users valuable insight into image usage and popularity across repositories. It can be enabled by setting FEATURE_IMAGE_PULL_STATS: true in your config.yaml file.

For more information, see Managing auto-pruning policies using the Project Quay UI.

v2 UI Superuser panel

With this update, a new Superuser panel is available on the Project Quay v2 UI. When you are logged in to the v2 UI as a superuser, this panel is available in the navigation pane.

The following information can be viewed from the Superuser panel:

  • Service keys

  • Change log

  • Usage logs

  • Messages

  • Build logs

This panel is nearly equivalent to the Superuser Admin Panel on the v1 UI with one exception: Project Quay superusers now create new users from the Organizations page of the v2 UI.

Proof Key for Code Exchange support for OIDC authentication

Previously, Project Quay could not authenticate with Proof Key for Code Exchange (PKCE) providers, such as Azure AD or Okta. This led to a loss of service for affected customers.

With this release, PKCE is now supported for OpenID Connect (OIDC) authentication. Project Quay administrators can enable PKCE on a per-OIDC provider basis in their config.yaml file.

For more information, see Configuring OIDC for Project Quay.

Global read-only superuser enhancements

With this release, global read-only superusers that are configured through the GLOBAL_READONLY_SUPER_USERS field can now view the following information within the registry:

  • All Project Quay API v1 resources

  • All Project Quay API v2 resources

  • Layers, CVEs, and pull statistics

  • All actions on tenant content

  • All organization settings, such as storage quota or pull-through proxy cache states

  • All information under the Superuser panel on the v2 UI

Red Hat Quay on OpenShift Container Platform new features and enhancements

The following updates have been made to Red Hat Quay on OpenShift Container Platform.

Support for optional storage class customization

This update provides the option to specify a custom storageClassName for the managed Postgres and ClairPostgres Persistent Volume Claims (PVCs). It also enhances the Operator’s resilience by adding dedicated PVC health monitoring and event tracking, ensuring faster detection and reporting of storage provisioning failures. Lastly, it streamlines internal component health checks for improved maintainability.

The following example YAML shows you how to set the storageClassName field in your QuayRegistry CR:

# ...
    - kind: postgres
      managed: true
      overrides:
        storageClassName: "local-path"
# ...
    - kind: clairpostgres
      managed: true
      overrides:
        storageClassName: "local-path"
# ...
Important

The storageClassName field is immutable for a bound PersistentVolumeClaim (PVC). You must define the custom storage class during the initial installation of the component. Changing this value after the component has been created causes the Operator’s reconciliation to fail.

For more information about configuring resource requests for the QuayRegistry CR, see Configuring QuayRegistry CR resources.

Project Quay configuration fields updates and changes

The following configuration fields have been added to Project Quay 3.16.

Image pull statistics API endpoints

The following configuration options have been added to track image activities. When enabled, clear visibility into how often and when image tags are pulled are provided in the UI.

Table 1. Image activity configuration fields
Field Type Description

FEATURE_IMAGE_PULL_STATS

Boolean

Whether to track and display image pull statistics.

Default: False

REDIS_FLUSH_INTERVAL_SECONDS

Integer

Interval, in seconds, at which the Redis flush worker clears old data. Shorter intervals keep data fresher and help prevent Redis from bloating, while longer intervals reduce flush frequency.

Default: 300 (5 minutes)

PULL_METRICS_REDIS

Object

Connection settings for the Redis database used to store image pull metrics. The host field specifies the Redis server hostname, and the optional db field identifies the Redis database index to use.

Default: {"host": "<redis_host>", "password": "<redis_password>", "port": "<port>", "db": 1}
Splunk HEC timeout configuration field

A new parameter, timeout, has been added to the splunk_config object for when you configure Splunk HTTP Event Collector (HEC) for Project Quay

Table 2. Splunk HEC timeout configuration field
Field Type Description

.timeout

Integer

Timeout in seconds for HTTP requests to Splunk HEC endpoint. Prevents requests from hanging indefinitely when Splunk is unresponsive.

For more information, see Configuring action log storage for Splunk.

Disabling the Project Quay legacy UI completely

The Project Quay v2 UI is now the default UI. Users can toggle between the v1/legacy UI and the v2 UI by clicking their username and the Legacy UI / Current UI toggle when FEATURE_UI_V2: true is set in their config.yaml file.

The following configuration fields are available to completely disable the legacy UI, or to set it as the default UI. However, users and administrators should remain aware that the v1 legacy UI is deprecated and planned for removal in a future version of Project Quay.

Table 3. UI fields
Field Type Description

DISABLE_ANGULAR_UI

Boolean

Disable legacy Angular UI pages and redirects. Defaults to False.

DEFAULT_UI

String

Allows Project Quay administrators the option to set the default UI to the angular theme (legacy) or react theme (v2 UI).
Enabling PKCE for OIDC authentication

With this release, Proof Key for Code Exchange (PKCE) is now supported for OpenID Connect (OIDC) authentication. Project Quay administrators can enable PKCE with the following configuration fields.

Table 4. PKCE configuration fields
Field Type Description

USE_PKCE

Boolean

Whether to enable support for Proof Key for Code Exchange. Defaults to False.

PKCE_METHOD

Integer

The code challenge method used to generate the code_challenge sent in the initial authorization request. Defaults to S256.

PUBLIC_CLIENT

Boolean

Whether to omit client_secret during token request when the client is public. Defaults to False.

For more information, see Configuring OIDC for Project Quay.

API endpoint enhancements

The following API endpoints were added in Project Quay 3.16.

Image pull statistics API endpoints

New tag API parameters, getTagPullStatistics and getManifestPullStatistics, have been added to the Project Quay API. With these fields, users can return image pull statistics for tags and manifests. Statistics include the last date that the tag or manifest was pulled, and how many times the tag or manifest has been pulled.

Name

Description

Schema

getTagPullStatistics

Retrieve pull statistics for a specific repository tag.

object

getManifestPullStatistics

Retrieve pull statistics for a specific manifest digest in a repository.

object

See Chapter 22. tag for more information, including example commands.

App token API endpoint

A new API parameter, listAllAppTokens, has been added to the Project Quay API. This endpoint enables superusers to manage and audit application-specific tokens.

Name

Description

Schema

listAllAppTokens

List all application tokens across all users in the system. Requires superuser or global read-only superuser privileges.

object

See Chapter 22. superuser for more information, including example commands.

Notable technical changes

The following section highlights notable technical changes for Project Quay 3.16.

Nginx upgrade

Nginx version 1.22 went end-of-life (EOL) in November, 2025. With this update, Nginx references have been upgraded to version 1.24.

Project Quay 3.16 deprecation notices

This section lists features, configuration options, and APIs that are deprecated in Project Quay 3.16. Deprecated functionality remains available for now but is planned for removal in a future release. You should migrate away from these features to ensure compatibility with upcoming versions.

v1 UI deprecation notice

With this release, the Project Quay v1 UI (legacy UI or angular UI) is deprecated.

Deprecation serves as an official notice that the v1 UI will be removed in a future release. Customers should begin planning their transition to the v2 UI. The exact version in which the v1 UI will be completely removed has not yet been determined, but it will be after version 3.16.

The new v2 react-based UI is now the default UI. We encourage customers to explore the updated interfaces and workflows in preparation for this transition.

Container Security Operator deprecation notice

The Container Security Operator has been deprecated and is planned for removal in a future release of Project Quay and OpenShift Container Platform. The official replacement product of the Container Security Operator is Red Hat Advanced Cluster Security for Kubernetes.

Known issues and limitations

The following sections note known issues and limitations for Project Quay 3.16.

Cannot download build logs from the v2 UI

After an image is built successfully when using the Project Quay v2 UI, users are unable to download the build logs. Attempting to click the Download button on the v2 UI results in the following error: 404 Not Found.

As a temporary work around, you can download build logs by using the v1 UI.

Project Quay bug fixes

The following issues were fixed with Project Quay 3.16:

  • PROJQUAY-6106. Before this update, Project Quay development on newer Macs was blocked due to Rehash library incompatibility with OpenSSL 3.

    With this release, Quay now supports OpenSSL 3, resolving compatibility issues on newer Macs and enabling UBI 9 development.

  • PROJQUAY-9732. Before this update, the bug occurred when configuring remote registry ghcr.io without a valid token, resulting in 401 or 403 responses. This prevented users from saving organization config for remote registry.

    With this release, the fix allows saving proxy config for ghcr.io with 401 or 403 responses. As a result, end users can now save and configure remote registry ghcr.io during organization creation.

  • PROJQUAY-9579. Before this update, the Quay new UI image tags management did not display the Cosign icon for signed images, due to a lack of the necessary behavior. As a consequence, users could not see the Cosign tag indication in the Quay new UI, affecting the visibility of signed images.

    With this release, the Quay new UI now displays the Cosign-signed tag icon, matching the behavior of the Quay Current UI. As a result, the Quay new UI correctly displays the "Signed by Cosign" icon for images.

  • PROJQUAY-9525, PROJQUAY-9461. Before this update, the Quay new UI failed to display customized registry titles on the browser tab, causing user recognition issues.

    With this release, the browser tab name in the new UI now correctly displays customized registry titles. As a result, the customized registry title is displayed correctly in the Quay new UI browser tab.

  • PROJQUAY-9272, PROJQUAY-9060. Before this update, the removal of the dropdown option for regular expression search in search fields caused the bug. As a consequence, the regular expression search option was missing from search fields, affecting user experience.

    With this release, the search field regular expression option is now functional again. As a result, search regular expression option has been restored, enabling advanced search functionality for users.

  • PROJQUAY-7538. Before this update, repository path with multiple slashes caused unpacking error in util/jinjautil.py. As a consequence, users received incomplete email notifications for repository updates with slash-separated names. With this release, email notifications for repositories with slashes have been fixed by adjusting the repository path splitting in util/jinjautil.py. As a result, email notifications for repositories with slashes are now working correctly.

Project Quay feature tracker

New features have been added to Project Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Project Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Project Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 5. Features tracker
Feature Quay 3.16 Quay 3.15 Quay 3.14

Proof Key for Code Exchange support for OIDC

General Availability

-

-

v1 UI

Deprecated

Deprecated

General Availability

Viewing model card information by using the v2 UI.

General Availability

General Availability

General Availability

FEATURE_UI_V2

General Availability

Technology Preview

Technology Preview
IBM Power, IBM Z, and IBM® LinuxONE support matrix
Table 6. list of supported and unsupported features
Feature IBM Power IBM Z and IBM® LinuxONE

Allow team synchronization via OIDC on Azure

Not Supported

Not Supported

Backing up and restoring on a standalone deployment

Supported

Supported

Clair Disconnected

Supported

Supported

Geo-Replication (Standalone)

Supported

Supported

Geo-Replication (Operator)

Supported

Not Supported

IPv6

Not Supported

Not Supported

Migrating a standalone to operator deployment

Supported

Supported

Mirror registry

Supported

Supported

Quay config editor - mirror, OIDC

Supported

Supported

Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise

Not Supported

Not Supported

Quay config editor - Red Hat Quay V2 User Interface

Supported

Supported

Quay Disconnected

Supported

Supported

Repo Mirroring

Supported

Supported