From 28304f80cd3ae418e75234b195cc71966dbfd966 Mon Sep 17 00:00:00 2001 From: Steven Smith Date: Tue, 24 Jun 2025 10:58:22 -0400 Subject: [PATCH] Adds new api config endpoint --- api_reference/master.adoc | 1 + config_quay/master.adoc | 4 ++ modules/api-superuser-configDump.adoc | 43 +++++++++++++++ modules/config-fields-user.adoc | 5 ++ modules/config-updates-315.adoc | 23 +++++++- modules/retrieving-config-api.adoc | 61 +++++++++++++++++++++ modules/rn_3_15_0.adoc | 76 ++++++++++++++++++++++++--- 7 files changed, 204 insertions(+), 9 deletions(-) create mode 100644 modules/api-superuser-configDump.adoc create mode 100644 modules/retrieving-config-api.adoc diff --git a/api_reference/master.adoc b/api_reference/master.adoc index 5d35387f3..680a6014a 100644 --- a/api_reference/master.adoc +++ b/api_reference/master.adoc @@ -207,6 +207,7 @@ include::modules/api-secscan.adoc[leveloffset=+1] include::modules/api-secscan-getRepoManifestSecurity.adoc[leveloffset=+2] //done include::modules/api-superuser.adoc[leveloffset=+1] +include::modules/api-superuser-configDump.adoc[leveloffset=+2] include::modules/api-superuser-createInstallUser.adoc[leveloffset=+2] include::modules/api-superuser-deleteInstallUser.adoc[leveloffset=+2] include::modules/api-superuser-listAllUsers.adoc[leveloffset=+2] diff --git a/config_quay/master.adoc b/config_quay/master.adoc index c73c76bb6..244a9bc8a 100644 --- a/config_quay/master.adoc +++ b/config_quay/master.adoc @@ -25,6 +25,10 @@ include::modules/operator-config-bundle-secret.adoc[leveloffset=+3] include::modules/modifying-config-bundle-secret-ui.adoc[leveloffset=+4] include::modules/operator-config-cli-download.adoc[leveloffset=+4] +//Obtaining config field by using the API +include::modules/retrieving-config-api.adoc[leveloffset=+1] + + //include::modules/config-updates-313.adoc[leveloffset=+2] //include::modules/config-updates-312.adoc[leveloffset=+2] //include::modules/config-updates-311.adoc[leveloffset=+2] 
diff --git a/modules/api-superuser-configDump.adoc b/modules/api-superuser-configDump.adoc new file mode 100644 index 000000000..010176416 --- /dev/null +++ b/modules/api-superuser-configDump.adoc @@ -0,0 +1,43 @@ += getConfigDump +Returns the full configuration dump of the Quay instance. + +[discrete] +== GET /api/v1/superuser/config + +Authorizations: oauth2_implicit (super:user) + +[discrete] +== Responses + +[options="header", width=100%, cols=".^2a,.^14a,.^4a"] +|=== +|HTTP Code|Description|Schema +|201|Successful creation| +|400|Bad Request|<<_apierror,ApiError>> +|401|Session required|<<_apierror,ApiError>> +|403|Unauthorized access|<<_apierror,ApiError>> +|404|Not found|<<_apierror,ApiError>> +|=== + +[discrete] +== Response structure + +The JSON response includes the following top-level keys: + +[cols="3a,9a,4a",options="header"] +|=== +|Name|Description|Schema +|.config|All config.yaml and defaulted parameters used by the Flask app that are part of the defined schema.|object +|.warning|Any parameters from config.yaml or defaults that are not defined in the schema.|object +|.env|All environment variables available to the Flask app.|object +|.schema|The complete config schema (CONFIG_SCHEMA) defining expected keys and types.|object +|=== + +[discrete] +== Example command + +[source,terminal] +---- +$ curl -X GET -H "Authorization: Bearer " +"https:///api/v1/superuser/config" | jq -r .config +---- \ No newline at end of file diff --git a/modules/config-fields-user.adoc b/modules/config-fields-user.adoc index 73e38b74c..df6b2a5ff 100644 --- a/modules/config-fields-user.adoc +++ b/modules/config-fields-user.adoc 
@@ -58,6 +58,10 @@ The user configuration fields define how user accounts behave in your {productna *Default:* `False` +|*FEATURE_SUPERUSER_CONFIGDUMP* |Boolean | Enables a full config dump of the running Framework, environment and schema for validation. + + + +**Default:** `false` + | **FEATURE_RESTRICTED_USERS** | Boolean | When set to `True` with `RESTRICTED_USERS_WHITELIST`: * All normal users and superusers are restricted from creating organizations or content in their own namespace unless they are allowlisted via `RESTRICTED_USERS_WHITELIST`. @@ -82,6 +86,7 @@ FEATURE_INVITE_ONLY_USER_CREATION: false FEATURE_USER_RENAME: true FEATURE_SUPERUSERS_FULL_ACCESS: true FEATURE_SUPERUSERS_ORG_CREATION_ONLY: false +FEATURE_SUPERUSER_CONFIGDUMP: true FEATURE_RESTRICTED_USERS: true RESTRICTED_USERS_WHITELIST: <1> - user1 diff --git a/modules/config-updates-315.adoc b/modules/config-updates-315.adoc index acac098dd..a1547f37e 100644 --- a/modules/config-updates-315.adoc +++ b/modules/config-updates-315.adoc 
@@ -16,8 +16,29 @@ The `SKOPEO_TIMEOUT_INTERVAL` has been added. With this configuration field, {pr **Default:** `300` |=== -.Skopeo timeout xample YAML +.Skopeo timeout example YAML [source,yaml] ---- SKOPEO_TIMEOUT_INTERVAL: 300 +---- + +[id="superuser-config-dump"] +== Superuser configDump + +The `FEATURE_SUPERUSER_CONFIGDUMP` configuration field has been added. With this field, {productname} superusers can leverage the `configDump` API field to return all Flask configuration fields that are set. This can be used to show proof of compliance for various security policies, such as PCI-DSS4.0. To use this field, superusers must be defined in the `config.yaml` file via the `SUPER_USERS` configuration field. + +.configDump configuration field +|=== +| Field | Type | Description +|*FEATURE_SUPERUSER_CONFIGDUMP* |Boolean | Enables a full config dump of the running Framework, environment and schema for validation. + + + +**Default:** `false` +|=== + +.Superuser configDump example YAML +[source,yaml] +---- +# ... +FEATURE_SUPERUSER_CONFIGDUMP: true +# ... ---- \ No newline at end of file diff --git a/modules/retrieving-config-api.adoc b/modules/retrieving-config-api.adoc new file mode 100644 index 000000000..1e1fced73 --- /dev/null +++ b/modules/retrieving-config-api.adoc 
@@ -0,0 +1,61 @@ +// Document included in the following assemblies: + +// Configuring Red hat Quay + +:_content-type: REFERENCE +[id="retrieving-config-file-api"] += Retrieving the configuration file by using the API + +The `config.yaml` file can be returned on the CLI by leveraging the `FEATURE_SUPERUSER_CONFIGDUMP` configuration field alongside the `v1/superuser/config` API endpoint. Together, {productname} superusers can return all Flask configuration fields that are set, which can be used to show proof of compliance for various security policies, such as PCI-DSS4.0. + +.Prerequisites + +* You have set `FEATURE_SUPERUSER_CONFIGDUMP: true` in your `config.yaml` file. +* You have set `BROWSER_API_CALLS_XHR_ONLY: false` in your `config.yaml` file. +* You have assigned the superuser role to a user in your `config.yaml` file. +* You have generated an OAuth 2 access token for the superuser. + +.Procedure + +* Retrieve the `config.yaml` file by using the `v1/superuser/config` API endpoint. For example: ++ +[source,terminal] +---- +$ curl -X GET -H "Authorization: Bearer " "http:///api/v1/superuser/config" | jq -r .config +---- ++ +.Example output ++ +[source,terminal] +---- +... + "TEAM_RESYNC_STALE_TIME": "30m", + "UI_DELAY_AFTER_WRITE_SECONDS": 3, + "UI_MODELCARD_ANNOTATION": {}, + "UI_MODELCARD_ARTIFACT_TYPE": "application/x-mlmodel", + "UI_MODELCARD_LAYER_ANNOTATION": { + "org.opencontainers.image.title": "README.md" + } +... +---- + +* You can pass in one of `.config`, `.env`, `.warning`, or `.schema` to return specific information. For example: ++ +[source,terminal] +---- +$ curl -X GET -H "Authorization: Bearer " "http:///api/v1/superuser/config" | jq -r .warning +---- ++ +.Example output ++ +[source,terminal] +---- +... + "BILLING_TYPE": "FakeStripe", + "BUILDLOGS_OPTIONS": [], + "BUILD_MANAGER": null, + "CDN_SPECIFIC_NAMESPACES": [], + "CHANNEL_COLORS": [ + ] +... +---- \ No newline at end of file 
diff --git a/modules/rn_3_15_0.adoc b/modules/rn_3_15_0.adoc index 797ace367..63c020ef7 100644 --- a/modules/rn_3_15_0.adoc +++ b/modules/rn_3_15_0.adoc @@ -40,9 +40,6 @@ Previously, when pulling from a proxied repository, only the layers explicitly r With this release, {productname} now caches all layers when an image is pulled from a proxied repository. This enhancement ensures that Clair can scan all images and that images remain pullable even if the upstream registry becomes unavailable. -[id="clair-enhancements"] -=== Clair enhancements - [id="new-quay-config-fields-315"] == {productname} configuration fields updates and changes @@ -51,8 +48,9 @@ The following configuration fields have been added to {productname} 3.15. [id="skopeo-timeout-configuration-field"] === Skopeo timeout interval -The `SKOPEO_TIMEOUT_INTERVAL` has been added. With this configuration field, {productname} administrators can adjust the time, in seconds, that a mirroring job runs before it times out. This field is required and defaults at `300` seconds, or 5 minutes. It cannot be set lower than `300` seconds. +The `SKOPEO_TIMEOUT_INTERVAL` configuration field has been added. With this field, {productname} administrators can adjust the time, in seconds, that a mirroring job runs before it times out. This field is required and defaults at `300` seconds, or 5 minutes. It cannot be set lower than `300` seconds. +.Skopeo timeout configuration field |=== | Field | Type | Description |*SKOPEO_TIMEOUT_INTERVAL* |Integer | Number of seconds mirroring job will run before timing out. + 
@@ -63,15 +61,40 @@ The `SKOPEO_TIMEOUT_INTERVAL` has been added. With this configuration field, {pr .Skopeo timeout example YAML [source,yaml] ---- +# ... SKOPEO_TIMEOUT_INTERVAL: 300 +# ... +---- + +For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/manage_red_hat_quay/index#repo-mirroring-in-red-hat-quay[Repository mirroring]. + +[id="superuser-config-dump"] +=== Superuser configDump + +The `FEATURE_SUPERUSER_CONFIGDUMP` configuration field has been added. With this field, {productname} superusers can leverage the `configDump` API field to return all Flask configuration fields that are set. This can be used to show proof of compliance for various security policies, such as PCI-DSS4.0. To use this field, superusers must be defined in the `config.yaml` file via the `SUPER_USERS` configuration field. + +.configDump configuration field +|=== +| Field | Type | Description +|*FEATURE_SUPERUSER_CONFIGDUMP* |Boolean | Enables a full config dump of the running Framework, environment and schema for validation. + + + +**Default:** `false` +|=== + +.Superuser configDump example YAML +[source,yaml] +---- +# ... +FEATURE_SUPERUSER_CONFIGDUMP: true +# ... ---- -For more information, see +For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/configure_red_hat_quay/index#retrieving-config-file-api[Retrieiving the configuration file by using the API]. [id="new-api-endpoints-315"] == API endpoint enhancements -No the following API endpoints were added in {productname} 3.15. +The following API endpoints were added in {productname} 3.15. [id="skopeo-timeout-api-endpoint"] === Skopeo timeout interval 
@@ -83,10 +106,47 @@ A new parameter, `SKOPEO_TIMEOUT_INTERVAL`, has been added to the `createRepoMir |*skopeo_timeout_interval* |Number of seconds mirroring job will run before timing out | Integer |=== -See the link:https://docs.redhat.com/en/documentation/red_hat_quay/3.14/html/red_hat_quay_api_reference/mirror#createrepomirrorconfig[createRepoMirrorConfig] endpoint for more information. +See the link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html/red_hat_quay_api_reference/mirror#createrepomirrorconfig[createRepoMirrorConfig] endpoint for more information. + +[id="api-v1-superuser-config"] +=== Superuser configDump + +A new superuser API parameter, `v1/superuser/config`, has been added to the {productname} API. With this field, superusers can return all Flask configuration fields that are set. This can be used to show proof of compliance for various security policies, such as PCI-DSS4.0. + +|=== +|Name|Description|Schema + +|**configDump** + +_optional_|Returns a structured JSON dump of the current configuration, including values from `config.yaml` (`.config`), default parameters (`.warning`), environment variables (`.env`), and schema (`.schema`) types. Sensitive fields are obfuscated. Useful for audit/compliance validation (e.g., PCI-DSS 4.0). |object + +|=== + +For example API commands, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/red_hat_quay_api_reference/index#superuser[Red Hat Quay API superuser commands]. + + +[id="notable-technical-changes-315"] +== Notable technical changes + +The following section highlights notable technical changes for {productname} 3.15. + +[id="model-card-disable"] +=== Model card rendering disabled by default + +In {productname} 3.14, model card rendering was made available on the v2 UI for machine learning models. This feature was enabled by default via the `FEATURE_UI_MODELCARD` parameter. + +With {productname} 3.15, this feature is now disabled by default. 
To view model cards on the v2 UI, you must set the `FEATURE_UI_MODELCARD` field to `true`. For example: + +[source,yaml] +---- +# ... +FEATURE_UI_MODELCARD: true +# ... +---- + +This change will be reverted in a future version of {productname}. [id="known-issues-and-limitations-315"] -== {productname} {producty} known issues and limitations +== Known issues and limitations The following sections note known issues and limitations for {productname} 3.15.
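
Review bot: in modules/api-superuser-configDump.adoc the Responses table lists `201 Successful creation` as the success code for `GET /api/v1/superuser/config`, which reads as copied from a create endpoint. A read-only dump should document the code the endpoint actually returns on success (presumably 200) with a matching description. The same file describes `.env` as "All environment variables available to the Flask app" with no mention of redaction, while the table added to modules/rn_3_15_0.adoc says "Sensitive fields are obfuscated". Please state in the reference which keys are obfuscated and how, because environment variables commonly hold credentials and a reader of the API page alone cannot tell what the response exposes.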
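
Review bot: in modules/config-fields-user.adoc the shared example YAML now carries `FEATURE_SUPERUSER_CONFIGDUMP: true`, next to `FEATURE_SUPERUSERS_FULL_ACCESS: true`, so anyone copying the block turns on an endpoint that returns the running configuration and environment even though the documented default is off. Suggest dropping the line from the generic example or showing it as `false`, and keeping the opt-in example in modules/retrieving-config-api.adoc only. In the table row, the description should say that the dump is served to superusers through `GET /api/v1/superuser/config`, and the default is written `false` with `**Default:**` while the neighbouring row uses `False` with `*Default:*`; pick one form.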
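
Review bot: in modules/config-updates-315.adoc the new section reuses `[id="superuser-config-dump"]`, the same ID this patch adds in modules/rn_3_15_0.adoc, so the two anchors collide if both modules are ever pulled into one assembly. Give one of them a distinct ID. The paragraph also calls the feature "the `configDump` API field"; the other files in this patch name the endpoint `v1/superuser/config` and the operation `getConfigDump`, so the sentence should refer to the endpoint. The file still ends without a trailing newline.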
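
Review bot: in modules/retrieving-config-api.adoc both curl examples send the superuser bearer token to an `http://` URL, while the example in modules/api-superuser-configDump.adoc uses `https://`. The token and the returned configuration would cross the network in clear text, so the procedure should use `https://` consistently. The prerequisite `BROWSER_API_CALLS_XHR_ONLY: false` relaxes an existing API restriction without explanation; say why the procedure needs it and whether it should be set back afterwards. The module is also typed `:_content-type: REFERENCE` although it contains `.Prerequisites` and `.Procedure`, and the header comment spells the product "Red hat Quay".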
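
Review bot: in modules/rn_3_15_0.adoc the `configDump` table row describes `.warning` as "default parameters", which contradicts modules/api-superuser-configDump.adoc, where `.warning` holds parameters "not defined in the schema" and defaulted values are part of `.config`. Align the release note with the reference. In the same section, `v1/superuser/config` is introduced as "A new superuser API parameter" and then referred to as "this field", where it is an endpoint. The link text added under the configuration fields section has a typo, "Retrieiving", and the standard is written "PCI-DSS4.0" in the prose but "PCI-DSS 4.0" in the table.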