Starts postgresql SSL procedure (quay#1127)

Co-authored-by: Steven Smith <[email protected]>

Author: stevsmit

modules/arch-intro-security.adoc

@@ -9,7 +9,7 @@
 [id="arch-tls-ssl-config"]
 == TLS/SSL configuration
 
-You can configure SSL/TLS for the {productname} registry in the configuration tool UI or in the configuration bundle. SSL/TSL connections to the database, to image storage, and to Redis can also be specified through the configuration tool.
+You can configure SSL/TLS for the {productname} registry in the configuration tool UI or in the configuration bundle. SSL/TLS connections to the database, to image storage, and to Redis can also be specified through the configuration tool.
 
 Sensitive fields in the database and at run time are automatically encrypted. You can also require HTTPS and verify certificates for the {productname} registry during mirror operations.
 

modules/configuring-cert-based-auth-quay-cloudsql.adoc

@@ -0,0 +1,116 @@
+:_content-type: PROCEDURE
+[id="configuring-cert-based-auth-quay-sql"]
+= Configuring certificate-based authentication with SQL
+
+The following procedure demonstrates how to connect {productname} with an SQL database using secure client-side certificates. This method ensures both connectivity and authentication through Certificate Trust Verification, as it verifies the SQL server's certificate against a trusted Certificate Authority (CA). This enhances the security of the connection between {productname} and your SQL server while simplifying automation for your deployment. Although the example uses Google Cloud Platform's CloudSQL, the procedure also applies to PostgreSQL and other supported databases.
+
+.Prerequisites
+
+* You have generated custom Certificate Authorities (CAs) and your SSL/TLS certificates and keys are available in `PEM` format that will be used to generate an SSL connection with your CloudSQL database. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/securing_red_hat_quay/index#ssl-tls-quay-overview[SSL and TLS for {productname}].
+* You have `base64 decoded` the original config bundle into a `config.yaml` file. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/deploying_the_red_hat_quay_operator_on_openshift_container_platform/index#operator-config-cli-download[Downloading the existing configuration].
+* You are using an externally managed PostgreSQL or CloudSQL database. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/deploying_the_red_hat_quay_operator_on_openshift_container_platform/index#operator-unmanaged-postgres[Using and existing PostgreSQL database] with the `DB_URI` variable set.
+* Your externally managed PostgreSQL or CloudSQL database is configured for SSL/TLS.
+* The `postgres` component of your `QuayRegistry` CRD is set to `managed: false`, and your CloudSQL database is set with the `DB_URI` configuration variable. The following procedure uses `postgresql://<cloudsql_username>:<dbpassword>@<database_host>:<port>/<database_name>`.
+
+.Procedure
+
+. After you have generated the CAs and SSL/TLS certificates and keys for your CloudSQL database and ensured that they are in `.pem` format, test the SSL connection to your CloudSQL server:
+
+.. Initiate a connection to your CloudSQL server by entering the following command:
++
+[source,terminal]
+----
+$ psql "sslmode=verify-ca sslrootcert=<ssl_server_certificate_authority>.pem sslcert=<ssl_client_certificate>.pem sslkey=<ssl_client_key>.pem hostaddr=<34.29.130.58> port=<5432> user=<cloudsql_username> dbname=<cloudsql_database_name>"
+----
+
+. In your {productname} directory, create a new YAML file, for example, `quay-config-bundle.yaml`, by running the following command:
++
+[source,terminal]
+----
+$ touch quay-config-bundle.yaml
+----
+
+. Create a `postgresql-client-certs` resource by entering the following command:
++
+[source,terminal]
+----
+$ oc -n <quay_namespace> create secret generic postgresql-client-certs \
+--from-file config.yaml=<path/to/config.yaml> <1>
+--from-file=tls.crt=<path/to/ssl_client_certificate.pem> <2>
+--from-file=tls.key=<path/to/ssl_client_key.pem> <3>
+--from-file=ca.crt=<path/to/ssl_server_certificate.pem> <4>
+----
+<1> Where` <config.yaml>` is your `base64 decoded` `config.yaml` file.
+<2> Where `ssl_client_certificate.pem` is your SSL certificate in `.pem` format.
+<3> Where `ssl_client_key.pem` is your SSL key in `.pem` format.
+<4> Where `ssl_server_certificate.pem` is your SSL root CA in `.pem` format.
+
+. Edit your ``quay-config-bundle.yaml` file to include the following database connection settings:
++
+[IMPORTANT]
+====
+* The information included in the `DB_CONNECTION_ARGS` variable, for example, `sslmode`, `sslrootcert`, `sslcert`, and `sslkey` *must* match the information appended to the `DB_URI` variable. Failure to match might result in a failed connection. 
+* You cannot specify custom filenames or paths. Certificate file paths for `sslrootcert`, `sslcert`, and `sslkey` are hardcoded defaults and mounted into the `Quay` pod from the Kubernetes secret. You must adhere to the following naming conventions or it will result in a failed connection.
+====
++
+[source,yaml]
+----
+DB_CONNECTION_ARGS:
+    autorollback: true
+    sslmode: verify-ca <1>
+    sslrootcert: /.postgresql/root.crt <2>
+    sslcert: /.postgresql/postgresql.crt <3>
+    sslkey: /.postgresql/postgresql.key <4>
+    threadlocals: true <5>
+DB_URI: postgresql://<dbusername>:<dbpassword>@<database_host>:<port>/<database_name>?sslmode=verify-full&sslrootcert=/.postgresql/root.crt&sslcert=/.postgresql/postgresql.crt&sslkey=/.postgresql/postgresql.key <6>
+----
+<1> Using `verify-ca` ensures that the database connection uses SSL/TLS and verifies the server certificate against a trusted CA. This can work with both trusted CA and self-signed CA certificates. However, this mode does not verify the hostname of the server. For full hostname and certificate verification, use `verify-full`. For more information about the configuration options available, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/configure_red_hat_quay/index#config-fields-postgres[PostgreSQL SSL/TLS connection arguments].
+<2> The `root.crt` file contains the root certificate used to verify the SSL/TLS connection with your CloudSQL database. This file is mounted in the `Quay` pod from the Kubernetes secret.
+<3> The `postgresql.crt` file contains the client certificate used to authenticate the connection to your CloudSQL database. This file is mounted in the `Quay` pod from the Kubernetes secret.
+<4> The `postgresql.key` file contains the private key associated with the client certificate. This file is mounted in the `Quay` pod from the Kubernetes secret.
+<5> Enables auto-rollback for connections.
+<6> The URI that accesses your CloudSQL database appended with your `root.crt`, `postgresql.crt`, and `postgresql.key` files. The SSL/TLS information included in `DB_URI` must match the information provided in `DB_CONNECTION_ARGS`. If you are using CloudSQL, you must include your database username and password in this variable.
+
+. Create the `configBundleSecret` resource by entering the following command:
++
+[source,terminal]
+----
+$ oc create -n <namespace> -f quay-config-bundle.yaml
+----
++
+.Example output
++
+[source,terminal]
+----
+secret/quay-config-bundle created
+----
+
+. Update the `QuayRegistry` YAML file to reference the `quay-config-bundle` object by entering the following command:
++
+[source,terminal]
+----
+$ oc patch quayregistry <registry_name> -n <namespace> --type=merge -p '{"spec":{"configBundleSecret":"quay-config-bundle"}}'
+----
++
+.Example output
++
+[source,terminal]
+----
+quayregistry.quay.redhat.com/example-registry patched
+----
+
+. Ensure that your `QuayRegistry` YAML file has been updated to use the extra CA certificate `configBundleSecret` resource by entering the following command:
++
+[source,terminal]
+----
+$ oc get quayregistry <registry_name> -n <namespace> -o yaml
+----
++
+.Example output
++
+[source,terminal]
+----
+# ...
+  configBundleSecret: quay-config-bundle
+# ...
+----

modules/configuring-custom-clair-database.adoc

@@ -12,7 +12,7 @@ Use the following procedure to create a custom Clair database.
 
 [NOTE]
 ====
-The following procedure sets up Clair with SSL/TLS certifications. To view a similar procedure that does not set up Clair with SSL/TSL certifications, see "Configuring a custom Clair database with a managed Clair configuration".
+The following procedure sets up Clair with SSL/TLS certifications. To view a similar procedure that does not set up Clair with SSL/TLS certifications, see "Configuring a custom Clair database with a managed Clair configuration".
 ====
 
 .Procedure

modules/georepl-prereqs.adoc

@@ -18,7 +18,7 @@
 +
 Geo-replication does not replicate the database. In the event of an outage, {productname} with geo-replication enabled will not failover to another database.
 
-* A single Redis cache is shared across the entire {productname} setup and needs to accessible by all {productname} pods.
+* A single Redis cache is shared across the entire {productname} setup and needs to be accessible by all {productname} pods.
 
 * The exact same configuration should be used across all regions, with exception of the storage backend, which can be configured explicitly using the `QUAY_DISTRIBUTED_STORAGE_PREFERENCE` environment variable.
 

modules/rn_3_13_0.adoc

@@ -9,21 +9,18 @@ The following sections detail _y_ and _z_ stream release information.
 
 Issued 2024-10-zz
 
-{productname} release 3.13 is now available with Clair {clairproductminv}. The bug fixes that are included in the update are listed in the link:https://access.redhat.com/errata/RHBA-2024:XXXX[RHBA-2024:XXXX] advisory. For the most recent compatibility matrix, see link:https://access.redhat.com/articles/4067991[Quay Enterprise 3.x Tested Integrations].
-
-[id="release-cadence-313"]
-== {productname} release cadence 
-
-With the release of {productname} 3.10, the product has begun to align its release cadence and lifecycle with {ocp}. As a result, {productname} releases are now generally available (GA) within approximately four weeks of the most recent version of {ocp}. Customers can not expect the support lifecycle phases of {productname} to align with {ocp} releases. 
-
-For more information, see the link:https://access.redhat.com/support/policy/updates/rhquay/[{productname} Life Cycle Policy].
+{productname} release 3.13 is now available with Clair {clairproductminv}. The bug fixes that are included in the update are listed in the link:https://access.redhat.com/errata/RHBA-2024:XXXX[RHBA-2024:XXXX] advisory. For the most recent compatibility matrix, see link:https://access.redhat.com/articles/4067991[Quay Enterprise 3.x Tested Integrations]. For information the release cadence of {productname}, see the link:https://access.redhat.com/support/policy/updates/rhquay/[{productname} Life Cycle Policy].
 
 [id="documentation-changes-313"]
 == {productname} documentation changes
 
 The following documentation changes have been made with the {productname} {producty} release:
 
-* 
+* The {productname} _Builders_ feature that was originally documented in the link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/use_red_hat_quay/index[Using {productname} guide] has been moved into a new, dedicated book titled "link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/builders_and_image_automation/index[Builders and image automation]".
+
+* A new book titled "link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/securing_red_hat_quay/index[Securing {productname}]" has been created. This book covers SSL and TLS for {productname}, and adding additional certificate authorities (CAs) to your deployment. More content will be added to this book in the future.
+
+* A new book titled "link:https://docs.redhat.com/en/documentation/red_hat_quay/3.13/html-single/managing_access_and_permissions/index[Managing access and permissions]" has been created. This book covers topics related to access controls, repository visibility, and robot accounts by using the UI and the API. More content will be added to this book in the future.
 
 [id="new-features-and-enhancements-313"]
 == {productname} new features and enhancements
@@ -66,6 +63,18 @@ This feature greatly enhances the security of your {productname} registry by mit
 
 For more information, see https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/manage_red_hat_quay/index#keyless-authentication-robot-accounts[Keyless authentication with robot accounts].
 
+[id="quay-operator-updates-313"]
+== {productname-ocp} new features and enhancements
+
+The following updates have been made to {productname-ocp}.
+
+[id="certificate-based-auth-quay-postgresql"]
+=== Support for certificate-based authentication between {productname} and PostgreSQL
+
+With this release, support for certificate-based authentication between {productname} and PostgreSQL has been added. This allows {productname} administrators to supply their own SSL/TLS certificates that can be used for client-side authentication with PostgreSQL or CloudSQL. This provides enhanced security and allows for easier automation for your {productname} registry.
+
+For more information, see. . .
+
 [id="v2-ui-enhancement"]
 === {productname} v2 UI enhancements
 

modules/ssl-tls-sql.adoc

@@ -0,0 +1,7 @@
+:_content-type: PROCEDURE
+[id="cert-based-auth-quay-sql"]
+= Certificate-based authentication between {productname} and SQL
+
+{productname} administrators can configure certificate-based authentication between {productname} and SQL (PostgreSQL and GCP CloudSQL) by supplying their own SSL/TLS certificates for client-side authentication. This provides enhanced security and allows for easier automation for your {productname} registry.
+
+The following sections shows you how to configure certificate-based authentication between {productname} and PostgreSQL, and {productname} and CloudSQL.  

securing_quay/master.adoc

@@ -26,6 +26,12 @@ include::modules/ssl-trust-ca-system.adoc[leveloffset=+3]
 include::modules/operator-custom-ssl-certs-config-bundle.adoc[leveloffset=+2]
 include::modules/creating-custom-ssl-certs-config-bundle.adoc[leveloffset=+3]
 
+//PostgreSQL SSL/TLS certificates
+include::modules/ssl-tls-sql.adoc[leveloffset=+1]
+include::modules/configuring-cert-based-auth-quay-sql.adoc[leveloffset=+2]
+include::modules/configuring-cert-based-auth-quay-cloudsql.adoc[leveloffset=+2]
+
+
 //additional ca certificates
 include::modules/config-extra-ca-certs-quay.adoc[leveloffset=+1]
 //Additional CA Certificates standalone