Adds new api config endpoint (quay#1363)

Co-authored-by: Steven Smith <[email protected]>

Author: stevsmit

api_reference/master.adoc

@@ -207,6 +207,7 @@ include::modules/api-secscan.adoc[leveloffset=+1]
 include::modules/api-secscan-getRepoManifestSecurity.adoc[leveloffset=+2]
 //done
 include::modules/api-superuser.adoc[leveloffset=+1]
+include::modules/api-superuser-configDump.adoc[leveloffset=+2]
 include::modules/api-superuser-createInstallUser.adoc[leveloffset=+2]
 include::modules/api-superuser-deleteInstallUser.adoc[leveloffset=+2]
 include::modules/api-superuser-listAllUsers.adoc[leveloffset=+2]

config_quay/master.adoc

@@ -25,6 +25,10 @@ include::modules/operator-config-bundle-secret.adoc[leveloffset=+3]
 include::modules/modifying-config-bundle-secret-ui.adoc[leveloffset=+4]
 include::modules/operator-config-cli-download.adoc[leveloffset=+4]
 
+//Obtaining config field by using the API
+include::modules/retrieving-config-api.adoc[leveloffset=+1]
+
+
 //include::modules/config-updates-313.adoc[leveloffset=+2]
 //include::modules/config-updates-312.adoc[leveloffset=+2]
 //include::modules/config-updates-311.adoc[leveloffset=+2]

modules/api-superuser-configDump.adoc

@@ -0,0 +1,43 @@
+= getConfigDump
+Returns the full configuration dump of the Quay instance.
+
+[discrete]
+== GET /api/v1/superuser/config
+
+Authorizations: oauth2_implicit (super:user)
+
+[discrete]
+== Responses
+
+[options="header", width=100%, cols=".^2a,.^14a,.^4a"]
+|===
+|HTTP Code|Description|Schema
+|201|Successful creation|
+|400|Bad Request|<<_apierror,ApiError>>
+|401|Session required|<<_apierror,ApiError>>
+|403|Unauthorized access|<<_apierror,ApiError>>
+|404|Not found|<<_apierror,ApiError>>
+|===
+
+[discrete]
+== Response structure
+
+The JSON response includes the following top-level keys:
+
+[cols="3a,9a,4a",options="header"]
+|===
+|Name|Description|Schema
+|.config|All config.yaml and defaulted parameters used by the Flask app that are part of the defined schema.|object
+|.warning|Any parameters from config.yaml or defaults that are not defined in the schema.|object
+|.env|All environment variables available to the Flask app.|object
+|.schema|The complete config schema (CONFIG_SCHEMA) defining expected keys and types.|object
+|===
+
+[discrete]
+== Example command
+
+[source,terminal]
+----
+$ curl -X GET -H "Authorization: Bearer <bearer_token>"
+"https://<quay-server.example.com>/api/v1/superuser/config" | jq -r .config
+----

modules/config-fields-user.adoc

@@ -58,6 +58,10 @@ The user configuration fields define how user accounts behave in your {productna
 
 *Default:* `False`
 
+|*FEATURE_SUPERUSER_CONFIGDUMP* |Boolean | Enables a full config dump of the running Framework, environment and schema for validation. +
+ +
+**Default:** `false`
+
 | **FEATURE_RESTRICTED_USERS** | Boolean | When set to `True` with `RESTRICTED_USERS_WHITELIST`:
 
 * All normal users and superusers are restricted from creating organizations or content in their own namespace unless they are allowlisted via `RESTRICTED_USERS_WHITELIST`.
@@ -82,6 +86,7 @@ FEATURE_INVITE_ONLY_USER_CREATION: false
 FEATURE_USER_RENAME: true
 FEATURE_SUPERUSERS_FULL_ACCESS: true
 FEATURE_SUPERUSERS_ORG_CREATION_ONLY: false
+FEATURE_SUPERUSER_CONFIGDUMP: true
 FEATURE_RESTRICTED_USERS: true
 RESTRICTED_USERS_WHITELIST: <1>
       - user1

modules/config-updates-315.adoc

@@ -16,8 +16,29 @@ The `SKOPEO_TIMEOUT_INTERVAL` has been added. With this configuration field, {pr
 **Default:** `300`
 |===
 
-.Skopeo timeout xample YAML
+.Skopeo timeout example YAML
 [source,yaml]
 ----
 SKOPEO_TIMEOUT_INTERVAL: 300
+----
+
+[id="superuser-config-dump"]
+== Superuser configDump
+
+The `FEATURE_SUPERUSER_CONFIGDUMP` configuration field has been added. With this field, {productname} superusers can leverage the `configDump` API field to return all Flask configuration fields that are set. This can be used to show proof of compliance for various security policies, such as PCI-DSS4.0. To use this field, superusers must be defined in the `config.yaml` file via the `SUPER_USERS` configuration field.
+
+.configDump configuration field
+|===
+| Field | Type | Description 
+|*FEATURE_SUPERUSER_CONFIGDUMP* |Boolean | Enables a full config dump of the running Framework, environment and schema for validation. +
+ +
+**Default:** `false`
+|===
+
+.Superuser configDump example YAML
+[source,yaml]
+----
+# ...
+FEATURE_SUPERUSER_CONFIGDUMP: true
+# ...
 ----

modules/retrieving-config-api.adoc

@@ -0,0 +1,61 @@
+// Document included in the following assemblies: 
+
+// Configuring Red hat Quay
+
+:_content-type: REFERENCE
+[id="retrieving-config-file-api"]
+= Retrieving the configuration file by using the API
+
+The `config.yaml` file can be returned on the CLI by leveraging the `FEATURE_SUPERUSER_CONFIGDUMP` configuration field alongside the  `v1/superuser/config` API endpoint. Together, {productname} superusers can return all Flask configuration fields that are set, which can be used to show proof of compliance for various security policies, such as PCI-DSS4.0.
+
+.Prerequisites
+
+* You have set `FEATURE_SUPERUSER_CONFIGDUMP: true` in your `config.yaml` file.
+* You have set `BROWSER_API_CALLS_XHR_ONLY: false` in your `config.yaml` file.
+* You have assigned the superuser role to a user in your `config.yaml` file.
+* You have generated an OAuth 2 access token for the superuser.
+
+.Procedure
+
+* Retrieve the `config.yaml` file by using the `v1/superuser/config` API endpoint. For example:
++
+[source,terminal]
+----
+$ curl -X GET -H "Authorization: Bearer <bearer_token>" "http://<quay-server.example.com>/api/v1/superuser/config" | jq -r .config
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+  "TEAM_RESYNC_STALE_TIME": "30m",
+  "UI_DELAY_AFTER_WRITE_SECONDS": 3,
+  "UI_MODELCARD_ANNOTATION": {},
+  "UI_MODELCARD_ARTIFACT_TYPE": "application/x-mlmodel",
+  "UI_MODELCARD_LAYER_ANNOTATION": {
+    "org.opencontainers.image.title": "README.md"
+  }
+...
+----
+
+* You can pass in one of `.config`, `.env`, `.warning`, or `.schema` to return specific information. For example:
++
+[source,terminal]
+----
+$ curl -X GET -H "Authorization: Bearer <bearer_token>" "http://<quay-server.example.com>/api/v1/superuser/config" | jq -r .warning
+----
++
+.Example output
++
+[source,terminal]
+----
+...
+  "BILLING_TYPE": "FakeStripe",
+  "BUILDLOGS_OPTIONS": [],
+  "BUILD_MANAGER": null,
+  "CDN_SPECIFIC_NAMESPACES": [],
+  "CHANNEL_COLORS": [
+  ]
+...
+----

modules/rn_3_15_0.adoc

@@ -40,9 +40,6 @@ Previously, when pulling from a proxied repository, only the layers explicitly r
 
 With this release, {productname} now caches all layers when an image is pulled from a proxied repository. This enhancement ensures that Clair can scan all images and that images remain pullable even if the upstream registry becomes unavailable.
 
-[id="clair-enhancements"]
-=== Clair enhancements
-
 [id="new-quay-config-fields-315"]
 == {productname} configuration fields updates and changes
 
@@ -51,8 +48,9 @@ The following configuration fields have been added to {productname} 3.15.
 [id="skopeo-timeout-configuration-field"]
 === Skopeo timeout interval
 
-The `SKOPEO_TIMEOUT_INTERVAL` has been added. With this configuration field, {productname} administrators can adjust the time, in seconds, that a mirroring job runs before it times out. This field is required and defaults at `300` seconds, or 5 minutes. It cannot be set lower than `300` seconds.
+The `SKOPEO_TIMEOUT_INTERVAL` configuration field has been added. With this field, {productname} administrators can adjust the time, in seconds, that a mirroring job runs before it times out. This field is required and defaults at `300` seconds, or 5 minutes. It cannot be set lower than `300` seconds.
 
+.Skopeo timeout configuration field
 |===
 | Field | Type | Description 
 |*SKOPEO_TIMEOUT_INTERVAL* |Integer | Number of seconds mirroring job will run before timing out. +
@@ -63,15 +61,40 @@ The `SKOPEO_TIMEOUT_INTERVAL` has been added. With this configuration field, {pr
 .Skopeo timeout example YAML
 [source,yaml]
 ----
+# ...
 SKOPEO_TIMEOUT_INTERVAL: 300
+# ...
+----
+
+For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/manage_red_hat_quay/index#repo-mirroring-in-red-hat-quay[Repository mirroring].
+
+[id="superuser-config-dump"]
+=== Superuser configDump
+
+The `FEATURE_SUPERUSER_CONFIGDUMP` configuration field has been added. With this field, {productname} superusers can leverage the `configDump` API field to return all Flask configuration fields that are set. This can be used to show proof of compliance for various security policies, such as PCI-DSS4.0. To use this field, superusers must be defined in the `config.yaml` file via the `SUPER_USERS` configuration field.
+
+.configDump configuration field
+|===
+| Field | Type | Description 
+|*FEATURE_SUPERUSER_CONFIGDUMP* |Boolean | Enables a full config dump of the running Framework, environment and schema for validation. +
+ +
+**Default:** `false`
+|===
+
+.Superuser configDump example YAML
+[source,yaml]
+----
+# ...
+FEATURE_SUPERUSER_CONFIGDUMP: true
+# ...
 ----
 
-For more information, see 
+For more information, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/configure_red_hat_quay/index#retrieving-config-file-api[Retrieiving the configuration file by using the API].
 
 [id="new-api-endpoints-315"]
 == API endpoint enhancements
 
-No the following API endpoints were added in {productname} 3.15.
+The following API endpoints were added in {productname} 3.15.
 
 [id="skopeo-timeout-api-endpoint"]
 === Skopeo timeout interval
@@ -83,10 +106,47 @@ A new parameter, `SKOPEO_TIMEOUT_INTERVAL`, has been added to the `createRepoMir
 |*skopeo_timeout_interval* |Number of seconds mirroring job will run before timing out | Integer
 |===
 
-See the link:https://docs.redhat.com/en/documentation/red_hat_quay/3.14/html/red_hat_quay_api_reference/mirror#createrepomirrorconfig[createRepoMirrorConfig] endpoint for more information.
+See the link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html/red_hat_quay_api_reference/mirror#createrepomirrorconfig[createRepoMirrorConfig] endpoint for more information.
+
+[id="api-v1-superuser-config"]
+=== Superuser configDump
+
+A new superuser API parameter, `v1/superuser/config`, has been added to the {productname} API. With this field, superusers can return all Flask configuration fields that are set. This can be used to show proof of compliance for various security policies, such as PCI-DSS4.0.
+
+|===
+|Name|Description|Schema
+
+|**configDump** +
+_optional_|Returns a structured JSON dump of the current configuration, including values from `config.yaml` (`.config`), default parameters (`.warning`), environment variables (`.env`), and schema (`.schema`) types. Sensitive fields are obfuscated. Useful for audit/compliance validation (e.g., PCI-DSS 4.0). |object
+
+|===
+
+For example API commands, see link:https://docs.redhat.com/en/documentation/red_hat_quay/{producty}/html-single/red_hat_quay_api_reference/index#superuser[Red Hat Quay API superuser commands].
+
+
+[id="notable-technical-changes-315"]
+== Notable technical changes
+
+The following section highlights notable technical changes for {productname} 3.15.
+
+[id="model-card-disable"]
+=== Model card rendering disabled by default
+
+In {productname} 3.14, model card rendering was made available on the v2 UI for machine learning models. This feature was enabled by default via the `FEATURE_UI_MODELCARD` parameter.
+
+With {productname} 3.15, this feature is now disabled by default. To view model cards on the v2 UI, you must set the `FEATURE_UI_MODELCARD` field to `true`. For example:
+
+[source,yaml]
+----
+# ...
+FEATURE_UI_MODELCARD: true
+# ...
+----
+
+This change will be reverted in a future version of {productname}.
 
 [id="known-issues-and-limitations-315"]
-== {productname} {producty} known issues and limitations
+== Known issues and limitations
 
 The following sections note known issues and limitations for {productname} 3.15.