[Pulp-dev] How to enable HTTPS for our tests in pulpcore and all plugins?

Matthias Dellweg mdellweg at redhat.com
Fri May 7 09:11:14 UTC 2021


This is a great piece of work!
The problem I see is that the SSL free container image may be used in
places we do not control. And having this http based container equipped
with an external https reverse proxy is imho a valid use case.
Therefore i would prefer, if we could provide both versions of the image
(with and without SSL) as different tags.
This would also give us the opportunity to switch the plugins one by one to
use the new container.
Ideally, the SSL container would be a thin OCI-layer on top of the http
version.

On Thu, May 6, 2021 at 10:10 PM Fabricio Aguiar <faguiard at redhat.com> wrote:

> I finally made pulp_container CI work with https,
> I also did some changes on pulp_installer, I believe these changes will
> make it possible to run functional tests on dev environment.
>
> I think now it is a matter of deciding when is the best time to merge the
> PR on the single container and if latest tag should be https or not
>
> PRs:
> https://github.com/pulp/pulp-oci-images/pull/73
> https://github.com/pulp/pulp_installer/pull/614
> https://github.com/pulp/plugin_template/pull/379
> https://github.com/pulp/pulpcore/pull/1283
> https://github.com/pulp/pulp_container/pull/304
> https://github.com/pulp/pulp_rpm/pull/1977
> https://github.com/pulp/pulp_ansible/pull/572
> https://github.com/pulp/pulp-2to3-migration/pull/362
>
> Best regards,
> Fabricio Aguiar
> Software Engineer, Pulp Project
> Red Hat Brazil - Latam <https://www.redhat.com/>
> +55 22 999000595
>
>
>
> On Tue, Apr 27, 2021 at 5:35 PM Fabricio Aguiar <faguiard at redhat.com>
> wrote:
>
>> I created https branch:
>> https://github.com/pulp/pulp-oci-images/tree/https
>> and pushed the following images:
>> - pulp/pulp-ci-centos:https
>> - pulp/pulp:https
>>
>> Now we can test on the plugins,
>> I followed your suggestion and did it on pulp_npm:
>> https://github.com/pulp/pulp_npm/pull/89
>>
>> Best regards,
>> Fabricio Aguiar
>> Software Engineer, Pulp Project
>> Red Hat Brazil - Latam <https://www.redhat.com/>
>> +55 22 999000595
>>
>>
>>
>> On Tue, Apr 27, 2021 at 9:25 AM David Davis <daviddavis at redhat.com>
>> wrote:
>>
>>> This is great. Thank you for working on it.
>>>
>>> As a next step, would it make sense to create a branch and then try to
>>> deploy a new temporary tag from that branch? Then maybe we can test a
>>> plugin (eg pulp_npm) against this new image and see what breaks.
>>>
>>> David
>>>
>>>
>>> On Mon, Apr 26, 2021 at 5:01 PM Fabricio Aguiar <faguiard at redhat.com>
>>> wrote:
>>>
>>>> I started this POC: https://github.com/pulp/pulp-oci-images/pull/73
>>>> It enables https on the single container, once merged, the CI for every
>>>> plugin will run the functional tests using https.
>>>> Probably it would break the majority of the CIs, we need to discuss
>>>> when is the best moment to merge this PR or discuss alternatives
>>>>
>>>> Best regards,
>>>> Fabricio Aguiar
>>>> Software Engineer, Pulp Project
>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>> +55 22 999000595
>>>>
>>>>
>>>>
>>>> On Tue, Feb 9, 2021 at 10:55 AM Fabricio Aguiar <faguiard at redhat.com>
>>>> wrote:
>>>>
>>>>> Our nginx conf only supports http now:
>>>>> https://github.com/pulp/pulp-oci-images/blob/latest/assets/nginx.conf#L15
>>>>> For not breaking all plugins, I believe we can build a new CI image
>>>>> that supports https.
>>>>> Maybe a template_config parameter - test_https: true would switch the
>>>>> images
>>>>>
>>>>> Best regards,
>>>>> Fabricio Aguiar
>>>>> Software Engineer, Pulp Project
>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>> +55 22 999000595
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 9, 2021 at 5:16 AM Matthias Dellweg <mdellweg at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> I believe this is at least solving the problem partially:
>>>>>>
>>>>>> https://github.com/pulp/pulp-smash/pull/1251
>>>>>>
>>>>>> On Mon, Feb 8, 2021 at 9:48 PM Brian Bouterse <bmbouter at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I believe all of our plugins (and CI) require HTTP and do not work
>>>>>>> with HTTPS. I'm not well versed in what needs to be done to fix this, but I
>>>>>>> think we should fix it.
>>>>>>>
>>>>>>> Can the CI group have a 30 min call to talk over what needs to be
>>>>>>> done? Or maybe share some info here?
>>>>>>>
>>>>>>> The main issue I'm aware of is that the tests are not prepared to
>>>>>>> trust an https certificate that is self-signed. I'm not exactly sure where
>>>>>>> we can change that in one place either.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Brian
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Pulp-dev mailing list
>>>>>>> Pulp-dev at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Pulp-dev mailing list
>>>>>> Pulp-dev at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>
>>>>> _______________________________________________
>>>> Pulp-dev mailing list
>>>> Pulp-dev at redhat.com
>>>> https://listman.redhat.com/mailman/listinfo/pulp-dev
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20210507/47df521b/attachment.htm>


More information about the Pulp-dev mailing list