[Pulp-dev] How to enable HTTPS for our tests in pulpcore and all plugins?

Brian Bouterse bmbouter at redhat.com
Fri May 7 14:41:25 UTC 2021 

+1 to this observation, we probably need to either ship both or make it
configurable somehow. Shipping both is probably easier on users.

On Fri, May 7, 2021 at 5:11 AM Matthias Dellweg <mdellweg at redhat.com> wrote:

> This is a great piece of work!
> The problem I see is that the SSL free container image may be used in
> places we do not control. And having this http based container equipped
> with an external https reverse proxy is imho a valid use case.
> Therefore i would prefer, if we could provide both versions of the image
> (with and without SSL) as different tags.
> This would also give us the opportunity to switch the plugins one by one
> to use the new container.
> Ideally, the SSL container would be a thin OCI-layer on top of the http
> version.
>
> On Thu, May 6, 2021 at 10:10 PM Fabricio Aguiar <faguiard at redhat.com>
> wrote:
>
>> I finally made pulp_container CI work with https,
>> I also did some changes on pulp_installer, I believe these changes will
>> make it possible to run functional tests on dev environment.
>>
>> I think now it is a matter of deciding when is the best time to merge the
>> PR on the single container and if latest tag should be https or not
>>
>> PRs:
>> https://github.com/pulp/pulp-oci-images/pull/73
>> https://github.com/pulp/pulp_installer/pull/614
>> https://github.com/pulp/plugin_template/pull/379
>> https://github.com/pulp/pulpcore/pull/1283
>> https://github.com/pulp/pulp_container/pull/304
>> https://github.com/pulp/pulp_rpm/pull/1977
>> https://github.com/pulp/pulp_ansible/pull/572
>> https://github.com/pulp/pulp-2to3-migration/pull/362
>>
>> Best regards,
>> Fabricio Aguiar
>> Software Engineer, Pulp Project
>> Red Hat Brazil - Latam <https://www.redhat.com/>
>> +55 22 999000595
>>
>>
>>
>> On Tue, Apr 27, 2021 at 5:35 PM Fabricio Aguiar <faguiard at redhat.com>
>> wrote:
>>
>>> I created https branch:
>>> https://github.com/pulp/pulp-oci-images/tree/https
>>> and pushed the following images:
>>> - pulp/pulp-ci-centos:https
>>> - pulp/pulp:https
>>>
>>> Now we can test on the plugins,
>>> I followed your suggestion and did it on pulp_npm:
>>> https://github.com/pulp/pulp_npm/pull/89
>>>
>>> Best regards,
>>> Fabricio Aguiar
>>> Software Engineer, Pulp Project
>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>> +55 22 999000595
>>>
>>>
>>>
>>> On Tue, Apr 27, 2021 at 9:25 AM David Davis <daviddavis at redhat.com>
>>> wrote:
>>>
>>>> This is great. Thank you for working on it.
>>>>
>>>> As a next step, would it make sense to create a branch and then try to
>>>> deploy a new temporary tag from that branch? Then maybe we can test a
>>>> plugin (eg pulp_npm) against this new image and see what breaks.
>>>>
>>>> David
>>>>
>>>>
>>>> On Mon, Apr 26, 2021 at 5:01 PM Fabricio Aguiar <faguiard at redhat.com>
>>>> wrote:
>>>>
>>>>> I started this POC: https://github.com/pulp/pulp-oci-images/pull/73
>>>>> It enables https on the single container, once merged, the CI for
>>>>> every plugin will run the functional tests using https.
>>>>> Probably it would break the majority of the CIs, we need to discuss
>>>>> when is the best moment to merge this PR or discuss alternatives
>>>>>
>>>>> Best regards,
>>>>> Fabricio Aguiar
>>>>> Software Engineer, Pulp Project
>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>> +55 22 999000595
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 9, 2021 at 10:55 AM Fabricio Aguiar <faguiard at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Our nginx conf only supports http now:
>>>>>> https://github.com/pulp/pulp-oci-images/blob/latest/assets/nginx.conf#L15
>>>>>> For not breaking all plugins, I believe we can build a new CI image
>>>>>> that supports https.
>>>>>> Maybe a template_config parameter - test_https: true would switch the
>>>>>> images
>>>>>>
>>>>>> Best regards,
>>>>>> Fabricio Aguiar
>>>>>> Software Engineer, Pulp Project
>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>>> +55 22 999000595
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 9, 2021 at 5:16 AM Matthias Dellweg <mdellweg at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I believe this is at least solving the problem partially:
>>>>>>>
>>>>>>> https://github.com/pulp/pulp-smash/pull/1251
>>>>>>>
>>>>>>> On Mon, Feb 8, 2021 at 9:48 PM Brian Bouterse <bmbouter at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I believe all of our plugins (and CI) require HTTP and do not work
>>>>>>>> with HTTPS. I'm not well versed in what needs to be done to fix this, but I
>>>>>>>> think we should fix it.
>>>>>>>>
>>>>>>>> Can the CI group have a 30 min call to talk over what needs to be
>>>>>>>> done? Or maybe share some info here?
>>>>>>>>
>>>>>>>> The main issue I'm aware of is that the tests are not prepared to
>>>>>>>> trust an https certificate that is self-signed. I'm not exactly sure where
>>>>>>>> we can change that in one place either.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Brian
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Pulp-dev mailing list
>>>>>>>> Pulp-dev at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Pulp-dev mailing list
>>>>>>> Pulp-dev at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>>
>>>>>> _______________________________________________
>>>>> Pulp-dev mailing list
>>>>> Pulp-dev at redhat.com
>>>>> https://listman.redhat.com/mailman/listinfo/pulp-dev
>>>>>
>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20210507/183fbe55/attachment.htm>

More information about the Pulp-dev mailing list