[Pulp-dev] How to enable HTTPS for our tests in pulpcore and all plugins?
Fabricio Aguiar
faguiard at redhat.com
Fri May 14 14:05:54 UTC 2021
Bump!
Single container PR [1] needs some adjustments, I plan to address them once
we decide about the tags.
Current PR makes:
*Tag* *Scheme*
latest http
https https
x.y http
Please share your feedback about the tag/scheme until May 19
[1] https://github.com/pulp/pulp-oci-images/pull/73
Best regards,
Fabricio Aguiar
Software Engineer, Pulp Project
Red Hat Brazil - Latam <https://www.redhat.com/>
+55 22 999000595
On Mon, May 10, 2021 at 9:07 AM Ina Panova <ipanova at redhat.com> wrote:
> I would get rid of the latest tag because it is non-deterministic and
> would keep http/https tags only.
>
> --------
> Regards,
>
> Ina Panova
> Senior Software Engineer| Pulp| Red Hat Inc.
>
> "Do not go where the path may lead,
> go instead where there is no path and leave a trail."
>
>
> On Fri, May 7, 2021 at 6:08 PM Matthias Dellweg <mdellweg at redhat.com>
> wrote:
>
>> I would tag http and https and then latest as the same as http. Then we
>> can write an announcement that we will switch latest from http to https or
>> drop latest altogether.
>> The question about release tags is a good one. I think, we need both
>> there too.
>>
>> On Fri, May 7, 2021 at 6:05 PM David Davis <daviddavis at redhat.com> wrote:
>>
>>> I feel like ideally, https would be the default (ie latest). However,
>>> then we are going to break all the release branches for pulpcore and
>>> plugins that are pointing to latest but not expecting https.
>>>
>>> Hopefully people will weigh in here.
>>>
>>> David
>>>
>>>
>>> On Fri, May 7, 2021 at 11:55 AM Fabricio Aguiar <faguiard at redhat.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Fri, May 7, 2021 at 11:52 AM David Davis <daviddavis at redhat.com>
>>>> wrote:
>>>>
>>>>> To confirm, the "latest" tag will continue to ship with http? I
>>>>> imagine most users will end up with http then.
>>>>>
>>>> I can modify the PR and make https the default
>>>>
>>>>>
>>>>> Also, what (if anything) do we do about y release tags (e.g. the
>>>>> upcoming 3.13 tag)? Do they continue to ship with http?
>>>>>
>>>> I think release tags can be https
>>>>
>>>>>
>>>>> David
>>>>>
>>>>>
>>>>> On Fri, May 7, 2021 at 10:51 AM Brian Bouterse <bmbouter at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> awwww yisssss
>>>>>>
>>>>>> On Fri, May 7, 2021 at 10:46 AM Fabricio Aguiar <faguiard at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I changed https://github.com/pulp/pulp-oci-images/pull/73 to ship
>>>>>>> both,
>>>>>>> latest as is, and the new tag: https
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Fabricio Aguiar
>>>>>>> Software Engineer, Pulp Project
>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>>>> +55 22 999000595
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, May 7, 2021 at 11:41 AM Brian Bouterse <bmbouter at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> +1 to this observation, we probably need to either ship both or
>>>>>>>> make it configurable somehow. Shipping both is probably easier on users.
>>>>>>>>
>>>>>>>> On Fri, May 7, 2021 at 5:11 AM Matthias Dellweg <
>>>>>>>> mdellweg at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> This is a great piece of work!
>>>>>>>>> The problem I see is that the SSL free container image may be used
>>>>>>>>> in places we do not control. And having this http based container equipped
>>>>>>>>> with an external https reverse proxy is imho a valid use case.
>>>>>>>>> Therefore i would prefer, if we could provide both versions of the
>>>>>>>>> image (with and without SSL) as different tags.
>>>>>>>>> This would also give us the opportunity to switch the plugins one
>>>>>>>>> by one to use the new container.
>>>>>>>>> Ideally, the SSL container would be a thin OCI-layer on top of the
>>>>>>>>> http version.
>>>>>>>>>
>>>>>>>>> On Thu, May 6, 2021 at 10:10 PM Fabricio Aguiar <
>>>>>>>>> faguiard at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> I finally made pulp_container CI work with https,
>>>>>>>>>> I also did some changes on pulp_installer, I believe these
>>>>>>>>>> changes will make it possible to run functional tests on dev environment.
>>>>>>>>>>
>>>>>>>>>> I think now it is a matter of deciding when is the best time to
>>>>>>>>>> merge the PR on the single container and if latest tag should be https or
>>>>>>>>>> not
>>>>>>>>>>
>>>>>>>>>> PRs:
>>>>>>>>>> https://github.com/pulp/pulp-oci-images/pull/73
>>>>>>>>>> https://github.com/pulp/pulp_installer/pull/614
>>>>>>>>>> https://github.com/pulp/plugin_template/pull/379
>>>>>>>>>> https://github.com/pulp/pulpcore/pull/1283
>>>>>>>>>> https://github.com/pulp/pulp_container/pull/304
>>>>>>>>>> https://github.com/pulp/pulp_rpm/pull/1977
>>>>>>>>>> https://github.com/pulp/pulp_ansible/pull/572
>>>>>>>>>> https://github.com/pulp/pulp-2to3-migration/pull/362
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Fabricio Aguiar
>>>>>>>>>> Software Engineer, Pulp Project
>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>>>>>>> +55 22 999000595
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Apr 27, 2021 at 5:35 PM Fabricio Aguiar <
>>>>>>>>>> faguiard at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I created https branch:
>>>>>>>>>>> https://github.com/pulp/pulp-oci-images/tree/https
>>>>>>>>>>> and pushed the following images:
>>>>>>>>>>> - pulp/pulp-ci-centos:https
>>>>>>>>>>> - pulp/pulp:https
>>>>>>>>>>>
>>>>>>>>>>> Now we can test on the plugins,
>>>>>>>>>>> I followed your suggestion and did it on pulp_npm:
>>>>>>>>>>> https://github.com/pulp/pulp_npm/pull/89
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>> Fabricio Aguiar
>>>>>>>>>>> Software Engineer, Pulp Project
>>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>>>>>>>> +55 22 999000595
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Apr 27, 2021 at 9:25 AM David Davis <
>>>>>>>>>>> daviddavis at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> This is great. Thank you for working on it.
>>>>>>>>>>>>
>>>>>>>>>>>> As a next step, would it make sense to create a branch and then
>>>>>>>>>>>> try to deploy a new temporary tag from that branch? Then maybe we can test
>>>>>>>>>>>> a plugin (eg pulp_npm) against this new image and see what breaks.
>>>>>>>>>>>>
>>>>>>>>>>>> David
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Apr 26, 2021 at 5:01 PM Fabricio Aguiar <
>>>>>>>>>>>> faguiard at redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I started this POC:
>>>>>>>>>>>>> https://github.com/pulp/pulp-oci-images/pull/73
>>>>>>>>>>>>> It enables https on the single container, once merged, the CI
>>>>>>>>>>>>> for every plugin will run the functional tests using https.
>>>>>>>>>>>>> Probably it would break the majority of the CIs, we need to
>>>>>>>>>>>>> discuss when is the best moment to merge this PR or discuss alternatives
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>> Fabricio Aguiar
>>>>>>>>>>>>> Software Engineer, Pulp Project
>>>>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>>>>>>>>>> +55 22 999000595
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Feb 9, 2021 at 10:55 AM Fabricio Aguiar <
>>>>>>>>>>>>> faguiard at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Our nginx conf only supports http now:
>>>>>>>>>>>>>> https://github.com/pulp/pulp-oci-images/blob/latest/assets/nginx.conf#L15
>>>>>>>>>>>>>> For not breaking all plugins, I believe we can build a new CI
>>>>>>>>>>>>>> image that supports https.
>>>>>>>>>>>>>> Maybe a template_config parameter - test_https: true would
>>>>>>>>>>>>>> switch the images
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>> Fabricio Aguiar
>>>>>>>>>>>>>> Software Engineer, Pulp Project
>>>>>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/>
>>>>>>>>>>>>>> +55 22 999000595
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Feb 9, 2021 at 5:16 AM Matthias Dellweg <
>>>>>>>>>>>>>> mdellweg at redhat.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I believe this is at least solving the problem partially:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/pulp/pulp-smash/pull/1251
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Feb 8, 2021 at 9:48 PM Brian Bouterse <
>>>>>>>>>>>>>>> bmbouter at redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I believe all of our plugins (and CI) require HTTP and do
>>>>>>>>>>>>>>>> not work with HTTPS. I'm not well versed in what needs to be done to fix
>>>>>>>>>>>>>>>> this, but I think we should fix it.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can the CI group have a 30 min call to talk over what needs
>>>>>>>>>>>>>>>> to be done? Or maybe share some info here?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The main issue I'm aware of is that the tests are not
>>>>>>>>>>>>>>>> prepared to trust an https certificate that is self-signed. I'm not exactly
>>>>>>>>>>>>>>>> sure where we can change that in one place either.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>>> Brian
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> Pulp-dev mailing list
>>>>>>>>>>>>>>>> Pulp-dev at redhat.com
>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> Pulp-dev mailing list
>>>>>>>>>>>>>>> Pulp-dev at redhat.com
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Pulp-dev mailing list
>>>>>>>>>>>>> Pulp-dev at redhat.com
>>>>>>>>>>>>> https://listman.redhat.com/mailman/listinfo/pulp-dev
>>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>> Pulp-dev mailing list
>> Pulp-dev at redhat.com
>> https://listman.redhat.com/mailman/listinfo/pulp-dev
>>
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://listman.redhat.com/mailman/listinfo/pulp-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-dev/attachments/20210514/01b6c7b1/attachment.htm>
More information about the Pulp-dev
mailing list