From 54042e6337c507bf75f130778c4a9a424e142164 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 25 Jun 2024 12:51:10 +0000 Subject: [PATCH 1/4] pulp_auth_proxy: Fix variable name in README --- etc/kayobe/ansible/roles/pulp_auth_proxy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/README.md b/etc/kayobe/ansible/roles/pulp_auth_proxy/README.md index f14a5b2e8..66568a640 100644 --- a/etc/kayobe/ansible/roles/pulp_auth_proxy/README.md +++ b/etc/kayobe/ansible/roles/pulp_auth_proxy/README.md @@ -15,7 +15,7 @@ any untrusted environment. ## Role variables -* `pulp_auth_proxy_pulp_url`: URL of the Pulp server to proxy requests to. +* `pulp_auth_proxy_url`: URL of the Pulp server to proxy requests to. * `pulp_auth_proxy_username`: Username of the Pulp server to proxy requests to. * `pulp_auth_proxy_password`: Password of the Pulp server to proxy requests to. * `pulp_auth_proxy_conf_path`: Path to a directory in which to write Nginx From 08087a0e8546134540896620f801be3e8e5f8f9d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 25 Jun 2024 12:52:36 +0000 Subject: [PATCH 2/4] pulp_auth_proxy: Use stackhpc_release_pulp_url for Ark URL This allows us to set stackhpc_repo_mirror_auth_proxy_enabled to true while deploying the proxy without resulting in a recursive proxy. --- etc/kayobe/ansible/pulp-auth-proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/pulp-auth-proxy.yml b/etc/kayobe/ansible/pulp-auth-proxy.yml index 4cebbd386..c5c76efc8 100644 --- a/etc/kayobe/ansible/pulp-auth-proxy.yml +++ b/etc/kayobe/ansible/pulp-auth-proxy.yml 
@@ -8,7 +8,7 @@ - import_role: name: pulp_auth_proxy vars: - pulp_auth_proxy_url: "{{ stackhpc_repo_mirror_url }}" + pulp_auth_proxy_url: "{{ stackhpc_release_pulp_url }}" pulp_auth_proxy_username: "{{ stackhpc_repo_mirror_username }}" pulp_auth_proxy_password: "{{ stackhpc_repo_mirror_password }}" pulp_auth_proxy_conf_path: "{{ base_path }}/containers/pulp_proxy" From e01f23e09ce9a8fedc7d11a26495df96a1c8cf4c Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 25 Jun 2024 12:55:33 +0000 Subject: [PATCH 3/4] pulp_auth_proxy: Support deploying on hosts without Docker bridge networking We need to tell Docker to use host networking when bridge networking is not enabled. --- .../contributor/environments/ci-builder.rst | 7 +++++++ .../roles/pulp_auth_proxy/defaults/main.yml | 1 + .../roles/pulp_auth_proxy/tasks/main.yml | 21 +++++++++++++++++++ 3 files changed, 29 insertions(+) diff --git a/doc/source/contributor/environments/ci-builder.rst b/doc/source/contributor/environments/ci-builder.rst index 15a456044..ea5a4a21e 100644 --- a/doc/source/contributor/environments/ci-builder.rst +++ b/doc/source/contributor/environments/ci-builder.rst @@ -123,6 +123,13 @@ Pulp proxy that injects an HTTP basic auth header into requests that it proxies. Because this proxy bypasses Pulp's authentication, it must not be exposed to any untrusted environment. +Ensure that ``localhost`` is resolvable if Docker bridge networking is +disabled. This may be achieved by adding the following to ``/etc/hosts``: + +.. parsed-literal:: + + 127.0.0.1 localhost + To deploy the proxy: .. parsed-literal:: diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml index ae723565d..bd13e071f 100644 --- a/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml +++ b/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml 
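Review bot: The URL now comes from `stackhpc_release_pulp_url`, but `pulp_auth_proxy_username` and `pulp_auth_proxy_password` on the next two context lines still come from `stackhpc_repo_mirror_username`/`stackhpc_repo_mirror_password`, so the proxy injects the mirror's credentials into requests sent to the release Pulp. That is presumably intended (the commit message implies the mirror URL can resolve to this very proxy while the credentials are the ones for Ark), but it should be recorded next to the vars, e.g. `# Credentials are for the release Pulp at stackhpc_release_pulp_url; stackhpc_repo_mirror_url may itself point at this proxy`, because a reader would otherwise expect the two variable families to match. The play containing this import_role begins outside the hunk.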
@@ -5,3 +5,4 @@ pulp_auth_proxy_password: pulp_auth_proxy_conf_path: pulp_auth_proxy_listen_ip: 127.0.0.1 pulp_auth_proxy_listen_port: 80 +pulp_auth_proxy_network_mode: diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml index c15421510..c9b89ceff 100644 --- a/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml +++ b/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml @@ -1,4 +1,24 @@ --- +- when: pulp_auth_proxy_network_mode is none + block: + - name: Check if Docker bridge network exists + community.docker.docker_host_info: + networks: true + register: docker_host_info + + - name: Set a fact about the network mode + ansible.builtin.set_fact: + pulp_auth_proxy_network_mode: "{{ 'host' if docker_host_info.networks | selectattr('Driver', 'equalto', 'bridge') | list | length == 0 else 'bridge' }}" + +- name: Assert that localhost is resolvable when using host networking + assert: + that: + - "'localhost' is ansible.utils.resolvable" + fail_msg: >- + localhost must be resolvable when using Docker host networking with this container. + Consider adding '127.0.0.1 localhost' to /etc/hosts. + when: pulp_auth_proxy_network_mode == 'host' + - name: "Ensure {{ pulp_auth_proxy_conf_path }} exists" ansible.builtin.file: path: "{{ pulp_auth_proxy_conf_path }}" @@ -18,6 +38,7 @@ community.docker.docker_container: name: pulp_proxy image: nginx:stable-alpine + network_mode: "{{ pulp_auth_proxy_network_mode }}" ports: - "{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}:80" restart_policy: "no" From 03ef6bb40f6046e55501f8fa39988a1c68b158f3 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 25 Jun 2024 12:55:59 +0000 Subject: [PATCH 4/4] pulp_auth_proxy: Wait for container to become accessible Catch connectivity issues earlier. --- etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
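Review bot: `pulp_auth_proxy_network_mode:` is added as a bare null with no comment, and the README role-variable list edited in patch 1 of this series is not extended to describe it, so a reader of defaults/main.yml has to find the detection block in tasks/main.yml to learn what "unset" means. Add a comment above it, e.g. `# Docker network mode for the pulp_proxy container; leave unset to auto-detect ('host' when no bridge network exists, else 'bridge')`, and a matching bullet in the README. Writing the default as an explicit `null` would also make the intentional empty value visible rather than looking like a forgotten assignment.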
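Review bot: The new assertion uses the short module name `assert:` while the other tasks in the same hunk use FQCNs (`ansible.builtin.set_fact`, `ansible.builtin.file`); it should read `ansible.builtin.assert:` for consistency. The `'localhost' is ansible.utils.resolvable` test depends on the ansible.utils collection, and I cannot see from this diff whether the role's collection requirements already declare it—if not, the task fails at parse time with an unknown test rather than producing the friendly fail_msg. A one-line comment above the block, such as `# Auto-detect the network mode only when the caller left pulp_auth_proxy_network_mode unset`, would make the `is none` guard's intent explicit.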
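Review bot: Adding `network_mode: "{{ pulp_auth_proxy_network_mode }}"` while keeping the `ports:` mapping means that in host mode the `pulp_auth_proxy_listen_ip` binding (default 127.0.0.1 in defaults/main.yml) no longer applies, because Docker discards published ports under host networking and nginx then listens wherever its own `listen` directive says—on every host interface unless the templated pulp_proxy.conf restricts it. The ci-builder docs in this same series stress that the proxy bypasses Pulp's authentication and must not be exposed to any untrusted environment, so when host networking is selected the listen address needs to be enforced in the nginx config instead (that template is not in this diff, so I cannot confirm what it currently binds). At minimum, document the caveat on the task, e.g. `# In host mode Docker ignores ports:; pulp_proxy.conf must bind pulp_auth_proxy_listen_ip itself`, and consider passing `ports: []` when the mode is host so the module does not carry a no-op mapping. The docker_container task begins before this hunk.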
diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml index c9b89ceff..7f412c5f2 100644 --- a/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml +++ b/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml @@ -45,3 +45,11 @@ restart: "{{ pulp_proxy_conf is changed }}" volumes: - "{{ pulp_auth_proxy_conf_path }}/pulp_proxy.conf:/etc/nginx/conf.d/default.conf:ro" + +- name: Wait for pulp_proxy container to become accessible + ansible.builtin.uri: + url: http://localhost/pulp/api/v3/status/ + register: uri_result + until: uri_result is success + retries: 30 + delay: 2
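Review bot: The wait task hardcodes `url: http://localhost/pulp/api/v3/status/`, which only matches the published address when `pulp_auth_proxy_listen_ip` and `pulp_auth_proxy_listen_port` keep their defaults of 127.0.0.1 and 80; with a non-default port in bridge mode the check retries 30 times and fails on a correctly deployed proxy. Consider `url: "http://{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}/pulp/api/v3/status/"`, with a comment noting that under host networking the reachable port is whatever the nginx config listens on rather than the published one. Pinning `status_code: 200` explicitly would also document what "accessible" means here.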