2023.1: Pulp auth proxy fixes

doc/source/contributor/environments/ci-builder.rst

@@ -123,6 +123,13 @@ Pulp proxy that injects an HTTP basic auth header into requests that it
 proxies. Because this proxy bypasses Pulp's authentication, it must not be
 exposed to any untrusted environment.
 
+Ensure that ``localhost`` is resolvable if Docker bridge networking is
+disabled. This may be achieved by adding the following to ``/etc/hosts``:
+
+.. parsed-literal::
+
+   127.0.0.1 localhost
+
 To deploy the proxy:
 
 .. parsed-literal::

etc/kayobe/ansible/pulp-auth-proxy.yml

@@ -8,7 +8,7 @@
     - import_role:
         name: pulp_auth_proxy
       vars:
-        pulp_auth_proxy_url: "{{ stackhpc_repo_mirror_url }}"
+        pulp_auth_proxy_url: "{{ stackhpc_release_pulp_url }}"
         pulp_auth_proxy_username: "{{ stackhpc_repo_mirror_username }}"
         pulp_auth_proxy_password: "{{ stackhpc_repo_mirror_password }}"
         pulp_auth_proxy_conf_path: "{{ base_path }}/containers/pulp_proxy"

etc/kayobe/ansible/roles/pulp_auth_proxy/README.md

@@ -15,7 +15,7 @@ any untrusted environment.
 
 ## Role variables
 
-* `pulp_auth_proxy_pulp_url`: URL of the Pulp server to proxy requests to.
+* `pulp_auth_proxy_url`: URL of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_username`: Username of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_password`: Password of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_conf_path`: Path to a directory in which to write Nginx

etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml

@@ -5,3 +5,4 @@ pulp_auth_proxy_password:
 pulp_auth_proxy_conf_path:
 pulp_auth_proxy_listen_ip: 127.0.0.1
 pulp_auth_proxy_listen_port: 80
+pulp_auth_proxy_network_mode:

etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml

@@ -1,4 +1,24 @@
 ---
+- when: pulp_auth_proxy_network_mode is none
+  block:
+    - name: Check if Docker bridge network exists
+      community.docker.docker_host_info:
+        networks: true
+      register: docker_host_info
+
+    - name: Set a fact about the network mode
+      ansible.builtin.set_fact:
+        pulp_auth_proxy_network_mode: "{{ 'host' if docker_host_info.networks | selectattr('Driver', 'equalto', 'bridge') | list | length == 0 else 'bridge' }}"
+
+- name: Assert that localhost is resolvable when using host networking
+  assert:
+    that:
+      - "'localhost' is ansible.utils.resolvable"
+    fail_msg: >-
+      localhost must be resolvable when using Docker host networking with this container.
+      Consider adding '127.0.0.1 localhost' to /etc/hosts.
+  when: pulp_auth_proxy_network_mode == 'host'
+
 - name: "Ensure {{ pulp_auth_proxy_conf_path }} exists"
   ansible.builtin.file:
     path: "{{ pulp_auth_proxy_conf_path }}"
@@ -18,9 +38,18 @@
   community.docker.docker_container:
     name: pulp_proxy
     image: nginx:stable-alpine
+    network_mode: "{{ pulp_auth_proxy_network_mode }}"
     ports:
       - "{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}:80"
     restart_policy: "no"
     restart: "{{ pulp_proxy_conf is changed }}"
     volumes:
       - "{{ pulp_auth_proxy_conf_path }}/pulp_proxy.conf:/etc/nginx/conf.d/default.conf:ro"
+
+- name: Wait for pulp_proxy container to become accessible
+  ansible.builtin.uri:
+    url: http://localhost/pulp/api/v3/status/
+  register: uri_result
+  until: uri_result is success
+  retries: 30
+  delay: 2