Run pulp container on https

[fao89]

Related thread: https://listman.redhat.com/archives/pulp-dev/2021-April/msg00043.html

[pulpbot]

WARNING!!! This PR is not attached to an issue. In most cases this is not advisable. Please see our PR docs for more information about how to attach this PR to an issue.

[mdellweg]

That is not how execlineb works...
You need to foreground every single command that does not support chain calling, despite the last one.

[fao89]

I got confused when reading about foreground, thank you for the help!

[mdellweg]

I believe, you need to set verify-ssl or similar to false for the curl calls.

[daviddavis]

This work looks great. Can I ask for a huge favor? Can we wait until after April 30 to merge this work (or at least hold off publishing the new containers until then)? The students working on the UI are using these and have their final project deadline on April 30. I don't want to mess them up.

[fao89]

This work looks great. Can I ask for a huge favor? Can we wait until after April 30 to merge this work (or at least hold off publishing the new containers until then)? The students working on the UI are using these and have their final project deadline on April 30. I don't want to mess them up.

yes, this is just a POC, and it may break CI for almost every plugin. It needs to be proper advertised before merged, so people can have time to improve functional tests to deal with https

[fao89]

Related thread: https://listman.redhat.com/archives/pulp-dev/2021-April/msg00043.html

[mdellweg]

This is a major change in the way the single container works.
Can we somehow make the switch to https optional? So we do not break every automation we have when merging this?

[daviddavis]

We created an https tag that @fao89 is using to test things out.

Ideally I think we'd like to get all the other tags moved over to https but this seems like a monumental undertaking when one considers all the repos, release branches, etc.

[mdellweg]

What about the opposite tag (http / nossl / ...), and some day, we announce the switchover of latest?
Can we make the ssl version to be a thin container layer on top of the nossl version?

[fao89]

Followed: https://docs.oracle.com/cd/E52668_01/E66514/html/ceph-issues-24424028.html

[mdellweg]

💯

[mdellweg]

This is changing the files checked into this repository.
May be OK in CI, but the moment we are going to write up these steps in the README, it may get weird. WDYT?

[fao89]

I didn't want to have a new container file just because of the tag, maybe we need to use a template

[fao89]

template + makefile?

[mdellweg]

So you would turn the SSL/Containerfile into a template? Would you template it on the fly? Or use the Makefile to template files we want to check into git? I really don't know what's the best way.
Another thought: We are now building the images with 3 layers of dependency. Maybe it is time to start using make to sort out the build sequence.
BTW: we could call that file pulp-ci-centos8/Containerfile.https. No one really says that it must be called Containerfile. So one nice naming schema would be <image_name>/Containerfile.<tag>. Wdyt?

[fao89]

I agree with everything you said, including the part: "I really don't know what's the best way"
<image_name>/Containerfile.<tag>sounds really good!

[himdel]

I'd like to request this feature be optional, with an option to go back to http.

We're using this for Cypress testing, and having to generate a self-signed certificate only to ignore it seems unecessary for that case, if it can be reasonably avoided :).

(context: ansible/ansible-hub-ui#378 (comment) )