Enable the creation of Ingress or Route based on the CR input

* Add capabilities to the CRD for ingress or route
* Enable the creation of ingress or route objects with provided TLS options
* Update pulp-web to use nginx image directly driven via projected volumes
* Removed pulp-web container creation
* Alter all deployments to be driven off CR naming
* Obtain pulp admin password from projected volume instead of ENV variable

fixes #8272
https://pulp.plan.io/issues/8272

.ci/ansible/galaxy/vars.yaml

@@ -5,11 +5,18 @@ images:
       container_file: Containerfile.core
       pulpcore: git+https://github.com/pulp/pulpcore.git@3.10#egg=pulpcore
       plugins:
+        - "git+https://github.com/pulp/pulp_ansible.git"
+        - "git+https://github.com/pulp/pulp_container.git"
         - "git+https://github.com/ansible/galaxy_ng.git"
   - galaxy_web_master:
       image_name: galaxy-web
       tag: latest
       container_file: Containerfile.web
       base_image_name: galaxy
+      python_version: "3.9"
+      plugin_snippets:
+        - pulp_ansible
+        - pulp_container
+        - galaxy_ng
 registry: quay.io
 project: pulp

.ci/ansible/vars.yaml

@@ -24,17 +24,28 @@ images:
       tag: latest
       container_file: Containerfile.web
       base_image_name: pulp
+      python_version: "3.9"
+      plugin_snippets:
+        - pulp_ansible
+        - pulp_container
   - galaxy_master:
       image_name: galaxy
       tag: latest
       container_file: Containerfile.core
       pulpcore: git+https://github.com/pulp/pulpcore.git@3.10#egg=pulpcore
       plugins:
+        - "git+https://github.com/pulp/pulp_ansible.git"
+        - "git+https://github.com/pulp/pulp_container.git"
         - "git+https://github.com/ansible/galaxy_ng.git"
   - galaxy_web_master:
       image_name: galaxy-web
       tag: latest
       container_file: Containerfile.web
       base_image_name: galaxy
+      python_version: "3.9"
+      plugin_snippets:
+        - pulp_ansible
+        - pulp_container
+        - galaxy_ng
 registry: quay.io
 project: pulp

.ci/scripts/pulp-operator-check-and-wait.sh

@@ -122,6 +122,7 @@ done
 if [[ "$KUBE" == "minikube" ]]; then
   API_NODE="localhost"
   kubectl port-forward service/$SVC_NAME $API_PORT:$API_PORT &
+  echo "port-forwarding service/$SVC_NAME $API_PORT:$API_PORT"
   sleep 30
 fi
 
@@ -171,6 +172,7 @@ for tries in {0..180}; do
     echo "$output"
     break
   fi
+  sleep 5
 done
 
 echo "Final output test was:\n $output"

.ci/scripts/pulp_file-tests.sh

@@ -6,7 +6,11 @@ SERVER=$(hostname)
 if [[ "$1" == "--minikube" ]] || [[ "$1" == "-m" ]]; then
   KUBE="minikube"
   SERVER="localhost"
-
+  if [[ "$CI_TEST" == "true" ]]; then
+    SVC_NAME="example-pulp-api-svc"
+    API_PORT="24817"
+    kubectl port-forward service/$SVC_NAME $API_PORT:$API_PORT &
+  fi
 fi
 
 # From the pulp-server/pulp-api config-map

CHANGES/8272.feature

@@ -0,0 +1 @@
+Enable the creation of Ingress or Route objects based on the specifications within the custom resource

containers/images/pulp/Containerfile.web.j2

@@ -1,19 +1,13 @@
-FROM {{ registry | default('quay.io') }}/{{ project | default('pulp') }}/{{ item.value.base_image_name | default('pulp') }}:{{ item.value.tag | default('latest') }}
+FROM {{ registry | default('quay.io') }}/{{ project | default('pulp') }}/{{ item.value.base_image_name | default('pulp') }}:{{ item.value.tag | default('latest') }} as builder
 
-RUN	dnf -y install nginx
+RUN mkdir -p /etc/nginx/pulp
+{% for plugin in item.value.plugin_snippets %}
+RUN ln /usr/local/lib/python{{ item.value.python_version }}/site-packages/{{ plugin }}/app/webserver_snippets/nginx.conf /etc/nginx/pulp/{{ plugin }}.conf
+{% endfor %}
 
-RUN mkdir -p /etc/nginx/pulp \
-             /etc/services.d/nginx \
-             /var/lib/pulp/assets
+FROM nginx:latest
 
-COPY pulp-operator/containers/images/pulp/container-assets/nginx.conf /etc/nginx/nginx.conf
-COPY pulp-operator/containers/images/pulp/container-assets/nginx /usr/bin/nginx
-COPY pulp-operator/containers/images/pulp/container-assets/nginx-check /usr/bin/nginx-check
-
-RUN ln /usr/local/lib/python3.9/site-packages/pulp_ansible/app/webserver_snippets/nginx.conf /etc/nginx/pulp/pulp_ansible.conf
-RUN ln /usr/local/lib/python3.9/site-packages/pulp_container/app/webserver_snippets/nginx.conf /etc/nginx/pulp/pulp_container.conf
-{% if item.value.base_image_name == "galaxy" %}
-RUN ln /usr/local/lib/python3.9/site-packages/galaxy_ng/app/webserver_snippets/nginx.conf /etc/nginx/pulp/galaxy_ng.conf
-{% endif %}
-
-EXPOSE 80
+RUN mkdir -p /etc/nginx/pulp
+WORKDIR /etc/nginx/pulp
+COPY --from=builder /etc/nginx/pulp .
+WORKDIR /

containers/images/pulp/container-assets/pulp-api

@@ -14,10 +14,18 @@ django-admin collectstatic --noinput
 django-admin migrate --noinput
 django-admin migrate auth --noinput
 
+ADMIN_PASSWORD_FILE=/etc/pulp/pulp-admin-password
+if [[ -f "$ADMIN_PASSWORD_FILE" ]]; then
+   echo "pulp admin can be initialized."
+   PULP_ADMIN_PASSWORD=$(cat $ADMIN_PASSWORD_FILE)
+fi
+
 if [ -n "${PULP_ADMIN_PASSWORD}" ]; then
     django-admin reset-admin-password --password "${PULP_ADMIN_PASSWORD}"
 fi
 
+mkdir -p /var/lib/pulp/media
+
 # NOTE: Due to the Linux dual-stack functionality, this will listen on both IPv4
 # IPv6, even though netstat may seem to indicate it is IPv6 only.
 # Due to containers using network namespaces, even if the host has this disabled

containers/images/pulp/container-assets/pulp-common-entrypoint.sh

@@ -7,7 +7,7 @@
 # can change our scripts' locations in the future, and call special logic in this
 # script based solely on theo command name.
 
-if [[ "$@" = "pulp-content" || "$@" = "pulp-api" || "$@" = "pulp-worker" || "$@" = "pulp-resource-manager"  || "$@" = "nginx" ]]; then
+if [[ "$@" = "pulp-content" || "$@" = "pulp-api" || "$@" = "pulp-worker" || "$@" = "pulp-resource-manager" ]]; then
         exec "/usr/bin/$@"
 else
         exec "$@"

containers/images/pulp/container-assets/wait_on_postgres.py

@@ -13,10 +13,15 @@
     print("Waiting on postgresql to start...")
     while not postgres_is_alive and tries < 100:
         tries += 1
+        pg_port = 5432
+        try:
+            env_port = os.environ.get("POSTGRES_SERVICE_PORT", "5432")
+            pg_port = int(env_port)
+        except ValueError:
+            pass
         try:
             print("Checking postgres host %s" % os.environ["POSTGRES_SERVICE_HOST"])
             print("Checking postgres port %s" % os.environ["POSTGRES_SERVICE_PORT"])
-            pg_port = int(os.environ["POSTGRES_SERVICE_PORT"])
             s.connect((os.environ["POSTGRES_SERVICE_HOST"], pg_port))
         except socket.error:
             time.sleep(3)

containers/vars/defaults.yaml

@@ -73,10 +73,18 @@ images:
       tag: stable
       container_file: Containerfile.web
       base_image_name: pulp
+      python_version: "3.9"
+      plugin_snippets:
+        - pulp_ansible
+        - pulp_container
   - pulp_web_master:
       image_name: pulp-web
       tag: latest
       container_file: Containerfile.web
       base_image_name: pulp
+      python_version: "3.9"
+      plugin_snippets:
+        - pulp_ansible
+        - pulp_container
 registry: quay.io
 project: pulp

deploy/crds/pulpproject_v1beta1_pulp_crd.yaml

@@ -101,6 +101,39 @@ spec:
                     description: The size of the file storage; for example 100Gi.
                     type: string
                 type: object
+              pulp_hostname:
+                description: The hostname of the instance
+                type: string
+              ingress_type:
+                description: The ingress type to use to reach the deployed instance
+                type: string
+                enum:
+                  - none
+                  - Ingress
+                  - ingress
+                  - Route
+                  - route
+              ingress_annotations:
+                description: Annotations to add to the ingress
+                type: string
+              ingress_tls_secret:
+                description: Secret where the ingress TLS secret can be found
+                type: string
+              route_host:
+                description: The DNS to use to points to the instance
+                type: string
+              route_tls_termination_mechanism:
+                description: The secure TLS termination mechanism to use
+                type: string
+                default: Edge
+                enum:
+                  - Edge
+                  - edge
+                  - Passthrough
+                  - passthrough
+              route_tls_secret:
+                description: Secret where the TLS related credentials are stored
+                type: string
               pulp_web:
                 description: The pulp web deployment.
                 properties:

deploy/role.yaml

@@ -4,6 +4,13 @@ metadata:
   creationTimestamp: null
   name: pulp-operator
 rules:
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  - routes/custom-host
+  verbs:
+  - '*'
 - apiGroups:
   - ""
   resources:
@@ -25,11 +32,13 @@ rules:
   - watch
 - apiGroups:
   - apps
+  - extensions
   resources:
   - deployments
   - daemonsets
   - replicasets
   - statefulsets
+  - ingresses
   verbs:
   - create
   - delete

playbook.yml

@@ -37,3 +37,4 @@
     - pulp-resource-manager
     - pulp-worker
     - pulp-web
+    - pulp-routes

roles/pulp-api/defaults/main.yml

@@ -9,3 +9,23 @@ raw_spec: "{{ vars['_pulp_pulpproject_org_pulp']['spec'] }}"
 # Secret to lookup that provide the admin password
 #
 pulp_admin_password_secret: ''
+
+# Host to create the root with.
+# If not specific will default to <instance-name>-<namespace>-<routerCanonicalHostname>
+#
+route_host: ''
+
+pulp_hostname: '{{ deployment_type }}.example.com'
+
+web_protocol: 'http'
+
+# TLS secret for the ingress. The secret either has to exist before hand with
+# the corresponding cert and key or just be an indicator for where an automated
+# process like cert-manager (enabled via annotations) will store the TLS
+# certificate and key.
+ingress_tls_secret: ''
+
+# Secret to lookup that provide the TLS specific
+# credentials to deploy
+#
+route_tls_secret: ''