From a0c0ab8397ba77e9ef85428e2de32639b621fee6 Mon Sep 17 00:00:00 2001
From: Matt Anson
Date: Thu, 19 Jan 2023 15:41:17 +0000
Subject: [PATCH 1/5] Configure TLS on local Pulp

---
 etc/kayobe/containers/pulp/pre.yml | 21 +++++++++++++++++++++
 etc/kayobe/pulp.yml | 16 ++++++++++++++--
 etc/kayobe/seed.yml | 2 +-
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/etc/kayobe/containers/pulp/pre.yml b/etc/kayobe/containers/pulp/pre.yml
index 22d999023..bd40b2e12 100644
--- a/etc/kayobe/containers/pulp/pre.yml
+++ b/etc/kayobe/containers/pulp/pre.yml
@@ -19,3 +19,24 @@
 dest: /opt/kayobe/containers/pulp/settings.py
 mode: 0644
 become: true
+
+- name: Configure TLS for local Pulp
+ when: pulp_enable_tls
+ become: true
+ block:
+ - name: Ensure /opt/kayobe/containers/pulp/certs exists
+ file:
+ path: "/opt/kayobe/containers/pulp/certs"
+ state: directory
+
+ - name: Copy TLS cert and key into container directory
+ template:
+ src: "{{ item.src }}"
+ dest: "/opt/kayobe/containers/pulp/certs/{{ item.dest }}"
+ mode: 0644
+ become: true
+ loop:
+ - src: "{{ pulp_cert_path }}"
+ dest: 'pulp_webserver.crt'
+ - src: "{{ pulp_key_path }}"
+ dest: 'pulp_webserver.key'
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index f2a3d39da..028a079d2 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
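Review bot: The TLS private key is written to `/opt/kayobe/containers/pulp/certs/pulp_webserver.key` with `mode: 0644`, the same world-readable mode as the certificate, so any local account on the seed host can read the key material. Give the key its own mode by moving the mode into the loop items, `mode: "{{ item.mode }}"` on the task with `mode: '0644'` on the cert item and `mode: '0600'` on the key item; whether the Pulp process inside the container can then read a root-owned 0600 file depends on the user it runs as, which is not visible here, so the owner/group may need setting to match. Quoting the mode as a string also avoids relying on the YAML 1.1 octal-to-integer conversion that a bare `0644` depends on. The `become: true` on the inner task is redundant with the `become: true` already on the enclosing block, and since the files are opaque PEM data rather than Jinja templates, `copy` describes the intent more accurately than `template`.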
@@ -1,10 +1,22 @@
 ---
 ###############################################################################
-# Local Pulp access credentials
+# Local Pulp server configuration
 
 # Base URL of the local Pulp service.
 # Default uses the seed node's IP on the admin network.
-pulp_url: "http://{{ admin_oc_net_name | net_ip(groups['seed'][0]) }}:80"
+pulp_url: "{{ 'https' if pulp_enable_tls else 'http' }}://{{ admin_oc_net_name | net_ip(groups['seed'][0]) }}:80"
+
+# Whether to enable TLS for Pulp.
+pulp_enable_tls: false
+
+# Path to a TLS certificate to use when TLS is enabled.
+#pulp_cert_path:
+
+# Path to a TLS key to use when TLS is enabled.
+#pulp_key_path:
+
+###############################################################################
+# Local Pulp access credentials
 
 # Credentials used to access the local Pulp REST API.
 pulp_username: admin
diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml
index 2d0784136..6d23b4383 100644
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@@ -96,7 +96,7 @@ seed_pulp_container:
 image: pulp/pulp
 pre: "{{ kayobe_config_path }}/containers/pulp/pre.yml"
 post: "{{ kayobe_config_path }}/containers/pulp/post.yml"
- tag: "3.16"
+ tag: "{{ '3.16-https' if pulp_enable_tls else '3.16' }}"
 network_mode: host
 volumes:
 - /opt/kayobe/containers/pulp:/etc/pulp

From 0ab0acb877595cf4516316c4f00ce0cd9d9b821d Mon Sep 17 00:00:00 2001
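Review bot: `pulp_cert_path` and `pulp_key_path` are added only as commented-out placeholders, so a deployment that sets `pulp_enable_tls: true` without defining both fails in the copy task of `containers/pulp/pre.yml` with an undefined-variable error rather than a message naming the missing setting. The comments on both could state the requirement, e.g. `# Path to a TLS certificate to use when TLS is enabled. Required when pulp_enable_tls is true.`, or pre.yml could assert that both are defined before the TLS block runs. Since `pulp_url` addresses the service by its admin-network IP, clients that verify the certificate will presumably need that IP in the certificate's subject alternative names; that is worth a line in the comment as well, though how clients verify is not visible here.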
From: Will Szumski
Date: Thu, 29 Dec 2022 12:24:03 +0000
Subject: [PATCH 2/5] Sets kolla_docker_registry_insecure to true (#297)

* Sets kolla_docker_registry_insecure to true

We currently don't configure TLS for the the local pulp registry. This adds the pulp server to the list of insecure-registries, so that we can pull images.

* Remove kolla_docker_registry_insecure override in CI environment

Based on comments in code review.

* Use a better default for kolla_docker_registry_insecure

Hoping this will prevent breakage for people already running pulp with TLS.

(cherry picked from commit 78055cf8e7d485154a1ff06e7dd1bd8f03e7fe00)
---
 etc/kayobe/kolla.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index bb649872b..9db98fab2 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -85,6 +85,11 @@ kolla_install_type: source
 # Docker namespace to use for Kolla images. Default is 'kolla'.
 kolla_docker_namespace: stackhpc
 
+# Whether docker should be configured to use an insecure registry for Kolla
+# images. Default is false, unless docker_registry_enabled is true and
+# docker_registry_enable_tls is false.
+kolla_docker_registry_insecure: "{{ 'https' not in stackhpc_repo_mirror_url }}"
+
 # Username to use to access a docker registry. Default is not set, in which
 # case the registry will be used without authentication.
 kolla_docker_registry_username: "{{ stackhpc_docker_registry_username }}"

From cd3208d366d1de08d4ff0227b9ddcb03c249cad1 Mon Sep 17 00:00:00 2001
From: Matt Anson
Date: Tue, 24 Jan 2023 14:37:43 +0000
Subject: [PATCH 3/5] Cast pulp_enable_tls to bool everywhere

---
 etc/kayobe/containers/pulp/pre.yml | 2 +-
 etc/kayobe/seed.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/kayobe/containers/pulp/pre.yml b/etc/kayobe/containers/pulp/pre.yml
index bd40b2e12..85af37916 100644
--- a/etc/kayobe/containers/pulp/pre.yml
+++ b/etc/kayobe/containers/pulp/pre.yml
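Review bot: The new comment on `kolla_docker_registry_insecure` describes a default derived from `docker_registry_enabled` and `docker_registry_enable_tls`, but the expression on the following line keys off `stackhpc_repo_mirror_url`, so the documentation and the value disagree. Either reword the comment to match, e.g. `# images. Default is true unless stackhpc_repo_mirror_url uses https.`, or build the default from those two variables if that is the intended rule. The substring test `'https' not in stackhpc_repo_mirror_url` also matches `https` anywhere in the URL, including a hostname or path, so an `http://` mirror whose name happens to contain the string would be treated as secure and left off the insecure-registries list; checking the scheme, `{{ (stackhpc_repo_mirror_url | urlsplit('scheme')) != 'https' }}`, is both stricter and self-documenting. Because an insecure-registries entry lets Docker fall back to plaintext and skip certificate verification for that host, this default should be exactly as narrow as the untrusted case requires.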
@@ -21,7 +21,7 @@
 become: true
 
 - name: Configure TLS for local Pulp
- when: pulp_enable_tls
+ when: pulp_enable_tls | bool
 become: true
 block:
 - name: Ensure /opt/kayobe/containers/pulp/certs exists
diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml
index 6d23b4383..46d20fc7e 100644
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@@ -96,7 +96,7 @@ seed_pulp_container:
 image: pulp/pulp
 pre: "{{ kayobe_config_path }}/containers/pulp/pre.yml"
 post: "{{ kayobe_config_path }}/containers/pulp/post.yml"
- tag: "{{ '3.16-https' if pulp_enable_tls else '3.16' }}"
+ tag: "{{ '3.16-https' if pulp_enable_tls | bool else '3.16' }}"
 network_mode: host
 volumes:
 - /opt/kayobe/containers/pulp:/etc/pulp

From 6903947c151f9b1054387d426666a74c6fc1dd6d Mon Sep 17 00:00:00 2001
From: Matt Anson
Date: Tue, 24 Jan 2023 14:38:08 +0000
Subject: [PATCH 4/5] Expose pulp_port variable

---
 etc/kayobe/pulp.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 028a079d2..4f786f8ba 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
@@ -4,7 +4,11 @@
 
 # Base URL of the local Pulp service.
 # Default uses the seed node's IP on the admin network.
-pulp_url: "{{ 'https' if pulp_enable_tls else 'http' }}://{{ admin_oc_net_name | net_ip(groups['seed'][0]) }}:80"
+pulp_url: "{{ 'https' if pulp_enable_tls | bool else 'http' }}://{{ admin_oc_net_name | net_ip(groups['seed'][0]) }}:{{ pulp_port }}"
+
+# Port on the seed node's interface on the admin network that the Pulp service
+# listens on.
+pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}"
 
 # Whether to enable TLS for Pulp.
 pulp_enable_tls: false

From 7d6a6cb614b37534798863671608d33d2e115500 Mon Sep 17 00:00:00 2001
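Review bot: The comment on `pulp_port` presents it as the port the Pulp service listens on, but nothing in the visible `seed_pulp_container` definition in seed.yml passes the value to the container, which runs with `network_mode: host` on whatever port the image variant selected by `pulp_enable_tls` exposes. If that is the case, overriding `pulp_port` only changes the URL clients use and silently breaks `pulp_url`; the comment could say so, e.g. `# listens on. Must match the port exposed by the selected pulp image tag; it is not passed to the container.`, or the variable could be wired into the container definition. The rest of `seed_pulp_container` lies outside the hunk, so this is inferred from the lines shown.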
From: Matt Anson
Date: Tue, 24 Jan 2023 14:47:48 +0000
Subject: [PATCH 5/5] Add releasenote

---
 releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml

diff --git a/releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml b/releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml
new file mode 100644
index 000000000..a6340bca7
--- /dev/null
+++ b/releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Enable TLS for the Seed Pulp service. Set ``pulp_enable_tls: true`` and
+ provide paths to a TLS certificate and key using ``pulp_cert_path`` and
+ ``pulp_key_path`` respectively.