Tags in the container world are cheap. Let's add a "http" tag that points to the same image as latest. I think, we should additionally provide the released images as an https version maybe tagged "x.y-https", but this can/should be postponed. Let's first get comfy with ssl in the latest build.
On Fri, May 14, 2021 at 4:06 PM Fabricio Aguiar <fagui...@redhat.com> wrote: > Bump! > > Single container PR [1] needs some adjustments, I plan to address them > once we decide about the tags. > Current PR makes: > *Tag* *Scheme* > latest http > https https > x.y http > > Please share your feedback about the tag/scheme until May 19 > > [1] https://github.com/pulp/pulp-oci-images/pull/73 > > Best regards, > Fabricio Aguiar > Software Engineer, Pulp Project > Red Hat Brazil - Latam <https://www.redhat.com/> > +55 22 999000595 > > > > On Mon, May 10, 2021 at 9:07 AM Ina Panova <ipan...@redhat.com> wrote: > >> I would get rid of the latest tag because it is non-deterministic and >> would keep http/https tags only. >> >> -------- >> Regards, >> >> Ina Panova >> Senior Software Engineer| Pulp| Red Hat Inc. >> >> "Do not go where the path may lead, >> go instead where there is no path and leave a trail." >> >> >> On Fri, May 7, 2021 at 6:08 PM Matthias Dellweg <mdell...@redhat.com> >> wrote: >> >>> I would tag http and https and then latest as the same as http. Then we >>> can write an announcement that we will switch latest from http to https or >>> drop latest altogether. >>> The question about release tags is a good one. I think, we need both >>> there too. >>> >>> On Fri, May 7, 2021 at 6:05 PM David Davis <davidda...@redhat.com> >>> wrote: >>> >>>> I feel like ideally, https would be the default (ie latest). However, >>>> then we are going to break all the release branches for pulpcore and >>>> plugins that are pointing to latest but not expecting https. >>>> >>>> Hopefully people will weigh in here. >>>> >>>> David >>>> >>>> >>>> On Fri, May 7, 2021 at 11:55 AM Fabricio Aguiar <fagui...@redhat.com> >>>> wrote: >>>> >>>>> >>>>> >>>>> On Fri, May 7, 2021 at 11:52 AM David Davis <davidda...@redhat.com> >>>>> wrote: >>>>> >>>>>> To confirm, the "latest" tag will continue to ship with http? I >>>>>> imagine most users will end up with http then. >>>>>> >>>>> I can modify the PR and make https the default >>>>> >>>>>> >>>>>> Also, what (if anything) do we do about y release tags (e.g. the >>>>>> upcoming 3.13 tag)? Do they continue to ship with http? >>>>>> >>>>> I think release tags can be https >>>>> >>>>>> >>>>>> David >>>>>> >>>>>> >>>>>> On Fri, May 7, 2021 at 10:51 AM Brian Bouterse <bmbou...@redhat.com> >>>>>> wrote: >>>>>> >>>>>>> awwww yisssss >>>>>>> >>>>>>> On Fri, May 7, 2021 at 10:46 AM Fabricio Aguiar <fagui...@redhat.com> >>>>>>> wrote: >>>>>>> >>>>>>>> I changed https://github.com/pulp/pulp-oci-images/pull/73 to ship >>>>>>>> both, >>>>>>>> latest as is, and the new tag: https >>>>>>>> >>>>>>>> Best regards, >>>>>>>> Fabricio Aguiar >>>>>>>> Software Engineer, Pulp Project >>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/> >>>>>>>> +55 22 999000595 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Fri, May 7, 2021 at 11:41 AM Brian Bouterse <bmbou...@redhat.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> +1 to this observation, we probably need to either ship both or >>>>>>>>> make it configurable somehow. Shipping both is probably easier on >>>>>>>>> users. >>>>>>>>> >>>>>>>>> On Fri, May 7, 2021 at 5:11 AM Matthias Dellweg < >>>>>>>>> mdell...@redhat.com> wrote: >>>>>>>>> >>>>>>>>>> This is a great piece of work! >>>>>>>>>> The problem I see is that the SSL free container image may be >>>>>>>>>> used in places we do not control. And having this http based >>>>>>>>>> container >>>>>>>>>> equipped with an external https reverse proxy is imho a valid use >>>>>>>>>> case. >>>>>>>>>> Therefore i would prefer, if we could provide both versions of >>>>>>>>>> the image (with and without SSL) as different tags. >>>>>>>>>> This would also give us the opportunity to switch the plugins one >>>>>>>>>> by one to use the new container. >>>>>>>>>> Ideally, the SSL container would be a thin OCI-layer on top of >>>>>>>>>> the http version. >>>>>>>>>> >>>>>>>>>> On Thu, May 6, 2021 at 10:10 PM Fabricio Aguiar < >>>>>>>>>> fagui...@redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> I finally made pulp_container CI work with https, >>>>>>>>>>> I also did some changes on pulp_installer, I believe these >>>>>>>>>>> changes will make it possible to run functional tests on dev >>>>>>>>>>> environment. >>>>>>>>>>> >>>>>>>>>>> I think now it is a matter of deciding when is the best time to >>>>>>>>>>> merge the PR on the single container and if latest tag should be >>>>>>>>>>> https or >>>>>>>>>>> not >>>>>>>>>>> >>>>>>>>>>> PRs: >>>>>>>>>>> https://github.com/pulp/pulp-oci-images/pull/73 >>>>>>>>>>> https://github.com/pulp/pulp_installer/pull/614 >>>>>>>>>>> https://github.com/pulp/plugin_template/pull/379 >>>>>>>>>>> https://github.com/pulp/pulpcore/pull/1283 >>>>>>>>>>> https://github.com/pulp/pulp_container/pull/304 >>>>>>>>>>> https://github.com/pulp/pulp_rpm/pull/1977 >>>>>>>>>>> https://github.com/pulp/pulp_ansible/pull/572 >>>>>>>>>>> https://github.com/pulp/pulp-2to3-migration/pull/362 >>>>>>>>>>> >>>>>>>>>>> Best regards, >>>>>>>>>>> Fabricio Aguiar >>>>>>>>>>> Software Engineer, Pulp Project >>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/> >>>>>>>>>>> +55 22 999000595 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Tue, Apr 27, 2021 at 5:35 PM Fabricio Aguiar < >>>>>>>>>>> fagui...@redhat.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> I created https branch: >>>>>>>>>>>> https://github.com/pulp/pulp-oci-images/tree/https >>>>>>>>>>>> and pushed the following images: >>>>>>>>>>>> - pulp/pulp-ci-centos:https >>>>>>>>>>>> - pulp/pulp:https >>>>>>>>>>>> >>>>>>>>>>>> Now we can test on the plugins, >>>>>>>>>>>> I followed your suggestion and did it on pulp_npm: >>>>>>>>>>>> https://github.com/pulp/pulp_npm/pull/89 >>>>>>>>>>>> >>>>>>>>>>>> Best regards, >>>>>>>>>>>> Fabricio Aguiar >>>>>>>>>>>> Software Engineer, Pulp Project >>>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/> >>>>>>>>>>>> +55 22 999000595 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Apr 27, 2021 at 9:25 AM David Davis < >>>>>>>>>>>> davidda...@redhat.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> This is great. Thank you for working on it. >>>>>>>>>>>>> >>>>>>>>>>>>> As a next step, would it make sense to create a branch and >>>>>>>>>>>>> then try to deploy a new temporary tag from that branch? Then >>>>>>>>>>>>> maybe we can >>>>>>>>>>>>> test a plugin (eg pulp_npm) against this new image and see what >>>>>>>>>>>>> breaks. >>>>>>>>>>>>> >>>>>>>>>>>>> David >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Mon, Apr 26, 2021 at 5:01 PM Fabricio Aguiar < >>>>>>>>>>>>> fagui...@redhat.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> I started this POC: >>>>>>>>>>>>>> https://github.com/pulp/pulp-oci-images/pull/73 >>>>>>>>>>>>>> It enables https on the single container, once merged, the CI >>>>>>>>>>>>>> for every plugin will run the functional tests using https. >>>>>>>>>>>>>> Probably it would break the majority of the CIs, we need to >>>>>>>>>>>>>> discuss when is the best moment to merge this PR or discuss >>>>>>>>>>>>>> alternatives >>>>>>>>>>>>>> >>>>>>>>>>>>>> Best regards, >>>>>>>>>>>>>> Fabricio Aguiar >>>>>>>>>>>>>> Software Engineer, Pulp Project >>>>>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/> >>>>>>>>>>>>>> +55 22 999000595 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Tue, Feb 9, 2021 at 10:55 AM Fabricio Aguiar < >>>>>>>>>>>>>> fagui...@redhat.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Our nginx conf only supports http now: >>>>>>>>>>>>>>> https://github.com/pulp/pulp-oci-images/blob/latest/assets/nginx.conf#L15 >>>>>>>>>>>>>>> For not breaking all plugins, I believe we can build a new >>>>>>>>>>>>>>> CI image that supports https. >>>>>>>>>>>>>>> Maybe a template_config parameter - test_https: true would >>>>>>>>>>>>>>> switch the images >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Best regards, >>>>>>>>>>>>>>> Fabricio Aguiar >>>>>>>>>>>>>>> Software Engineer, Pulp Project >>>>>>>>>>>>>>> Red Hat Brazil - Latam <https://www.redhat.com/> >>>>>>>>>>>>>>> +55 22 999000595 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Tue, Feb 9, 2021 at 5:16 AM Matthias Dellweg < >>>>>>>>>>>>>>> mdell...@redhat.com> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I believe this is at least solving the problem partially: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://github.com/pulp/pulp-smash/pull/1251 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Mon, Feb 8, 2021 at 9:48 PM Brian Bouterse < >>>>>>>>>>>>>>>> bmbou...@redhat.com> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I believe all of our plugins (and CI) require HTTP and do >>>>>>>>>>>>>>>>> not work with HTTPS. I'm not well versed in what needs to be >>>>>>>>>>>>>>>>> done to fix >>>>>>>>>>>>>>>>> this, but I think we should fix it. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Can the CI group have a 30 min call to talk over what >>>>>>>>>>>>>>>>> needs to be done? Or maybe share some info here? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The main issue I'm aware of is that the tests are not >>>>>>>>>>>>>>>>> prepared to trust an https certificate that is self-signed. >>>>>>>>>>>>>>>>> I'm not exactly >>>>>>>>>>>>>>>>> sure where we can change that in one place either. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thanks! >>>>>>>>>>>>>>>>> Brian >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>> Pulp-dev mailing list >>>>>>>>>>>>>>>>> Pulp-dev@redhat.com >>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>> Pulp-dev mailing list >>>>>>>>>>>>>>>> Pulp-dev@redhat.com >>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/pulp-dev >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> Pulp-dev mailing list >>>>>>>>>>>>>> Pulp-dev@redhat.com >>>>>>>>>>>>>> https://listman.redhat.com/mailman/listinfo/pulp-dev >>>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>> Pulp-dev mailing list >>> Pulp-dev@redhat.com >>> https://listman.redhat.com/mailman/listinfo/pulp-dev >>> >> _______________________________________________ >> Pulp-dev mailing list >> Pulp-dev@redhat.com >> https://listman.redhat.com/mailman/listinfo/pulp-dev >> >
_______________________________________________ Pulp-dev mailing list Pulp-dev@redhat.com https://listman.redhat.com/mailman/listinfo/pulp-dev
