pulp-add-on doc #282
| @@ -0,0 +1,198 @@ | |||
| --- | |||
| title: Pulp Access Controller | |||
Thank you for opening the ADR.
I have basic questions: what is Pulp and why do Konflux users need to access it?
Hi, Pulp is Red Hat's offering for centrally storing artifacts. Initially RPM, but today it's the go-to place for storing any language artifacts, excluding OCI type ones. So for example, if you are producing RPMs during a Konflux job, and you want to store them and redistribute them through the native RPM tools (yum/dnf), you would want to store them in Pulp. Does this help?
This would be good preamble to add to the top of the # Context section.
Good point, I added it.
|
|
||
| ### Basic setup | ||
|
|
||
| First, create a secret with your TLS certificate and key: |
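Review bot: "First, create a secret with your TLS certificate and key:" asks the reader to place a private key in a secret without saying why the controller needs it or in which namespace the secret has to be created. Suggest adding one sentence before the command that states what the key is used for and names the namespace, so the reader can judge who else can read that secret before creating it.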
What is the point in asking the user to create the certificates when the controller gets access to the private key the user generated?
We need to present the key during TLS handshake with console.redhat.com. But we can't generate it, because it's provided by the IT team.
| ``` | ||
|
|
||
| That's it. The controller will: | ||
| 1. Read your credentials from `my-pulp-creds` |
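Review bot: step 1, "Read your credentials from `my-pulp-creds`", does not say what scope of secret access the controller holds when it performs that read. Suggest stating next to this step whether the controller can read only the named secret, every secret in the namespace, or more, since readers evaluating the add-on will want that boundary written in the doc itself.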
This controller has read access to all the secrets in the cluster?
In the namespace of the user, not the whole cluster. The controller generates a secret, and reads a secret provided by the user. And we went with the idea of the user storing their cert in a secret to make it easier for any CI/CD type of implementation, safer. The actual certificates don't become part of what is stored in git.
I'm a bit confused, who is the user (can there be more than one user)? In which namespace should the TLS certificate be created?
The user would be the owner of the namespace in a way. If they need integration with Pulp, they use our controller to set up their domain config, the storage config for the domain, inside Pulp itself (it's a hosted service). Without having to contact us, it's meant as an onboarding helper. And then the controller also gives them a pre-populated config file for pulp-cli. And each user would use it to create a secret inside their namespace. This is how it's used today.
✅ Snyk checks have passed. No issues have been found so far.
Documenting the pulp-access-controller as a Konflux add-on