Skip to content
Runbooks

Pulp Infrastructure Setup

Overview

Section titled “Overview”

This document describes the step-by-step to setup a Pulp environment (similarly, you can also use it as a reference when redeploying Pulp on an existing environment).

This guide relies on the current automation and Infrastructure-as-Code (IaC) which are currently used to deploy Pulp. Thus, it won’t go into details about each components or explain infrastructre architect. This is rather a glue between the existing automation and remaining manual steps we need to do to deploy Pulp.

Instruction

Section titled “Instruction”

  1. Terraform setup: Create a new file in environments/<env>/pulp.tf in the config-mgmt repository and adapt the values. You can refer to environments/ops/pulp.tf as an example. Apply the new environment via a MR.

  2. Create a new database user:

    • Access the new CloudSQL instance created by Terraform on the GCP Console
    • Go to Users
    • Create a new user named pulp
    • Note down the password for the next step

  3. Vault setup: A Pulp setup requires 4 Vault items in the location k8s/<env>-gitlab-gke/pulp/:

    • memorystore: MemoryStore connection details. It is created by Terraform. Nothing to do here.

    • gpg: Create a key private_key with the value is a valid private key used for GPG

    • admin-password: Create a key password with the value is a random string used as Pulp’s admin password

    • db: Add the folllwing JSON value, in which you only need to update POSTGRES_PASSWORD from the password created in the previous step:

      {
        "POSTGRES_DB_NAME": "pulp",
        "POSTGRES_HOST": "pulp-sql-proxy",
        "POSTGRES_PASSWORD": "CHANGEME",
        "POSTGRES_PORT": "5432",
        "POSTGRES_SSLMODE": "prefer",
        "POSTGRES_USERNAME": "pulp"
      }

  4. Helm setup:

    1. Open the gitlab-helmfiles repository
    2. Copy the pulp block from bases/environments/ops.yaml to bases/environments/<env>.yaml
    3. Go to releases/pulp/values-secrets/. Clone ops.yaml.gotmpl to <env>.yaml.gotmpl. Adapt the Vault secret versions in the new file
    4. Go to releases/pulp/values-sql-proxy. Clone ops.yaml.gotmpl to <env>.yaml.gotmpl. Replace the instance value with the CloudSQL instance name created by Terraform in the previous step
    5. Go to releases/pulp/. Clone ops.yaml.gotmpl to <env>.yaml.gotmpl. Replace the following values:
      • fqdn: the full domain name to access the Pulp instance
      • loadBalancerIP: Go to the GCP’s IP address page, choose the right project, and then filter by pulp-gke-ingress-. You should find only one result. This is the IP address created by Terraform. Use the IP address for loadBalancerIP
      • pulpCert.issuerRef.name: Depend on the domain name, choose the right SSL certificate issuer. As a rule of thumb:
        • *.gitlab.net: Use gitlab-combined
        • *.gitlab.com: Use cloudflare-issuer
    6. Apply via an MR

Testing the setup

Section titled “Testing the setup”

Performing the following simple tests to validate if the setup is accessible:

  • Access the Pulp instance’s domain name

  • Create a test repository:

    Terminal window
    export PULP_ADMIN_PASSWORD=$(kubectl get secret pulp-custom-admin-password -o jsonpath='{.data.password}' | base64 -d)
    export PULP_DOMAIN=<pulp-domain>
    pulp config create --base-url "https://${PULP_DOMAIN}" --api-root "/pulp/" --verify-ssl --format json --force --username admin --password "${PULP_ADMIN_PASSWORD}" --timeout 0 --overwrite
    pulp deb repository create --name=variant-1-bookworm