
Azure Commercial low-side E2E runbook

Scope

Low-side only, Azure Commercial only, Milestone 1 Ubuntu 22.04 (jammy) content path only.

Azure Ubuntu mirror Low-side Pulp Export evidence bundle

Inputs and references

Prerequisites

Use docs/runbooks/low-side-azure-prereqs.md as the authoritative prerequisite checklist.

Deploy to Azure portal button

For first-time evaluators who want to inspect resources before scripting, the README ships two one-click buttons that open the Azure Custom Deployment wizard pre-loaded with infra/low-side/main.json:

| Cloud | Button |
|---|---|
| Azure Commercial | Deploy to Azure |
| Azure US Government | Deploy to Azure US Government |

The button deploys the same infra/low-side/main.json that scripts/quickstart.sh deploys — it is a compiled output of main.bicep and must never be hand-edited. For full automation (idempotency, validation, and secret bootstrapping) the scripts/quickstart.sh path below is strongly recommended over the portal button.

Happy path

  1. Deploy the low-side Azure substrate:
    az deployment group create \
      --resource-group <rg> \
      --template-file infra/low-side/main.bicep \
      --parameters infra/low-side/main.public.local.bicepparam
    
  2. Create an evidence directory such as artifacts/e2e/<timestamp>/ and tee wrapper output into it.
  3. Run the zero-touch wrapper:
    automation/bootstrap/run_e2e.sh --resource-group <rg>
    
  4. Review the wrapper output, Pulp status response, and jammy Release checks captured under the evidence directory.

The zero-touch wrapper automation/bootstrap/run_e2e.sh handles Key Vault runtime secret preparation, ACA image build/deploy, upstream validation, database initialization, and final API/content verification. Manual platform edits are forbidden in the happy path; see the Break-Glass appendix at the end of this file for emergency-only commands.
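Step 2 has a pitfall that affects the wrapper-execution gate: piping run_e2e.sh straight into tee reports tee's exit status, so a failed wrapper can look like a pass. The following is an added example, not code from this repository, showing one way to capture the output and the real exit status together. The function names, the wrapper.log, exit_code and SHA256SUMS file names, and the timestamp format in the usage comment are assumptions, and it expects coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not repository code). File names wrapper.log, exit_code and
# SHA256SUMS are assumptions. Requires coreutils sha256sum.

# run_with_evidence <evidence-dir> <command> [args...]
# Streams the command's stdout+stderr to the terminal and to wrapper.log,
# records its real exit status, and returns that status to the caller.
run_with_evidence() {
  evidence_dir=$1; shift
  mkdir -p "$evidence_dir" || return 2
  rm -f "$evidence_dir/exit_code"
  # `cmd | tee log` alone would return tee's status and hide a failed wrapper,
  # so the status is written to a file from inside the pipeline.
  { st=0; "$@" 2>&1 || st=$?; echo "$st" > "$evidence_dir/exit_code"; } |
    tee "$evidence_dir/wrapper.log"
  rc=$(cat "$evidence_dir/exit_code" 2>/dev/null) || rc=2
  [ -n "$rc" ] || rc=2
  # Hash the evidence so later edits to the bundle are detectable.
  ( cd "$evidence_dir" && sha256sum wrapper.log exit_code > SHA256SUMS ) || return 2
  return "$rc"
}

# gate_wrapper_execution <evidence-dir>
# Pass only if output was captured, the recorded status is 0, and the
# recorded hashes still match the files.
gate_wrapper_execution() {
  d=$1
  [ -s "$d/wrapper.log" ] || { echo "FAIL: missing evidence" >&2; return 1; }
  [ "$(cat "$d/exit_code" 2>/dev/null)" = "0" ] ||
    { echo "FAIL: non-zero exit" >&2; return 1; }
  ( cd "$d" && sha256sum -c SHA256SUMS >/dev/null 2>&1 ) ||
    { echo "FAIL: evidence changed after capture" >&2; return 1; }
  echo "PASS: wrapper execution"
}

# Usage (placeholders as in the runbook; timestamp format is an assumption):
#   dir="artifacts/e2e/$(date -u +%Y%m%dT%H%M%SZ)"
#   run_with_evidence "$dir" automation/bootstrap/run_e2e.sh --resource-group <rg>
#   gate_wrapper_execution "$dir"
```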

Transparent wrapper expansion

run_e2e.sh performs this sequence on behalf of the operator:

  1. Ensure the Key Vault runtime secrets exist with prepare_container_apps.py.
  2. Validate upstream reachability with fallback enabled.
  3. Build the derived runtime image in ACR and deploy the ACA apps/jobs with deploy_container_apps.py.
  4. Start and wait for the pulp-db-init ACA job.
  5. Poll the ACA API ingress until /pulp/api/v3/status/ returns HTTP 200.
  6. Start and wait for the pulp-reconcile ACA job.
  7. Verify the base, updates, and security Release files return HTTP 200 and preserve evidence in artifacts/e2e/<timestamp>/.

For the canonical bootstrap command shapes, use docs/runbooks/pulp-bootstrap.md instead of duplicating them here.

Pass/fail gates

| Gate | Pass criteria | Fail criteria |
|---|---|---|
| Wrapper execution | run_e2e.sh exits 0 | non-zero exit or missing evidence |
| Pulp health | ACA API ingress /pulp/api/v3/status/ returns HTTP 200 | non-200 or timeout |
| Jammy distributions | base, updates, and security Release files return HTTP 200 | missing path or non-200 |
| ACA bootstrap jobs | pulp-db-init and pulp-reconcile executions succeed | failed execution, timeout, or missing execution evidence |
| Secret hygiene | no secret lands in tracked repo files | any secret written into committed source paths |

Break-Glass appendix

The Azure Container Apps low-side path has no VM host. Break-glass actions are limited to platform-native diagnostics such as az containerapp logs show, az containerapp exec, and az containerapp job execution show, and they are not part of the documented happy path.