# Low-side Pulp 3 configuration for Milestone 1

## Purpose

This runbook defines the required low-side configuration for the Milestone 1 Pulp 3 control plane. It is limited to:

- the connected low side only,
- Ubuntu 22.04 (`jammy`) validation,
- the Azure Container Apps deployment model,
- local Docker validation before the Azure rollout.

For the Azure service model itself, also review `low-side-azure-prereqs.md`.
## Source-of-truth files

| File | What it controls |
|---|---|
| `config/environments/low-side.yaml` | environment identity, bootstrap defaults, and validation targets |
| `config/pulp/settings.yaml` | runtime settings contract and env var names |
| `config/repos/ubuntu-jammy.yaml` | Milestone 1 repo matrix and upstream metadata |
| `runtime/compose/.env.example` | local Docker variable template |
| `infra/low-side/*.bicep` | Azure deployment inputs, outputs, and service dependencies |
## Milestone 1 boundaries

### In scope

- Pulp 3 with DEB/RPM-capable runtime scaffolding
- Ubuntu `jammy`, `jammy-updates`, and `jammy-security`
- `amd64` architecture only
- stable internal base paths for future consumers
- Azure Files transitional shared storage now, Azure Blob wiring next

### Out of scope

- high-side import or hydration,
- Red Hat entitlement onboarding,
- production media transfer,
- full release-cycle automation beyond the bootstrap scaffold.
## Required Azure deployment inputs

These values are parameterized in `infra/low-side/main.bicep` and related modules.

| Parameter | Required | Default | Why it matters |
|---|---|---|---|
| `location` | no | resource group region | Azure placement for the low-side footprint |
| `namePrefix` | no | `pulpm1` | short naming prefix for all resources |
| `environment` | no | `low` | resource suffix and tagging |
| `enablePublicValidation` | no | `true` | exposes ACA ingress for operator validation and approved clients |
| `repoClientAddressPrefix` | yes for E2E | none | limits who can reach published repo endpoints through ACA ingress |
| `postgresAdminLogin` | no | `pulpadmin` | PostgreSQL admin login name |
| `postgresAdminPassword` | yes | none | secure DB bootstrap secret |
| `postgresDatabaseName` | no | `pulpcore` | Pulp metadata database name |
| `storageSku` | no | `Standard_LRS` | artifact/export storage tier |
| `acrSku` | no | `Basic` | image registry tier |
| `redisSkuName` / `redisCapacity` | no | `Standard` / `1` | async task backing for Pulp |
| `serviceBusSku` | no | `Standard` | placeholder orchestration backplane |
| `keyVaultAccessObjectIds` | no | `[]` | grants secret-read rights to operators or automation |
## Runtime configuration values

The runtime contract lives in `config/pulp/settings.yaml`, `runtime/container-apps/Dockerfile`, and the ACA deployment template `infra/low-side/containerapps.bicep`.

| Variable | Used for | Milestone 1 expectation |
|---|---|---|
| `PULP_API_BASE_URL` | API origin for automation and health checks | local `http://localhost:18080`; Azure maps to the ACA API hostname |
| `PULP_CONTENT_ORIGIN` | content publishing origin | local `http://localhost:18081`; Azure maps to the ACA content hostname |
| `PULP_ALLOWED_HOSTS_CSV` | host allow-list for Django/Pulp | comma-separated list for local hostnames and service names |
| `PULP_SECRET_KEY` | Django/Pulp application secret | generate locally; never commit |
| `PULP_ADMIN_USERNAME` | admin bootstrap account name | `admin` is acceptable for Milestone 1 |
| `PULP_ADMIN_PASSWORD` | admin bootstrap password | store only in `.env` or Key Vault |
| `POSTGRES_HOST` / `POSTGRES_PORT` | DB endpoint wiring | `postgres:5432` locally; Azure PostgreSQL FQDN in ACA |
| `POSTGRES_DB` / `POSTGRES_USER` / `POSTGRES_PASSWORD` | Pulp DB identity | local scaffold values now; Key Vault-backed values in ACA |
| `PULP_REDIS_URL` | async task queue connection | local Redis URL now; secret-backed `rediss://` URL in ACA |
| `AZURE_STORAGE_ACCOUNT` / `AZURE_STORAGE_KEY` / `AZURE_STORAGE_CONTAINER` | Blob artifact backend migration target | staging values remain source-driven; do not hard-code secrets |
| `KEY_VAULT_URI` | secret lookup target | set only after the Azure Key Vault exists |
| `SYNC_ON_BOOTSTRAP` | whether bootstrap should sync content | `false` by default for safe validation |
| `PUBLISH_ON_BOOTSTRAP` | whether bootstrap should publish distributions | `false` by default for safe validation |
## Current storage posture

- Current ACA transition mode: Azure Files mounted at `/var/lib/pulp`
- Target Azure mode: Blob-backed artifacts using the storage account created by `infra/_shared/storage.bicep`
## Secrets handling

### Local Docker validation

Keep secrets and locally generated key material out of Git:

- `runtime/compose/.env`
- `runtime/compose/pulp/certs/`

Only the templates and scaffolding belong in the repo.
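Before bringing the local stack up, it is worth checking that a filled-in `.env` actually honours the runtime contract from the table above: every variable present, the three secrets generated rather than left at a template value, and the bootstrap flags still `false`. The script below is an added example, not the project's own tooling; the variable names are those of the runtime contract, while the policy it enforces (placeholder patterns, a 32-character minimum for `PULP_SECRET_KEY`, no `*` in the host allow-list) is this example's own assumption for the local validation profile. The sample `.env` it ships with is constructed and deliberately carries three defects.

```python
"""Preflight for runtime/compose/.env before local Docker validation.

Added example, not the project's own tooling. Variable names follow the
runtime configuration table; the checks (placeholder rejection, minimum
PULP_SECRET_KEY length, bootstrap flags held at false, no wildcard host)
are this example's assumed local-validation policy.
"""
from __future__ import annotations

import re
import sys

# Variables the Milestone 1 contract expects for the local Docker path.
REQUIRED = (
    "PULP_API_BASE_URL", "PULP_CONTENT_ORIGIN", "PULP_ALLOWED_HOSTS_CSV",
    "PULP_SECRET_KEY", "PULP_ADMIN_USERNAME", "PULP_ADMIN_PASSWORD",
    "POSTGRES_HOST", "POSTGRES_PORT", "POSTGRES_DB", "POSTGRES_USER",
    "POSTGRES_PASSWORD", "PULP_REDIS_URL",
)
# Values that must be generated locally and never left at a template value.
SECRETS = ("PULP_SECRET_KEY", "PULP_ADMIN_PASSWORD", "POSTGRES_PASSWORD")
PLACEHOLDER = re.compile(r"^(|changeme|change-me|replace-me|<[^>]*>|x+)$", re.IGNORECASE)
MIN_SECRET_KEY_LEN = 32  # assumed policy, not a value from the runbook
# Bootstrap side effects are off by default for safe validation.
BOOTSTRAP_FLAGS = ("SYNC_ON_BOOTSTRAP", "PUBLISH_ON_BOOTSTRAP")

# Constructed sample .env (not the repo's template) with three defects:
# a placeholder secret key, an empty DB password, and sync switched on.
SAMPLE_ENV = """\
# constructed sample, not runtime/compose/.env.example
PULP_API_BASE_URL=http://localhost:18080
PULP_CONTENT_ORIGIN=http://localhost:18081
PULP_ALLOWED_HOSTS_CSV=localhost,pulp-api,pulp-content
PULP_SECRET_KEY=changeme
PULP_ADMIN_USERNAME=admin
PULP_ADMIN_PASSWORD="s3cret-local-only"
POSTGRES_HOST=postgres
POSTGRES_PORT=5432
POSTGRES_DB=pulpcore
POSTGRES_USER=pulp
export POSTGRES_PASSWORD=
PULP_REDIS_URL=redis://redis:6379/0
SYNC_ON_BOOTSTRAP=true
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines roughly as Compose does: blank lines and '#'
    comments are skipped, an optional 'export ' prefix and one layer of
    matching quotes are stripped, later keys override earlier ones."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.removeprefix("export ").strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def check_env(env: dict[str, str]) -> list[str]:
    """Return the contract violations found; an empty list means pass."""
    problems: list[str] = []
    for name in REQUIRED:
        if name not in env:
            problems.append(f"{name}: missing")
    for name in SECRETS:
        if name in env and PLACEHOLDER.match(env[name]):
            problems.append(f"{name}: empty or placeholder value")
        elif name == "PULP_SECRET_KEY" and name in env and len(env[name]) < MIN_SECRET_KEY_LEN:
            problems.append(f"{name}: shorter than {MIN_SECRET_KEY_LEN} characters")
    for name in BOOTSTRAP_FLAGS:
        value = env.get(name, "false").strip().lower()
        if value not in ("true", "false"):
            problems.append(f"{name}: must be true or false, got {value!r}")
        elif value == "true":
            problems.append(f"{name}: enabled; keep false for local validation")
    hosts = [h.strip() for h in env.get("PULP_ALLOWED_HOSTS_CSV", "").split(",")]
    if "*" in hosts:
        problems.append("PULP_ALLOWED_HOSTS_CSV: wildcard allow-list")
    return problems


if __name__ == "__main__":
    # Usage: python preflight_env.py [path/to/runtime/compose/.env]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    findings = check_env(parse_dotenv(text))
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Run it against `runtime/compose/.env` before `docker compose up`; a non-zero exit means the file would either fail to start Pulp or would start it with a committed-template secret or with bootstrap side effects the validation path is not meant to trigger.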
### Azure rollout

Use secure Bicep parameters and Key Vault-backed references rather than embedding values in YAML or Compose files. The ACA scaffolding uses a user-assigned identity plus Key Vault Secrets User access.

Recommended Key Vault inventory:

| Secret name | Maps to |
|---|---|
| `pulp-admin-password` | `PULP_ADMIN_PASSWORD` |
| `pulp-db-password` | `POSTGRES_PASSWORD` |
| `pulp-secret-key` | `PULP_SECRET_KEY` |
| `pulp-storage-account-key` | `AZURE_STORAGE_KEY` |
| `rhsm-username` | future Red Hat onboarding |
| `rhsm-password` | future Red Hat onboarding |
| `pulp-tls-cert` | low-side HTTPS certificate |
| `pulp-tls-key` | low-side HTTPS private key |
## Repo matrix inputs for Milestone 1

The repo matrix is defined in `config/repos/ubuntu-jammy.yaml`.

### Global inputs

- upstream provider: `ubuntu.com`
- primary upstream URL: `https://archive.ubuntu.com/ubuntu/`
- fallback upstream URL: `https://archive.ubuntu.com/ubuntu/`
- architecture set: `amd64`
- sync policy: `immediate`
- `sync_udebs`: `false`
### Repository set

| Repository | Ubuntu pocket | Components | Stable base path | Retention |
|---|---|---|---|---|
| `ubuntu-jammy-amd64-base` | `jammy` | main, restricted, universe, multiverse | `ubuntu/jammy/amd64/base` | 3 versions |
| `ubuntu-jammy-amd64-updates` | `jammy-updates` | main, restricted, universe, multiverse | `ubuntu/jammy/amd64/updates` | 3 versions |
| `ubuntu-jammy-amd64-security` | `jammy-security` | main, restricted, universe, multiverse | `ubuntu/jammy/amd64/security` | 5 versions |

### Why this matrix shape was chosen

- one remote per pocket keeps reconciliation predictable,
- stable base paths keep downstream client URLs unchanged,
- retention remains intentionally small for Milestone 1 while preserving rollback evidence.
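The three design rules above, together with the Milestone 1 boundaries (Ubuntu `jammy` pockets only, `amd64` only, the approved upstream), are mechanically checkable, and the handoff checklist later in this runbook asks for exactly that confirmation. The script below is an added example rather than project code: its three entries mirror the repository table, but the dict layout (`name`, `pocket`, `components`, `architectures`, `upstream`, `base_path`, `retain_versions`) is an assumed shape, not the schema of `config/repos/ubuntu-jammy.yaml`, so loading the real file would need a small mapping step.

```python
"""Scope check for the Milestone 1 repo matrix.

Added example, not the project's own tooling. The entries mirror the
repository table in the runbook; the dict layout is this example's assumed
shape, not the schema of config/repos/ubuntu-jammy.yaml.
"""
from __future__ import annotations

# Milestone 1 boundaries as stated in the runbook.
APPROVED_POCKETS = {"jammy", "jammy-updates", "jammy-security"}
APPROVED_ARCHES = {"amd64"}
APPROVED_COMPONENTS = {"main", "restricted", "universe", "multiverse"}
APPROVED_UPSTREAMS = {"https://archive.ubuntu.com/ubuntu/"}
# Stable base paths all hang off one prefix so client URLs never move.
BASE_PATH_PREFIX = "ubuntu/jammy/amd64/"

_COMPONENTS = ["main", "restricted", "universe", "multiverse"]
_UPSTREAM = "https://archive.ubuntu.com/ubuntu/"

# Constructed from the repository table; the key names are assumed.
MATRIX = [
    {"name": "ubuntu-jammy-amd64-base", "pocket": "jammy",
     "components": _COMPONENTS, "architectures": ["amd64"], "upstream": _UPSTREAM,
     "base_path": "ubuntu/jammy/amd64/base", "retain_versions": 3},
    {"name": "ubuntu-jammy-amd64-updates", "pocket": "jammy-updates",
     "components": _COMPONENTS, "architectures": ["amd64"], "upstream": _UPSTREAM,
     "base_path": "ubuntu/jammy/amd64/updates", "retain_versions": 3},
    {"name": "ubuntu-jammy-amd64-security", "pocket": "jammy-security",
     "components": _COMPONENTS, "architectures": ["amd64"], "upstream": _UPSTREAM,
     "base_path": "ubuntu/jammy/amd64/security", "retain_versions": 5},
]


def check_matrix(matrix: list[dict]) -> list[str]:
    """Return scope violations; an empty list means the matrix stays inside Milestone 1."""
    problems: list[str] = []
    remote_for_pocket: dict = {}
    owner_of_path: dict[str, str] = {}
    for repo in matrix:
        name = repo.get("name", "<unnamed>")
        pocket = repo.get("pocket")
        if pocket not in APPROVED_POCKETS:
            problems.append(f"{name}: pocket {pocket!r} outside Milestone 1 scope")
        # One remote per pocket keeps reconciliation predictable.
        if pocket in remote_for_pocket:
            problems.append(f"{name}: second remote for pocket {pocket!r} "
                            f"(already {remote_for_pocket[pocket]})")
        else:
            remote_for_pocket[pocket] = name
        for arch in sorted(set(repo.get("architectures", [])) - APPROVED_ARCHES):
            problems.append(f"{name}: architecture {arch!r} outside Milestone 1 scope")
        for comp in sorted(set(repo.get("components", [])) - APPROVED_COMPONENTS):
            problems.append(f"{name}: component {comp!r} not in the approved set")
        if repo.get("upstream") not in APPROVED_UPSTREAMS:
            problems.append(f"{name}: upstream {repo.get('upstream')!r} is not an approved mirror")
        # Stable base paths: one segment under the fixed prefix, unique per repo.
        base_path = repo.get("base_path", "")
        well_formed = (base_path.startswith(BASE_PATH_PREFIX)
                       and not base_path.endswith("/")
                       and base_path.count("/") == BASE_PATH_PREFIX.count("/"))
        if not well_formed:
            problems.append(f"{name}: base path {base_path!r} does not follow "
                            f"{BASE_PATH_PREFIX}<repo>")
        elif base_path in owner_of_path:
            problems.append(f"{name}: base path {base_path!r} already used by "
                            f"{owner_of_path[base_path]}")
        else:
            owner_of_path[base_path] = name
        retain = repo.get("retain_versions")
        if not isinstance(retain, int) or retain < 1:
            problems.append(f"{name}: retain_versions must be a positive integer")
    # Every approved pocket should be mirrored, otherwise clients lose a pocket.
    for pocket in sorted(APPROVED_POCKETS - set(remote_for_pocket)):
        problems.append(f"pocket {pocket!r} has no repository in the matrix")
    return problems


if __name__ == "__main__":
    for problem in check_matrix(MATRIX) or ["matrix is within Milestone 1 scope"]:
        print(problem)
```

The check is intentionally strict about the base path shape: a repository that drifts to another prefix would still sync and publish, but every downstream `sources.list` pointing at the stable path would break, which is the failure the matrix design is meant to rule out.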
## Azure handoff checklist after local validation

Before moving the low-side stack into Azure, confirm that you have:

- selected the final `namePrefix`, region, and network ranges,
- loaded the required secrets into Key Vault,
- recorded the Bicep outputs for the ACA environment, PostgreSQL FQDN, Redis host, storage account, Key Vault URI, ACR login server, and planned API/content URLs,
- kept the repo matrix limited to the approved Milestone 1 Ubuntu scope,
- validated the Docker path locally using the companion runbook: `local-validation.md`.