133 changes: 133 additions & 0 deletions modules/building/pages/pulp-access.adoc
@@ -0,0 +1,133 @@
= Getting Access to Pulp Storage

Pulp is the artifact storage system for non-container artifacts, including RPMs, Python wheels, Go modules, and generic files. Container images are stored in Quay, while all other build artifacts are stored in Pulp.

To build RPMs or publish Python packages, configure Pulp access in your namespace.

== What you get

When you create a `PulpAccessRequest`, the pulp-access-controller sets up:

* A secret called `pulp-access` with pre-configured CLI settings
* A dedicated Pulp domain (named `konflux-<your-namespace>`)
* mTLS authentication using your certificates
* Optionally, Quay.io as an OCI storage backend

The secret includes all required configuration for builds to push artifacts to Pulp. No manual configuration is required.

== Basic setup

First, create a secret with your TLS certificate and key:

[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
name: my-pulp-creds
namespace: my-namespace
type: Opaque
stringData:
cert: |
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKJ...
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BA...
-----END PRIVATE KEY-----
----

Then create a `PulpAccessRequest`:

[source,yaml]
----
apiVersion: pulp.konflux-ci.dev/v1alpha1
kind: PulpAccessRequest
metadata:
name: my-pulp-access
namespace: my-namespace
spec:
credentialsSecretName: my-pulp-creds
----

The controller will create a domain called `konflux-my-namespace` in Pulp and generate the `pulp-access` secret with everything configured.

== Certificate naming

The controller accepts either of the following naming conventions in your credentials secret:

* `cert` and `key` (shown above)
* `tls.crt` and `tls.key` (if copying from a TLS secret)

Both conventions are functionally equivalent.

== Using it in builds

After the secret is created, mount it in your build pods.

The secret includes a `cli.toml` file pre-configured with the domain and mTLS settings. No additional configuration for pulp-cli is required.

== With Quay backend (advanced)

To configure Pulp to store container images using Quay as the backend, add `use_quay_backend: true`:

[source,yaml]
----
apiVersion: pulp.konflux-ci.dev/v1alpha1
kind: PulpAccessRequest
metadata:
name: pulp-with-quay
namespace: my-namespace
spec:
credentialsSecretName: my-pulp-creds
use_quay_backend: true
----

This creates an ImageRepository and configures Quay for OCI storage. This option is primarily useful for custom container image workflows through Pulp.

== Verifying the setup

After creating the PulpAccessRequest, verify that it is ready:

[source,bash]
----
kubectl get pulpaccessrequest my-pulp-access -o yaml
----

Look for the status section. If `conditions` shows `Ready: True`, the setup is complete. The status also includes:

* `domain`: The Pulp domain that was created
* `domainCreated`: Whether the domain creation succeeded
* `secretName`: Name of the generated secret (always `pulp-access`)

Quick check:

[source,bash]
----
kubectl get pulpaccessrequest my-pulp-access -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
----

If the output is `True`, the configuration is complete.

== Common issues

**Secret not found**: Verify that the credentials secret exists in the same namespace before creating the PulpAccessRequest.

**Domain creation fails**: The TLS certificate requires proper permissions for the Pulp API. Contact your platform team for assistance.

**Cannot find the pulp-access secret**: The secret is created in the same namespace as the PulpAccessRequest. Verify that you are looking in the correct namespace.

**Pulp cannot authenticate**: Verify that the secret is mounted correctly and that the environment variables (`PULP_CLI_CONFIG`, `PULP_CERT`, `PULP_KEY`) are set properly.

== Why use Pulp?

Using Pulp provides the following benefits:

* **Centralized storage**: All artifacts in one place for easy tracking and management
* **Versioning**: Pulp keeps track of different versions of your artifacts
* **Access control**: Proper authentication and domain isolation
* **Distribution**: Built-in content delivery for your artifacts
* **Multi-format support**: RPMs, Python wheels, generic files, and more

For non-container artifacts, Pulp is the recommended storage solution.
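
Review bot: The "Using it in builds" section tells readers to mount the `pulp-access` secret but never shows how, and the `PULP_CLI_CONFIG`, `PULP_CERT` and `PULP_KEY` variables first appear under "Common issues" without having been introduced. Please add a short mount example to that section and state which of those variables the reader must set and to what paths, so the troubleshooting entry has something to refer back to. In the Quay example, `use_quay_backend: true` is snake_case while the sibling field `credentialsSecretName` is camelCase; confirm the spelling against the CRD, since a mistyped spec field is easy to miss. The "Basic setup" manifest embeds the private key under `stringData`, which invites committing it to Git; consider adding a sentence that the key should not be checked in, and showing creation from local files with `kubectl create secret generic my-pulp-creds --from-file=cert=... --from-file=key=...` as an alternative. Minor: the intro says container images are stored in Quay and everything else in Pulp, while the advanced section describes Pulp storing container images with Quay as the backend; one sentence reconciling the two would help. The bold labels under "Common issues" use Markdown-style `**...**`; AsciiDoc's usual form is `*...*`.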