pulp_auth_proxy: Support deploying on hosts without Docker bridge networking

markgoddard · markgoddard · commit e01f23e09ce9 · 2024-06-25T12:55:33.000Z
We need to tell Docker to use host networking when bridge networking is not enabled.
diff --git a/doc/source/contributor/environments/ci-builder.rst b/doc/source/contributor/environments/ci-builder.rst
@@ -123,6 +123,13 @@ Pulp proxy that injects an HTTP basic auth header into requests that it
 proxies. Because this proxy bypasses Pulp's authentication, it must not be
 exposed to any untrusted environment.
 
+Ensure that ``localhost`` is resolvable if Docker bridge networking is
+disabled. This may be achieved by adding the following to ``/etc/hosts``:
+
+.. parsed-literal::
+
+   127.0.0.1 localhost
+
 To deploy the proxy:
 
 .. parsed-literal::
diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml
@@ -5,3 +5,4 @@ pulp_auth_proxy_password:
 pulp_auth_proxy_conf_path:
 pulp_auth_proxy_listen_ip: 127.0.0.1
 pulp_auth_proxy_listen_port: 80
+pulp_auth_proxy_network_mode:
diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml
@@ -1,4 +1,24 @@
 ---
+- when: pulp_auth_proxy_network_mode is none
+  block:
+    - name: Check if Docker bridge network exists
+      community.docker.docker_host_info:
+        networks: true
+      register: docker_host_info
+
+    - name: Set a fact about the network mode
+      ansible.builtin.set_fact:
+        pulp_auth_proxy_network_mode: "{{ 'host' if docker_host_info.networks | selectattr('Driver', 'equalto', 'bridge') | list | length == 0 else 'bridge' }}"
+
+- name: Assert that localhost is resolvable when using host networking
+  assert:
+    that:
+      - "'localhost' is ansible.utils.resolvable"
+    fail_msg: >-
+      localhost must be resolvable when using Docker host networking with this container.
+      Consider adding '127.0.0.1 localhost' to /etc/hosts.
+  when: pulp_auth_proxy_network_mode == 'host'
+
 - name: "Ensure {{ pulp_auth_proxy_conf_path }} exists"
   ansible.builtin.file:
     path: "{{ pulp_auth_proxy_conf_path }}"
@@ -18,6 +38,7 @@
   community.docker.docker_container:
     name: pulp_proxy
     image: nginx:stable-alpine
+    network_mode: "{{ pulp_auth_proxy_network_mode }}"
     ports:
       - "{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}:80"
     restart_policy: "no"
