Settings
Pulp uses dynaconf for its settings, which lets you configure Pulp through a
configuration file (/etc/pulp/settings.py) that is automatically created by
Pulp Operator.
Check the pulpcore documentation for the list of available settings: Pulp Settings.
View Settings
To list the effective settings on a Pulp installation, run the command dynaconf list
from a Pulp API pod:
$ kubectl exec $(kubectl get deployment -oname -l app.kubernetes.io/component=api) -- dynaconf list
To check the settings.py file:
$ kubectl exec $(kubectl get deployment -oname -l app.kubernetes.io/component=api) -- cat /etc/pulp/settings.py
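The following is an added example, not part of the Pulp Operator documentation: a Python script that parses the text of settings.py (for instance, the output of the cat command above) without executing it and flags a few of the settings described on this page. The function names, the sample input, and the choice of which sslmode values and checksum algorithms to flag are assumptions made for illustration.

```python
import ast

# libpq sslmode values that still permit an unencrypted connection
PLAINTEXT_SSLMODES = {"disable", "allow", "prefer"}
# Checksum algorithms treated as weak in this example (assumed policy)
WEAK_CHECKSUMS = {"md5", "sha1"}

def parse_settings(text):
    """Collect literal top-level assignments without executing the file."""
    found = {}
    for node in ast.parse(text).body:
        target = node.targets[0] if isinstance(node, ast.Assign) else None
        if isinstance(target, ast.Name):
            try:
                found[target.id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                continue  # non-literal expression: leave for manual review
    return found

def audit(settings):
    """Return a list of (setting, message) findings."""
    findings = []
    db = settings.get("DATABASES", {}).get("default", {})
    sslmode = db.get("OPTIONS", {}).get("sslmode")
    if sslmode is None or sslmode in PLAINTEXT_SSLMODES:
        findings.append(("DATABASES", f"sslmode={sslmode!r} permits an unencrypted connection"))
    if settings.get("TOKEN_AUTH_DISABLED") is True:
        findings.append(("TOKEN_AUTH_DISABLED", "differs from the operator default (False)"))
    weak = WEAK_CHECKSUMS & set(settings.get("ALLOWED_CONTENT_CHECKSUMS", []))
    if weak:
        findings.append(("ALLOWED_CONTENT_CHECKSUMS", f"weak algorithms: {sorted(weak)}"))
    if settings.get("CACHE_ENABLED") and not settings.get("REDIS_PASSWORD"):
        findings.append(("REDIS_PASSWORD", "cache enabled without a Redis password"))
    return findings

# Constructed sample, not output from a real installation
SAMPLE = '''
DATABASES = {"default": {"HOST": "db.example", "OPTIONS": {"sslmode": "prefer"}}}
CACHE_ENABLED = True
REDIS_PASSWORD = ""
TOKEN_AUTH_DISABLED = False
ALLOWED_CONTENT_CHECKSUMS = ["sha256", "sha512", "md5"]
'''

if __name__ == "__main__":
    for name, message in audit(parse_settings(SAMPLE)):
        print(f"{name}: {message}")
```

Because the file is parsed with ast rather than imported, credentials in it are never evaluated by the script, and any value that is not a plain literal is skipped and left for manual review.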
Pulp Server Secret
To share the settings between Pulp pods, Pulp Operator creates a
Kubernetes Secret (the pulp-server Secret) based on the definitions of Pulp CR.
There are 2 ways to configure the settings:
Pulp Operator Defined Settings
The following settings (database, cache, secret_key, etc) are all
"abstracted" from Pulp CR definitions and, under the hood, the operator
translates/migrates these configs into settings.py. To modify them, modify the
corresponding field or resource.
Database
If database.external_db_secret is defined, Pulp Operator will configure the
settings.py file with the values from the Secret. If not, it will use the
configs from the self-managed database.
DATABASES = {
    'default': {
        'HOST': ...,
        'ENGINE': ...,
        'NAME': ...,
        'USER': ...,
        'PASSWORD': ...,
        'PORT': ...,
        'CONN_MAX_AGE': 0,
        'OPTIONS': { 'sslmode': ... },
    }
}
Check Configuring Pulp Database for more information on how to configure Pulp database.
Cache
If cache.enabled: true, Pulp Operator will define the REDIS_* settings with
the definitions from the cache.external_cache_secret Secret or from the
self-managed redis instance.
CACHE_ENABLED = True
REDIS_HOST = ...
REDIS_PORT = ...
REDIS_PASSWORD = ...
REDIS_DB = ...
Check Configuring Pulp Cache for more information on how to configure Pulp cache.
Object Storage
If object_storage_azure_secret is defined, Pulp Operator will define the
following fields with the Secret's content:
AZURE_CONNECTION_STRING = ...
AZURE_LOCATION = ...
AZURE_ACCOUNT_NAME = ...
AZURE_ACCOUNT_KEY = ...
AZURE_CONTAINER = ...
AZURE_URL_EXPIRATION_SECS = 60
AZURE_OVERWRITE_FILES = True
DEFAULT_FILE_STORAGE = "storages.backends.azure_storage.AzureStorage"
If object_storage_s3_secret is defined, Pulp Operator will define the
following fields with the Secret's content:
AWS_ACCESS_KEY_ID = ...
AWS_SECRET_ACCESS_KEY = ...
AWS_STORAGE_BUCKET_NAME = ...
AWS_DEFAULT_ACL = "@none None"
S3_USE_SIGV4 = True
AWS_S3_SIGNATURE_VERSION = "s3v4"
AWS_S3_ADDRESSING_STYLE = "path"
DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
MEDIA_ROOT = ""
Check Configuring Pulp storage configuration for more information on how to configure Pulp storage.
Fields that depend on ingress_type
Some fields are defined based on the ingress_type:
ANSIBLE_API_HOSTNAME = ...
CONTENT_ORIGIN = ...
TOKEN_SERVER = ...
- if ingress_type: ingress, the operator will set these fields with the ingress_host value
- if ingress_type: route, it will use the route_host definition
- if ingress_type: "", it will use the hostname from
  - pulp-api Service for the TOKEN_SERVER
  - pulp-web Service for the others
Check Ingress for more information on how to expose Pulp outside of the k8s cluster.
Secret Key
If pulp_secret_key is defined in Pulp CR, Pulp Operator will define the
SECRET_KEY in settings.py with it.
If pulp_secret_key is not defined, Pulp Operator will generate a random key and
configure SECRET_KEY with it.
Check pulp-secret-key for more information about Django Secret Key.
Allowed Checksum
If allowed_content_checksums is defined in Pulp CR, Pulp Operator will define
the ALLOWED_CONTENT_CHECKSUMS in settings.py with it.
If allowed_content_checksums is not defined, the ALLOWED_CONTENT_CHECKSUMS
setting will not be added to the settings.py file.
Check Configuring Pulp Allowed Content Checksums for more information about Pulp allowed checksum algorithms.
LDAP
If ldap.config is defined in Pulp CR, Pulp Operator will make the following
configurations in settings.py:
- update the AUTHENTICATION_BACKENDS:
    AUTHENTICATION_BACKENDS = [
        "django_auth_ldap.backend.LDAPBackend",
        "django.contrib.auth.backends.ModelBackend",
        "pulpcore.backends.ObjectRolePermissionBackend",
    ]
- set the AUTH_LDAP_* fields with the "converted" values from the Secret
  defined in ldap.config (Pulp Operator will change all Secret keys to
  uppercase and parse their values from YAML to a format accepted by Python).
Check LDAP AUTHENTICATION for more information on how to configure Pulp to authenticate using LDAP.
Default Settings
These fields are defined with default values.
DB_ENCRYPTION_KEY = "/etc/pulp/keys/database_fields.symmetric.key"
ANSIBLE_CERTS_DIR = "/etc/pulp/keys/"
PRIVATE_KEY_PATH = "/etc/pulp/keys/container_auth_private_key.pem"
PUBLIC_KEY_PATH = "/etc/pulp/keys/container_auth_public_key.pem"
STATIC_ROOT = "/var/lib/operator/static/"
TOKEN_AUTH_DISABLED = False
TOKEN_SIGNATURE_ALGORITHM = "ES256"
API_ROOT = "/pulp/"
Custom Settings
Warning
Use the custom_pulp_settings field with caution. Since Pulp Operator will
neither manage nor validate the contents of the ConfigMap, providing invalid
values can cause disruption or unexpected behavior.
Most Pulp configuration should be done using the settings presented above,
but sometimes that is not possible. In this case, Pulp CR has the
custom_pulp_settings field, which can be used to define a ConfigMap with the
additional Pulp configurations.
For example, to disable Pulp analytics, first create a new ConfigMap:
$ kubectl create configmap settings --from-literal=ANALYTICS=False
Then update Pulp CR with this new ConfigMap:
spec:
  custom_pulp_settings: settings
Info
The pulp_settings field is deprecated! Use the custom_pulp_settings field instead.