pulp3
| Field |
Value |
| Service |
pulp3 |
| Purpose |
Content distribution platform for Debian and RPM repositories |
| Criticality |
Tier 1 |
| Owner |
Platform / Content supply owner |
| Clusters |
homelab, ozirepo |
| Namespace |
pulp3 |
| Exposure |
internet |
| Stateful |
yes |
| Backup class |
app-native |
| RPO / RTO |
Daily backup target, 4 to 8 hours to restore |
| Last reviewed |
2026-05-20 |
1. Service Overview
Pulp 3 provides repository mirroring, publication, and distribution workflows for Debian and RPM content with internal signing integration.
Summary
If Pulp 3 fails, mirrored repositories and package publication workflows stop until operator, storage, and service state are restored.
Dependencies
| Dependency |
Type |
Why it matters |
| Pulp Operator |
control plane |
Creates and manages the Pulp custom resource |
| Traefik |
ingress |
Exposes the Pulp web and content endpoints |
| PostgreSQL and Redis |
state |
Support Pulp application runtime |
2. Architecture Diagram
[Mirror sync scripts]
-> [Pulp API / content]
-> [PostgreSQL / Redis / PVC-backed storage]
-> [Traefik]
-> [Repository consumers]
3. Deployment Specifications
| Item |
Value |
| Source path |
pulp3/base, pulp3/operator, and pulp3/overlays/* |
| Deployment model |
Operator bootstrap plus Kustomize overlays |
| Namespace |
pulp3 |
| Workload kind |
Operator Deployment plus Pulp custom resource |
| Chart or image version |
Pulp Operator 2.0.0, application image tags from the Pulp CR |
| Config files |
base/kustomization.yaml, operator/kustomization.yaml, overlays/homelab, overlays/ozirepo, fleet.yaml |
Cluster mapping
| Cluster |
Overlay path |
Notes |
| homelab |
pulp3/overlays/homelab |
Current homelab deployment |
| ozirepo |
pulp3/overlays/ozirepo |
Alternate externally exposed deployment |
4. Configuration Guide
Environment variables
| Variable |
Source |
Purpose |
Secret? |
| Pulp settings and signing inputs |
overlay secrets, Pulp settings files, and CR values |
API behavior, signing, and external URL settings |
mixed |
ConfigMaps
| Resource |
Path |
Purpose |
| Pulp settings resources |
pulp3/base and overlay-specific settings |
Control application runtime and external URLs |
Secrets management
- Secret names: admin password, signing passphrases, and overlay-specific credentials in the pulp3 namespace
- Source of truth: local secret input files and generated manifests
- Rotation trigger: signing key changes, admin credential rotation, or migration work
- Recovery note: restore signing passphrases and admin credentials before reconciling the overlay
5. Access Protocols
| Path |
URL or endpoint |
Audience |
Auth |
TLS terminates at |
| Internal |
Pulp web and API services in the pulp3 namespace |
Cluster workloads and operators |
Pulp auth |
Traefik / service |
| External |
Overlay-specific Pulp hostnames exposed through Traefik |
Repository consumers and operators |
Pulp auth and signing trust |
Traefik |
6. Operations and Observability
- Primary health indicators: Pulp CR healthy, operator healthy, content and API pods Ready, and ingress responsive.
- Dashboards or alerts: shared cluster monitoring plus app-level health checks.
- Log locations: operator logs and Pulp workload logs in the pulp3 namespace.
- Known failure modes: operator reconciliation issues, bad secrets, failed content sync, or storage problems.
7. Backup and Recovery Notes
- Backup method: application backup, database backup, and snapshot of content storage.
- Restore prerequisites: restored operator, signing secrets, and persistent content state.
- Related runbook: ../runbooks/pulp3.md
8. Release and Change Notes
- Current deployed app version: see the Pulp CR and operator overlay.
- Current chart version: N/A.
- Last significant change: README and service coverage updated for the embedded operator layout and current overlays.
- Rollback reference: previous operator or overlay revision in Git.