  1. Insights Experiences
  2. HMS-3255

Support content guards in pulp

    • Task
    • Resolution: Done
    • Content

      Goal: 

       

      • We need to protect content in stage and production eventually. While not everything is in place, we can go ahead and do quite a bit of work.
      • The goal of this is to support subscription-manager clients (using an identity cert) and image builder using Turnpike: https://github.com/RedHatInsights/turnpike/blob/master/docs/_index.md
      • Pulp now has an OR content guard which we can use to provide the authentication we need

      Acceptance Criteria:

       

      • For Red Hat repos we do not need a content guard; for now all RH repos are accessible to all users with a valid identity cert (and thus make it past the gateway).
      • For custom repos, we need to use the OR content guard that ORs these two guards together:
        • HeaderContentGuard with org_id that matches the repo's org_id
        • HeaderContentGuard with "subject_dn": "/CN=some-host.example.com", where the subject_dn is configurable.

       

      More info:

       

      https://github.com/pulp/pulpcore/issues/4583

      https://github.com/pulp/pulpcore/issues/4518

       

      We likely can get away with having 1 content guard for each org, and 1 content guard for the 'turnpike' access. This would make it easy to update the turnpike's subject_dn at startup? Which should be done so we can easily adjust it.
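
A minimal model of the access decision in the acceptance criteria, added here as an illustration; it is not Pulp's code or part of the original ticket. The header name `x-rh-identity`, its base64-JSON encoding, the claim paths and all function names are assumptions.

```python
import base64
import binascii
import json

# Assumed, not from the ticket: identity arrives as base64 JSON in "x-rh-identity",
# with identity.org_id and identity.x509.subject_dn as the claim paths.
IDENTITY_HEADER = "x-rh-identity"


def decode_identity(headers):
    """Return the decoded identity dict, or None if absent or malformed."""
    raw = headers.get(IDENTITY_HEADER)
    if not raw:
        return None
    try:
        doc = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        return None
    return doc if isinstance(doc, dict) else None


def header_guard(path, expected):
    """Build a guard that permits only when the value at `path` equals `expected`."""
    def permit(headers):
        node = decode_identity(headers)
        for key in path:
            if not isinstance(node, dict):
                return False  # fail closed on a missing or odd-shaped claim
            node = node.get(key)
        return isinstance(node, str) and node == expected
    return permit


def or_guard(*guards):
    """Composite guard: permit when any member guard permits."""
    return lambda headers: any(g(headers) for g in guards)


def guard_for_custom_repo(repo_org_id, turnpike_subject_dn):
    """One per-org guard ORed with the shared, configurable Turnpike guard."""
    return or_guard(
        header_guard(("identity", "org_id"), repo_org_id),
        header_guard(("identity", "x509", "subject_dn"), turnpike_subject_dn),
    )


def encode_identity(identity):
    """Helper for constructed sample requests."""
    return {IDENTITY_HEADER: base64.b64encode(json.dumps(identity).encode()).decode()}
```

Because the Turnpike guard is built from a single `turnpike_subject_dn` value, changing that value at startup updates access for every custom repo without touching the per-org guards.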

       

              rhn-engineering-jsherrill Justin Sherrill