From 52a8936914b0ba2e1f21f1fd318259a9528ac59c Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 3 Jun 2022 13:14:28 -0700 Subject: [PATCH] proxies: rework reversepassproxy and mark all ocp4 / ocp3 apps The ocp3 cluster is reachable/available via the vpn, so any proxy can reach it. The ocp4 cluster is (at least for now) only reachable/available from the iad2 proxies (proxy01/proxy10). There's a firefox bug that causes it to reuse h2 connections, and in some cases try and request something of a non iad2 proxy that it can't reach. To work around this in those cases we need to send a 421 back to the client so it doesn't do that. This moves that logic into the template so all ocp4: true hosts do this by default. Also, we default the balancer nodes so we only have to change them in one place if we remove/add a compute node. Finally, we mark all the ocp3 apps with 'ocp4: false' so we know what they are and can move them more easily. Signed-off-by: Kevin Fenzi --- playbooks/include/proxies-reverseproxy.yml | 49 +++++++++++-------- roles/httpd/reverseproxy/tasks/main.yml | 31 +++++++++++- .../reversepassproxy.blockerbugs.conf | 5 -- .../templates/reversepassproxy.conf | 8 +++ 4 files changed, 66 insertions(+), 27 deletions(-) delete mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 9f2c485494..2b5c2ee957 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -159,6 +159,7 @@ remotepath: /totpcgiprovision balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - fas @@ -170,6 +171,7 @@ localpath: /accounts-old balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - fas @@ -181,6 +183,7 @@ localpath: /accounts balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - fas 
@@ -189,8 +192,8 @@ website: "accounts{{ env_suffix }}.fedoraproject.org" destname: noggin balancer_name: apps-ocp - balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_stg, ocp_nodes) }}" targettype: openshift + ocp4: false keephost: true ocp4: true tags: @@ -200,7 +203,6 @@ website: "fasjson{{ env_suffix }}.fedoraproject.org" destname: fasjson balancer_name: apps-ocp - balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_stg, ocp_nodes) }}" targettype: openshift keephost: true ocp4: true @@ -257,6 +259,7 @@ localpath: /datagrepper balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - datagrepper @@ -282,6 +285,7 @@ localpath: /kerneltest balancer_name: app-os targettype: openshift + ocp4: false keephost: true when: env == "staging" @@ -290,6 +294,7 @@ destname: kerneltest balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: kerneltest header_scheme: true @@ -304,7 +309,6 @@ ocp4: true remotepath: /blockerbugs localpath: /blockerbugs - balancer_members: "{{ ocp_nodes_stg }}" tags: blockerbugs when: env == "staging" @@ -317,7 +321,6 @@ ocp4: true remotepath: /blockerbugs localpath: /blockerbugs - balancer_members: "{{ ocp_nodes }}" tags: blockerbugs when: env != "staging" @@ -333,7 +336,6 @@ website: bodhi.fedoraproject.org destname: bodhi balancer_name: apps-ocp - balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_stg, ocp_nodes) }}" targettype: openshift keephost: true ocp4: true @@ -344,6 +346,7 @@ destname: bodhi balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: bodhi when: env != "staging" @@ -357,7 +360,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes }}" targettype: openshift keephost: true tags: @@ -369,7 +371,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes }}" targettype: openshift keephost: true tags: 
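Review bot: The added `ocp4: false` in the `noggin` entry (`accounts{{ env_suffix }}.fedoraproject.org`, first hunk on this line) duplicates the `ocp4: true` that is still present two lines further down as context, so the role parameters now carry the same key twice. Most YAML loaders keep the last value, so the effective setting probably stays `true`, but the entry contradicts itself and a later reordering would silently change which cluster this accounts front end is routed to. The entry uses `balancer_name: apps-ocp` like the other ocp4 apps, so the fix is to drop the added line and keep the existing `ocp4: true`.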
@@ -381,7 +382,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes }}" targettype: openshift keephost: true tags: @@ -393,7 +393,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes }}" targettype: openshift keephost: true tags: @@ -405,7 +404,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" targettype: openshift keephost: true tags: @@ -417,7 +415,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" targettype: openshift keephost: true tags: @@ -429,7 +426,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" targettype: openshift keephost: true tags: @@ -441,7 +437,6 @@ destname: cincinnati balancer_name: apps-ocp ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" targettype: openshift keephost: true tags: @@ -458,6 +453,7 @@ destname: transtats balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: transtats @@ -489,6 +485,7 @@ destname: koschei balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: koschei @@ -497,6 +494,7 @@ destname: message-tagging-service balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: message-tagging-service @@ -636,7 +634,6 @@ balancer_name: resultsdb-stg targettype: openshift ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" keephost: true when: env == "staging" @@ -738,6 +735,7 @@ destname: os balancer_name: os targettype: openshift + ocp4: false balancer_members: "{{ openshift_masters }}" keephost: true tags: @@ -748,6 +746,7 @@ destname: app.os balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - app.os.fedoraproject.org @@ -758,7 +757,6 @@ balancer_name: ocp targettype: openshift ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" keephost: true tags: - ocp.stg.fedoraproject.org 
@@ -770,7 +768,6 @@ balancer_name: apps-ocp targettype: openshift ocp4: true - balancer_members: "{{ ocp_nodes_stg }}" keephost: true tags: - apps.ocp.stg.fedoraproject.org @@ -782,7 +779,6 @@ balancer_name: ocp targettype: openshift ocp4: true - balancer_members: "{{ ocp_nodes }}" keephost: true tags: - ocp.fedoraproject.org @@ -794,7 +790,6 @@ balancer_name: apps-ocp targettype: openshift ocp4: true - balancer_members: "{{ ocp_nodes }}" keephost: true tags: - apps.ocp.fedoraproject.org @@ -805,6 +800,7 @@ destname: zezere balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - zezere @@ -821,6 +817,7 @@ destname: greenwave balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: greenwave @@ -829,6 +826,7 @@ destname: waiverdb balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: waiverdb @@ -837,6 +835,7 @@ destname: elections balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: elections header_scheme: true @@ -846,6 +845,7 @@ destname: calendar balancer_name: app-os targettype: openshift + ocp4: false keephost: true header_scheme: true tags: calendar @@ -855,6 +855,7 @@ destname: mdapi balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: mdapi @@ -863,6 +864,7 @@ destname: wallpapers balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: wallpapers @@ -871,6 +873,7 @@ destname: silverblue balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: silverblue @@ -879,6 +882,7 @@ destname: release-monitoring balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: release-montoring.org when: env == "production" @@ -888,6 +892,7 @@ destname: stg.release-monitoring balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: release-montoring.org when: env == "staging" 
@@ -896,7 +901,6 @@ website: whatcanidoforfedora.org destname: whatcanidoforfedora balancer_name: app-ocp - balancer_members: "{{ ocp_nodes_stg }}" targettype: openshift ocp4: true keephost: true @@ -908,6 +912,7 @@ destname: whatcanidoforfedora balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: whatcanidoforfedora.org when: env != "staging" @@ -917,6 +922,7 @@ destname: testdays balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: testdays @@ -925,6 +931,7 @@ destname: packager-dashboard balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: packager-dashboard @@ -933,6 +940,7 @@ destname: app.os balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: - languages @@ -951,6 +959,7 @@ destname: fedora-packages-static balancer_name: app-os targettype: openshift + ocp4: false keephost: true - role: httpd/reverseproxy @@ -958,6 +967,7 @@ destname: discourse2fedmsg balancer_name: app-os targettype: openshift + ocp4: false keephost: true tags: discourse2fedmsg @@ -965,7 +975,6 @@ website: ipsilon-project.org destname: ipsilon-website balancer_name: apps-ocp - balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_stg, ocp_nodes) }}" targettype: openshift ocp4: true keephost: true diff --git a/roles/httpd/reverseproxy/tasks/main.yml b/roles/httpd/reverseproxy/tasks/main.yml index 9ed5604877..c1fda94638 100644 --- a/roles/httpd/reverseproxy/tasks/main.yml +++ b/roles/httpd/reverseproxy/tasks/main.yml 
@@ -7,10 +7,37 @@ # - keephost # - proxyopts -- name: Set OpenShift information if not preconfigured +- name: Set OpenShift information if not preconfigured (prod) set_fact: balancer_members: "{{ openshift_nodes }}" - when: 'targettype == "openshift" and not balancer_members is defined' + when: 'targettype == "openshift" and not balancer_members is defined and env != "staging" ' + tags: + - httpd + - httpd/reverseproxy + - httpd/reversepassproxy + +- name: Set OpenShift4 information if not preconfigured (prod) + set_fact: + balancer_members: "{{ ocp_nodes }}" + when: 'targettype == "openshift" and ocp4|bool and not balancer_members is defined and env != "staging" ' + tags: + - httpd + - httpd/reverseproxy + - httpd/reversepassproxy + +- name: Set OpenShift information if not preconfigured (stg) + set_fact: + balancer_members: "{{ openshift_nodes_stg }}" + when: 'targettype == "openshift" and not balancer_members is defined and env == "staging" ' + tags: + - httpd + - httpd/reverseproxy + - httpd/reversepassproxy + +- name: Set OpenShift4 information if not preconfigured (prod) + set_fact: + balancer_members: "{{ ocp_nodes }}" + when: 'targettype == "openshift" and ocp4|bool and not balancer_members is defined and env == "staging" ' tags: - httpd - httpd/reverseproxy diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf deleted file mode 100644 index ee26261dfd..0000000000 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf +++ /dev/null @@ -1,5 +0,0 @@ -{% if 'iad2' in inventory_hostname %} -{% include "reversepassproxy.conf" %} -{% else %} -Redirect 421 / -{% endif %} diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index 427d7ed368..37ab9d33bd 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf 
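Review bot: The fourth added task in `roles/httpd/reverseproxy/tasks/main.yml` is named "(prod)" and sets `balancer_members: "{{ ocp_nodes }}"` although its condition is `env == "staging"`, so a staging ocp4 app would be balanced onto the production nodes; the playbook lines removed by this commit used `ocp_nodes_stg` for staging. The two ocp3 tasks also do not exclude ocp4 apps and run before their ocp4 counterparts, so once they have set `balancer_members` the `not balancer_members is defined` guard in the ocp4 tasks can no longer be true and ocp4 apps appear to end up with `openshift_nodes` / `openshift_nodes_stg`. Every playbook hunk in this patch that drops an explicit `balancer_members` now depends on these defaults. Because `set_fact` values normally persist on the host for the rest of the play, it is also worth confirming that a value set for one role invocation does not carry over into the next one. The `default(false)` below is only there to keep the condition evaluable for entries that set no `ocp4`.

```yaml
- name: Set OpenShift information if not preconfigured (prod)
  # … unchanged: set_fact with openshift_nodes …
  when: 'targettype == "openshift" and not ocp4|default(false)|bool and not balancer_members is defined and env != "staging"'

# … unchanged: OpenShift4 (prod) task, tags …

- name: Set OpenShift information if not preconfigured (stg)
  # … unchanged: set_fact with openshift_nodes_stg …
  when: 'targettype == "openshift" and not ocp4|default(false)|bool and not balancer_members is defined and env == "staging"'

- name: Set OpenShift4 information if not preconfigured (stg)
  set_fact:
    balancer_members: "{{ ocp_nodes_stg }}"
  # … unchanged: when condition for staging ocp4, tags …
```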
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf @@ -18,6 +18,9 @@ ProxyPreserveHost On {% endif %} {% if balancer_name is defined %} +# This is using openshift or another thing we want to balance in httpd +{% if targettype == 'openshift' or if ( 'iad2' in inventory_hostname and ocp4|bool %} +# This is a openshift3 app on a proxy anywhere, or a openshift4 one only in iad2 SSLProxyEngine On {% if targettype is defined and targettype == "openshift" %} @@ -69,6 +72,11 @@ RewriteRule .* "balancer://{{ balancer_name }}-websocket%{REQUEST_URI}" [P] ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" +{% elif ocp4|bool and not 'iad2' in inventory_hostname %} +# This is a non iad2 proxy and an openshift4 app +# We do this to avoid a h2 connection reuse bug by firefox. +Redirect 421 / +{% endif %} {% else %} ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }} ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
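Review bot: The added condition `{% if targettype == 'openshift' or if ( 'iad2' in inventory_hostname and ocp4|bool %}` in the first hunk is not valid Jinja: a second `if` appears inside the expression and the opening parenthesis is never closed, so rendering the template should fail. Even with the syntax repaired, `targettype == 'openshift'` is also true for ocp4 apps, so the `{% elif ocp4|bool and not 'iad2' in inventory_hostname %}` branch in the second hunk, which returns the 421, would not be reached on non-iad2 proxies. The condition that matches the comment would be `{% if (targettype == 'openshift' and not ocp4|bool) or ('iad2' in inventory_hostname and ocp4|bool) %}`. With that form a balancer entry that is neither openshift nor ocp4 matches neither branch and gets no ProxyPass lines, and `targettype` is tested bare here while the context line below still guards it with `targettype is defined`. Both points should be checked against the full template, which lies outside these hunks.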