proxies: rework reversepassproxy and mark all ocp4 / ocp3 apps

The ocp3 cluster is reachable/available via the vpn, so any proxy can reach it. The ocp4 cluster is (at least for now) only reachable/available from the iad2 proxies (proxy01/proxy10). There's a firefox bug that causes it to reuse h2 connections, and in some cases try and request something of a non iad2 proxy that it can't reach. To work around this in those cases we need to send a 421 back to the client so it doesn't do that. This moves that logic into the template so all ocp4: true hosts do this by default. Also, we default the balancer nodes so we only have to change them in one place if we remove/add a compute node. Finally, we mark all the ocp3 apps with 'ocp4: false' so we know what they are and can move them more easily. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-06-03 13:14:28 -07:00 · 2022-06-03 13:14:28 -07:00 · 52a8936914
commit 52a8936914
parent 5b3eadb7d5
4 changed files with 66 additions and 27 deletions
--- a/roles/httpd/reverseproxy/tasks/main.yml
+++ b/roles/httpd/reverseproxy/tasks/main.yml
@ -7,10 +7,37 @@
 # - keephost
 # - proxyopts

- name: Set OpenShift information if not preconfigured
+- name: Set OpenShift information if not preconfigured (prod)
  set_fact:
    balancer_members: "{{ openshift_nodes }}"
-  when: 'targettype == "openshift" and not balancer_members is defined'
+  when: 'targettype == "openshift" and not balancer_members is defined and env != "staging" '
+  tags:
+  - httpd
+  - httpd/reverseproxy
+  - httpd/reversepassproxy
+
+- name: Set OpenShift4 information if not preconfigured (prod)
+  set_fact:
+    balancer_members: "{{ ocp_nodes }}"
+  when: 'targettype == "openshift" and ocp4|bool and not balancer_members is defined and env != "staging" '
+  tags:
+  - httpd
+  - httpd/reverseproxy
+  - httpd/reversepassproxy
+
+- name: Set OpenShift information if not preconfigured (stg)
+  set_fact:
+    balancer_members: "{{ openshift_nodes_stg }}"
+  when: 'targettype == "openshift" and not balancer_members is defined and env == "staging" '
+  tags:
+  - httpd
+  - httpd/reverseproxy
+  - httpd/reversepassproxy
+
+- name: Set OpenShift4 information if not preconfigured (prod)
+  set_fact:
+    balancer_members: "{{ ocp_nodes }}"
+  when: 'targettype == "openshift" and ocp4|bool and not balancer_members is defined and env == "staging" '
  tags:
  - httpd
  - httpd/reverseproxy
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf
@ -1,5 +0,0 @@
-{% if 'iad2' in inventory_hostname %}
-{% include "reversepassproxy.conf" %}
-{% else %}
-Redirect 421 /
-{% endif %}
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
@ -18,6 +18,9 @@ ProxyPreserveHost On
 {% endif %}

 {% if balancer_name is defined %}
+# This is using openshift or another thing we want to balance in httpd
+{% if targettype == 'openshift' or if ( 'iad2' in inventory_hostname and ocp4|bool  %}
+# This is a openshift3 app on a proxy anywhere, or a openshift4 one only in iad2
 SSLProxyEngine On

 {% if targettype is defined and targettype == "openshift" %}
@ -69,6 +72,11 @@ RewriteRule .* "balancer://{{ balancer_name }}-websocket%{REQUEST_URI}" [P]
 </Proxy>
 ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
 ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
+{% elif ocp4|bool and not 'iad2' in inventory_hostname %}
+# This is a non iad2 proxy and an openshift4 app
+# We do this to avoid a h2 connection reuse bug by firefox.
+Redirect 421 /
+{% endif %}
 {% else %}
 ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}
 ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}