From 786bf4e138e221733c08f2036f0aca7c4d14fedd Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 26 Jul 2021 09:58:32 -0700
Subject: [PATCH] ocp / proxies: add ocp4 to staging proxies

We first add a website to proxies-websites, then information to proxies-reverseproxy about the load-balancer/site, then finally vars about which hosts are in which blanacer. We still need to get ssl certs issued, which we can do via dns challenge and certbot.

Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/proxies_stg | 10 +++++++++
 playbooks/include/proxies-reverseproxy.yml | 22 ++++++++++++++++++++
 playbooks/include/proxies-websites.yml | 24 ++++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/inventory/group_vars/proxies_stg b/inventory/group_vars/proxies_stg
index a264b88051..a80e59e5a7 100644
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
@@ -100,3 +100,13 @@ openshift_nodes:
 - os-node02.stg.iad2.fedoraproject.org
 - os-node03.stg.iad2.fedoraproject.org
 - os-node04.stg.iad2.fedoraproject.org
+
+ocp_masters:
+- ocp01.ocp.stg.iad2.fedoraproject.org
+- ocp02.ocp.stg.iad2.fedoraproject.org
+- ocp03.ocp.stg.iad2.fedoraproject.org
+
+ocp_nodes:
+- worker01.ocp.stg.iad2.fedoraproject.org
+- worker02.ocp.stg.iad2.fedoraproject.org
+- worker03.ocp.stg.iad2.fedoraproject.org
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 7e5cdf48a9..7e2a544926 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -608,6 +608,28 @@
 tags:
 - app.os.fedoraproject.org
 
+ - role: httpd/reverseproxy
+ website: "ocp{{ env_suffix }}.fedoraproject.org"
+ destname: ocp
+ balancer_name: ocp
+ targettype: openshift
+ balancer_members: "{{ ocp_masters }}"
+ keephost: true
+ tags:
+ - ocp.fedoraproject.org
+ when: env == "staging"
+
+ - role: httpd/reverseproxy
+ website: "app.ocp{{ env_suffix }}.fedoraproject.org"
+ destname: app.ocp
+ balancer_name: app-ocp
+ targettype: openshift
+ balancer_members: "{{ ocp_nodes }}"
+ keephost: true
+ tags:
+ - app.ocp.fedoraproject.org
+ when: env == "staging"
+
 - role: httpd/reverseproxy
 website: "provision{{ env_suffix }}.fedoraproject.org"
 destname: zezere
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 2595ee883c..a311c7e8ae 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -682,6 +682,30 @@
 tags:
 - app.os.stg.fedoraproject.org
 
+ - role: httpd/website
+ site_name: ocp.stg.fedoraproject.org
+ sslonly: true
+ cert_name: "{{wildcard_cert_name}}"
+ # The Connection and Upgrade headers don't work for h2
+ # So non-h2 is needed to fix websockets.
+ use_h2: false
+ tags:
+ - ocp.stg.fedoraproject.org
+ when: env == "staging"
+
+ - role: httpd/website
+ site_name: app.ocp.stg.fedoraproject.org
+ server_aliases: ["*.app.ocp.stg.fedoraproject.org"]
+ sslonly: true
+ cert_name: "{{os_wildcard_cert_name}}"
+ SSLCertificateChainFile: "{{os_wildcard_int_file}}"
+ # The Connection and Upgrade headers don't work for h2
+ # So non-h2 is needed to fix websockets.
+ use_h2: false
+ tags:
+ - app.ocp.stg.fedoraproject.org
+ when: env == "staging"
+
 - role: httpd/website
 site_name: registry.fedoraproject.org
 server_aliases: [registry.stg.fedoraproject.org registry-no-cdn.fedoraproject.org]
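Review bot: In playbooks/include/proxies-reverseproxy.yml, the first new entry places the control-plane hosts in `ocp_masters` behind `ocp{{ env_suffix }}.fedoraproject.org`, but nothing in the entry says which cluster endpoint `targettype: openshift` forwards to or who is expected to reach it through the proxies. The websocket comment on the matching httpd/website entry suggests this fronts the web console, though that is an inference from this patch alone. A short comment above the entry, for example `# fronts the OCP4 console on the masters; <intended audience / access restriction>`, would record the intended exposure for later reviewers. Whether the httpd/reverseproxy role applies any source restriction is not visible in this hunk.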
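Review bot: In playbooks/include/proxies-websites.yml, the `app.ocp.stg.fedoraproject.org` entry reuses `cert_name: "{{os_wildcard_cert_name}}"` and `SSLCertificateChainFile: "{{os_wildcard_int_file}}"`, which presumably belong to the existing `app.os` wildcard site. A certificate issued for those names would not validate for `*.app.ocp.stg.fedoraproject.org`, so clients would get a hostname mismatch until the certificate mentioned in the commit message is issued. Mark the reuse as temporary in the file, e.g. `# TODO: replace with the ocp wildcard cert once issued (certbot dns challenge)`, so the placeholder is tracked and nobody works around the mismatch by turning off certificate verification.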