diff --git a/inventory/group_vars/all b/inventory/group_vars/all index f675a0ffe6..5cbcde5607 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -191,8 +191,8 @@ nrpe_procs_warn: 250 num_cpus: 2 # ocp4 is only set true in some proxy roles ocp4: false -# All the ocp production nodes. We place this here so proxies and openvpn openshift app -# can both use it. +# All the ocp production workers. +# This is used by the openvpn openshift app to make sure there's a vpn pod on each node. ocp_nodes: - worker01.ocp.iad2.fedoraproject.org - worker02.ocp.iad2.fedoraproject.org diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies index ddc44777ca..f2243a92b2 100644 --- a/inventory/group_vars/proxies +++ b/inventory/group_vars/proxies @@ -47,6 +47,15 @@ ocp_masters: - ocp01.ocp.iad2.fedoraproject.org - ocp02.ocp.iad2.fedoraproject.org - ocp03.ocp.iad2.fedoraproject.org +# we override this here to point to the vpn endpoints of the ocp_nodes instead of +# The real internal hostnames. This is because proxies access them via vpn. +ocp_nodes: + - worker01.vpn.fedoraproject.org + - worker02.vpn.fedoraproject.org + - worker03.vpn.fedoraproject.org + - worker04.vpn.fedoraproject.org + - worker05.vpn.fedoraproject.org + - worker06.vpn.fedoraproject.org openshift_masters: - os-master01.vpn.fedoraproject.org - os-master02.vpn.fedoraproject.org diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index 389707ed49..9a2cd9f496 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf @@ -19,9 +19,6 @@ ProxyPreserveHost On {% if balancer_name is defined %} # This is something that wants a apache balancer -{% if 'iad2' in inventory_hostname or not ocp4|bool %} -# This proxy is in iad2 and so we setup the balancer. -# Non iad2 proxies just send a 421 for this application to avoid firefox h2 reuse bug SSLProxyEngine On {% if targettype is defined and targettype == "openshift" %} @@ -73,11 +70,6 @@ BalancerMember "https://{{ member }}" ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}" -{% elif ocp4|bool %} -# This is a non iad2 proxy and an app that only exists in iad2 -# We do this to avoid a h2 connection reuse bug by firefox. -Redirect 421 / -{% endif %} {% else %} # This is an application that just goes to one url, not a balancer ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}