From 9eed96e3d65a877e7abe3e64ced31e5d54f08553 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 3 Mar 2022 12:51:39 -0800 Subject: [PATCH] proxies: open ocp4 api port in both stg and prod This fixes ticket 10521. Basically we want to just open the api. It requires auth to do anything and other openshift instances have it available, so it shouldn't hopefully expose us to too much risk. With ocp3 the api was part of the normal port/web flow, but with ocp4 it's a separate port. This also adds new workers to haproxy. I can drop that part if it's controversial, but it should be fine I would think. Signed-off-by: Kevin Fenzi --- inventory/group_vars/proxies | 6 +++--- inventory/group_vars/proxies_stg | 6 +++--- roles/haproxy/templates/haproxy.cfg | 8 ++++++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies index 3d2d5e5427..2bef414dc5 100644 --- a/inventory/group_vars/proxies +++ b/inventory/group_vars/proxies
@@ -26,9 +26,7 @@ custom_rules: [
 # For Zanata
 # See files/httpd/website_id_fp_o_zanata.conf for info
 '-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
- # Allow ocp control plane hosts
- '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.35 -j ACCEPT', # batcave01
- '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.129 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
 ipa_client_shell_groups:
 - fi-apprentice
 - sysadmin-noc
@@ -82,6 +80,8 @@ tcp_ports: [
 1088,
 # This is for RabbitMQ public access
 5671,
+ # openshift 4 api
+ 6443,
 # This is for RabbitMQ internal-public access
 15671,
 # This is for the haproxy HTML stats page
diff --git a/inventory/group_vars/proxies_stg b/inventory/group_vars/proxies_stg
index c7c430e4f2..7e8f50d380 100644
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
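Review bot: The removed `# Allow ocp control plane hosts` comment also described the 22623 rules that the added line keeps, so the remaining per-host allow-list now has no label saying what it is for or why it stays host-restricted while 6443 is opened in tcp_ports; keep a comment above the new line, e.g. `# Allow ocp control plane hosts to the machineconfig server (22623); the api (6443) is open to all in tcp_ports`. The batcave01 allow on 6443 goes away together with the per-host rules, which is consistent with the port becoming generally open, but a one-line note there would stop someone re-adding it later. The added line is still a single very long YAML list entry; one rule per line would make the next per-host change reviewable in a diff. The proxies_stg custom_rules hunk has the same issues.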
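Review bot: The new `# openshift 4 api` comment on the 6443 entry does not follow the `# This is for ...` phrasing of the surrounding entries and does not record that this entry is what makes the API reachable from any source now that the per-host 6443 rules in custom_rules are gone; suggest `# This is for the OpenShift 4 API (authenticated; opened per ticket 10521)`. Since the port is now public, it is worth confirming that the haproxy frontend in front of `ocp-masters-backend-kapi` logs connections and carries a connection-rate limit comparable to the other public ports; that frontend is not part of this diff, so it cannot be checked here. The proxies_stg tcp_ports hunk adds the same comment.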
@@ -27,9 +27,7 @@ custom_rules: [
 '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.72 -j ACCEPT',
 # Allow happinesspackets-stg.fedorainfracloud.org to talk to the inbound fedmsg relay
 '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.123 -j ACCEPT',
- # Allow ocp control plane hosts
- '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.35 -j ACCEPT', # batcave01
- '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.50 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
+ '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
 ipa_client_shell_groups:
 - fi-apprentice
 - sysadmin-noc
@@ -73,6 +71,8 @@ tcp_ports: [
 1088,
 # This is for RabbitMQ public access
 5671,
+ # openshift 4 api
+ 6443,
 # This is for RabbitMQ internal-public access
 15671,
 # This is for the haproxy HTML stats page
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 5be5bf523c..e34c9b7018 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -48,6 +48,9 @@ backend ocp-masters-backend-kapi
 server ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 server ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 server ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+ server ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+ server ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+ server ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 # temp bootstrap node
 # server bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 
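Review bot: The new `server ocp04…ocp06` entries are added to `ocp-masters-backend-kapi` here and to `ocp-masters-backend-machineconfig` in the next hunk (and ocp04 to the two stg backends after that), yet the commit message calls these hosts new workers; both backends forward to services that run on control plane nodes, so if ocp04–06 are worker nodes the `check` would only mark them down and the backends would carry hosts that never serve traffic. If they are workers, what they would need instead is to be allowed as sources on 22623 in the proxies custom_rules so they can reach the machineconfig server, which this commit does not do for them. If they are additional control plane nodes the backend lines are right, and a comment such as `# additional control plane nodes, see ticket 10521` above them would make that clear. Which of the two it is cannot be told from the diff, so please confirm before merging.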
@@ -61,6 +64,9 @@ backend ocp-masters-backend-machineconfig
 server ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 server ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 server ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+ server ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+ server ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+ server ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 # temp bootstrap node
 # server bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 {% endif %}
@@ -76,6 +82,7 @@ backend ocp-masters-backend-kapi
 server ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 server ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 server ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+ server ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 # temp bootstrap node
 # server bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
 
@@ -89,6 +96,7 @@ backend ocp-masters-backend-machineconfig
 server ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 server ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 server ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+ server ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 # temp bootstrap node
 # server bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
 {% endif %}