From e7b50aaee469fdded0ea650c7e7f4dd06e929609 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Fri, 14 Feb 2025 09:32:26 -0800 Subject: [PATCH] osbuildapi-update: just keep adding to ipset It seems sso.redhat.com has a 20 second time to live, so it changes often. However, it seems to only change the pool of ips from a small (5-10) number. So, lets just add to the set so we allow any of the ips we have seen. The set will grow, but if the pool is small it should stablize to have all the ips in the pool. Signed-off-by: Kevin Fenzi --- roles/koji_builder/templates/osbuildapi-update.sh | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/roles/koji_builder/templates/osbuildapi-update.sh b/roles/koji_builder/templates/osbuildapi-update.sh index e3e665b60b..94bcf60a98 100644 --- a/roles/koji_builder/templates/osbuildapi-update.sh +++ b/roles/koji_builder/templates/osbuildapi-update.sh @@ -3,11 +3,6 @@ # Make sure the ipset is created. /usr/sbin/ipset create osbuildapi hash:ip >& /dev/null -# Prepare a temporary set to store the new IPs, so we can atomically swap them -/usr/sbin/ipset create osbuildapi_tmp hash:ip >& /dev/null -# Make sure the temporary set is empty -/usr/sbin/ipset flush osbuildapi_tmp - # in staging we need to allow api.stage and in prod api. {% if env == 'staging' %} RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query api.stage.openshift.com 2> /dev/null` @@ -20,7 +15,7 @@ NEWIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\ for j in $NEWIPS do - /usr/sbin/ipset add osbuildapi_tmp $j + /usr/sbin/ipset add osbuildapi $j done # both stage and prod authenticate using sso.redhat.com @@ -31,9 +26,5 @@ NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\ for j in $NEWIDENTITYIPS do - /usr/sbin/ipset add osbuildapi_tmp $j + /usr/sbin/ipset add osbuildapi $j done - -# Swap the sets atomically -/usr/sbin/ipset swap osbuildapi osbuildapi_tmp -/usr/sbin/ipset destroy osbuildapi_tmp