See https://pagure.io/copr/copr/issue/1935
Prevent only /api_2, /api_3, etc from redirectring from
fedoraproject.org to fedorainfracloud.org
I am not entirely sure why do we need these special-cases for API but
you guys are taking care of it and keeping it updated, so it must be
important. If anyone can explain some context, it would be
appreciated. The config is older than my involvement in the Copr
project :-)
Anyway, there is only one /api/ page - https://copr.fedorainfracloud.org/api
and that is not an API endpoint that is programmatically accessed and
that preserves backwards compatibility. It is a page that one opens
in the web browser to find information about API, such as where the
documentation is, and how to obtain an API token.
We would like to apply the redirect from fedoraproject.org to
fedorainfracloud.org even for this page.
reg is putting a /static/ into asset path since it's upgrade.
Just alias it to / here to avoid the problem for now.
Hopefully we are going to be moving to quay.io and can stop caring about
it.
Fixes infra 10673
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Apache httpd by default blocks URL-encoded / (%2F) characters in the
URL path, even though these are RFC-compliant. Enable them and permit
their safe passage to the debuginfod servers.
See also https://stackoverflow.com/a/9933890/661150
Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
- Updating apache proxy config to handle ocp4 CA cert
- place ocp4 CA cert on proxies
- add ocp4 stg ca cert to haproxy/files
Signed-off-by: David Kirwan <dkirwan@redhat.com>
Our ansible default ansible scripts don't like multiple /suburls being
individually proxied, so we ended up losing /buildid/* and keeping
/metrics.
Switch to using single /-level reverse-proxying AND wiki-redirection
clauses, and use a new template .conf file to break the tie with a
"ProxyPass / !" directive.
debuginfod can take O(60s) to run certain webapi queries, so the httpd
mod_proxy default timeouts are too short. Introduce an ansible
variable "proxyopts", expanded into the httpd ProxyPass and
ProxyPassReverse configuration lines. Default to "", but set it
with pretty generous limits for debuginfod only.
* Update rsync configuration for production to sync the flatpak-indexer
output directories into the right place, in the same way as was done
for staging. The regindexer rsync module is renamed to flatpak-index
for clarity.
* Update the registry.fedoraproject.org to use the flatpak-indexer
rules for production.
* Remove the regindexer role
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
Add changes required for flatpak-indexer, conditionalized for staging:
* Reverse which of "index with labels" or "index with annotations" is the
default (make labels the default, since annotations are only used by
old versions of Flatpak)
* Add the deltas/ directory which holds deltas between Flatpak versions.
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
While we're getting flatpak-indexer tested and working in staging, we still
need regindexer, and we don't want the httpd config changes that are
part of the regindexer => flatpak-indexer change.
Fixes: https://pagure.io/fedora-infrastructure/issue/9631
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
flatpak-indexer replaces regindexer for creating an index of Fedora
Flatpaks. It adds an additional capability - creating "diffs" between image versions
allowing for incremental updates.
Add a new openshift namespace: flatpak-indexer, with three deploymentconfigs
in it:
- flatpak-indexer: generates the index
- flatpak-indexer-differ: worker(s) to run the expensive tardiff operation
- redis: used for cache and communication between indexer and differ
The staging version of the indexer targets the *production* bodhi/koji/registry,
since we don't have useful Flatpak content in staging. This could be changed.
The registry reverse proxy configuration is updated to a slightly different
set of generated indexes (the 'annotations' indexes for F31 and older are
now suffixed with -annotations, and the 'labels' indexes unsuffixed.)
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
Fixes https://pagure.io/fedora-infrastructure/issue/9564
download.fedoraproject.org queries mirrormanager for a redirect to a
mirror for the path/request. Before we were just taking any mirror that
mirrormanager had, if it was http or https. This caused requests that
were sent in as https to get a http mirror and error out. So, now we
just redirect http ones to http mirrors and https requests to https
mirrors.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This rewrite section is confusing, so document it more and add a rule to
make builders go direct to the regesty instead of using the cdn, this
should hopefully fix flatpak building.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I think the lack of ! on the osbs rule meant that nothing ever went to
the cdn. This increases load on the real registry a lot.
Also, we are using varnish here, but lets try and just go via haproxy.
varnish might be having problems keeping all the 404s in memory/cache.
The cdn thing should help that, but since we have cloudfront I don't
think we also need to use varnish here.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Since we no longer have any machines in phx2, I have tried to remove
them from ansible. Note that there are still some places where we need
to remove them still: nagios, dhcp, named were not touched, and in cases
where it wasn't pretty clear what a conditional was doing I left it to
be cleaned up later.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Flatpak-1.6 expects metadata to be stored in Docker-compatible labels
rather than OCI annotations. We build Flatpaks for Fedora with both
labels and annotations for compatibility with older and newer Flatpaks,
but we also need to have two sets of indexes:
- One that is served in response to a query for labels, and skips
including Flatpak annotations in the response (to reduce size)
- One that is served in response to a query for annotation, and skips
including Flatpak labels in the response.
This commit requires regindexer-1.6. See:
https://pagure.io/fedora-infrastructure/issue/8579
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
This host shares with registry vhost, but if it's used it bypasses downloading from the cdn.
We need this internally on composes that download flatpaks. They need to get them direct
from our registry and not from an external cdn.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I was hitting an issue where there were multiple reverseproxy instances
configured for a single host and some of the rewrite rules were changing
the request when they shouldn't be.
This patch adds a rewritecond to the websocket rewrite rule to make sure that
the REQUEST_URI starts with $remotepath before it's rewritten.
The current template assumes that websockets are at the base of a URL
but that is not true for our buildmaster. This patch adds remotepath
to the end of the websocket url if remotepath is defined.
Firefox is hell-bent on sending "keep-alive, Upgrade", which did not match
^Upgrade$....
Let's accept either.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
