proxies: Reach ocp4 cluster in prod over vpn instead of sending 421

I think I handled all the special cases here already.
We want to switch non-iad2 proxies to reach the ocp4 cluster over its
vpn now that it has one. This should allow us to still keep ipv6
available for applications and not have to change dns for moving from
ocp3 cluster anymore. Will roll this out slowly to one proxy then
another, then the rest if it all looks ok.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2022-06-13 10:08:48 -07:00
parent 6331d992ee
commit 91ccdea73f
3 changed files with 11 additions and 10 deletions

@ -191,8 +191,8 @@ nrpe_procs_warn: 250
num_cpus: 2
# ocp4 is only set true in some proxy roles
ocp4: false
# All the ocp production nodes. We place this here so proxies and openvpn openshift app
# can both use it.
# All the ocp production workers.
# This is used by the openvpn openshift app to make sure there's a vpn pod on each node.
ocp_nodes:
- worker01.ocp.iad2.fedoraproject.org
- worker02.ocp.iad2.fedoraproject.org
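
Review bot: the rewritten comment above ocp_nodes names only the openvpn openshift app as a consumer, yet proxies still read a variable of the same name through the override that lists the workerNN.vpn.fedoraproject.org hosts. Add a line here pointing at that override, so that someone adding or removing a worker knows there are two lists to update.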

@ -47,6 +47,15 @@ ocp_masters:
- ocp01.ocp.iad2.fedoraproject.org
- ocp02.ocp.iad2.fedoraproject.org
- ocp03.ocp.iad2.fedoraproject.org
# we override this here to point to the vpn endpoints of the ocp_nodes instead of
# The real internal hostnames. This is because proxies access them via vpn.
ocp_nodes:
- worker01.vpn.fedoraproject.org
- worker02.vpn.fedoraproject.org
- worker03.vpn.fedoraproject.org
- worker04.vpn.fedoraproject.org
- worker05.vpn.fedoraproject.org
- worker06.vpn.fedoraproject.org
openshift_masters:
- os-master01.vpn.fedoraproject.org
- os-master02.vpn.fedoraproject.org
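
Review bot: the ocp_nodes override changes the hostnames that proxies connect to, and the balancer template builds its members as BalancerMember "https://{{ member }}" with SSLProxyEngine On. If these entries are what feeds the balancer, the workers' certificates need to be valid for the vpn.fedoraproject.org names, or the backend verification settings the proxies rely on should be documented in this comment. Style: the second comment line starts with a capital "The" in mid-sentence.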

@ -19,9 +19,6 @@ ProxyPreserveHost On
{% if balancer_name is defined %}
# This is something that wants a apache balancer
{% if 'iad2' in inventory_hostname or not ocp4|bool %}
# This proxy is in iad2 and so we setup the balancer.
# Non iad2 proxies just send a 421 for this application to avoid firefox h2 reuse bug
SSLProxyEngine On
{% if targettype is defined and targettype == "openshift" %}
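
Review bot: with the `{% if 'iad2' in inventory_hostname or not ocp4|bool %}` guard gone, the balancer block applies to every proxy as soon as this template is deployed, while the commit message describes a rollout to one proxy, then another, then the rest. Nothing in the template expresses that staging, so it depends entirely on how the playbook run is limited; a temporary per-host variable would make the intermediate state explicit. The removed comments were also the only explanation of why non-iad2 proxies behaved differently, so a one-line comment saying that they now reach the members over the vpn would be worth adding.
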
@ -73,11 +70,6 @@ BalancerMember "https://{{ member }}"
</Proxy>
ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
{% elif ocp4|bool %}
# This is a non iad2 proxy and an app that only exists in iad2
# We do this to avoid a h2 connection reuse bug by firefox.
Redirect 421 /
{% endif %}
{% else %}
# This is an application that just goes to one url, not a balancer
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}
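
Review bot: the `{% endif %}` dropped together with the `{% elif ocp4|bool %}` branch has to pair with the `{% if %}` removed at the top of the file, so render the template for one iad2 host and one non-iad2 host to confirm that the remaining `{% if balancer_name is defined %}` / `{% else %}` nesting still closes. Removing `Redirect 421 /` also means that a non-iad2 proxy whose vpn path is down will now answer with a proxy error rather than a 421, so per-proxy monitoring of the vpn path should be in place before the wider rollout.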