From 91ccdea73f72ce02d818a14e94c81490449f61b5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 13 Jun 2022 10:08:48 -0700
Subject: [PATCH] proxies: Reach ocp4 cluster in prod over vpn instead of sending 421

I think I handled all the special cases here already. We want to switch non iad2 proxies to reach the oco4 cluster over it's vpn now that it has one. This should allow us to still keep ipv6 available for applications and not have to change dns for moving from ocp3 cluster anymore. Will roll this out slowly to one proxy then another, then the rest if it all looks ok.

Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/all | 4 ++--
 inventory/group_vars/proxies | 9 +++++++++
 roles/httpd/reverseproxy/templates/reversepassproxy.conf | 8 --------
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index f675a0ffe6..5cbcde5607 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -191,8 +191,8 @@ nrpe_procs_warn: 250
 num_cpus: 2
 # ocp4 is only set true in some proxy roles
 ocp4: false
-# All the ocp production nodes. We place this here so proxies and openvpn openshift app
-# can both use it.
+# All the ocp production workers.
+# This is used by the openvpn openshift app to make sure there's a vpn pod on each node.
 ocp_nodes:
 - worker01.ocp.iad2.fedoraproject.org
 - worker02.ocp.iad2.fedoraproject.org
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index ddc44777ca..f2243a92b2 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
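Review bot: The rewritten comment above `ocp_nodes` says the list is used by the openvpn openshift app, but `inventory/group_vars/proxies` in this same patch overrides the key with vpn hostnames, so a reader adding a worker here would not know the proxies copy has to change in step. I would say so in the comment: `# Proxies override ocp_nodes in group_vars/proxies with the *.vpn.fedoraproject.org names; keep both lists in sync when workers are added or removed.` The list continues past the end of the hunk, so whether it still matches the six entries of the proxies override cannot be checked from here.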
@@ -47,6 +47,15 @@ ocp_masters:
 - ocp01.ocp.iad2.fedoraproject.org
 - ocp02.ocp.iad2.fedoraproject.org
 - ocp03.ocp.iad2.fedoraproject.org
+# we override this here to point to the vpn endpoints of the ocp_nodes instead of
+# The real internal hostnames. This is because proxies access them via vpn.
+ocp_nodes:
+ - worker01.vpn.fedoraproject.org
+ - worker02.vpn.fedoraproject.org
+ - worker03.vpn.fedoraproject.org
+ - worker04.vpn.fedoraproject.org
+ - worker05.vpn.fedoraproject.org
+ - worker06.vpn.fedoraproject.org
 openshift_masters:
 - os-master01.vpn.fedoraproject.org
 - os-master02.vpn.fedoraproject.org
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
index 389707ed49..9a2cd9f496 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
@@ -19,9 +19,6 @@ ProxyPreserveHost On
 {% if balancer_name is defined %}
 # This is something that wants a apache balancer
-{% if 'iad2' in inventory_hostname or not ocp4|bool %}
-# This proxy is in iad2 and so we setup the balancer.
-# Non iad2 proxies just send a 421 for this application to avoid firefox h2 reuse bug
 SSLProxyEngine On
 {% if targettype is defined and targettype == "openshift" %}
@@ -73,11 +70,6 @@ BalancerMember "https://{{ member }}"
 ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
 ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
-{% elif ocp4|bool %}
-# This is a non iad2 proxy and an app that only exists in iad2
-# We do this to avoid a h2 connection reuse bug by firefox.
-Redirect 421 /
-{% endif %}
 {% else %}
 # This is an application that just goes to one url, not a balancer
 ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}
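Review bot: The `ocp_nodes` override added here applies to every host in the `proxies` group, iad2 proxies included, so the ones that previously used the internal `worker0N.ocp.iad2.fedoraproject.org` names will now also balance to `*.vpn.fedoraproject.org`; if that is not intended the override belongs in a group that excludes iad2, and either way the comment should state it, e.g. `# Applies to all proxies, iad2 ones included; they no longer use the internal worker names.` The list is a second hand-maintained copy of the worker inventory, so a worker added in group_vars/all but not here would silently drop out of the balancer on proxies. If these names feed the `BalancerMember "https://{{ member }}"` entries seen in the template hunk below, the worker certificates presumably need the vpn hostnames as SANs, or peer-name verification must be known to be off for this balancer — worth confirming before the first proxy is switched.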
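Review bot: With the `{% if 'iad2' in inventory_hostname or not ocp4|bool %}` branch removed here and its `{% elif ocp4|bool %}` / `Redirect 421 /` counterpart removed in the `@@ -73,11 +70,6 @@` hunk, this template no longer reads `ocp4`, yet `group_vars/all` in the same patch still carries `ocp4: false` with a comment saying it is set true in some proxy roles; either retire the variable and its comment or note in this template why it is kept. The removal also changes what non-iad2 proxies do for these applications from answering 421 to building a live balancer, so the comment above `SSLProxyEngine On` should say so, e.g. `# Every proxy builds the balancer; non-iad2 proxies reach the members over the vpn.` The enclosing `{% if balancer_name is defined %}` block is opened in this hunk but its closing `{% endif %}` lies beyond the second hunk.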