proxies: add a ocp-rdu3 site/endpoint to get to the new rdu3 prod openshift

We can't use easily the existing hostname/site, as that goes to the current iad2 cluster, so setup a -rdu3 version for now. After we switch we can drop this and repoint the main one to the new cluster. Hopefully this all works and does the right thing. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-03-20 03:57:02 +08:00 · 2025-06-14 12:35:20 -07:00
parent 43b150af7a
commit e1132667d3
5 changed files with 60 additions and 0 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -210,11 +210,18 @@ ocp_nodes:
  - worker04.ocp.iad2.fedoraproject.org
  - worker05.ocp.iad2.fedoraproject.org
  - worker06.ocp.iad2.fedoraproject.org
+ocp_nodes_rdu3:
+  - worker01.ocp.rdu3.fedoraproject.org
 ocp_wildcard_cert_file: wildcard-2024.apps.ocp.fedoraproject.org.cert
 # This is the openshift wildcard cert for ocp
 ocp_wildcard_cert_name: wildcard-2024.apps.ocp.fedoraproject.org
 ocp_wildcard_int_file: wildcard-2024.apps.ocp.fedoraproject.org.intermediate.cert
 ocp_wildcard_key_file: wildcard-2024.apps.ocp.fedoraproject.org.key
+# rdu3 ocp cert while we are not yet moved
+ocp_rdu3_wildcard_cert_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.cert
+ocp_rdu3_wildcard_cert_name: wildcard-2025.apps.ocp-rdu3.fedoraproject.org
+ocp_rdu3_wildcard_int_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.intermediate.cert
+ocp_rdu3_wildcard_key_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.key
 # Path to the openshift-ansible checkout as external git repo brought into
 # Fedora Infra
 openshift_ansible: /srv/web/infra/openshift-ansible/
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -95,6 +95,9 @@ ocp_nodes:
  - worker04.vpn.fedoraproject.org
  - worker05.vpn.fedoraproject.org
  - worker06.vpn.fedoraproject.org
+# once vpn is up on rdu3 openshift we can switch this to use vpn
+#ocp_nodes_rdu3:
+#  - worker01-rdu3.vpn.fedoraproject.org
 postvpnservices:
  - haproxy
  - varnish
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -734,6 +734,30 @@
    - apps.ocp.fedoraproject.org
    when: env == "production"

+  - role: httpd/reverseproxy
+    website: "ocp-rdu3{{ env_suffix }}.fedoraproject.org"
+    destname: ocp-rdu3
+    balancer_name: ocp-rdu3
+    balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_rdu3_stg, ocp_nodes_rdu3) }}"
+    targettype: openshift
+    ocp4-rdu3: true
+    keephost: true
+    tags:
+    - ocp-rdu3.fedoraproject.org
+    when: env == "production" and datacenter == 'rdu3'
+
+  - role: httpd/reverseproxy
+    website: "apps.ocp-rdu3{{ env_suffix }}.fedoraproject.org"
+    destname: apps.ocp-rdu3
+    balancer_name: apps-ocp-rdu3
+    balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_rdu3_stg, ocp_nodes_rdu3) }}"
+    targettype: openshift
+    ocp4-rdu3: true
+    keephost: true
+    tags:
+    - apps.ocp-rdu3.fedoraproject.org
+    when: env == "production" and datacenter == 'rdu3'
+
  - role: httpd/reverseproxy
    website: "provision{{ env_suffix }}.fedoraproject.org"
    destname: zezere
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -718,6 +718,30 @@
    - apps.ocp.fedoraproject.org
    when: env == "production"

+  - role: httpd/website
+    site_name: ocp-rdu3.fedoraproject.org
+    sslonly: true
+    cert_name: "{{wildcard_cert_name}}"
+    # The Connection and Upgrade headers don't work for h2
+    # So non-h2 is needed to fix websockets.
+    use_h2: false
+    tags:
+    - ocp-rdu3.fedoraproject.org
+    when: env == "production" and datacenter == "rdu3"
+
+  - role: httpd/website
+    site_name: apps.ocp-rdu3.fedoraproject.org
+    server_aliases: ["*.apps.ocp-rdu3.fedoraproject.org", api.apps.ocp-rdu3.fedoraproject.org]
+    sslonly: true
+    cert_name: "{{ocp_rdu3_wildcard_cert_name}}"
+    SSLCertificateChainFile: "{{ocp_rdu3_wildcard_int_file}}"
+    # The Connection and Upgrade headers don't work for h2
+    # So non-h2 is needed to fix websockets.
+    use_h2: false
+    tags:
+    - apps.ocp-rdu3.fedoraproject.org
+    when: env == "production" and datacenter == "rdu3"
+
  - role: httpd/website
    site_name: registry.fedoraproject.org
    server_aliases: [registry.stg.fedoraproject.org registry-no-cdn.fedoraproject.org]
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
@@ -29,6 +29,8 @@ SSLProxyCACertificateFile "/etc/haproxy/ocp-prod.pem"
 {% elif env == "staging" %}
 SSLProxyCACertificateFile "/etc/haproxy/ocp-stg.pem"
 {% endif %}
+{% elif ocp4-rdu3 %}
+SSLProxyCACertificateFile "/etc/haproxy/ocp.prod-rdu3.pem"
 {% endif %}

 <Proxy "balancer://{{balancer_name}}-websocket">