So, we renamed the cluster with the ocp-rdu3 name, so drop all this
special handling. All the proxies should be able to reach it by that
name and via the vpn endpoints it has.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

We can't easily use the existing hostname/site, as that goes to the
current iad2 cluster, so set up a -rdu3 version for now.
After we switch we can drop this and repoint the main one to the new
cluster.
Hopefully this all works and does the right thing.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Our openshift 3.11 cluster(s) served us long and well.
Now we have everything finally moved to the openshift 4 clusters (fas2
was the last holdout). We can finally retire this. :)
🎉🥂
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

I think I handled all the special cases here already.
We want to switch non iad2 proxies to reach the ocp4 cluster over its
vpn now that it has one. This should allow us to still keep ipv6
available for applications and not have to change dns for moving from
ocp3 cluster anymore. Will roll this out slowly to one proxy then
another, then the rest if it all looks ok.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

The ocp3 cluster is reachable/available via the vpn, so any proxy can
reach it.
The ocp4 cluster is (at least for now) only reachable/available from the
iad2 proxies (proxy01/proxy10).
There's a Firefox bug that causes it to reuse h2 connections, and in
some cases try and request something of a non iad2 proxy that it can't
reach. To work around this in those cases we need to send a 421 back to
the client so it doesn't do that.
This moves that logic into the template so all ocp4: true hosts do this
by default. Also, we default the balancer nodes so we only have to
change them in one place if we remove/add a compute node.
Finally, we mark all the ocp3 apps with 'ocp4: false' so we know what
they are and can move them more easily.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

- Updating apache proxy config to handle ocp4 CA cert
- place ocp4 CA cert on proxies
- add ocp4 stg ca cert to haproxy/files
Signed-off-by: David Kirwan <dkirwan@redhat.com>

debuginfod can take O(60s) to run certain webapi queries, so the httpd
mod_proxy default timeouts are too short. Introduce an ansible
variable "proxyopts", expanded into the httpd ProxyPass and
ProxyPassReverse configuration lines. Default to "", but set it
with pretty generous limits for debuginfod only.

I was hitting an issue where there were multiple reverseproxy instances
configured for a single host and some of the rewrite rules were changing
the request when they shouldn't be.
This patch adds a rewritecond to the websocket rewrite rule to make sure that
the REQUEST_URI starts with $remotepath before it's rewritten.

The current template assumes that websockets are at the base of a URL
but that is not true for our buildmaster. This patch adds remotepath
to the end of the websocket url if remotepath is defined.

Firefox is hell-bent on sending "keep-alive, Upgrade", which did not match
^Upgrade$....
Let's accept either.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
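
The Connection header mismatch described in the last commit message above, as an added example that is not the repository's template or the author's fix: it compares the anchored `^Upgrade$` pattern with a token-based check, which goes beyond "accept either" by treating the header as a comma-separated list. The function names, the check on the `Upgrade` header and the sample values are assumptions made for illustration.

```python
import re

# The anchored pattern quoted in the commit message: it matches only when the
# entire Connection header value is exactly "Upgrade".
ANCHORED = re.compile(r"^Upgrade$")


def header_tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def anchored_match(connection):
    """Behaviour of the whole-value pattern against a Connection header."""
    return bool(ANCHORED.search(connection))


def is_websocket_upgrade(connection, upgrade):
    """Token-based check (assumption, not the template's rule): 'upgrade' must be
    one of the Connection tokens and 'websocket' one of the Upgrade tokens."""
    return ("upgrade" in header_tokens(connection)
            and "websocket" in header_tokens(upgrade))


# Constructed sample requests: (label, Connection value, Upgrade value).
SAMPLES = [
    ("single token", "Upgrade", "websocket"),
    ("Firefox style", "keep-alive, Upgrade", "websocket"),
    ("plain keep-alive", "keep-alive", ""),
    ("look-alike token", "close, x-upgrade-hint", "websocket"),
    ("other protocol", "Upgrade", "h2c"),
]


def compare(samples=SAMPLES):
    """Return (label, anchored result, token result) for each sample."""
    return [(label, anchored_match(conn), is_websocket_upgrade(conn, upg))
            for label, conn, upg in samples]


if __name__ == "__main__":
    for label, anchored, token in compare():
        print(f"{label:18} anchored={anchored!s:5} token={token}")
```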