With the EOL of Fedora 38 yesterday, we are no longer building any
modules and can retire our module build service.
Note that toddlers needs to be adjusted still, that will happen after
this.
Thanks for all the modules!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This removes osbs and almost all its associated playbooks and files.
It served long and well, but we no longer need it.
flatpaks are building with a koji-flatpak plugin.
base/minimal/toolbox containers are building with kiwi.
We aren't building any other containers right now, and if we did they could
be added to kiwi.
This is the end of an era... I look with nostalgia on
ansible-ansible-openshift-ansible (a role to setup ansible on a control
host and run it from our ansible).
Good bye osbs!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We are hitting a sporadic and annoying 502 error with ostree pulls.
See https://pagure.io/releng/issue/11439
The problem seems to be between haproxy and varnish on kojipkgs01.
We set the httpclose option in haproxy globally, which closes
connections as soon as it thinks they are done.
Setting this option 'httpkeepalive' will keep connections alive
and handle the case of lots of fast connections downloading small
objects much better.
Sadly, we don't have a way to test this in staging, so we would need to
test in prod and roll back if there's problems.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Our openshift 3.11 cluster(s) served us long and well.
Now we have everything finally moved to the openshift 4 clusters (fas2
was the last holdout). We can finally retire this. :)
🎉🥂
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We added more to the api and machine-config, but those only go to
control nodes, not compute nodes. Just revert this section entirely, it
was a bad idea and we shall never speak of it again. :)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This fixes ticket 10521.
Basically we want to just open the api. It requires auth to do anything
and other openshift instances have it available, so it shouldn't
hopefully expose us to too much risk. With ocp3 the api was part of the
normal port/web flow, but with ocp4 it's a separate port.
This also adds new workers to haproxy. I can drop that part if it's
controversial, but it should be fine I would think.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
If we push this to all proxies (as we have), they will fail to start
haproxy because they cannot resolve the internal ocp iad2 hosts. ;(
The ocp clusters should only apply on the iad2 haproxy nodes, not all
proxies. Also fix logic on the staging one to apply in staging instead
of just production.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
- Updating apache proxy config to handle ocp4 CA cert
- place ocp4 CA cert on proxies
- add ocp4 stg ca cert to haproxy/files
Signed-off-by: David Kirwan <dkirwan@redhat.com>
haproxy needs to terminate ssl for the api part of the ocp cluster.
We can't do this in apache without listening for non standard ports and
that could be a mess, so terminate ssl here and talk into the cluster
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Put the api ports that ocp4 needs behind haproxy (with bootstrap node)
and open them to just the ocp4 machines on the proxies.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>