Users don't need to use this and so restrict it to admins by ip for now.
Down the road we should be able to do this much better once we can set a
policy for access here.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The mirrormanager application moved over to
mirrormanager.fedoraproject.org from
admin.fedoraproject.org/mirrormanager. So we need to change this
redirect to point things to the new place.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This removes osbs and allmost all it's associated playbooks and files.
It served long and well, but we no longer need it.
flatpaks are building with a koji-flatpak plugin.
base/minimal/toolbox containers are building with kiwi.
We aren't building any other containers right now, and we did they could
be added to kiwi.
This is the end of an era... I look with nostolga on
ansible-ansible-openshift-ansible (a role to setup ansible on a control
host and run it from our ansible).
Good bye osbs!
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
New ipa checks the referrer to avoid CSRF issues.
We need to have the proxy edit requests for the right internal hostname
for it to be able to work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
f39 adds flatpaks for ppc64le, so we need to allow ppc64le builders to
access the registry directly so they can install flatpaks in the ostree
install images. Without this they try and get them from the cdn and the
builder firewall blocks them and it times out and the image fails to
compose.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now we only exclude the builders on 10.3.169 from using the
registry cdn (ie, the x86_86 builders), but we also make aarch64
containers/images and we should exclude it too ( 10.3.170.x ).
This might fix a weird compose failure we have been getting on
aarch64 ostree installer images.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Our openshift 3.11 cluster(s) served us long and well.
Now we have everything finally moved to the openshift 4 clusters (fas2
was the last holdout). We can finally retire this. :)
🎉🥂
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I think I handled all the special cases here already.
We want to switch non iad2 proxies to reach the oco4 cluster over it's
vpn now that it has one. This should allow us to still keep ipv6
available for applications and not have to change dns for moving from
ocp3 cluster anymore. Will roll this out slowly to one proxy then
another, then the rest if it all looks ok.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The ocp3 cluster is reachable/available via the vpn, so any proxy can
reach it.
The ocp4 cluster is (at least for now) only reachable/available from the
iad2 proxies (proxy01/proxy10).
There's a firefox bug that causes it to reuse h2 connections, and in
some cases try and request something of a non iad2 proxy that it can't
reach. To work around this in those cases we need to send a 421 back to
the client so it doesn't do that.
This moves that logic into the template so all ocp4: true hosts do this
by default. Also, we default the balancer nodes so we only have to
change them in one place if we remove/add a compute node.
Finally, we mark all the ocp3 apps with 'ocp4: false' so we know what
they are and can move them more easily.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is the fun firefox h2 connection reuse bug. blockerbugs is only in
iad2, so if firefox tries to reuse a connection to another proxy for it,
just send it a 421 so it knows thats bad on it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Due to http/2 connection reuse bugs, sometimes firefox will decide to
'reuse' a connection to fedoraproject.org for openqa.fedoraproject.org
(since they both have the same tls cert), but openqa is only available
from the 2 iad2 proxies, not all of them. This results in a 503 timeout
and it just not loading. This should make those reused connections get a
421 from proxies and reconnect to the proper ips. (we hope)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
See https://pagure.io/copr/copr/issue/1935
Prevent only /api_2, /api_3, etc from redirectring from
fedoraproject.org to fedorainfracloud.org
I am not entirely sure why do we need these special-cases for API but
you guys are taking care of it and keeping it updated, so it must be
important. If anyone can explain some context, it would be
appreciated. The config is older than my involvement in the Copr
project :-)
Anyway, there is only one /api/ page - https://copr.fedorainfracloud.org/api
and that is not an API endpoint that is programmatically accessed and
that preserves backwards compatibility. It is a page that one opens
in the web browser to find information about API, such as where the
documentation is, and how to obtain an API token.
We would like to apply the redirect from fedoraproject.org to
fedorainfracloud.org even for this page.
reg is putting a /static/ into asset path since it's upgrade.
Just alias it to / here to avoid the problem for now.
Hopefully we are going to be moving to quay.io and can stop caring about
it.
Fixes infra 10673
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Apache httpd by default blocks URL-encoded / (%2F) characters in the
URL path, even though these are RFC-compliant. Enable them and permit
their safe passage to the debuginfod servers.
See also https://stackoverflow.com/a/9933890/661150
Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
- Updating apache proxy config to handle ocp4 CA cert
- place ocp4 CA cert on proxies
- add ocp4 stg ca cert to haproxy/files
Signed-off-by: David Kirwan <dkirwan@redhat.com>
Our ansible default ansible scripts don't like multiple /suburls being
individually proxied, so we ended up losing /buildid/* and keeping
/metrics.
Switch to using single /-level reverse-proxying AND wiki-redirection
clauses, and use a new template .conf file to break the tie with a
"ProxyPass / !" directive.
debuginfod can take O(60s) to run certain webapi queries, so the httpd
mod_proxy default timeouts are too short. Introduce an ansible
variable "proxyopts", expanded into the httpd ProxyPass and
ProxyPassReverse configuration lines. Default to "", but set it
with pretty generous limits for debuginfod only.
