When I switched dns to use proxy110/proxy101 for src internally
in order to fix rust crate building, it broke auth on pkgs01/src.
The problem is that proxy01/10 are setup with a keytab that has
proxy01/proxy10 listed as principals so it can accept auth via them.
However, 101/110 are not listed and thus you get a permission denied.
We might look at a better way to fix this, but for now,
lets just override that here.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The messaging bridges openshift project and github2fedmsg VM were
already removed in staging. This is to clean the ansible playbooks.
I will create a separate one for production after this one is merged.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
fix 1900 failures of the following case issue:
`name[casing]: All names should start with an uppercase letter.`
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
So, we need a bit more logic here.
We want to use the vpn hosts file only if something is on the vpn and
it's also not in iad2. In iad2 we want the normal hosts file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This isn't very clever, but it should work and be easily understandable.
We likely want to come up with a better way to do these hosts files
entirely, but it can wait until after freeze.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Move the vpn ./. base logic from the ipa/client role into the hosts
role, so that applying the latter doesn't apply the base profile on VPN
hosts.
Fixes: fedora-infrastructure#9822
Signed-off-by: Nils Philippsen <nils@redhat.com>
This requires the canonical names of IPA servers to be mapped to their
IP addresses on the VPN as well as specifying the IPA server explicitly
when enrolling clients.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The iad2 registries should be reachable now via the normal path, so we
can drop this workaround. Should make things faster too.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Currently the proxies can't talk to the container registries directly,
so for now route these over the vpn.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now, proxy101 is what is resolved to internally in iad2 for
candidate-registry.fedoraproject.org. It has haproxy to reach
oci-candidate-registry01.iad2.fedoraproject.org on port 5000 for this,
but that doesn't work currently due to RHIT firewall.
So, for now we add the vpn endpoint to /etc/hosts there so haproxy works
and internal machines can use the candidate registry.
Once we fix the rhit firewall we should remove this.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The problem is that id.fedoraproject.org resolves to the iad2 versions
in iad2. This is fine, but break oidc which has a talk between the
provider and the requestor, so if you use the phx2 ipsilon, you need
to use it for the entire thing. Will fix this better in dns soon.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Basically, instead of relying on an obscure db-pagure variable that
then needs to be specified in the /etc/hosts file.
Just define the pagure_db_host variable in the host's inventory
file so it exists as a variable available in the playbook/role.
This makes things more explicit and easier to debug/tweak as needed.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
