Force gitea http(s) connectivity through the load balancer

We've noticed that some web and AI crawlers are crawling each backend
directly. This is undesirable because it means search indexes can return
non-canonical URLs (an alternative approach to address this can be found
in https://review.opendev.org/c/opendev/system-config/+/962826) but also
because it means specific backends may be targeted and overloaded
without the load balancer being aware. Forcing all communication through
the load balancer should help ensure that load is more evenly
distributed across all backends.

We do lose the ability to test individual backends in a trivial manner
(this has been particularly helpful during backend upgrades to verify
the first to upgrade is happy early). Instead we'll need to use ssh -L
and /etc/hosts overrides to ensure that https certs match for proxied
connections.

Given these tradeoffs consider this change a request for comment. I
appreciate any feedback on this proposal.

Note that the haproxy configuration for the test gitea lb is updated to
use the same IP addresses as the iptables rules. In a system-config
ansible context that is host.public_v4 which run-base.yaml sets to
nodepool.private_ipv4 in the Zuul Ansible context. Doing this is
necessary now that we don't allow any traffic to these ports.

Change-Id: Ib910f2d5c70c4462363efc4c7ed3a8e7e44b36bc
Clark Boylan
2025-10-23 14:14:46 -07:00
parent dc977420a4
commit 78563506ad
2 changed files with 16 additions and 4 deletions
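The commit message says that once 3080/3081 are only reachable from the gitea-lb group, an individual backend has to be tested via `ssh -L` plus a hostname override so the https certificate still matches. The script below is an added example, not part of this commit or of system-config: it forwards the backend's https port over ssh and pins the canonical name to the tunnel with `curl --resolve`, which gives the same SNI/Host match as an /etc/hosts entry without editing the file. The backend name and port 3081 come from the diff; the canonical host `opendev.org`, the local port 8443 and the probe path are assumptions.

```shell
#!/bin/sh
# Added example (not from the commit): probe one gitea backend through an
# ssh tunnel after direct access to 3080/3081 has been closed.

CANONICAL_HOST="opendev.org"   # name on the backend cert (assumption)
BACKEND_HTTPS_PORT=3081        # backend https port, from the diff
LOCAL_PORT=8443                # local end of the tunnel (assumption)

# Build the ssh command that forwards LOCAL_PORT on this machine to the
# backend's https port on its own loopback, bypassing the iptables
# restriction because the connection arrives via the backend's sshd.
# The command is returned as a string so it can be inspected offline.
tunnel_cmd() {
    backend="$1"
    printf 'ssh -N -L %s:127.0.0.1:%s %s' "$LOCAL_PORT" "$BACKEND_HTTPS_PORT" "$backend"
}

# Build the curl command. --resolve maps CANONICAL_HOST:LOCAL_PORT to the
# tunnel, so the TLS SNI and Host header carry the canonical name and the
# certificate check passes; -w prints only the HTTP status code.
probe_cmd() {
    path="$1"
    printf 'curl -sS -o /dev/null -w %%{http_code} --resolve %s:%s:127.0.0.1 https://%s:%s%s' \
        "$CANONICAL_HOST" "$LOCAL_PORT" "$CANONICAL_HOST" "$LOCAL_PORT" "$path"
}

# Run the probe for real: open the tunnel in the background, give it a
# moment to come up, fetch the path, then tear the tunnel down.
# Prints the HTTP status code (e.g. 200) on stdout.
probe_backend() {
    backend="$1"
    path="${2:-/}"
    eval "$(tunnel_cmd "$backend")" &
    tunnel_pid=$!
    sleep 2
    status=$(eval "$(probe_cmd "$path")")
    kill "$tunnel_pid" 2>/dev/null
    printf '%s\n' "$status"
}

# Usage (requires ssh access to the backend):
#   probe_backend gitea99.opendev.org /opendev/system-config
```

Because the tunnel terminates on the backend's loopback, this works regardless of the new iptables group rules; the `--resolve` pin is what keeps the certificate check meaningful, so do not replace it with `-k`.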


@@ -5,6 +5,10 @@ gitea_root_email: infra-root@openstack.org
gitea_gerrit_public_key_A: ssh-rsa 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 gerrit@gitea.opendev.org-20231130
gitea_gerrit_public_key_B: ssh-rsa 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 gerrit@gitea.opendev.org-20231130
iptables_extra_public_tcp_ports:
# ssh for gerrit to gitea git pushes
- 222
- 3080
- 3081 # see above; reverse proxy
iptables_extra_allowed_groups:
# gitea-lb to gitea http port
- {'protocol': 'tcp', 'port': '3080', 'group': 'gitea-lb'}
# gitea-lb to gitea https port
- {'protocol': 'tcp', 'port': '3081', 'group': 'gitea-lb'}
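Review bot: the two `iptables_extra_allowed_groups` entries (`- {'protocol': 'tcp', 'port': '3080', 'group': 'gitea-lb'}` and the matching 3081 line) only admit the load balancer if the iptables role resolves the `gitea-lb` group members to the same address family and address that haproxy actually sources backend connections from; the commit message explains that the test lb's haproxy config had to be aligned to `public_v4` for exactly this reason, so a one-line comment here stating that coupling (and that direct backend testing now needs an ssh tunnel) would save the next person from rediscovering it. Since the backend `address:` values in the haproxy config are IPv4 only, a v4-only rule is sufficient today, but if the lb ever reaches backends over IPv6 this rule must be extended, and that is worth noting in the same comment.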


@@ -4,12 +4,20 @@ gitea_lb_listeners:
- ":::80"
servers:
- name: "gitea99.opendev.org"
address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3080"
# playbooks/zuul/run-base.yaml sets each host's public_v4 address to
# the nodepool.private_ipv4 value. Since we're evaluating this template
# from a Zuul Ansible not system-config Ansible context we need to set
# the corresponding value here to ensure iptables rules align.
address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('private_ipv4', '') }}:3080"
check_method: "check"
- name: balance_git_https
bind:
- ":::443"
servers:
- name: "gitea99.opendev.org"
address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3081"
# playbooks/zuul/run-base.yaml sets each host's public_v4 address to
# the nodepool.private_ipv4 value. Since we're evaluating this template
# from a Zuul Ansible not system-config Ansible context we need to set
# the corresponding value here to ensure iptables rules align.
address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('private_ipv4', '') }}:3081"
check_method: "check check-ssl ca-file /usr/local/etc/haproxy/ca.crt"
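Review bot: the four-line comment explaining that `playbooks/zuul/run-base.yaml` sets `public_v4` to `nodepool.private_ipv4` is repeated verbatim under both the `:::80` and `:::443` listeners; keep the full text once (above `gitea_lb_listeners` or on the first server entry) and leave a one-line pointer on the second so the two copies cannot drift apart. Separately, the new `.get('private_ipv4', '')` lookups inherit the empty-string fallback from the `public_ipv4` lines they replace, so a missing hostvar renders as `address: ":3081"` and fails only when haproxy parses its config; since these lines are being touched anyway, a `| mandatory` filter or an assert in the playbook would turn that into an explicit Ansible error.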