From 78563506adc51b8a302bcd6afd56072bcbb42c6d Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 23 Oct 2025 14:14:46 -0700
Subject: [PATCH] Force gitea http(s) connectivity through the load balancer We've noticed that some web and AI crawlers are crawling each backend directly. This is undesirable because it means search indexes can return non canonical urls (an alternative approach to address this can be found in https://review.opendev.org/c/opendev/system-config/+/962826) but also because it means specific backends may be targetted and overloaded without the load balancer being aware. Forcing all communication through the load balancer should help ensure that load is more evenly distributed across all backends. We do lose the ability to test individual backends in a trivial manner (this has been particularly helpful during backend upgrades to verify the first to upgrade is happy early). Instead we'll need to use ssh -L and /etc/hosts overrides to ensure that https certs match for proxied connections. Given these tradeoffs consider this change a request for comment. I appreciate any feedback on this proposal. Note that the haproxy configuration for the test gitea lb is updated to use the same IP addresses as the iptables rules. In a system-config ansible context that is host.public_v4 which run-base.yaml sets to nodepool.private_ipv4 in the Zuul Ansible context. Doing this is necessary now that we don't allow any traffic to these ports.
Change-Id: Ib910f2d5c70c4462363efc4c7ed3a8e7e44b36bc
---
 inventory/service/group_vars/gitea.yaml | 8 ++++++--
 playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2 | 12 ++++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/inventory/service/group_vars/gitea.yaml b/inventory/service/group_vars/gitea.yaml
index 06705a7068..6484e17889 100644
--- a/inventory/service/group_vars/gitea.yaml
+++ b/inventory/service/group_vars/gitea.yaml
@@ -5,6 +5,10 @@ gitea_root_email: infra-root@openstack.org
 gitea_gerrit_public_key_A: ssh-rsa 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 gerrit@gitea.opendev.org-20231130
 gitea_gerrit_public_key_B: ssh-rsa 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 gerrit@gitea.opendev.org-20231130
 iptables_extra_public_tcp_ports:
+  # ssh for gerrit to gitea git pushes
   - 222
-  - 3080
-  - 3081 # see above; reverse proxy
+iptables_extra_allowed_groups:
+  # gitea-lb to gitea http port
+  - {'protocol': 'tcp', 'port': '3080', 'group': 'gitea-lb'}
+  # gitea-lb to gitea https port
+  - {'protocol': 'tcp', 'port': '3081', 'group': 'gitea-lb'}
diff --git a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
index 04bd4b3a76..35b0a56a29 100644
--- a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
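Review bot: The new `iptables_extra_allowed_groups` entries carry no explanation of why 3080/3081 left `iptables_extra_public_tcp_ports`, and the removed `# see above; reverse proxy` pointer is gone with them, so a reader of this file alone cannot tell that direct backend access is now intentionally closed. Add above the new key: `# http(s) on the gitea backends is reachable only from the gitea-lb group; direct access is deliberately closed so all load is seen and balanced by the lb`. Presumably the allow rule is keyed on the addresses of the `gitea-lb` inventory group, so any other host that legitimately needs 3080/3081 on a backend directly (a monitoring check, for instance) is now dropped — worth confirming nothing else depends on it, and that the rule is also generated for the LB's IPv6 address if the backends are reached over v6. The `port` values are quoted strings here while the `222` entry above is a bare integer; keep the type consistent with how the iptables role already uses this variable elsewhere.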
@@ -4,12 +4,20 @@ gitea_lb_listeners:
       - ":::80"
     servers:
       - name: "gitea99.opendev.org"
-        address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3080"
+        # playbooks/zuul/run-base.yaml sets each host's public_v4 address to
+        # the nodepool.private_ipv4 value. Since we're evaluating this template
+        # from a Zuul Ansible not system-config Ansible context we need to set
+        # the corresponding value here to ensure iptables rules align.
+        address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('private_ipv4', '') }}:3080"
         check_method: "check"
   - name: balance_git_https
     bind:
       - ":::443"
     servers:
       - name: "gitea99.opendev.org"
-        address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3081"
+        # playbooks/zuul/run-base.yaml sets each host's public_v4 address to
+        # the nodepool.private_ipv4 value. Since we're evaluating this template
+        # from a Zuul Ansible not system-config Ansible context we need to set
+        # the corresponding value here to ensure iptables rules align.
+        address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('private_ipv4', '') }}:3081"
         check_method: "check check-ssl ca-file /usr/local/etc/haproxy/ca.crt"
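Review bot: The four-line explanatory comment is duplicated verbatim for the `:3080` and `:3081` server entries; state it once, for example as a Jinja `{# ... #}` comment at the top of the template, so it is not rendered twice into the generated group_vars and the two copies cannot drift apart. The enclosing `gitea_lb_listeners` list and the first listener's `name`/`bind` keys start above this hunk. One thing that single comment should also say: because `default('')` is kept, a missing `nodepool.private_ipv4` now renders `:3080`/`:3081` with an empty host, which presumably the new group-based iptables rule would never match, so the listener would silently have no reachable backend rather than the template failing loudly — consider whether a `mandatory` filter on the address is the better failure mode here.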