From 525d21a332e078262e085dc5ae7e6105929ec478 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Wed, 19 Jun 2019 14:16:05 -0500 Subject: [PATCH] Add proxy for registry.access.redhat This change adds a proxy config for registry.access.redhat which should assist us when gating using images provided by the publically available registry. Change-Id: Ica7477d63659610de852d305a63f3e78d0dd8c4f Signed-off-by: Kevin Carter --- .../templates/mirror.vhost.erb | 61 +++++++++++++++++++ playbooks/group_vars/mirror.yaml | 1 + playbooks/group_vars/mirror_opendev.yaml | 1 + .../roles/mirror/templates/mirror.vhost.j2 | 56 +++++++++++++++++ 4 files changed, 119 insertions(+) diff --git a/modules/openstack_project/templates/mirror.vhost.erb b/modules/openstack_project/templates/mirror.vhost.erb index 44d266f970..49ef9bdd15 100644 --- a/modules/openstack_project/templates/mirror.vhost.erb +++ b/modules/openstack_project/templates/mirror.vhost.erb @@ -14,6 +14,8 @@ NameVirtualHost <%= @vhost_name %>:8081 Listen 8082 NameVirtualHost <%= @vhost_name %>:8082 +Listen 8083 +NameVirtualHost <%= @vhost_name %>:8083 LogFormat "%h %l %u %t \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-agent}i\"" combined-cache 
@@ -412,3 +414,62 @@ LogFormat "%h %l %u %t \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-a ProxyPass "/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0 ProxyPassReverse "/" "https://registry-1.docker.io/" + +# Redhat registry proxy. +:8083> + ServerName <%= @srvname %>:8083 + <% if @serveraliases.is_a? Array -%> + <% @serveraliases.each do |name| -%> + <%= " ServerAlias #{name}:8083\n" %> + <% end %> + <% elsif @serveraliases != nil -%> + <%= " ServerAlias #{@serveraliases}:8083" -%> + <% end %> + + # Disable directory listing by default. + + Order Deny,Allow + Deny from all + Options None + AllowOverride None + + + ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8083_error.log + LogLevel warn + CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8083_access.log combined-cache + ServerSignature Off + + # Caching reverse proxy for things that don't make sense in AFS + # + # General cache rules + CacheRoot "/var/cache/apache2/proxy" + CacheDirLevels 5 + CacheDirLength 2 + # SSL support + SSLProxyEngine on + # Prevent thundering herds. + CacheLock on + CacheLockPath "/tmp/mod_cache-lock" + CacheLockMaxAge 5 + # 5GiB + CacheMaxFileSize 5368709120 + # Ignore expire headers as the urls use sha256 hashes. 
+ CacheIgnoreQueryString On + CacheDefaultExpire 86400 + CacheStoreExpired On + + # e14353.d.akamaiedge.net + CacheEnable disk "/e14353.d.akamaiedge" + ProxyPass "/e14353.d.akamaiedge/" "https://e14353.d.akamaiedge.net/" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/e14353.d.akamaiedge/" "https://e14353.d.akamaiedge.net/" + + # edgekey.net + CacheEnable disk "/redhat.com.edgekey" + ProxyPass "/redhat.com.edgekey/" "https://registry.access.redhat.com.edgekey.net/" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/redhat.com.edgekey/" "https://registry.access.redhat.com.edgekey.net/" + + # registry.access.redhat.com + CacheEnable disk "/" + ProxyPass "/" "https://registry.access.redhat.com/" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/" "https://registry.access.redhat.com/" + diff --git a/playbooks/group_vars/mirror.yaml b/playbooks/group_vars/mirror.yaml index ec2b85c27c..0c08088397 100644 --- a/playbooks/group_vars/mirror.yaml +++ b/playbooks/group_vars/mirror.yaml @@ -3,3 +3,4 @@ iptables_extra_public_tcp_ports: - 8080 - 8081 - 8082 + - 8083 diff --git a/playbooks/group_vars/mirror_opendev.yaml b/playbooks/group_vars/mirror_opendev.yaml index 3f4cb5ba92..e65dc65cb2 100644 --- a/playbooks/group_vars/mirror_opendev.yaml +++ b/playbooks/group_vars/mirror_opendev.yaml @@ -4,3 +4,4 @@ iptables_extra_public_tcp_ports: - 8080 - 8081 - 8082 + - 8083 diff --git a/playbooks/roles/mirror/templates/mirror.vhost.j2 b/playbooks/roles/mirror/templates/mirror.vhost.j2 index b1be6fdc75..37b1290f86 100644 --- a/playbooks/roles/mirror/templates/mirror.vhost.j2 +++ b/playbooks/roles/mirror/templates/mirror.vhost.j2 @@ -11,6 +11,9 @@ NameVirtualHost *:8081 Listen 8082 NameVirtualHost *:8082 +Listen 8083 +NameVirtualHost *:8083 + {% raw %} LogFormat "%h %l %u [%{%F %T}t.%{msec_frac}t] \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-agent}i\"" combined-cache ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \ referer\ %{Referer}i" 
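Review bot: `SSLProxyEngine on` in the new :8083 vhost comes without `SSLProxyVerify require` or a CA bundle, and Apache's default for SSLProxyVerify is `none`, so unless it is set at server level outside this hunk the three HTTPS backends are fetched without validating their certificate chain. Because the vhost caches that content and re-serves it to gate jobs, I would add `SSLProxyVerify require` and `SSLProxyCACertificateFile <path to the system CA bundle>` next to `SSLProxyEngine on`. The two CDN backends are addressed by Akamai hostnames, so peer-name checking should be tested against them before verification is enforced. The same lines appear in the mirror.vhost.j2 hunk at the end of the patch.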
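Review bot: Adding 8083 to `iptables_extra_public_tcp_ports` opens the new caching proxy to any source address, and no restriction on proxied requests is visible in the vhost hunks of this patch, so unauthenticated clients can trigger upstream fetches and disk-cache writes up to the 5 GiB `CacheMaxFileSize`. If that matches the existing policy for 8080-8082, a comment on the entry such as `# 8083: registry.access.redhat.com caching proxy` would record the intent; otherwise consider limiting the port to the CI node address ranges and confirming that cache cleanup is in place. The mirror_opendev.yaml hunk makes the same addition.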
@@ -410,3 +413,56 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \ ProxyPass "/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0 ProxyPassReverse "/" "https://registry-1.docker.io/" + +# Redhat registry proxy. + + ServerName {{ apache_server_name }}:8083 + ServerAlias {{ apache_server_alias }}:8083 + + # Disable directory listing by default. + + Order Deny,Allow + Deny from all + Options None + AllowOverride None + + + ErrorLog /var/log/apache2/proxy_8083_error.log + LogLevel warn + CustomLog /var/log/apache2/proxy_8083_access.log combined-cache + ServerSignature Off + + # Caching reverse proxy for things that don't make sense in AFS + # + # General cache rules + CacheRoot "/var/cache/apache2/proxy" + CacheDirLevels 5 + CacheDirLength 2 + # SSL support + SSLProxyEngine on + # Prevent thundering herds. + CacheLock on + CacheLockPath "/tmp/mod_cache-lock" + CacheLockMaxAge 5 + # 5GiB + CacheMaxFileSize 5368709120 + # Ignore expire headers as the urls use sha256 hashes. + CacheIgnoreQueryString On + CacheDefaultExpire 86400 + CacheStoreExpired On + + # e14353.d.akamaiedge.net + CacheEnable disk "/e14353.d.akamaiedge" + ProxyPass "/e14353.d.akamaiedge/" "https://e14353.d.akamaiedge.net/" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/e14353.d.akamaiedge/" "https://e14353.d.akamaiedge.net/" + + # edgekey.net + CacheEnable disk "/redhat.com.edgekey" + ProxyPass "/redhat.com.edgekey/" "https://registry.access.redhat.com.edgekey.net/" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/redhat.com.edgekey/" "https://registry.access.redhat.com.edgekey.net/" + + # registry.access.redhat.com + CacheEnable disk "/" + ProxyPass "/" "https://registry.access.redhat.com/" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/" "https://registry.access.redhat.com/" +
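Review bot: `CacheEnable disk "/"` together with `CacheDefaultExpire 86400` and `CacheStoreExpired On` covers every registry URL, not only the sha256-addressed blobs the comment refers to; tag-addressed manifests are mutable, so a gate job may be handed an outdated tag from cache, possibly for up to a day if the upstream sends no freshness headers. The comment `# Ignore expire headers as the urls use sha256 hashes.` also sits directly above `CacheIgnoreQueryString On`, which changes the cache key rather than expiry handling. I would reword it to something like `# Blob URLs are content-addressed (sha256); tag manifests are not and are still cached by the rules below.` and decide explicitly whether manifests should be cached at all. The ERB template hunk earlier in the patch carries the same lines.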