
tool-deno: update reverse proxy ingress annotations
Closed, Resolved, Public

Description

There is a problem in Toolforge ingress-nginx.

We need to update several ingress annotations for constructing each reverse proxy that tool-deno uses.

In tool-deno/proxy-deno, from:

nginx.ingress.kubernetes.io/server-snippet: |
  proxy_ssl_name cdn.deno.land;
  proxy_ssl_server_name on;

to:

nginx.ingress.kubernetes.io/proxy-ssl-name: cdn.deno.land
nginx.ingress.kubernetes.io/proxy-ssl-server-name: "true"

In tool-deno/proxy-github, from:

nginx.ingress.kubernetes.io/server-snippet: |
  proxy_ssl_name raw.githubusercontent.com;
  proxy_ssl_server_name on;

to:

nginx.ingress.kubernetes.io/proxy-ssl-name: raw.githubusercontent.com
nginx.ingress.kubernetes.io/proxy-ssl-server-name: "true"

The change is harmless in the sense that functionality should be the exact same.

Event Timeline

Mentioned in SAL (#wikimedia-cloud) [2021-10-28T10:43:09Z] <arturo> update proxy-github ingress object (T294533)

Mentioned in SAL (#wikimedia-cloud) [2021-10-28T10:44:23Z] <arturo> update proxy-deno ingress object (T294533)

The deno reverse proxy is apparently not working; I see this in the nginx logs:

2021/10/28 10:48:16 [error] 4102#4102: *6355909 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 192.168.209.128, server: deno.toolforge.org, request: "GET /deno/x/corejs@v3.19.0/index.js HTTP/1.1", upstream: "https://104.23.131.81:443/x/corejs@v3.19.0/index.js", host: "deno.toolforge.org"

I just checked the generated nginx.conf file. No proxy-ssl-xxxx options are present for either proxy-github or proxy-deno.

We may be affected by this https://github.com/kubernetes/ingress-nginx/issues/6728

Not sure at this point why the change to proxy-github worked.

The solution is to disable TLS for the backend connection, i.e.:

---
# Service object for routing requests to deno.land
apiVersion: v1
kind: Service
metadata:
  name: deno-land
  namespace: tool-deno
spec:
  type: ExternalName
  externalName: cdn.deno.land
---
# Ingress object for routing requests to deno.land
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: proxy-deno
  namespace: tool-deno
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/upstream-vhost: cdn.deno.land
    nginx.ingress.kubernetes.io/backend-protocol: http
spec:
  rules:
    - host: deno.toolforge.org
      http:
        paths:
          - backend:
              serviceName: deno-land
              servicePort: 80
            path: /deno(/|$)(.*)

aborrero claimed this task.
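
The manual check described in the timeline, looking in the generated nginx.conf for proxy_ssl directives under a given host, can be scripted. This is an added example, not part of the original task or of ingress-nginx; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of a generated nginx.conf (not from the Toolforge cluster).
SAMPLE_CONF = """
http {
  server {
    server_name deno.toolforge.org ;
    location ~* "^/deno(/|$)(.*)" {
      proxy_set_header Host "cdn.deno.land";
      proxy_pass https://upstream_balancer;
    }
  }
  server {
    server_name other.example.org ;
    location / {
      proxy_ssl_name backend.example.org;
      proxy_ssl_server_name on;
      proxy_pass https://upstream_balancer;
    }
  }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching.
    Assumes braces are balanced and do not appear inside quoted strings."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def proxy_ssl_directives(conf, host):
    """Return {directive: value} for proxy_ssl_* lines in the server block of `host`."""
    for block in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", block)
        if names and host in names.group(1).split():
            return dict(re.findall(r"^\s*(proxy_ssl_\w+)\s+([^;]+);", block, re.M))
    raise LookupError(f"no server block for {host}")

def sni_configured(conf, host, expected_name):
    """True only if SNI is switched on and names the expected upstream host."""
    d = proxy_ssl_directives(conf, host)
    return d.get("proxy_ssl_server_name") == "on" and d.get("proxy_ssl_name") == expected_name

if __name__ == "__main__":
    for host, name in [("deno.toolforge.org", "cdn.deno.land"),
                       ("other.example.org", "backend.example.org")]:
        print(host, proxy_ssl_directives(SAMPLE_CONF, host), sni_configured(SAMPLE_CONF, host, name))
```

Run against the real generated file after each annotation change, an empty result for a host means the annotations were not rendered into the configuration.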