ISV-3470: use proxy_pass variable to force regular address resolution… (#441)

johnbe11 · John Bell · web-flow · commit a40f34c4ef3b · 2023-05-09T15:58:08.000-04:00
* ISV-3470: use proxy_pass variable to force regular address resolution (to prevent mismatched upstream address)

* ISV-3470: use nameserver qualified name instead of ip address

---------

Co-authored-by: John Bell &lt;jbell@jbell.rdu.csb&gt;
diff --git a/ansible/inventory/group_vars/operator-pipeline.yml b/ansible/inventory/group_vars/operator-pipeline.yml
@@ -58,5 +58,6 @@ community_signing_pipeline_url: "{{ community_signing_pipeline_name }}-tekton-{{
 nginx_basic_user_file_local_path: ../../vaults/common/htpasswd-nonprod
 nginx_proxy_service_url: "https://{{ community_signing_pipeline_url }}"
 nginx_proxy_url: "{{ community_signing_pipeline_name }}-{{ env }}.apps.pipelines-stage.0ce8.p1.openshiftapps.com"
+nginx_nameserver_ip: "dns-default.openshift-dns.svc.cluster.local"
 
 signing_pub_key_local_path: ../../vaults/{{ env }}/sig-key.pub
diff --git a/ansible/roles/nginx-proxy/templates/openshift/nginx-configuration.yml b/ansible/roles/nginx-proxy/templates/openshift/nginx-configuration.yml
@@ -40,7 +40,9 @@ data:
           location / {
               auth_basic "Community signing pipeline";
               auth_basic_user_file {{ nginx_basic_user_file_path }};
-              proxy_pass {{ nginx_proxy_service_url }};
+              resolver {{ nginx_nameserver_ip }};
+              set $backend {{ nginx_proxy_service_url }};
+              proxy_pass $backend;
           }
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,9 @@ data:`
`40`	`40`	`location / {`
`41`	`41`	`auth_basic "Community signing pipeline";`
`42`	`42`	`auth_basic_user_file {{ nginx_basic_user_file_path }};`
`43`		`- proxy_pass {{ nginx_proxy_service_url }};`
	`43`	`+ resolver {{ nginx_nameserver_ip }};`
	`44`	`+ set $backend {{ nginx_proxy_service_url }};`
	`45`	`+ proxy_pass $backend;`
`44`	`46`	`}`
`45`	`47`	`}`
`46`	`48`	`}`