Dedicated IP for the private-runners we use for QA test runs
We switched to using a private runner manager for QA tests, which was necessary for auto-scaling runners and has been much more reliable for us, instead of running QA on a dedicated instance. The private runner managers we use on ops.gitlab.net are private-runners-manager-3.gitlab.com and private-runners-manager-4.gitlab.com, where the latter is used for QA test runs.
There are a lot of situations where we need to white-list requests coming from these runners, but for now it's not possible. @tmaczukin comments on Slack:
Well, the two runner managers have static IP addresses. But jobs are executed on VMs autoscaled in GCP. And from what I remember, we disabled Cloud Proxy here, which means that we can get any public IP address from the GCP address pools
I think what we should probably do is set up a NAT that we can route these requests through. This will become more important as we start to roll out rate limits on gitlab.com &341 (closed) and will want to white-list QA.
For now, we have a hack where we are setting a secret user-agent in https://gitlab.com/gitlab-org/gitlab-qa/-/issues/611. This is working OK for us for now, but is probably not the best long-term strategy for white-listing QA. If we keep with this approach, we will need to add the special header for rack-attack white-listing as well for this user-agent.
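The Ruby sketch below is an added illustration, not code from GitLab or gitlab-qa. It models the two allow-listing options discussed in this issue, a secret user-agent versus a fixed NAT egress address, and shows what each accepts. The address (from a documentation range), the secret, and all names are constructed placeholders.

```ruby
require "ipaddr"
require "openssl"

# Constructed placeholders: a documentation-range address standing in for a
# NAT egress IP, and a dummy value standing in for the secret user-agent.
NAT_EGRESS = [IPAddr.new("203.0.113.10/32")].freeze
QA_AGENT_SECRET = "placeholder-qa-agent-token"

Request = Struct.new(:remote_ip, :user_agent)

# Compare fixed-length digests so neither length nor content affects timing.
def constant_time_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a.to_s)
  db = OpenSSL::Digest::SHA256.digest(b.to_s)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when the source address falls inside a known NAT egress range.
def from_nat?(req)
  ip = IPAddr.new(req.remote_ip.to_s)
  NAT_EGRESS.any? { |net| net.include?(ip) }
rescue IPAddr::Error
  false # unparsable source address is never allow-listed
end

def secret_agent?(req)
  constant_time_equal?(req.user_agent, QA_AGENT_SECRET)
end

# policy: :agent_only (current workaround), :ip_only (NAT), or :both.
def safelisted?(req, policy)
  case policy
  when :agent_only then secret_agent?(req)
  when :ip_only    then from_nat?(req)
  when :both       then from_nat?(req) && secret_agent?(req)
  else false
  end
end
```

With `:agent_only`, any request carrying the header value bypasses rate limiting regardless of where it comes from, so the value has to be treated and rotated like a credential; `:ip_only` or `:both` becomes possible only once the autoscaled job VMs egress through a fixed address.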