Align internal LB ports on gprd and gstg
Current Situation
Currently, we run int.gstg.gitlab.net on port 11443 with a second bind rule in HAProxy. This is done so we can enable mutual TLS on port 443 for Cloudflare.
For int.gprd.gitlab.net, we do not have this second binding on port 11443, not only creating a divergence in configuration but also preventing us from enabling mutual TLS on port 443 until this is remediated.
Desired Outcome
int.gprd.gitlab.net listens on port 11443 without mutual TLS
Acceptance Criteria
- int.gprd.gitlab.net listens on port 11443 without mutual TLS
- int.gprd.gitlab.net listens on port 443 without mutual TLS (so that it can be activated later if needed)
- configuration referencing int.gprd.gitlab.net is updated to target port 11443 instead:
  - gitaly
  - mailroom (https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/blob/master/releases/gitlab/values/gprd.yaml.gotmpl#L130)
  - KAS (https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/blob/master/releases/gitlab/values/gprd.yaml.gotmpl#L210)
  - ci-gateway certificate validity monitoring
- Validate there is no traffic destined for int.gprd.gitlab.net arriving on port 443 of the loadbalancer
date --utc ; sudo tcpdump -l -Q in -A -i any -s 1500 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" | awk 'match($0,/[a-z][a-z0-9\-]{2,}(\.[a-z][a-z0-9\-]+)+\.?(:[0-9]+)?/) {print substr($0,RSTART,RLENGTH); fflush()}' | grep --line-buffered gitlab.net | while read -r host; do echo "$(date --utc) | $host"; done
(The BPF expression matches TLS handshake records, 0x16, whose first handshake message is a ClientHello, 0x01; -l, fflush() and --line-buffered keep the pipeline line-buffered, and the while loop stamps each matched line with its own timestamp rather than the single timestamp a backtick substitution inside sed would produce.) This should be left running for 1 hour and should NOT show anything related to int.gprd.gitlab.net.
Subsequently
date --utc ; sudo tcpdump -l -Q in -A -i any -s 1500 "tcp port 11443 and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+5] = 0x01)" | awk 'match($0,/[a-z][a-z0-9\-]{2,}(\.[a-z][a-z0-9\-]+)+\.?(:[0-9]+)?/) {print substr($0,RSTART,RLENGTH); fflush()}' | grep --line-buffered gitlab.net | while read -r host; do echo "$(date --utc) | $host"; done
This SHOULD show traffic related to int.gprd.gitlab.net.
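As an added illustration of what the tcpdump filter above is keying on (this is not from the issue or from GitLab's tooling): a small parser that checks the same two bytes, record type 0x16 and handshake type 0x01, and then reads the server_name extension from the ClientHello structure instead of regex-scraping hostnames out of the ASCII dump. The ClientHello bytes it inspects are constructed in the script, not captured from the load balancer.

```python
import struct
from typing import Optional

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI
    extension. Constructed test input, not a capture from the LB."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)          # client_version, 32-byte random (zeros here)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                    # one compression method (null)
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 0x01 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16

def client_hello_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host name if payload is a TLS ClientHello, else None.
    Same two-byte test as the tcpdump filter: payload[0] == 0x16, payload[5] == 0x01."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                   # past record hdr(5), handshake hdr(4), version(2), random(32)
    pos += 1 + payload[pos]                    # session_id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + payload[pos]                    # compression_methods
    if pos + 2 > len(payload):
        return None                            # ClientHello without any extensions
    ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(payload))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:                         # server_name: list_len(2), name_type(1), name_len(2), name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

def is_internal_lb_hello(payload: bytes, host: str = "int.gprd.gitlab.net") -> bool:
    """True when the ClientHello names the internal LB hostname; the check the
    port 443 capture must never trigger and the port 11443 capture must."""
    return client_hello_sni(payload) == host
```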
Edited by Hendrik Meyer (xLabber)