Add option to configure http-proxy for Pages

John Skarbek requested to merge jts/provide-http_proxy-config into master

What does this MR do?

  • Enables the ability to configure http-proxy more flexibly, with an easy toggle instead of the limited check for external IP
  • Doing so provides the ability to forcibly enable this when users have externalIP configured

Changelog: feature

Related issues

Closes: #2965 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Testing

First, check for the use of listen-proxy having been enabled vs the use of listen-http in the Pages ConfigMap:

$ kubectl -n n2270 exec -i gitlab-gitlab-pages-6c69c9f5b5-6tskh -c gitlab-pages -- cat /etc/gitlab-pages/config
listen-proxy=0.0.0.0:8090
listen-https-proxyv2=0.0.0.0:8091
root-cert=/etc/gitlab-secrets/pages/pages.mnielsen.k8s-ft.win.crt
root-key=/etc/gitlab-secrets/pages/pages.mnielsen.k8s-ft.win.key
pages-domain=pages.mnielsen.k8s-ft.win
pages-root=/srv/gitlab-pages
log-format=json
log-verbose=true
redirect-http=false
use-http2=true
insecure-ciphers=false
artifacts-server=http://gitlab-webservice-default.n2270.svc:8181/api/v4
artifacts-server-timeout=10
gitlab-server=https://gitlab.mnielsen.k8s-ft.win
internal-gitlab-server=http://gitlab-webservice-default.n2270.svc:8181
api-secret-key=/etc/gitlab-secrets/pages/secret
domain-config-source=gitlab
metrics-address=:9235
pages-status=/-/readiness

For functional testing:

1. Deploy Pages

global:
  pages:
    enabled: true
    externalHttp:
      - 1.2.3.4 # external IP for the Pages Service
    externalHttps:
      - 1.2.3.4 # external IP for the Pages Service

gitlab:
  gitlab-pages:
    statusUri: "/-/readiness"
    useHTTPProxy: true

Create a sample Pages project from one of the templates and ensure the site is accessible.

2. Deploy HAProxy

We used a local HAProxy Docker container:

global
  maxconn 4096
  log stdout local0 debug

defaults
  log global
  mode http
  retries 3
  option httplog

frontend test
  bind 0.0.0.0:80
  default_backend pages
  http-request set-header X-Forwarded-For %[src]

backend pages
  server s1 1.2.3.4:80 # replace 1.2.3.4 with external IP of Pages Service
  option httpchk GET /-/readiness

$ docker run -p 80:80 -v $(pwd)/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg haproxy:latest

3. Hit Pages through HAProxy

$ curl -Iv http://root.pages.mnielsen.k8s-ft.win/pages-demo --resolve root.pages.mnielsen.k8s-ft.win:80:127.0.0.1
HTTP/1.1 302 Found
* Added root.pages.mnielsen.k8s-ft.win:80:0.0.0.0 to DNS cache
* Hostname root.pages.mnielsen.k8s-ft.win was found in DNS cache
*   Trying 0.0.0.0:80...
* Connected to root.pages.mnielsen.k8s-ft.win (127.0.0.1) port 80 (#0)
> HEAD /pages-demo HTTP/1.1
> Host: root.pages.mnielsen.k8s-ft.win
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< location: //root.pages.mnielsen.k8s-ft.win/pages-demo/
location: //root.pages.mnielsen.k8s-ft.win/pages-demo/
< vary: Origin
vary: Origin
< date: Mon, 06 Dec 2021 20:11:39 GMT
date: Mon, 06 Dec 2021 20:11:39 GMT

<
* Connection #0 to host root.pages.mnielsen.k8s-ft.win left intact

4. Confirm source IP in Pages logs

$ kubectl -n n2270 logs <pod name> -c gitlab-pages
...
{"content_type":"text/html; charset=utf-8","correlation_id":"01FP8NZ50HWZ69Q5R3GNPJYA5C","duration_ms":0,"host":"root.pages.mnielsen.k8s-ft.win","level":"info","method":"HEAD","msg":"access","pages_host":"root.pages.mnielsen.k8s-ft.win","pages_https":false,"pages_project_id":2,"pages_project_prefix":"/pages-demo/","pages_project_serving_type":"zip","proto":"HTTP/1.1","referrer":"","remote_addr":"172.17.0.1","remote_ip":"172.17.0.1","status":302,"system":"http","time":"2021-12-06T20:11:39Z","ttfb_ms":0,"uri":"/pages-demo","user_agent":"curl/7.77.0","written_bytes":0}
...

Notice that remote_ip is 172.17.0.1. This matches the gateway for the HAProxy container:

$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.Gateway}}{{end}}' 488e
172.17.0.1

It also matches the HAProxy logs:

<134>Dec  6 20:11:53 haproxy[9]: 172.17.0.1:58164 [06/Dec/2021:20:11:53.367] test pages/s1 0/0/36/41/77 302 168 - - ---- 1/1/0/0/0 0/0 "HEAD /pages-demo HTTP/1.1"

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
Edited by Mitchell Nielsen
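
The two checks from the Testing section (which HTTP listener the rendered Pages config enables, and whether access-log entries carry the expected source IP) can be scripted against output already captured with the kubectl commands above. This is an added example, not part of the merge request or the chart; the function names and the sample data are constructed for illustration.

```python
import json

def parse_pages_config(text):
    """Parse key=value lines of the rendered Pages config into key -> [values]."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        config.setdefault(key.strip(), []).append(value.strip())
    return config

def http_listener_mode(config):
    """Report whether listen-proxy, listen-http, both, or neither is set."""
    proxy, direct = "listen-proxy" in config, "listen-http" in config
    if proxy and direct:
        return "both"
    return "proxy" if proxy else "direct" if direct else "none"

def unexpected_remote_ips(log_lines, expected_ip):
    """Return (correlation_id, remote_ip) for access entries whose remote_ip differs."""
    mismatches = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # captured output can contain non-JSON lines
        if not isinstance(entry, dict) or entry.get("msg") != "access":
            continue
        if entry.get("remote_ip") != expected_ip:
            mismatches.append((entry.get("correlation_id"), entry.get("remote_ip")))
    return mismatches

# Constructed samples modelled on the output in the description (trimmed).
SAMPLE_CONFIG = """listen-proxy=0.0.0.0:8090
listen-https-proxyv2=0.0.0.0:8091
pages-status=/-/readiness
"""
SAMPLE_LOGS = [
    "...",
    '{"level":"info","msg":"access","correlation_id":"sample-1","remote_ip":"172.17.0.1","status":302}',
    '{"level":"info","msg":"access","correlation_id":"sample-2","remote_ip":"10.0.0.7","status":200}',
    '{"level":"info","msg":"startup"}',
]

if __name__ == "__main__":
    print(http_listener_mode(parse_pages_config(SAMPLE_CONFIG)))
    print(unexpected_remote_ips(SAMPLE_LOGS, "172.17.0.1"))
```

A result of "direct" or "both" from the first check means the toggle did not render as intended, and any entry returned by the second check is a request whose logged source does not match the client the proxy reported.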
