action #181367

Only allow unauthorized asset access on OSD based on network interface size:S

Added by mkittler 21 days ago. Updated 20 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Feature requests
Target version:
Start date:
2025-04-24
Due date:
% Done:

0%

Estimated time:
Tags:

Description

Motivation

As discussed in #175902 there are certain use cases where unauthorized, unencrypted asset access is necessary, e.g.:

This problem is currently solved by allowing unauthenticated download of iso and repo assets, as those currently don't contain possibly embargoed data. If it turns out we can't or mustn't do that, we can use one dedicated network interface for CC-zone traffic and another for all other traffic, and allow unauthenticated access only in the CC zone.

Acceptance Criteria

  • AC1: NGINX is configured to allow/disallow unauthorized assets downloads by network interface.

Suggestions

  1. Ask Infra to add a 2nd network interface to the OSD-VM so we have one interface within the CC-zone and one outside.
  2. Create a MR in the OPS repo to configure an IP and domain for the 2nd network interface.
  3. Configure NGINX as mentioned in #176241#note-7 and http://nginx.org/en/docs/http/request_processing.html#mixed_name_ip_based_servers.
  4. Ensure tests use the domain associated with the 2nd network interface when unauthorized access is needed.
    • Such tests need to run on workers within the CC-zone (or use Wireguard).
    • The configuration could be done using variables in the worker config using variable expansion on the worker (see #169159) as needed.
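
The interface-bound server blocks that suggestions 1 to 3 describe, written out as an added example; this is not the ticket's or openQA's own NGINX configuration. The addresses 192.0.2.10 (public interface) and 198.51.100.10 (CC-zone interface), the two host names, the certificate paths, the upstream port and the `/_auth` subrequest endpoint are all placeholders and assumptions:

```nginx
# Added example, not from the ticket or openQA's own configuration.
# Placeholders (assumed): 192.0.2.10 is the public interface, 198.51.100.10 is
# the CC-zone interface; host names, certificate paths and the /_auth endpoint
# are made up. nginx matches a request first by the address:port of the "listen"
# directive and only then by server_name, so a request that arrives on the
# public IP can never land in the CC-zone block, whatever Host header it carries.

# Upstream openQA web UI (assumed local port).
upstream openqa_webui {
    server 127.0.0.1:9526;
}

# Public interface: every asset download must be authenticated.
server {
    listen 192.0.2.10:443 ssl;
    server_name openqa.example.org;

    ssl_certificate     /etc/ssl/openqa/public.crt;   # placeholder
    ssl_certificate_key /etc/ssl/openqa/public.key;   # placeholder

    location /assets/ {
        # Hypothetical subrequest-based check; any auth mechanism works here.
        auth_request /_auth;
        proxy_pass http://openqa_webui;
    }

    location = /_auth {
        internal;
        proxy_pass http://openqa_webui/_auth;          # hypothetical endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}

# CC-zone interface: iso and repo assets are served unauthenticated over plain
# HTTP; every other asset still goes through the same check as above.
server {
    listen 198.51.100.10:80;
    server_name openqa-cc.example.org;

    location ~ ^/assets/(iso|repo)/ {
        proxy_pass http://openqa_webui;
    }

    location /assets/ {
        auth_request /_auth;
        proxy_pass http://openqa_webui;
    }

    location = /_auth {
        internal;
        proxy_pass http://openqa_webui/_auth;          # hypothetical endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

Two things worth checking after deploying something like this. First, the CC-zone block must carry an explicit address in its `listen` directive: a bare `listen 80;` binds `*:80` and would also answer requests that arrive on the public interface. Second, verify that the host name alone does not open the unauthenticated path, e.g. with `curl --resolve openqa-cc.example.org:443:192.0.2.10 https://openqa-cc.example.org/assets/iso/...`, which should still hit the authenticated public block because nginx selected the server by the address the request came in on, not by the Host header.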
Actions #1

Updated by mkittler 21 days ago

  • Parent task set to #166358
Actions #2

Updated by okurz 20 days ago

  • Parent task changed from #166358 to #180815