Remove the upstream pypi reverse proxy

Trying to reverse proxy upstream pypi has not turned out to
be very stable, or very useful. We've had many, many reports
of stability issues and the additional complexity for offline
and proxy usage is just not worth it.

Given we already have a mechanism in place to handle using
upstream pypi if the repo server is not there yet, disabling
this should just result in that mechanism kicking in and all
will be well again.

Once the repo is built, the reverse proxy to pypiserver will
then be exclusively used and the upstream pypi proxy is not
necessary anyway.

Depends-On: https://review.openstack.org/584394
Change-Id: Ie407c6a346de6b46c8f4d30caea8664a7f6bd341
(cherry picked from commit dab934b)

defaults/main.yml

@@ -99,12 +99,3 @@ repo_pypiserver_start_options: >-
 # config override var for systemd init file
 repo_pypiserver_init_overrides: {}
 
-# nginx host:port for pypi reverse proxy
-repo_nginx_pypi_upstream: "pypi.python.org:443"
-
-# Set the options for the nginx proxy_cache_path directive.
-# The proxy cache is used for data downloaded from pypi.
-# The default is set to cache up to 1G worth of packages
-# for up to 1 month
-repo_nginx_proxy_cache_path: >-
-  /var/lib/nginx/pypi levels=1:2 keys_zone=pypi:16m inactive=1M max_size=1G

releasenotes/notes/pypi-cache-removed-c03a9a0658c9d89f.yaml

@@ -0,0 +1,10 @@
+---
+deprecations:
+  - |
+    The repo server's reverse proxy for pypi has now been removed,
+    leaving only the pypiserver to serve packages already on the
+    repo server. The attempt to reverse proxy upstream pypi turned
+    out to be very unstable with increased complexity for deployers
+    using proxies or offline installs. With this, the variables
+    ``repo_nginx_pypi_upstream`` and ``repo_nginx_proxy_cache_path``
+    have also been removed.

templates/nginx-pypi.conf.j2

@@ -1,12 +1,5 @@
 # {{ ansible_managed }}
 
-proxy_cache_path {{ repo_nginx_proxy_cache_path }};
-
 upstream pypiserver {
     server localhost:{{ repo_pypiserver_port }};
 }
-
-upstream pypi {
-    server {{ repo_nginx_pypi_upstream }};
-    keepalive 16;
-}

templates/openstack-slushee.vhost.j2

@@ -6,50 +6,18 @@ server {
     access_log /var/log/nginx/{{ repo_server_name }}.access.log gzip buffer=32k;
     error_log /var/log/nginx/{{ repo_server_name }}.error.log notice;
 
-    # Allow cached content to be used even when the upstream source is not available.
-    proxy_cache pypi;
-    proxy_cache_key $uri;
-    proxy_cache_lock on;
-    proxy_cache_revalidate on;
-    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
-
-    proxy_http_version 1.1;
-    proxy_set_header Host $host:$server_port;
-    proxy_set_header Connection "";
-    proxy_set_header Accept-Encoding "";
-
-    # Rewrite any http redirects to use relative to proxy
-    proxy_redirect ~https?://pypi.python.org(.*) $1;
-
-    # Fallback mechanism from:
-    # http://linuxplayer.org/2013/06/nginx-try-files-on-multiple-named-location-or-server
-    location @pypi {
-        proxy_set_header Host pypi.python.org;
-        {% if repo_nginx_pypi_upstream | match('.*:443$') %}
-        proxy_pass https://pypi;
-        {% else %}
-        proxy_pass http://pypi;
-        {% endif %}
-    }
-
     location /simple {
-        proxy_intercept_errors on;
+        proxy_set_header  Host $host:$server_port;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_set_header  X-Real-IP $remote_addr;
         proxy_pass http://pypiserver;
-        error_page 404 = @pypi;
     }
 
     location /packages {
-        proxy_intercept_errors on;
+        proxy_set_header  Host $host:$server_port;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_set_header  X-Real-IP $remote_addr;
         proxy_pass http://pypiserver;
-        error_page 404 = @pypi;
-    }
-
-    location /+f {
-        {% if repo_nginx_pypi_upstream | match('.*:443$') %}
-        proxy_pass https://pypi;
-        {% else %}
-        proxy_pass http://pypi;
-        {% endif %}
     }
 
     location / {