Hi.
[tls passthrough]
openshift-default-router ---> [POD own haproxy with ssl] --> master:8443
You can think of this as a reverse proxy, which it is ;-)
BR Aleks
________________________________
From: Srinivas Naga Kotaru (skotaru) <[email protected]>
Sent: Thursday, March 10, 2016 09:41
To: Aleksandar Lazic; Jordan Liggitt; Clayton Coleman
Cc: [email protected]
Subject: Re: api and console port : 8443
Aleksandar
Thanks for the reply. I didn't quite understand how the flow works. Can you
please explain it briefly?
--
Srinivas Kotaru
From: Aleksandar Lazic <[email protected]>
Date: Thursday, March 10, 2016 at 12:18 AM
To: skotaru <[email protected]>, Jordan Liggitt <[email protected]>, "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: api and console port : 8443
Hi.
We solved this issue with our own haproxy pod in front of the master and added
the following variables to the ansible/hosts file.
#####
...
openshift_master_public_api_url=https://manage.{{ osm_default_subdomain }}
openshift_master_public_console_url={{ openshift_master_public_api_url }}/console
openshift_master_metrics_public_url={{ openshift_master_public_api_url }}/hawkular/metrics
...
#####
In this haproxy you can add the manage.{{ osm_default_subdomain }} or the
wildcard certificate into a secret.
###
oc secrets new wildcard-cloud-cert cloud.pem=...cloud_all.pem
oc secrets add serviceaccount/default secret/
###
With this solution you don't need to expose your master to the internet ;-)
Best Regards
Aleks
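
A minimal haproxy.cfg for the pod described in the two messages above (router TLS passthrough to a pod that terminates TLS and re-encrypts to master:8443), added here as an illustration and not taken from the thread. The listen port inside the pod, the certificate mount paths and the master hostname are assumptions.

```haproxy
# Added example, not from the thread. Paths, the pod listen port and the
# master hostname are assumed placeholders; mount the secret that holds
# cloud.pem at the crt path below.
global
    maxconn 2000

defaults
    mode http
    option forwardfor            # pass the client address on to the master
    timeout connect 5s
    timeout client  5m
    timeout server  5m
    timeout tunnel  1h           # long-lived upgraded connections

# The default router forwards the still-encrypted connection here
# (passthrough), so this pod is the TLS endpoint that browsers and oc see.
frontend manage_in
    bind :8443 ssl crt /etc/haproxy/certs/cloud.pem
    default_backend openshift_master

# Re-encrypt to the master. "verify required" checks the chain against the
# given CA file and "verifyhost" checks the name in the certificate;
# "verify none" would accept any host answering on 8443.
backend openshift_master
    server master1 master.example.internal:8443 ssl verify required verifyhost master.example.internal ca-file /etc/haproxy/ca/master-ca.crt check
```

Because TLS is terminated in the pod, a client certificate presented by a caller stops at the pod and is not seen by the master.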
________________________________
From: [email protected] <[email protected]> on behalf of Srinivas Naga Kotaru (skotaru) <[email protected]>
Sent: Wednesday, March 09, 2016 21:37
To: Jordan Liggitt; Clayton Coleman
Cc: [email protected]
Subject: Re: api and console port : 8443
Thanks Jordan/Jason/Clayton for the quick replies.
Good to know that we can change the port at provision time using the ansible
environment variables mentioned by Jason.
However, this seems messy and confusing, in that the user won't be able to
change it after provisioning. At least it is too difficult unless all files
across the board reflect the new port.
Can we run a simple load balancer and listen on 443 and forward to all masters
on port 8443? All the users will use the standard vip:443. OpenShift might create
all kubeconfig files with an 8443 reference.
Can you validate the above approach? It might be OK to run the load balancer on
8443 as well and forward to 8443, but I am thinking clients shouldn't have to
bother about always entering 8443 while connecting to the API or console.
The idea is to run a simple load balancer for balancing multiple API masters.
--
Srinivas Kotaru
From: Jordan Liggitt <[email protected]>
Date: Wednesday, March 9, 2016 at 12:05 PM
To: "[email protected]" <[email protected]>
Cc: skotaru <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: api and console port : 8443
also would need to adjust the port in the kubeconfig files used to connect to
the master
On Wed, Mar 9, 2016 at 3:03 PM, Clayton Coleman <[email protected]> wrote:
As long as you change the config, no. We chose 8443 in case you
wanted to run a local TLS proxy, or in case you are running as a
developer.
On Wed, Mar 9, 2016 at 2:55 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
> Any reason why api and console are exposed as 8443 rather than 443?
>
> Any impact if we change 8443 to 443 by find and replace 8443 with 443 on
> /etc/origin/master/master-config.yaml and restart master service?
>
> Do we need to change anything on node or etcd side?
>
> --
> Srinivas Kotaru
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>