Got it, thanks.

Someone wrote a decent article on how to run the master on 443 by taking 
advantage of a service and external endpoint.
https://blog.openshift.com/run-openshift-console-port-443/

Your setup or article content is pretty much in line with hosting a simple 
TCP-based load balancer that listens on VIP:443 for client requests and 
forwards them to masters:8443.

I know the API and console can be load balanced for HA. I have not tested 
whether we can use the same VIP for the controller. I know it is still 
active/passive.

--
Srinivas Kotaru
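
The TCP load balancer described in the reply above (listen on VIP:443, forward to masters:8443), written out as an HAProxy configuration. This is an added example, not part of the original thread; the VIP address 192.0.2.10 and the master host names are placeholders.

```haproxy
# Added example: TCP passthrough from VIP:443 to the masters on 8443.
# The VIP address and master host names are placeholders (assumptions).
global
    log /dev/log local0
    maxconn 4000

defaults
    mode    tcp                 # no TLS termination here; the masters keep serving TLS
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  5m          # long enough for watch, exec and log streams
    timeout server  5m

frontend openshift_master_443
    bind 192.0.2.10:443
    default_backend openshift_masters_8443

backend openshift_masters_8443
    balance source              # keep a given client on the same master
    server master1 master1.example.com:8443 check
    server master2 master2.example.com:8443 check
    server master3 master3.example.com:8443 check
```

Because the proxy only forwards TCP, clients validate the masters' own serving certificate, so that certificate has to cover the name users reach the VIP by.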

From: Aleksandar Lazic <[email protected]>
Date: Thursday, March 10, 2016 at 1:20 AM
To: skotaru <[email protected]>, Jordan Liggitt <[email protected]>, "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: api and console port : 8443


Hi.


                                   [tls passthrough]

openshift-default-router ---> [POD own haproxy with ssl] --> master:8443


You can think of this as a reverse proxy, which it is ;-)


BR Aleks

________________________________
From: Srinivas Naga Kotaru (skotaru) <[email protected]>
Sent: Thursday, March 10, 2016 09:41
To: Aleksandar Lazic; Jordan Liggitt; Clayton Coleman
Cc: [email protected]
Subject: Re: api and console port : 8443

Aleksandar

Thanks for the reply. I didn't quite understand the flow of how it works. Can 
you please explain it to me briefly?


--
Srinivas Kotaru

From: Aleksandar Lazic <[email protected]>
Date: Thursday, March 10, 2016 at 12:18 AM
To: skotaru <[email protected]>, Jordan Liggitt <[email protected]>, "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: api and console port : 8443


Hi.


We solved this issue with our own haproxy pod in front of the master and added 
the following variables to the ansible/hosts file.


#####

...

openshift_master_public_api_url=https://manage.{{ osm_default_subdomain }}
openshift_master_public_console_url={{ openshift_master_public_api_url }}/console
openshift_master_metrics_public_url={{ openshift_master_public_api_url }}/hawkular/metrics

...

#####


In this haproxy you can add the manage.{{ osm_default_subdomain }} or the 
wildcard certificate into a secret.


###

oc secrets new wildcard-cloud-cert cloud.pem=...cloud_all.pem
oc secrets add serviceaccount/default secret/


###


With this solution you don't need to expose your master to the internet ;-)


Best Regards

Aleks

________________________________
From: [email protected] <[email protected]> on behalf of Srinivas Naga Kotaru (skotaru) <[email protected]>
Sent: Wednesday, March 09, 2016 21:37
To: Jordan Liggitt; Clayton Coleman
Cc: [email protected]
Subject: Re: api and console port : 8443

Thanks Jordan/Jason/Clayton for the quick replies.

Good to know that we can change the port at provision time using the ansible 
environment variables mentioned by Jason.

However, it seems messy and confusing that the user won't be able to change it 
after provisioning. At least it is too difficult unless all files across the 
board reflect the new port.

Can we run a simple load balancer that listens on 443 and forwards to all 
masters on port 8443? All the users will use the standard vip:443. OpenShift 
might create all kubeconfig files with an 8443 reference.

Can you validate the above approach? It might be OK to run the load balancer on 
8443 as well and forward to 8443, but I am thinking clients shouldn't have to 
bother about always entering 8443 when connecting to the API or console.

The idea is to run a simple load balancer for balancing multiple API masters.



--
Srinivas Kotaru

From: Jordan Liggitt <[email protected]>
Date: Wednesday, March 9, 2016 at 12:05 PM
To: "[email protected]" <[email protected]>
Cc: skotaru <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: api and console port : 8443

also would need to adjust the port in the kubeconfig files used to connect to 
the master

On Wed, Mar 9, 2016 at 3:03 PM, Clayton Coleman <[email protected]> wrote:
As long as you change the config, no.  We chose 8443 in case you
wanted to run a local TLS proxy, or in case you are running as a
developer.

On Wed, Mar 9, 2016 at 2:55 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
> Any reason why the API and console are exposed on 8443 rather than 443?
>
> Any impact if we change 8443 to 443 by finding and replacing 8443 with 443 in
> /etc/origin/master/master-config.yaml and restarting the master service?
>
> Do we need to change anything on the node or etcd side?
>
> --
> Srinivas Kotaru
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
