It’s also worth mentioning that the console is not haproxy. That is the router, which runs on the infrastructure nodes. The console/api server runs something else.

On Wed, 3 Jan 2018 at 1:46 am, Fabio Martinelli <fabio.martinelli.1...@gmail.com> wrote:
> It was actually necessary to rewrite the master-config.yaml in this other
> way, basically removing all the :8443 strings in the 'public' fields, i.e.
> to make it implicitly appear as :443
>
> admissionConfig:
>   pluginConfig:
>     BuildDefaults:
>       configuration:
>         apiVersion: v1
>         env: []
>         kind: BuildDefaultsConfig
>         resources:
>           limits: {}
>           requests: {}
>     BuildOverrides:
>       configuration:
>         apiVersion: v1
>         kind: BuildOverridesConfig
>     PodPreset:
>       configuration:
>         apiVersion: v1
>         disable: false
>         kind: DefaultAdmissionConfig
>     openshift.io/ImagePolicy:
>       configuration:
>         apiVersion: v1
>         executionRules:
>         - matchImageAnnotations:
>           - key: images.openshift.io/deny-execution
>             value: 'true'
>           name: execution-denied
>           onResources:
>           - resource: pods
>           - resource: builds
>           reject: true
>           skipOnResolutionFailure: true
>         kind: ImagePolicyConfig
> aggregatorConfig:
>   proxyClientInfo:
>     certFile: aggregator-front-proxy.crt
>     keyFile: aggregator-front-proxy.key
> apiLevels:
> - v1
> apiVersion: v1
> assetConfig:
>   extensionScripts:
>   - /etc/origin/master/openshift-ansible-catalog-console.js
>   logoutURL: ""
>   masterPublicURL: https://hosting.wfp.org                      <----
>   metricsPublicURL: https://metrics.hosting.wfp.org/hawkular/metrics
>   publicURL: https://hosting.wfp.org/console/                   <----
>   servingInfo:
>     bindAddress: 0.0.0.0:8443
>     bindNetwork: tcp4
>     certFile: master.server.crt
>     clientCA: ""
>     keyFile: master.server.key
>     maxRequestsInFlight: 0
>     requestTimeoutSeconds: 0
> authConfig:
>   requestHeader:
>     clientCA: front-proxy-ca.crt
>     clientCommonNames:
>     - aggregator-front-proxy
>     extraHeaderPrefixes:
>     - X-Remote-Extra-
>     groupHeaders:
>     - X-Remote-Group
>     usernameHeaders:
>     - X-Remote-User
> controllerConfig:
>   election:
>     lockName: openshift-master-controllers
>   serviceServingCert:
>     signer:
>       certFile: service-signer.crt
>       keyFile: service-signer.key
> controllers: '*'
> corsAllowedOrigins:
> - (?i)//127\.0\.0\.1(:|\z)
> - (?i)//localhost(:|\z)
> - (?i)//10\.11\.41\.85(:|\z)
> - (?i)//kubernetes\.default(:|\z)
> - (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
> - (?i)//kubernetes(:|\z)
> - (?i)//openshift\.default(:|\z)
> - (?i)//hosting\.wfp\.org(:|\z)
> - (?i)//openshift\.default\.svc(:|\z)
> - (?i)//172\.30\.0\.1(:|\z)
> - (?i)//wfpromshap21\.global\.wfp\.org(:|\z)
> - (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
> - (?i)//kubernetes\.default\.svc(:|\z)
> - (?i)//openshift(:|\z)
> dnsConfig:
>   bindAddress: 0.0.0.0:8053
>   bindNetwork: tcp4
> etcdClientInfo:
>   ca: master.etcd-ca.crt
>   certFile: master.etcd-client.crt
>   keyFile: master.etcd-client.key
>   urls:
>   - https://wfpromshap21.global.wfp.org:2379
>   - https://wfpromshap22.global.wfp.org:2379
>   - https://wfpromshap23.global.wfp.org:2379
> etcdStorageConfig:
>   kubernetesStoragePrefix: kubernetes.io
>   kubernetesStorageVersion: v1
>   openShiftStoragePrefix: openshift.io
>   openShiftStorageVersion: v1
> imageConfig:
>   format: openshift/origin-${component}:${version}
>   latest: false
> kind: MasterConfig
> kubeletClientInfo:
>   ca: ca-bundle.crt
>   certFile: master.kubelet-client.crt
>   keyFile: master.kubelet-client.key
>   port: 10250
> kubernetesMasterConfig:
>   apiServerArguments:
>     runtime-config:
>     - apis/settings.k8s.io/v1alpha1=true
>     storage-backend:
>     - etcd3
>     storage-media-type:
>     - application/vnd.kubernetes.protobuf
>   controllerArguments:
>   masterCount: 3
>   masterIP: 10.11.41.85
>   podEvictionTimeout:
>   proxyClientInfo:
>     certFile: master.proxy-client.crt
>     keyFile: master.proxy-client.key
>   schedulerArguments:
>   schedulerConfigFile: /etc/origin/master/scheduler.json
>   servicesNodePortRange: ""
>   servicesSubnet: 172.30.0.0/16
>   staticNodeNames: []
> masterClients:
>   externalKubernetesClientConnectionOverrides:
>     acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
>     burst: 400
>     contentType: application/vnd.kubernetes.protobuf
>     qps: 200
>   externalKubernetesKubeConfig: ""
>   openshiftLoopbackClientConnectionOverrides:
>     acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
>     burst: 600
>     contentType: application/vnd.kubernetes.protobuf
>     qps: 300
>   openshiftLoopbackKubeConfig: openshift-master.kubeconfig
> masterPublicURL: https://hosting.wfp.org                        <----
> networkConfig:
>   clusterNetworkCIDR: 10.128.0.0/14
>   clusterNetworks:
>   - cidr: 10.128.0.0/14
>     hostSubnetLength: 9
>   externalIPNetworkCIDRs:
>   - 0.0.0.0/0
>   hostSubnetLength: 9
>   networkPluginName: redhat/openshift-ovs-multitenant
>   serviceNetworkCIDR: 172.30.0.0/16
> oauthConfig:
>   assetPublicURL: https://hosting.wfp.org/console/
>   grantConfig:
>     method: auto
>   identityProviders:
>   - challenge: true
>     login: true
>     mappingMethod: claim
>     name: htpasswd_auth
>     provider:
>       apiVersion: v1
>       file: /etc/origin/master/htpasswd
>       kind: HTPasswdPasswordIdentityProvider
>   masterCA: ca-bundle.crt
>   masterPublicURL: https://hosting.wfp.org                      <----
>   masterURL: https://wfpromshap21.global.wfp.org:8443
>   sessionConfig:
>     sessionMaxAgeSeconds: 3600
>     sessionName: ssn
>     sessionSecretsFile: /etc/origin/master/session-secrets.yaml
>   tokenConfig:
>     accessTokenMaxAgeSeconds: 86400
>     authorizeTokenMaxAgeSeconds: 500
> pauseControllers: false
> policyConfig:
>   bootstrapPolicyFile: /etc/origin/master/policy.json
>   openshiftInfrastructureNamespace: openshift-infra
>   openshiftSharedResourcesNamespace: openshift
> projectConfig:
>   defaultNodeSelector: ""
>   projectRequestMessage: ""
>   projectRequestTemplate: ""
>   securityAllocator:
>     mcsAllocatorRange: s0:/2
>     mcsLabelsPerProject: 5
>     uidAllocatorRange: 1000000000-1999999999/10000
> routingConfig:
>   subdomain: hosting.wfp.org
> serviceAccountConfig:
>   limitSecretReferences: false
>   managedNames:
>   - default
>   - builder
>   - deployer
>   masterCA: ca-bundle.crt
>   privateKeyFile: serviceaccounts.private.key
>   publicKeyFiles:
>   - serviceaccounts.public.key
> servingInfo:
>   bindAddress: 0.0.0.0:8443
>   bindNetwork: tcp4
>   certFile: master.server.crt
>   clientCA: ca.crt
>   keyFile: master.server.key
>   maxRequestsInFlight: 500
>   requestTimeoutSeconds: 3600
> volumeConfig:
>   dynamicProvisioningEnabled: true
>
>
> The strange PHP error message was due to another service listening on
> port 8443 on the same host where nginx is running!
>
>
> Exploiting this post https://github.com/openshift/origin/issues/17456 our
> nginx setup is now:
>
> upstream openshift-cluster-webconsole {
>     ip_hash;
>     server wfpromshap21.global.wfp.org:8443;
>     server wfpromshap22.global.wfp.org:8443;
>     server wfpromshap23.global.wfp.org:8443;
> }
>
> server {
>     listen 10.11.40.99:80;
>     server_name hosting.wfp.org;
>     return 301 https://$server_name$request_uri;
> }
>
> server {
>     listen 10.11.40.99:443;
>     server_name hosting.wfp.org;
>
>     access_log /var/log/nginx/hosting-console-access.log;
>     #access_log off;
>     error_log /var/log/nginx/hosting-console-error.log crit;
>
>     include /data/nginx/includes.d/ssl-wfp.conf;
>     include /data/nginx/includes.d/error.conf;
>     include /data/nginx/includes.d/proxy.conf;
>
>     proxy_set_header Host $host;
>
>     location / {
>         proxy_pass https://openshift-cluster-webconsole;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>     }
> }
>
> and it seems to work by nicely masking the 3 Web Consoles.
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
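The consistency check that the quoted fix implies, written here as an added example (not code from the thread or from OpenShift): it scans a master-config.yaml for the browser-facing masterPublicURL / publicURL / assetPublicURL fields, checks that they all name the same external origin (a leftover :8443 in one of them is exactly what breaks this), and checks that the resulting browser Origin header would be accepted by corsAllowedOrigins. The embedded config fragment is constructed for the example; the hostname and field names are the ones from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed fragment mirroring the fix: public fields carry no :8443, the internal masterURL still does.
SAMPLE_CONFIG = r"""
assetConfig:
  masterPublicURL: https://hosting.wfp.org
  publicURL: https://hosting.wfp.org/console/
corsAllowedOrigins:
- (?i)//hosting\.wfp\.org(:|\z)
masterPublicURL: https://hosting.wfp.org
oauthConfig:
  assetPublicURL: https://hosting.wfp.org/console/
  masterPublicURL: https://hosting.wfp.org
  masterURL: https://wfpromshap21.global.wfp.org:8443
"""

PUBLIC_FIELD = re.compile(r"^\s*(masterPublicURL|publicURL|assetPublicURL):\s*(\S+)", re.M)


def public_origins(config_text):
    """Set of (scheme, host, effective port) named by the browser-facing URL fields.
    metricsPublicURL and masterURL are deliberately excluded: they may differ."""
    origins = set()
    for _field, url in PUBLIC_FIELD.findall(config_text):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        origins.add((parts.scheme, parts.hostname, port))
    return origins


def cors_patterns(config_text):
    """Collect the list items directly under the top-level corsAllowedOrigins key."""
    pats, in_block = [], False
    for line in config_text.splitlines():
        if line.strip() == "corsAllowedOrigins:":
            in_block = True
        elif in_block and line.lstrip().startswith("- "):
            pats.append(line.split("- ", 1)[1].strip())
        elif in_block:
            break
    return pats


def cors_allows(config_text, origin_header):
    """True if some corsAllowedOrigins regex matches the Origin header; RE2's \\z becomes Python's \\Z."""
    return any(re.search(p.replace(r"\z", r"\Z"), origin_header) for p in cors_patterns(config_text))


def check(config_text):
    origins = public_origins(config_text)
    if len(origins) != 1:
        return False, False  # public fields disagree, e.g. one still says :8443
    scheme, host, port = next(iter(origins))
    origin_header = f"{scheme}://{host}" + ("" if port in (80, 443) else f":{port}")
    return True, cors_allows(config_text, origin_header)
```

`check` returns `(True, True)` for the constructed fragment and `(False, False)` as soon as one public field still carries `:8443`.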