Bug 1299993

Summary: RFE: Ability to specify an openshift_master_public_api_port different than openshift_master_api_port for Load Balanced masters
Product: OpenShift Container Platform
Reporter: Eric Sauer <esauer>
Component: Installer
Assignee: Scott Dodson <sdodson>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Xiaoli Tian <xtian>
Severity: low
Priority: medium
Version: 3.1.0
CC: aos-bugs, bleanhar, boris.ruppert, esauer, jokerman, mmccomas, nicholas_schuetz
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-08-24 18:59:52 UTC
Type: Bug

Description Eric Sauer 2016-01-19 17:13:45 UTC
Description of problem:
I would like to be able to map default SSL port 443 on an Enterprise Load Balancer back to default 8443 ports on a cluster of masters. Something like:

 master.ose.example.com:443 [LB] -> master[1:3].ose.example.com:8443

In order to do this, we need support for specifying a new var in the installer inventory file.


Version-Release number of selected component (if applicable):
3.1

Comment 1 Brenton Leanhardt 2016-01-20 13:46:35 UTC
Hi Eric,

I'm a little confused by the request. Today you can specify the following variables in your Ansible inventory:

[OSEv3:vars]
openshift_master_cluster_hostname=master.ose.example.com
openshift_master_cluster_public_hostname=master.ose.example.com

Now if you had masters master[1:3].ose.example.com:8443 the certificates would be created to match master.ose.example.com and the Nodes would reach master.ose.example.com:443. The job of configuring the load balancer will be on the admin though.

To see an example of how this works we even have support for a reference haproxy configuration (note, this is just a single haproxy instance today so the haproxy install is not HA):

 
[lb]
master.ose.example.com  openshift_ip=xxx.xxx.xxx.xxx openshift_public_ip=xxx.xxx.xxx.xxx openshift_hostname=master.ose.example.com openshift_public_hostname=master.ose.example.com

Comment 2 Eric Sauer 2016-02-25 20:57:47 UTC
Brenton,

My concern is that the URL that's ultimately written to the master for the OpenShift console includes the port number in it, i.e.:

assetConfig:
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  publicURL: https://master.example.com:8443/console/

So if I have 3 masters behind an F5 VIP to which master.example.com resolves, I have to have that LB VIP listen on 8443 in order for redirects in the console to work. I want to be able to leave all of my `atomic-openshift-master-api` services bound to 8443, but use 443 on the load balancer so that the publicUrl values look like:

assetConfig:
  logoutURL: ""
  masterPublicURL: https://master.example.com
  publicURL: https://master.example.com/console/
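
A check for the mismatch described in Comment 2, added here as an example and not part of the bug report or the installer: it reads the `*URL` values from a master config stanza and lists those that point at a host or port the load balancer VIP does not serve. The function names and the simple line-based parsing are assumptions of this example; the sample input is the stanza quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the assetConfig stanza quoted in Comment 2.
SAMPLE_MASTER_CONFIG = """\
assetConfig:
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  publicURL: https://master.example.com:8443/console/
"""

DEFAULT_PORTS = {"https": 443, "http": 80}
# Matches "someURL: value" lines, with or without double quotes around the value.
URL_KEY = re.compile(r'^\s*(\w*URL):\s*"?([^"\s]*)"?\s*$')


def advertised_urls(config_text):
    """Return {key: (host, effective_port)} for every non-empty *URL key."""
    found = {}
    for line in config_text.splitlines():
        m = URL_KEY.match(line)
        if not m or not m.group(2):
            continue  # not a URL key, or an empty value such as logoutURL: ""
        parts = urlsplit(m.group(2))
        # A URL without an explicit port uses the scheme default (443 for https).
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        found[m.group(1)] = (parts.hostname, port)
    return found


def lb_mismatches(config_text, lb_host, lb_port):
    """List the keys whose advertised host or port the load balancer VIP does not serve."""
    return sorted(
        key
        for key, (host, port) in advertised_urls(config_text).items()
        if host != lb_host.lower() or port != lb_port
    )


if __name__ == "__main__":
    for vip_port in (443, 8443):
        bad = lb_mismatches(SAMPLE_MASTER_CONFIG, "master.example.com", vip_port)
        print(f"VIP on {vip_port}: " + (", ".join(bad) or "all advertised URLs reachable"))
```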

Comment 3 Brenton Leanhardt 2016-02-26 16:04:14 UTC
Eric,

Can you try setting these values in your inventory?

openshift_master_api_port=443
openshift_master_console_port=443

Looking at the playbooks now, it does appear there is a convention being enforced to keep the proxy and backend service ports the same. I'm sure we could make that more flexible if absolutely required but it would definitely make things more complicated.

Comment 5 Red Hat Bugzilla 2023-09-14 03:16:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days