Bug 1299993 - RFE: Ability to specify a openshift_master_public_api_port different than openshift_master_api_port for Load Balanced masters [NEEDINFO]
Status: CLOSED INSUFFICIENT_DATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.1.0
Hardware: All Linux
Priority: medium
Severity: low
Assigned To: Scott Dodson
QA Contact: Xiaoli Tian
Reported: 2016-01-19 12:13 EST by Eric Sauer
Modified: 2017-08-24 14:59 EDT
Doc Type: Bug Fix
Last Closed: 2017-08-24 14:59:52 EDT
Type: Bug
bleanhar: needinfo? (esauer)


Description Eric Sauer 2016-01-19 12:13:45 EST
Description of problem:
I would like to be able to map default SSL port 443 on an Enterprise Load Balancer back to default 8443 ports on a cluster of masters. Something like:

 master.ose.example.com:443 [LB] -> master[1:3].ose.example.com:8443

In order to do this, we need support for specifying a new var in the installer inventory file.


Version-Release number of selected component (if applicable):
3.1
Comment 1 Brenton Leanhardt 2016-01-20 08:46:35 EST
Hi Eric,

I'm a little confused by the request.  Today you can specify the following variables in your ansible inventory:

[OSEv3:vars]
openshift_master_cluster_hostname=master.ose.example.com
openshift_master_cluster_public_hostname=master.ose.example.com

Now if you had masters master[1:3].ose.example.com:8443 the certificates would be created to match master.ose.example.com and the Nodes would reach master.ose.example.com:443.  The job of configuring the load balancer will be on the admin though.

To see an example of how this works we even have support for a reference haproxy configuration (note, this is just a single haproxy instance today so the haproxy install is not HA):

 
[lb]
master.ose.example.com  openshift_ip=xxx.xxx.xxx.xxx openshift_public_ip=xxx.xxx.xxx.xxx openshift_hostname=master.ose.example.com openshift_public_hostname=master.ose.example.com
Comment 2 Eric Sauer 2016-02-25 15:57:47 EST
Brenton,

My concern is that the URL that's ultimately written to the master for the OpenShift console includes the port number in it. I.e: 

assetConfig:
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  publicURL: https://master.example.com:8443/console/

So if I have 3 masters behind an F5 VIP to which master.example.com resolves, I have to have that LB VIP listen on 8443 in order for redirects in the console to work. I want to be able to leave all of my `atomic-openshift-master-api` services bound to 8443, but use 443 on the load balancer so that the publicUrl values look like:

assetConfig:
  logoutURL: ""
  masterPublicURL: https://master.example.com
  publicURL: https://master.example.com/console/
Comment 3 Brenton Leanhardt 2016-02-26 11:04:14 EST
Eric,

Can you try setting these values in your inventory?

openshift_master_api_port=443
openshift_master_console_port=443

Looking at the playbooks now it does appear there is a convention being enforced to keep the proxy and backend service ports the same.  I'm sure we could make that more flexible if absolutely required but it would definitely make things more complicated.
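
The port mismatch described in Comment 2, as an added example that is not part of the original bug report or the installer's code: a check that flags public URLs in a master config whose port differs from the one the load balancer serves. The sample config is the assetConfig fragment quoted in Comment 2; the function names are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample: the assetConfig fragment quoted in Comment 2.
SAMPLE_MASTER_CONFIG = """\
assetConfig:
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  publicURL: https://master.example.com:8443/console/
"""


def public_urls(config_text):
    """Return {key: url} for every 'key: http(s)://...' line in the text."""
    urls = {}
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if sep and value.startswith(("http://", "https://")):
            urls[key] = value
    return urls


def effective_port(url):
    """Port a client connects to: the explicit port, else the scheme default."""
    parts = urlsplit(url)
    return parts.port or DEFAULT_PORTS[parts.scheme]


def unreachable_urls(config_text, lb_host, lb_port):
    """Advertised URLs that name lb_host on a port the LB does not serve."""
    bad = {}
    for key, url in public_urls(config_text).items():
        if urlsplit(url).hostname == lb_host and effective_port(url) != lb_port:
            bad[key] = url
    return bad


if __name__ == "__main__":
    # Load balancer VIP listening on 443, masters still advertising 8443.
    found = unreachable_urls(SAMPLE_MASTER_CONFIG, "master.example.com", 443)
    for key, url in found.items():
        print(f"{key}: {url} is not served by the load balancer on 443")
```
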
