Bug 1663453 - API listen on port 8443 like previous releases
Summary: API listen on port 8443 like previous releases
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Alex Crawford
QA Contact: Johnny Liu
Duplicates: 1658932
Depends On:
Reported: 2019-01-04 11:37 UTC by Aleksandar Kostadinov
Modified: 2019-12-16 14:38 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-02-13 22:51:22 UTC
Target Upstream Version:


Description Aleksandar Kostadinov 2019-01-04 11:37:07 UTC
Description of problem:
Previous OpenShift releases had the API listen on port 8443 by default. With the nextgen installer it is 6443. This would be confusing for existing users and a problem for upgrades.
Also, I am not sure what configuration openshift-ansible will set, because it would still be a supported installation method as far as I know.

Version-Release number of the following components:

How reproducible:

Steps to Reproduce:
1. openshift-install

Actual results:
API listens on 6443

Expected results:
API listens on 8443

Comment 2 W. Trevor King 2019-01-04 19:33:44 UTC
Cross-linking https://github.com/openshift/origin/issues/21725

Comment 3 Qin Ping 2019-01-24 09:01:22 UTC
*** Bug 1658932 has been marked as a duplicate of this bug. ***

Comment 4 Aleksandar Kostadinov 2019-01-24 15:31:03 UTC
I created a naive pull request to make the server listen on 8443 [1]. I just went over the installer repo and changed all 6443 ports to 8443. It doesn't work but might serve as a starting point for whoever knows what actually needs to be changed. For me, ideally the API server will listen on 8443 on each master for consistency with openshift-ansible, while the LB would serve on 443.

Pasting the relevant bits from an internal discussion:

> Clayton Coleman: GCP doesn’t even allow TCP proxying on 6443 (tcp proxying being the best of the external facing LB options for our near term needs)
> Ryan Phillips: in bootkube the goal is to run the apiserver as a non-root user https://github.com/kubernetes-incubator/bootkube/pull/789 thus the [current] 6443 port number
> Clayton Coleman: the issue is for the external LB, also that’s not a goal of bootkube any more, we require host access to log audit entries
> Hongan Li: I think 443 is more meaningful

[1] https://github.com/openshift/installer/pull/1123

Comment 5 Alex Crawford 2019-02-13 22:51:22 UTC
We've decided to stick with 6443 for the API. We'll make a point to educate customers about the port change.

Comment 7 W. Trevor King 2019-03-07 00:17:51 UTC
There's also preliminary testing for load balancers listening on 443 in [1].

[1]: https://github.com/openshift/installer/pull/1378
