
Question 1 :

1.1. Who is sitting behind the "openshift_master_cluster_public_hostname" hostname? Is it the web console (web console service? or web service deployment) or something else?

1.2. When doing oc get service -n openshift-web-console I can see that the web console is running on 443; isn't it supposed to work on port 8443? Same thing for the API server: shouldn't it be working on port 8443?

1.3. Can you explain to me the flow of a request to https://openshift_master_cluster_public_hostname:8443?

1.4. in the documentation is

Question 2:

Why do I get different responses for curl and wget?
When I run curl https://openshift_master_cluster_public_hostname:8443, I get:

{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    "/apis/admissionregistration.k8s.io",
    "/apis/admissionregistration.k8s.io/v1beta1",
    "/apis/apiextensions.k8s.io",
    "/apis/apiextensions.k8s.io/v1beta1",
    ...
    "/swagger.json",
    "/swaggerapi",
    "/version",
    "/version/openshift"
  ]
}

When I run wget https://openshift_master_cluster_public_hostname:8443 I get an index.html page.

Is the web console answering this request or the

Question 3 :

How can I expose the web console on port 443 rather than 8443? I found several solutions:

  1. using the variables "openshift_master_console_port,openshift_master_api_port", but I found out that these ports are ‘internal’ ports and not designed to be the public ports. So changing these ports could crash your OpenShift setup.

  2. using an external service ( described here )

I'm kind of trying to set up port forwarding on an external haproxy; is it doable?

AMAR BESSALAH

1 Answer

Answer to Q1:

1.1. Quote from the documentation, Configuring Your Inventory File:

This variable overrides the public host name for the cluster, 
which defaults to the host name of the master. If you use an 
external load balancer, specify the address of the external load balancer.

For example:

> openshift_master_cluster_public_hostname=openshift-ansible.public.example.com

This means that this variable is the public-facing interface to the OpenShift Web-Console.

1.2. A Service is a virtual object which connects the Service name to the pods and is used to connect the Route object with the Service object. This is explained in the documentation, Services. You can use almost every port for a Service because it's virtual and nothing will bind on this port.

1.3. The answer depends on your setup. I explain it for an HA setup with a TCP load balancer in front of the masters.

                       /> Master API 1
client -> loadbalancer -> Master API 2
                       \> Master API 3

The client makes a request to https://openshift_master_cluster_public_hostname:8443, the load balancer forwards the client to Master API 1, 2 or 3, and the client gets the answer from the requested master API server.

The API server redirects to the console if the request comes from a browser ( https://github.com/openshift/origin/blob/release-3.11/pkg/cmd/openshift-kube-apiserver/openshiftkubeapiserver/patch_handlerchain.go#L60-L61 )

Answer to Q2:

curl and wget behave differently because they are different tools, but the HTTPS request is the same.

curl behavior with wget
wget --output-document=- https://openshift_master_cluster_public_hostname:8443

wget behavior with curl
curl -o index.html https://openshift_master_cluster_public_hostname:8443

Why - is described in Usage of dash (-) in place of a filename

Answer to Q3:

You can use the OpenShift Router, which you use for the apps, to make the Web-Console available on 443. It's a little bit outdated but the concept is the same for the current 3.x versions: Make OpenShift console available on port 443 (https) [UPDATE]

Aleksandar
  • Thank you for your response. Can you please be clearer on question 1: once the request "https://openshift_master_cluster_public_hostname:8443" arrives at one of the master nodes, who is going to handle this request? Is it the web console or the API server? And what kind of Kubernetes component is it (a service, a route, ..)? I can see there is no route and no nodePort service for the API server nor for the web console, and clusterIp services can only be accessed inside the cluster, so I don't get how the request is routed to the required component. – AMAR BESSALAH Jul 20 '20 at 06:58
  • It's the API server which handles the request – Aleksandar Jul 20 '20 at 07:44
  • When I do "https://openshift_master_cluster_public_hostname:8443" I'm getting static resources (html, js, css); I suppose it's getting them from the web console, not the api-server, no? – AMAR BESSALAH Jul 20 '20 at 08:15
  • That's interesting because when I call `curl -v https://openshift_master_cluster_public_hostname:8443/` I get `{ "paths": [ "/api", "/api/v1",` and so on – Aleksandar Jul 20 '20 at 12:22
  • But when you request using a browser you get a web page, right? – AMAR BESSALAH Jul 20 '20 at 12:44
  • Yes. It looks like the API checks for the user agent and then you get a redirect to `https://openshift_master_cluster_public_hostname:8443/console` – Aleksandar Jul 20 '20 at 13:38
  • This is exactly what I'm looking to understand; the documentation doesn't explain it well "https://docs.openshift.com/container-platform/3.11/architecture/infrastructure_components/web_console.html". My questions are: how is this redirection happening? And how is the web console accessible since there is no route or nodeIp service to access it? – AMAR BESSALAH Jul 20 '20 at 13:48
  • Well it looks like it's this https://github.com/openshift/origin/blob/release-3.11/pkg/cmd/openshift-kube-apiserver/openshiftkubeapiserver/patch_handlerchain.go#L60-L61 – Aleksandar Jul 21 '20 at 12:58
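
The behaviour discussed in the answer and comments above (the API server on 8443 answers curl and wget with the JSON path list, but redirects a browser asking for / to /console), modelled as an added Go example that is not part of the original thread and is not OpenShift's own code. The `looksLikeBrowser` heuristic, the `masterHandler` and `probe` names and the sample header values are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// looksLikeBrowser is an assumed heuristic for this demo: the client accepts
// HTML or sends a Mozilla-style User-Agent.
func looksLikeBrowser(r *http.Request) bool {
	return strings.Contains(r.Header.Get("Accept"), "text/html") ||
		strings.HasPrefix(r.UserAgent(), "Mozilla")
}

// masterHandler models the endpoint on :8443: a browser asking for "/" is
// redirected to the console, every other request gets the JSON path index.
func masterHandler(consoleURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/" && looksLikeBrowser(r) {
			http.Redirect(w, r, consoleURL, http.StatusFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"paths": ["/api", "/api/v1", "/apis"]}`)
	})
}

// probe sends one GET with the given headers and returns the status code and
// the Location header (empty when the response is not a redirect).
func probe(h http.Handler, path, userAgent, accept string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	h := masterHandler("/console")
	// Constructed sample clients; the header values are illustrative.
	clients := [][3]string{
		{"curl", "curl/7.61.1", "*/*"},
		{"wget", "Wget/1.19.5 (linux-gnu)", "*/*"},
		{"browser", "Mozilla/5.0 (X11; Linux x86_64)", "text/html,application/xhtml+xml"},
	}
	for _, c := range clients {
		code, loc := probe(h, "/", c[1], c[2])
		fmt.Printf("%-8s status=%d location=%q\n", c[0], code, loc)
	}
}
```

In this model wget receives the same JSON as curl; the index.html it leaves on disk is only the default file name wget picks when saving a response for /.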