-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #7301: promises are not regenerated when a node is transformed into a relay #766
Conversation
Ok Good |
@peckpeck @VinceMacBuche, why not use http://localhost:8080/ directly? You could make sure you hit the rudder API... I am just asking because we for example modified rudder's vhost config to listen on https only on a dedicated Service IP instead of *:443, as there are also other services running on https on that host... |
@VinceMacBuche what do you think of @matya's proposal ? |
I have never thought about using the jetty endpoint directly, but you are totally right @matya, vhost may be modified and only :8080 is always available ... Modifying the PR ! |
I don't think that is a good idea. The service architecture in Rudder is designed so that the single point of entry to the web applications is via an Apache server. This leaves us a lot of freedom to change jetty into another application server, or split out the two webapps (inventory-endpoint and rudder-web) into two independant application containers (as planned in http://www.rudder-project.org/redmine/issues/2630) - which would therefore possibly no longer be listening on localhost:8080. There is nothing to enforce this currently, but I see no reason why we couldn't "lock down" application security by configuring jetty to only accept connections coming from apache, etc. However, on a wider scale, if you consider the "split-server" installation architecture of a Rudder server, it would be good to have an internal communication path so that this script could be run anywhere, and we could hit the "Rudder API" URL just by relying on a DNS name (internal, hosts, or external). Still, for this PR, I think going through Apache should be kept. @matya, for your Apache config, could you also expose the Rudder API and webapp on localhost:443 (or localhost:80, I suppose)? I know this is kinda annoying to do in Apache config, just a thought... |
I agree with @jooooooon (in fact I thought i added a comment after my last one to state that, but it seems it get into a black hole ...) |
Since it was ok (for @peckpeck and @jooooooon ) I am merging this, If you want to discuss this @matya, we can still continue here or on a new issue on our Redmine :) Still many thanks about your feedbacks and opinions, they are very useful! |
…regenerated_when_a_node_is_transformed_into_a_relay Fixes #7301: promises are not regenerated when a node is transformed into a relay
I can live with the workaround of binding additionally to 127.0.0.1:443 . |
It is already bound to the server since it make modification to the ldap directly on localhost And I Agrre with you it should be done via api and Web UI, I'm opening an issue about this in redmine :) |
https://www.rudder-project.org/redmine/issues/7301