Allow CephObjectStore/RGW service and container ports, both secure and insecure, to be defined separately #4050

Open
ron1 opened this issue Oct 5, 2019 · 4 comments

ron1 commented Oct 5, 2019

Is this a bug report or feature request?

  • Feature Request

What should the feature do:
Allow CephObjectStore/RGW service and container ports, both secure and insecure, to be defined separately.

What is use case behind this feature:
OpenShift prefers pod containerPort numbers > 1024. Since it is natural for in-cluster clients to communicate with RGW using ports 80 and 443, it is common to define an OpenShift Service resource like rook-ceph-rgw-* with https port 443 and targetPort 8443, for example. Likewise, if the Service wants to also support http clients, it would likely define http port 80 and targetPort 8080.

Currently, the CephObjectStore requires a non-zero value for the port so that the corresponding containerPort in the RGW pod can support health checking. Unfortunately, this setting also causes an insecure http port entry to be added to the RGW Service resource, which in turn allows clients to access the CephObjectStore using the insecure http protocol. This is unacceptable for many deployments. By supporting an optional insecure service port property and a required insecure container port property, users that require traffic to be encrypted in flight could achieve this by defining the required insecure container port but leaving the "exposed" service port undefined.

Environment:
OCP 3.11

@ron1 ron1 added the feature label Oct 5, 2019
@ron1 ron1 changed the title Allow CephObjectStore port to be containerPort-only and not a Service port Make it optional to expose CephObjectStore port Oct 5, 2019
@ron1 ron1 changed the title Make it optional to expose CephObjectStore port Allow CephObjectStore/RGW service and container ports, both secure and insecure, to be defined separately Oct 6, 2019
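
An audit for the exposure described in the issue, as an added example that is not part of the original thread or of Rook's code: it reports plaintext container ports that a Service forwards to, resolving numeric, named and defaulted `targetPort` values. The manifests, the Service name `rook-ceph-rgw-example`, and the choice of 8080 as the plaintext port are constructed assumptions.

```python
# Constructed manifests for illustration, not taken from a real cluster.
SERVICE = {
    "metadata": {"name": "rook-ceph-rgw-example"},
    "spec": {"ports": [
        {"name": "http", "port": 80, "targetPort": 8080},
        {"name": "https", "port": 443, "targetPort": 8443},
    ]},
}
CONTAINER_PORTS = [
    {"name": "http", "containerPort": 8080},   # plaintext, needed for health checks
    {"name": "https", "containerPort": 8443},
]


def exposed_container_ports(service, container_ports):
    """Map each containerPort number to the Service ports that forward to it."""
    by_name = {p["name"]: p["containerPort"] for p in container_ports if p.get("name")}
    exposed = {p["containerPort"]: [] for p in container_ports}
    for sp in service["spec"].get("ports", []):
        # Kubernetes defaults targetPort to the value of port when it is omitted.
        target = sp.get("targetPort", sp["port"])
        if isinstance(target, str):          # targetPort may name a container port
            target = by_name.get(target)
        if target in exposed:
            exposed[target].append(sp["port"])
    return exposed


def audit(service, container_ports, plaintext_container_ports):
    """Return (containerPort, [service ports]) for plaintext ports a Service exposes."""
    exposed = exposed_container_ports(service, container_ports)
    return sorted(
        (cp, sorted(exposed[cp]))
        for cp in plaintext_container_ports
        if exposed.get(cp)
    )


if __name__ == "__main__":
    for cp, svc_ports in audit(SERVICE, CONTAINER_PORTS, {8080}):
        print(f"plaintext containerPort {cp} is reachable via Service port(s) {svc_ports}")
```

An empty result means the plaintext port exists only as a containerPort, which is the state the issue asks to make configurable.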

stale bot commented Jan 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jan 4, 2020

stale bot commented Jan 11, 2020

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

@stale stale bot closed this as completed Jan 11, 2020

ron1 commented Mar 18, 2020

Please re-open.

@travisn travisn reopened this Mar 18, 2020
@stale stale bot removed the wontfix label Mar 18, 2020

stale bot commented Jun 17, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jun 17, 2020
@stale stale bot removed the wontfix label Jun 17, 2020
@travisn travisn removed the keepalive label Mar 27, 2024