What should the feature do:
Allow CephObjectStore/RGW service and container ports, both secure and insecure, to be defined separately.
What is use case behind this feature:
OpenShift prefers pod containerPort numbers > 1024. Since it is natural for in-cluster clients to communicate with RGW using ports 80 and 443, it is common to define an OpenShift Service resource like rook-ceph-rgw-* with https port 443 and targetPort 8443, for example. Likewise, if the Service wants to also support http clients, it would likely define http port 80 and targetPort 8080.
Currently, the CephObjectStore requires a non-zero value for the port so that the corresponding containerPort in the RGW pod can support health checking. Unfortunately, this setting also causes an insecure http port entry to be added to the RGW Service resource, which in turn allows clients to access the CephObjectStore using the insecure http protocol. This is unacceptable for many deployments. By supporting an optional insecure service port property and a required insecure container port property, users that require traffic to be encrypted-in-flight could achieve this by defining the required insecure container port but leaving the "exposed" service port undefined.
Environment:
OCP 3.11
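
An added example (not part of the original issue and not Rook's code): a Python check over `kubectl get pod,service -o json` style output that reports every Service port forwarding to a plaintext container port, which is the exposure this issue asks to make avoidable. The sample objects, their names and labels, and the `http`/`https` port names are constructed assumptions; the port numbers follow the issue text.

```python
import json

# Constructed sample in the shape of `kubectl get pod,service -o json`.
# Port numbers follow the issue (443->8443, 80->8080); names and labels are assumed.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Pod",
  "metadata": {"name": "rook-ceph-rgw-store-a", "labels": {"app": "rook-ceph-rgw"}},
  "spec": {"containers": [{"name": "rgw", "ports": [
    {"name": "http", "containerPort": 8080},
    {"name": "https", "containerPort": 8443}]}]}},
 {"kind": "Service",
  "metadata": {"name": "rook-ceph-rgw-store"},
  "spec": {"selector": {"app": "rook-ceph-rgw"}, "ports": [
    {"name": "https", "port": 443, "targetPort": 8443},
    {"name": "http", "port": 80, "targetPort": "http"}]}}
]}
""")["items"]


def named_port(pod, name):
    """Look up a named targetPort among the pod's declared container ports."""
    for container in pod["spec"]["containers"]:
        for cp in container.get("ports", []):
            if cp.get("name") == name:
                return cp["containerPort"]
    return None


def plaintext_exposures(items, plaintext_ports):
    """Return sorted (service, service port, container port) tuples for every
    Service port that forwards to a container port listed in plaintext_ports."""
    pods = [i for i in items if i["kind"] == "Pod"]
    findings = set()
    for svc in (i for i in items if i["kind"] == "Service"):
        selector = svc["spec"].get("selector") or {}
        # A pod backs the Service when it carries every selector label.
        backends = [p for p in pods if selector and
                    selector.items() <= p["metadata"].get("labels", {}).items()]
        for sp in svc["spec"].get("ports", []):
            target = sp.get("targetPort", sp["port"])  # targetPort defaults to port
            if isinstance(target, int):
                resolved = {target}
            else:  # named port: resolve against each backing pod
                resolved = {named_port(p, target) for p in backends}
            for hit in resolved & set(plaintext_ports):
                findings.add((svc["metadata"]["name"], sp["port"], hit))
    return sorted(findings)
```

Calling `plaintext_exposures(SAMPLE, {8080})` reports the Service's port 80 entry even though its `targetPort` is given by name rather than number.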
ron1 changed the title from "Allow CephObjectStore port to be containerPort-only and not a Service port" to "Make it optional to expose CephObjectStore port" on Oct 5, 2019
ron1 changed the title from "Make it optional to expose CephObjectStore port" to "Allow CephObjectStore/RGW service and container ports, both secure and insecure, to be defined separately" on Oct 6, 2019
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.