
Allow Vault CR service to run on a different port than the pod API #590

Open
dhohengassner opened this issue May 19, 2021 · 3 comments
Labels
area/provider/vault good first issue Good for newcomers kind/enhancement Categorizes issue or PR as related to an improvement. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@dhohengassner

dhohengassner commented May 19, 2021

Is your feature request related to a problem? Please describe.
I cannot configure the Vault CR to create a service available under port 443 pointing to the pod API on a different port.
Vault by default exposes its HTTPS endpoint on port 8200.

The k8s service I would like to create would need to look like this:

spec:
 ports:
 - name: api-port
   port: 443
   protocol: TCP
   targetPort: 8200
 - name: metrics
   port: 9091
   protocol: TCP
   targetPort: 9091
 - name: statsd
   port: 9102
   protocol: TCP
   targetPort: 9102
 selector:
   app.kubernetes.io/name: vault

With the fields available in the Vault CR I can define:

  servicePorts:
    api-port: 8200
    external-port: 443

But the resulting k8s svc only provides:

spec:
 ports:
 - name: api-port
   port: 8200
   protocol: TCP
   targetPort: 8200
 - name: external-port
   port: 443
   protocol: TCP
   targetPort: 443
 - name: metrics
   port: 9091
   protocol: TCP
   targetPort: 9091
 - name: statsd
   port: 9102
   protocol: TCP
   targetPort: 9102
 selector:
   app.kubernetes.io/name: vault

The Vault pods also do not start if they are configured to run the API directly on port 443 (which probably makes sense):

Error initializing listener of type tcp: listen tcp4 0.0.0.0:443: bind: permission denied
2021-05-19T15:18:14.067Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=

Describe the solution you'd like
The CR should support configuration like:

  servicePorts:
    api-port:
      port: 8200
      targetPort: 443

Describe alternatives you've considered
Until this is supported, I do not use the Vault Service created from the CR and create another one next to it.

Thanks for looking into this!
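As an added illustration (example code, not bank-vaults' own) of the CR shape requested above: a hypothetical `PortSpec` that still accepts the current flat `name: port` form but also the `{port, targetPort}` object, and the expansion into Service ports that mirrors the first YAML in this issue (Service 443 mapped onto pod 8200). Type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// PortSpec is a hypothetical CR value (example code, not bank-vaults') that
// accepts both `api-port: 8200` and `api-port: {port: 443, targetPort: 8200}`.
type PortSpec struct {
	Port       int32 `json:"port"`
	TargetPort int32 `json:"targetPort,omitempty"` // 0 means "same as Port"
}

// UnmarshalJSON keeps existing flat CRs valid: the controller receives JSON, so an int literal or an object are the two cases.
func (p *PortSpec) UnmarshalJSON(b []byte) error {
	if scalar := int32(0); json.Unmarshal(b, &scalar) == nil {
		*p = PortSpec{Port: scalar}
		return nil
	}
	type raw PortSpec // same fields, no methods, so this does not recurse
	var r raw
	if err := json.Unmarshal(b, &r); err != nil {
		return fmt.Errorf("servicePort: want integer or {port,targetPort}: %w", err)
	}
	*p = PortSpec(r)
	return nil
}

type ServicePort struct{ Name string; Port, TargetPort int32 } // corev1.ServicePort subset

// BuildServicePorts expands the CR map into Service ports sorted by name; targetPort defaults to port.
// A targetPort below 1024 is rejected: the unprivileged Vault container cannot bind it (the issue's
// "bind: permission denied"), so a low port such as 443 belongs on the Service side only.
func BuildServicePorts(spec map[string]PortSpec) ([]ServicePort, error) {
	out := make([]ServicePort, 0, len(spec))
	for name, ps := range spec {
		target := ps.TargetPort
		if target == 0 {
			target = ps.Port
		}
		if ps.Port < 1 || ps.Port > 65535 || target < 1024 || target > 65535 {
			return nil, fmt.Errorf("%s: port %d -> targetPort %d invalid or privileged", name, ps.Port, target)
		}
		out = append(out, ServicePort{name, ps.Port, target})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}
```

With the flat form, port and targetPort stay equal, which is exactly today's behaviour; only the object form can split them.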

@universam1

Seconded: it should be possible to access Vault on the default ports like 80/443.

@gw0

gw0 commented May 24, 2021

I am wondering... Which problem does this solve? Just an aesthetic one -- that the URL does not need to specify the port :8200? Or am I missing something?

@universam1

A couple of policy reasons and requirements come into play.
First, we can safely say there is no benefit in running on a high port; it causes human confusion and requires documentation overhead, deviating from the standards.
Nevertheless, in our company the firewall policy does not permit random high ports for http/https in firewall rules for zone transitions, other than the approved default ports. So it is kind of a hard requirement, and we don't want to treat access differently depending on whether it is cluster-internal or cluster-external.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Sep 1, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 22, 2024
@csatib02 csatib02 transferred this issue from bank-vaults/bank-vaults Sep 22, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Sep 22, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Sep 22, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Sep 22, 2024
@csatib02 csatib02 added kind/enhancement Categorizes issue or PR as related to an improvement. good first issue Good for newcomers area/provider/vault labels Sep 22, 2024
@csatib02 csatib02 reopened this Sep 22, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Nov 24, 2024
@csatib02 csatib02 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Nov 24, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Nov 24, 2024