Closed dpkshetty closed 3 years ago
One option is to use HTTPS route, e.g. edge terminated. Something like this - https://medium.com/@pradipta.banerjee/expose-openshift-apps-over-https-22e301d5a6f2? Can this mechanism be used for now? Another option is to use DirectLink and route the traffic via IBM Cloud to PowerVS DC. But I agree just for S2I we needn't go via the DL route.
Unfortunately port-80 will not be opened for PowerVS DCs in near term. However we'll still pursue
Edge route should work as it's via 443. I have used it multiple times. Also you don't need to add any new entry in /etc/hosts if you had already added the string printed at the end of the cluster install. Probably something else is wrong which we'll need to figure out.
The error mentions "non-existent service". Are you sure you are creating the edge route in the right namespace deepak?
Yes.. I had missed the namespace first.. so now corrected it.. but it still doesn't work .. see below ....
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]# oc get svc -n deepak
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ocp-ex-pyflask ClusterIP 172.30.197.110 <none> 8080/TCP 13h
tech-ca-web-ocp ClusterIP 172.30.240.209 <none> 8080/TCP 13h
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]# oc create route edge pyflask-route --service=ocp-ex-pyflask -n deepak
route.route.openshift.io/pyflask-route created
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]#
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]# oc describe route/pyflask-route -n deepak
Name: pyflask-route
Namespace: deepak
Created: 8 minutes ago
Labels: app=ocp-ex-pyflask
app.kubernetes.io/component=ocp-ex-pyflask
app.kubernetes.io/instance=ocp-ex-pyflask
app.kubernetes.io/name=python
app.kubernetes.io/part-of=tech-ca-web-ocp-app
app.openshift.io/runtime=python
app.openshift.io/runtime-version=3.8-ubi7
Annotations: openshift.io/host.generated=true
Requested Host: pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs
exposed on router default (host apps.deepakcs-ocp-psvs-637a.ocp.deepakcs) 8 minutes ago
Path: <none>
TLS Termination: edge
Insecure Policy: <none>
Endpoint Port: 8080-tcp
Service: ocp-ex-pyflask
Weight: 100 (100%)
Endpoints: 10.128.3.20:8080
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]#
Accessing https://pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs/
still doesn't work !!
Edge route should work as it's via 443. I have used it multiple times. Also you don't need to add any new entry in /etc/hosts if you had already added the string printed at the end of the cluster install. Probably something else is wrong which we'll need to figure out. The error mentions "non-existent service". Are you sure you are creating the edge route in the right namespace deepak?
The string which was provided at the end of cluster install.. is added verbatim .... but it doesn't have *.apps entry so I was not sure.. hence to be doubly sure... I appended the below entries to my /etc/hosts
*.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs
Still it's not able to resolve the https://... route address 👎
Also you don't need to add any new entry in /etc/hosts if you had already added the string printed at the end of the cluster install
My bad. /etc/hosts does not handle wildcard. You'll need to explicitly add a host IP mapping for pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs to your /etc/hosts file.
Post that if it still doesn't work, then we go back to basics - check if service is working by connecting to it from bastion (using curl/lynx etc), followed by looking at whether packets are reaching the router or not.
As you can see in my comment above.. I have explicitly added the IP mapping too.. still doesn't work. I don't think I need to find the IP of the host (worker) on which it's running and then map that... that way if the Pod moves to a diff host the mapping ceases to work. The mapping is to the same IP that was given at the end of the install script completion
Post that if it still doesn't work, then we go back to basics - check if service is working by connecting to it from bastion (using curl/lynx etc), followed by looking at whether packets are reaching the router or not.
It works when I curl (using --insecure, otherwise it gives self-signed cert error) from bastion
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]# curl --insecure https://pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs/
Hello, World Again - by Deepak
[root@deepakcs-ocp-psvs-637a-bastion-0 ~]# curl https://pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As you can see in my comment above.. I have explicitly added the IP mapping too.. still doesn't work. I don't think I need to find the IP of the host (worker) on which it's running and then map that... that way if the Pod moves to a diff host the mapping ceases to work. The mapping is to the same IP that was given at the end of the install script completion
You only need to provide the bastion IP, since bastion runs haproxy which load-balances the router pods
Post that if it still doesn't work, then we go back to basics - check if service is working by connecting to it from bastion (using curl/lynx etc), followed by looking at whether packets are reaching the router or not.
It works when I curl (using --insecure, otherwise it gives self-signed cert error) from bastion
yeah, insecure will be needed since you are using self-signed certificate..
What happens when you connect from outside of bastion? What's the error?
What happens when you connect from outside of bastion? What's the error?
The browser / curl times out. I think it has something to do with the way I am adding entries to the /etc/hosts file (I am on Win10 and updating it by appending it)
Works now.. once I add those router entries in the beginning of the /etc/hosts entry. Till now I was appending at the end and I think it doesn't even reach there (my guess)... when I prepend my https router entry it works now !
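Added example (not part of the thread or the project's code): a small hosts-file check for the wildcard problem discussed above, which flags lines that can never match a route hostname. `192.0.2.10` is a documentation address standing in for the bastion IP, and the function and constant names are hypothetical.

```python
import ipaddress

ROUTE = "pyflask-route-deepak.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs"

# The line as posted in the thread: a wildcard name where the IP should be.
SAMPLE_BROKEN = "*.apps.deepakcs-ocp-psvs-637a.ocp.deepakcs " + ROUTE + "\n"

# Constructed fix: explicit IP-to-hostname mapping (placeholder address).
SAMPLE_FIXED = "192.0.2.10 " + ROUTE + "\n"


def lint_hosts(text):
    """Return (mapping, problems): usable name->IP entries and flagged lines."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, f"first field {addr!r} is not an IP address"))
            continue
        if not names:
            problems.append((lineno, "IP address with no hostname"))
        for name in names:
            if "*" in name:
                # hosts files match names literally; a wildcard never applies
                problems.append((lineno, f"wildcard {name!r} is never matched"))
            else:
                mapping.setdefault(name.lower(), addr)  # keep the first mapping seen
    return mapping, problems


def check_route(text, route_host):
    """Return (ip_or_None, problems) for one route hostname."""
    mapping, problems = lint_hosts(text)
    return mapping.get(route_host.lower()), problems


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        ip, problems = check_route(sample, ROUTE)
        print(label, "->", ip)
        for lineno, msg in problems:
            print(f"  line {lineno}: {msg}")
```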
Opening port 80 cannot be handled via this project. It needs to be pursued with cloud team and is not currently supported.
Is your feature request related to a problem? Please describe.
I can't run basic nodejs and/or pyflask applications using S2I
Describe the solution you'd like
OCP S2I creates a default route at port 80, hence opening up port 80 is needed
Describe alternatives you've considered
The only alternative is to curl from the Bastion host... not elegant and not an alternative for GUI applications
Additional context
Basic pyflask github @ https://github.com/dpkshetty/ocp-ex-pyflask I started an S2I workflow using "From Git" option under Developer persona. Everything worked smoothly and I got a route URL from OCP but I cannot access my pyflask application as S2I route serves at port 80 which isn't open for PowerVS by default.
Also people coming to OCP on PowerVS from OCP on IBM Cloud, will find it strange as this isn't an issue on IBM Cloud. I have nodejs and pyflask application running successfully on OCP on IBM Cloud, but the same workflow fails on PowerVS!
Given we are targeting dev/test usecases/scenarios, making the OCP on PowerVS cluster work with basic S2I workflow is of utmost importance!