Port 5000 for image-registry is not firewall/proxy friendly

Bug #1838974 reported by Nobuto Murata
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Calico Charm | Fix Released | Undecided | Nobuto Murata | |
| Canal Charm | Fix Released | Undecided | Nobuto Murata | |
| Kubernetes Control Plane Charm | Fix Released | Undecided | Nobuto Murata | |

Bug Description

At this moment, the kubernetes-master charm uses image-registry.canonical.com:5000/cdk as "image-registry" by default:
https://jaas.ai/u/containers/kubernetes-master/700#charm-config-image-registry

Port 5000 is not firewall/proxy friendly, since the common rule for egress is usually port 80 for HTTP and port 443 for HTTPS only, so outgoing port 5000 tends to be blocked in enterprise environments.

Now that image-registry.canonical.com listens on 443 too, it might be a good idea to migrate the port in the charm config as well. Here is the Canonical internal RT which added port 443:
https://portal.admin.canonical.com/C119961/

The migration strategy would need a careful review, as some might have an explicit whitelist of destination host and port pairs, so
1. calling out the change clearly in the release/upgrade notes, or
2. some sort of mechanism that does not touch existing deployments and applies the new value to fresh deployments only
would be nice to have.

Tags: cpe-onsite
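
The two egress situations the report describes (only 80/443 open, versus an explicit host/port whitelist) can be checked against a charm config value before and after the change. This is an added example, not code from the charms; the egress rule sets, the helper names and the `:443` config value are assumptions made for illustration.

```python
# Added example: which registry endpoints does a config need that egress blocks?
# Egress rules and the ":443" value are constructed; "*" as a host means any host.

HTTPS_PORT = 443  # used when a registry reference carries no explicit port


def registry_endpoint(value):
    """Return (host, port) for a registry prefix or image reference, else None.

    Only the first path component can name the registry; a colon later in the
    reference separates a tag, so "name:tag" must not be read as "host:port".
    """
    first, slash, _ = value.split("@", 1)[0].partition("/")
    host, colon, port = first.rpartition(":")
    if colon and port.isdigit() and (slash or "." in host):
        return (host.lower(), int(port))
    if colon:  # "name:tag" with no registry part
        return None
    if "." in first or first == "localhost":
        return (first.lower(), HTTPS_PORT)
    return None


def allowed(endpoint, egress_rules):
    """True if the exact (host, port) pair or a port-only ("*", port) rule matches."""
    host, port = endpoint
    return (host, port) in egress_rules or ("*", port) in egress_rules


def blocked_endpoints(config, egress_rules):
    """Map each config key to the endpoint its value needs but egress denies."""
    result = {}
    for key, value in config.items():
        endpoint = registry_endpoint(value)
        if endpoint is not None and not allowed(endpoint, egress_rules):
            result[key] = endpoint
    return result


REGISTRY = "image-registry.canonical.com"
OLD = {"image-registry": REGISTRY + ":5000/cdk"}   # default quoted in the report
NEW = {"image-registry": REGISTRY + ":443/cdk"}    # assumed post-migration value
WEB_ONLY = {("*", 80), ("*", 443)}                 # constructed: 80/443-only egress
PINNED = {(REGISTRY, 5000)}                        # constructed: explicit host/port whitelist

if __name__ == "__main__":
    for name, rules in (("web-only", WEB_ONLY), ("pinned", PINNED)):
        print(name, "old:", blocked_endpoints(OLD, rules),
              "new:", blocked_endpoints(NEW, rules))
```

With the 80/443-only rules the old default is the blocked one; with the pinned whitelist the result flips, which is the upgrade risk the migration note is about.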
Nobuto Murata (nobuto)
summary: - Port 5000 is not firewall/proxy friendly
+ Port 5000 for image-registry is not firewall/proxy friendly
George Kraft (cynerva) wrote :

Added calico and canal since they also have charm configs that reference image-registry.canonical.com:5000.

no longer affects: charm-kubernetes-worker
no longer affects: cdk-addons
Nobuto Murata (nobuto) wrote :
Changed in charm-calico:
assignee: nobody → Nobuto Murata (nobuto)
status: New → In Progress
Changed in charm-canal:
assignee: nobody → Nobuto Murata (nobuto)
status: New → In Progress
Changed in charm-kubernetes-master:
assignee: nobody → Nobuto Murata (nobuto)
status: New → In Progress
Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
Changed in charm-canal:
status: In Progress → Fix Committed
Changed in charm-calico:
status: In Progress → Fix Committed
Changed in charm-kubernetes-master:
milestone: none → 1.16
Changed in charm-canal:
milestone: none → 1.16
Changed in charm-calico:
milestone: none → 1.16
Changed in charm-calico:
status: Fix Committed → Fix Released
Changed in charm-canal:
status: Fix Committed → Fix Released
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released