API Server binds a NodePort (out of the default range) on OpenShift
When deploying Pulp via Operator on OpenShift we've encountered an issue with API Server. Operator is creating a Service resource that binds a nodePort 24817 (specified ). This node port is outside the default Kubernetes/OpenShift range 30000-32767. While changing this range is possible in OCP, it requires coordination on multiple levels of cloud operator and goes beyond simple cluster administration: since nodePort means a real port on each of the nodes, it has to be allowed in firewalls across the infrastructure, which makes it especially challenging to deploy on bare metal deployments.
Additionally, binding a nodePort (a physical port on the nodes) makes a resource a singleton on the cluster. No other resource can bind the same port anymore. This makes the Pulp API server service resource a singleton on the cluster and limits users from deploying more than one Pulp resource on the whole cluster. I think this is also a very unwanted and undocumented side effect limiting multi tenancy: while the Pulp resource is a namespaced resource that can be deployed to any namespace, it behaves as a cluster scoped singleton in the end because the operator tries to bind the same node port for every Pulp api server service instance.
https://github.com/operate-first/support/issues/176#issuecomment-848939903
https://github.com/pulp/pulp-operator/blob/221c7652118d6c1c6dcda785fe5d651f14e0b101/roles/pulp-api/templates/pulp-api.service.yaml.j2#L26
https://docs.openshift.com/container-platform/4.7/networking/configuring-node-port-service-range.html
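A pre-deployment check for the two problems described above, as an added example that is not part of the original report or of pulp-operator: it scans rendered Service manifests for pinned nodePorts outside the default range and for the same nodePort claimed by more than one Service. The namespaces, service names and the `audit_node_ports` helper are hypothetical; the input is assumed to be a JSON list of Service objects.

```python
import json
from collections import defaultdict

DEFAULT_RANGE = range(30000, 32768)  # default Kubernetes/OpenShift range 30000-32767

# Constructed sample: Services rendered for two Pulp instances in different
# namespaces (names are hypothetical; 24817 is the port named in the report).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "team-a", "name": "pulp-api-svc"},
     "spec": {"type": "NodePort", "ports": [{"port": 24817, "nodePort": 24817}]}},
    {"metadata": {"namespace": "team-b", "name": "pulp-api-svc"},
     "spec": {"type": "NodePort", "ports": [{"port": 24817, "nodePort": 24817}]}},
    {"metadata": {"namespace": "team-a", "name": "pulp-web-svc"},
     "spec": {"type": "NodePort", "ports": [{"port": 24880, "nodePort": 30080}]}},
    {"metadata": {"namespace": "team-b", "name": "pulp-content-svc"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 24816}]}},
]})


def audit_node_ports(service_list_json, allowed=DEFAULT_RANGE):
    """Return (out_of_range, collisions) for every pinned nodePort in the list."""
    owners = defaultdict(list)  # nodePort -> ["namespace/name", ...]
    for svc in json.loads(service_list_json).get("items", []):
        meta = svc.get("metadata", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        for port in svc.get("spec", {}).get("ports", []):
            node_port = port.get("nodePort")
            if node_port:  # absent or 0 means the cluster picks one in range
                owners[node_port].append(ref)
    # Ports the node firewalls would need extra rules for.
    out_of_range = sorted(
        (p, ref) for p, refs in owners.items() if p not in allowed for ref in refs
    )
    # A nodePort is cluster-wide, so a second claimant cannot be created.
    collisions = {p: sorted(refs) for p, refs in owners.items() if len(refs) > 1}
    return out_of_range, collisions


if __name__ == "__main__":
    outside, clashes = audit_node_ports(SAMPLE)
    for port, ref in outside:
        print(f"{ref}: nodePort {port} is outside 30000-32767")
    for port, refs in clashes.items():
        print(f"nodePort {port} requested by {', '.join(refs)}")
```
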
Added by chambridge about 1 year ago
Use nodeport flow only when defined, otherwise supply svc.cluster.local option
- Don't attempt nodeport settings if not selected
- Use status.hostIP from downward API to get node where web pod is running https://stackoverflow.com/a/52047845
- Only set nodeport for web service
- Allow user to specify nodeport or take cluster default in range
Updated by chambridge about 1 year ago
- Status changed from POST to MODIFIED
Applied in changeset pulp-operator|4f134106b50795ac3731b3d469e0bdeb5f746996.