Issue #8833 (closed)
API Server binds a NodePort (out of the default range) on OpenShift
Description
When deploying Pulp via the Operator on OpenShift we've encountered an issue [1] with the API Server Service resource.

The Operator creates a Service resource that binds nodePort 24817 (specified in [2]). This node port is outside the default Kubernetes/OpenShift range 30000-32767. While changing this range is possible in OCP [3], it requires coordination on multiple levels with the cloud operator and goes beyond simple cluster administration: since a nodePort means a real port on each of the nodes, it has to be allowed in firewalls across the infrastructure, which makes it especially challenging on bare-metal deployments.

Additionally, binding a nodePort (a physical port on the nodes) makes a resource a singleton on the cluster: no other resource can bind the same port anymore. This makes the Pulp API server Service resource a singleton on the cluster and limits users from deploying more than one Pulp resource on the whole cluster. I think this is also a very unwanted and undocumented side effect limiting multi-tenancy: while the Pulp resource is a namespaced resource that can be deployed to any namespace, it behaves as a cluster-scoped singleton in the end because the operator tries to bind the same node port for every Pulp API server Service instance.
[1] https://github.com/operate-first/support/issues/176#issuecomment-848939903
[2] https://github.com/pulp/pulp-operator/blob/221c7652118d6c1c6dcda785fe5d651f14e0b101/roles/pulp-api/templates/pulp-api.service.yaml.j2#L26
[3] https://docs.openshift.com/container-platform/4.7/networking/configuring-node-port-service-range.html
Use nodeport flow only when defined, otherwise supply svc.cluster.local option
fixes #8833 https://pulp.plan.io/issues/8833
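The following is an added example, not code from pulp-operator or from the issue reporter, showing the behaviour the fix describes: a Service manifest builder that emits a plain ClusterIP Service (reachable as <name>.<namespace>.svc.cluster.local) unless a nodePort is explicitly configured, checks any configured nodePort against the default 30000-32767 range before it reaches the API server, and detects the cluster-wide singleton problem where two Services request the same node port. The port 24817 comes from the issue; the Service names, namespaces, labels and the function names are assumptions made up for this example.

```python
"""Kubernetes Service manifest builder: NodePort only when explicitly configured.

Added example, not pulp-operator code. Names, namespaces and labels are
constructed for illustration; only the port 24817 comes from the issue.
"""
import json

# Default Kubernetes/OpenShift NodePort range. It can be changed cluster-wide,
# but doing so needs firewall changes on every node and infrastructure-level
# coordination, so a manifest generator should not silently rely on that.
DEFAULT_NODEPORT_RANGE = (30000, 32767)

# Port the API container listens on (from the issue).
API_CONTAINER_PORT = 24817


def build_api_service(name, namespace, node_port=None, port_range=DEFAULT_NODEPORT_RANGE):
    """Return a Service manifest as a dict.

    node_port is None -> type ClusterIP; clients use the in-cluster DNS name
                          and any number of namespaces can deploy their own copy.
    node_port is set  -> type NodePort; the port is validated against the
                          allowed range up front instead of failing at apply time.
    """
    port_spec = {
        "name": "api",
        "protocol": "TCP",
        "port": API_CONTAINER_PORT,
        "targetPort": API_CONTAINER_PORT,
    }
    service_type = "ClusterIP"
    if node_port is not None:
        lo, hi = port_range
        if not lo <= node_port <= hi:
            raise ValueError(f"nodePort {node_port} is outside the allowed range {lo}-{hi}")
        port_spec["nodePort"] = node_port
        service_type = "NodePort"
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "namespace": namespace, "labels": {"app": name}},
        "spec": {"type": service_type, "selector": {"app": name}, "ports": [port_spec]},
    }


def cluster_dns_name(manifest):
    """In-cluster DNS name clients should use when no NodePort is bound."""
    meta = manifest["metadata"]
    return f"{meta['name']}.{meta['namespace']}.svc.cluster.local"


def find_nodeport_conflicts(manifests):
    """Map each nodePort requested by more than one Service to its owners.

    A NodePort is a real port on every node, so the second Service asking for
    the same one cannot be created: this is the singleton effect from the issue.
    """
    owners_by_port = {}
    for mf in manifests:
        owner = f"{mf['metadata']['namespace']}/{mf['metadata']['name']}"
        for p in mf["spec"]["ports"]:
            node_port = p.get("nodePort")
            if node_port is not None:
                owners_by_port.setdefault(node_port, []).append(owner)
    return {port: owners for port, owners in owners_by_port.items() if len(owners) > 1}


if __name__ == "__main__":
    # Old behaviour: a hard-coded nodePort 24817 is rejected before kubectl ever sees it.
    try:
        build_api_service("pulp-api", "tenant-a", node_port=24817)
    except ValueError as exc:
        print("rejected:", exc)

    # Fixed behaviour: no nodePort configured -> ClusterIP, one per namespace.
    svc_a = build_api_service("pulp-api", "tenant-a")
    svc_b = build_api_service("pulp-api", "tenant-b")
    print(cluster_dns_name(svc_a), cluster_dns_name(svc_b))
    print(json.dumps(svc_a, indent=2))

    # Explicit in-range NodePorts still work, but must be unique cluster-wide.
    svc_c = build_api_service("pulp-api", "tenant-c", node_port=30817)
    svc_d = build_api_service("pulp-api", "tenant-d", node_port=30817)
    print(find_nodeport_conflicts([svc_a, svc_b, svc_c, svc_d]))
```

The range check runs before the manifest is rendered so that a misconfigured port is reported by the operator rather than surfacing later as an API server admission error, and the conflict scan is the kind of pre-flight check that makes the "only one Pulp per cluster" limitation visible instead of implicit.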