Running on 80 and 443 ports instead of 8080 and 8443 #1195

Open
flowingbits opened this issue Jan 30, 2024 · 6 comments

flowingbits commented Jan 30, 2024

I want to run Kourier on a bare-metal Kubernetes installation without a load-balancer controller. Thus, I want to run it with hostNetwork: true and ports 80 and 443 instead of 8080 and 8443 respectively. Please help me understand how to change the configuration to make it listen on those ports.

UPD: A glance over pkg/generator/caches.go makes me think it's not possible, is that true?

Contributor

norbjd commented Jan 31, 2024

Hello 👋

I think it's not possible as of today because, as you have noticed, these ports are hardcoded.

However, it should not be very difficult to override the ports from values set in the config-kourier config map:

// NewConfigFromMap creates a DeploymentConfig from the supplied Map.
func NewConfigFromMap(configMap map[string]string) (*Kourier, error) {
	nc := DefaultConfig()

	if err := cm.Parse(configMap,
+		cm.AsUint32(HTTPPortExternal, &nc.HTTPPortExternal),
+		cm.AsUint32(HTTPSPortExternal, &nc.HTTPSPortExternal),
		cm.AsBool(enableServiceAccessLoggingKey, &nc.EnableServiceAccessLogging),
		cm.AsBool(enableProxyProtocol, &nc.EnableProxyProtocol),
		cm.AsString(clusterCert, &nc.ClusterCertSecret),
		cm.AsDuration(IdleTimeoutKey, &nc.IdleTimeout),
		cm.AsUint32(trustedHopsCount, &nc.TrustedHopsCount),
		cm.AsStringSet(cipherSuites, &nc.CipherSuites),
		cm.AsBool(enableCryptoMB, &nc.EnableCryptoMB),
		asTracing(TracingCollectorFullEndpoint, &nc.Tracing),
	); err != nil {
		return nil, err
	}

	return nc, nil
}
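
Review bot: the two added cm.AsUint32 lines for HTTPPortExternal and HTTPSPortExternal accept any 32-bit value, so 0 or a number above 65535 in config-kourier would parse without error. After cm.Parse returns, NewConfigFromMap should reject values outside 1-65535 and a configuration where both keys carry the same port, returning an error in either case. Since the request behind this change is 80/443 with hostNetwork: true, the documentation for the two keys should also say that ports below 1024 require the gateway to be allowed to bind privileged ports.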

(and obviously 1. add these 2 fields in the Kourier struct, and 2. set 8080/8443 in the defaults).

I guess it's a good first issue if someone wants to contribute (and if maintainers are happy about this change).

Author

flowingbits commented Feb 2, 2024

I'd be glad to contribute to making the ports configurable. Let me pick it up.

@flowingbits
Author

Hey, I've created a PR with the changes, looking forward to a review #1202.

Contributor

skonto commented Apr 10, 2024

Hi @flowingbits, sorry for the late reply.

> Thus, I want to run it with hostNetwork: true

Could you describe more about your use case? This choice has some consequences:
a) it is probably a privileged operation in your environment
b) when the pod is restarted, its IP/hostname will change; also check K8s best practices.
Have you considered using MetalLB or some other bare-metal load balancer instead?

Author

flowingbits commented Apr 11, 2024

@skonto, the use case is exactly that, pinning the ingress-controller data plane to a set of "ingress" machines and using them as entry points for HTTP traffic. For example, ingress-nginx lists this as one of the deployment methods on bare-metal environments: https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/baremetal.md#via-the-host-network.

Of course, this can be solved by having some sort of load-balancer, including MetalLB, but this adds one more component to deploy and operate. As you rightly noted, binding these ports will require running with root privileges and for some environments, it is an acceptable security-simplicity tradeoff.

@flowingbits
Author

@skonto, up please
