We’ve been using port 8443 for the HTTPS proxy endpoint for years; the Katello installation scenario cannot use this port because it is already in use (qpidd I think, not sure).
I would like to propose a default change from 8443 to 9090. Reasons:
Very confusing for users working with both Foreman or Katello scenarios.
Hard to debug - 8443 is also accepting SSL connections with a different certificate.
Align Foreman vs Katello scenarios, therefore upstream and downstream.
Changing the installer default is definitely not enough: since Puppet would overwrite this setting, we need to figure out a way for a smooth upgrade. The register-in-foreman installer step would likely start failing; I am not sure if it is possible to detect a parameter change in Puppet and take some action (a foreman-rake console command to change ports for all proxies).
I think the cleanest execution would be to only do this for new installations, perhaps with a bit of Puppet code that would detect if it’s a brand new installation or an already existing one. It could also be somewhere in kafo.
I think the decision can be made based on what’s the easiest and smoothest experience for the upgrade process. Honestly, port numbers below 10000 are a tight area; we will always hit something. Now after hearing that it’s candlepin vs cockpit, I’d vote for changing candlepin because cockpit is definitely more popular and can possibly confuse more users.
We could also move the Smart Proxy port somewhere else to >10000.
A year or more ago, there were discussions around port alignment across services to have more predictability. The RFC that may provide some useful information was at:
In short, one of the options you give is to move Smart Proxy to 9090, which I think is the best option - fewer users need to do a migration. Also, SELinux does not need to be taken into account - it’s a trivial change.
The second point is the reverse proxy; I actually vote for keeping it as is on 8443 because we can later decide to create a web UI for the proxy and we have a problem.
There is also port 8000 used for the template proxy; that can stay as is as well.
The rest of the proposal covers the possibility of doing bigger changes; I’d rather stick with the minimum change, which to me looks like 8443 -> 9090 for smart-proxy only.
This is only relevant in the foreman_proxy_content scenario. For katello, candlepin directly serves on port 8443 without a reverse proxy, and foreman doesn’t have candlepin nor the reverse proxy at all.
Did anything ever come of moving away from port 9090? Apologies for re-opening such an old discussion, but with the fairly recent change of deprecating 8443 for clients, I’m sure I also saw something about port 9090 stopping.
Our registration wrapper script specifically adds/removes 9090 depending on whether the registration is going to a Smart-Proxy or direct to the Katello server.