Problems with Mender Helm Chart on OpenShift: privileged ports

I’m using the mendersoftware/mender-helm chart (GitHub - mendersoftware/mender-helm: Mender Helm charts) to install Mender, and want to say “thank you” because it’s such an easy way to install Mender!

I did run into some issues, though, that are very particular to deploying on Red Hat OpenShift. The problem is that the api-gateway and gui containers want to listen on port 80 and/or 443, but those privileged ports cannot be opened in OpenShift since the processes do not run as root. For the most part it is a case of changing the ports in the Helm files - they could even be changed so that they’re configurable as settings.

The bigger problem, though, is that the image for the gui container listens on port 80 in /etc/nginx/nginx.conf. I can get around this by building a new image that changes the port to something else. There are some other problems with the GUI image, like trying to write to read-only filesystems, and permissions problems when creating temp file directories and PID files - again these can be solved in the build of a custom image and other workarounds.

So the question is: what’s the best way to get some changes into the Helm Chart and the GUI image, so that I have less manual work every time there is an update? Making the ports a setting in the Helm Chart is easy enough, but it’s the image side of things that I think is going to be a lot more complicated and have potentially breaking changes for other types of Kubernetes systems.

I’d love to hear thoughts from the developers and community, thank you.

The easy fix of making the api-gateway ports configurable in Helm has been merged.

The GUI changes, particularly due to the nginx ports, are more difficult.

Heyho @waltermoar,
the GUI image relies on the official nginx Docker image and we try to keep it as close to this as possible. While there is the unprivileged image from nginx (Docker Hub), both the longevity of the image and the uncertain stability in installations would make the switch to this risky. There are however other ways to proceed:

  • fork the GUI repo and create a Dockerfile using the unprivileged image
  • get nginx to adopt the changes into their main image
  • get Red Hat to rethink their stance on port limitations in OpenShift

Manuel
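For readers who want to follow the first option above (fork the GUI repo and build on the unprivileged image), and who hit the same three symptoms the original post describes (port 80 in nginx.conf, writes to a read-only filesystem, and temp/PID directories that cannot be created), the following is an added example Dockerfile. It is not the mender-gui project's own Dockerfile and not part of this thread. It assumes the GUI's static build output is in a local `dist/` directory (a hypothetical path), that `nginxinc/nginx-unprivileged` from Docker Hub is acceptable as a base, and that the Helm chart's container port, Service `targetPort` and readiness probe for the gui Deployment are changed to 8080 to match.

```dockerfile
# syntax=docker/dockerfile:1.4
# Added example (not the mender-gui project's Dockerfile).
# Assumptions:
#   - ./dist holds the GUI's static build output (hypothetical path)
#   - nginxinc/nginx-unprivileged listens on 8080, keeps its PID file under
#     /tmp, and makes its cache/config directories writable by GID 0, which
#     is what lets it start under OpenShift's arbitrary-UID restricted SCC
FROM nginxinc/nginx-unprivileged:stable-alpine

# Static bundle only needs to be readable; owner 101 (nginx) and group 0
# matches the base image's convention for OpenShift-style random UIDs.
COPY --chown=101:0 dist/ /usr/share/nginx/html/

# Replace the default server block. The stock nginx image listens on 80,
# which a non-root process cannot bind; 8080 needs no privilege.
# Every directory nginx writes to is pinned under /tmp so the pod can run
# with readOnlyRootFilesystem: true plus an emptyDir mounted at /tmp.
COPY <<'EOF' /etc/nginx/conf.d/default.conf
server {
    listen       8080;
    server_name  _;
    root         /usr/share/nginx/html;

    # Buffer/temp paths: explicit here so a read-only root filesystem
    # does not break uploads or proxying (base image already uses /tmp,
    # and its nginx.conf sets "pid /tmp/nginx.pid;").
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
EOF

EXPOSE 8080

# Informational under OpenShift's restricted SCC (the platform assigns the
# UID), but keeps the image non-root on other Kubernetes distributions too.
USER 101
```

Build it with `docker build -t mender-gui-unprivileged .` and point the chart's gui image at the result; because the port change lives in the image and the Helm values rather than in a patched nginx.conf, re-applying it after a Mender upgrade is a rebuild of this one file rather than a re-edit of the upstream image. The `listen 80` line from the stock image is the only part that is genuinely blocked by OpenShift; the temp and PID paths are what make the read-only-filesystem errors go away.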