MAJOR: change http and https default ports to 8080 and 8443

with new s6 we completely move to rootless container setup, therefore binding to 80 and 443 is nto possible nor desired by default.

if you are using external mode or nodePort setup this needs to be aligned

Author: oktalz

deploy/haproxy-ingress-daemonset.yaml

@@ -152,13 +152,17 @@ spec:
         args:
           - --configmap=haproxy-controller/haproxy-kubernetes-ingress
         securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
           runAsUser:  1000
           runAsGroup: 1000
           capabilities:
             drop:
               - ALL
             add:
               - NET_BIND_SERVICE
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           limits:
             memory: 2560Mi

deploy/haproxy-ingress.yaml

@@ -153,13 +153,17 @@ spec:
         args:
           - --configmap=haproxy-controller/haproxy-kubernetes-ingress
         securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
           runAsUser:  1000
           runAsGroup: 1000
           capabilities:
             drop:
               - ALL
             add:
               - NET_BIND_SERVICE
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           limits:
             memory: 2560Mi

deploy/tests/config/3.ingress-controller.yaml

@@ -80,13 +80,13 @@ spec:
   type: NodePort
   ports:
     - name: http
-      port: 80
-      targetPort: 80
+      port: 8080
+      targetPort: 8080
       nodePort: 30080
       protocol: TCP
     - name: https
-      port: 443
-      targetPort: 443
+      port: 8443
+      targetPort: 8443
       nodePort: 30443
       protocol: TCP
     - name: stat

deploy/tests/integration/timeout-server/timeoutserver_test.go

@@ -132,7 +132,7 @@ func newAppSvc() *store.Service {
 			{
 				Name:     "https",
 				Protocol: "TCP",
-				Port:     443,
+				Port:     8443,
 				Status:   store.ADDED,
 			},
 		},

deploy/tests/tnr/routeacl/suite_test.go

@@ -154,7 +154,7 @@ func (suite *UseBackendSuite) UseBackendFixture() (eventChan chan k8s.SyncDataEv
 			{
 				Name:     "https",
 				Protocol: "TCP",
-				Port:     443,
+				Port:     8443,
 				Status:   store.ADDED,
 			},
 		},

documentation/annotations.md

@@ -74,7 +74,7 @@ This is autogenerated from [doc.yaml](doc.yaml). Description can be found in [ge
 | [ssl-passthrough](#https) | [bool](#bool) | "false" |  |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:|
 | [ssl-redirect](#https) | [bool](#bool) | "false" | https |:large_blue_circle:|:large_blue_circle:|:white_circle:|
 | [ssl-redirect-code](#https) | [301, 302, 303] | "302" | ssl-redirect |:large_blue_circle:|:large_blue_circle:|:white_circle:|
-| [ssl-redirect-port](#https) | number | 443 | ssl-redirect |:large_blue_circle:|:large_blue_circle:|:white_circle:|
+| [ssl-redirect-port](#https) | number | 8443 | ssl-redirect |:large_blue_circle:|:large_blue_circle:|:white_circle:|
 | [syslog-server](#logging) | [syslog](#syslog-fields) | "address:127.0.0.1, facility: local0, level: notice" |  |:large_blue_circle:|:white_circle:|:white_circle:|
 | [standalone-backend](#standalone-backend) | [bool](#bool) |  |  |:white_circle:|:large_blue_circle:|:large_blue_circle:|
 | [timeout-check](#timeouts) | [time](#time) |  |  |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:|

documentation/controller.md

@@ -28,8 +28,8 @@ Image can be run with arguments:
 | [`--disable-ipv6`](#--disable-ipv6) | `false` |
 | [`--ipv4-bind-address`](#--ipv4-bind-address) | `0.0.0.0` |
 | [`--ipv6-bind-address`](#--ipv6-bind-address) | `::` |
-| [`--http-bind-port`](#--http-bind-port) | `80` |
-| [`--https-bind-port`](#--https-bind-port) | `443` |
+| [`--http-bind-port`](#--http-bind-port) | `8080` |
+| [`--https-bind-port`](#--https-bind-port) | `8443` |
 | [`--disable-http`](#--disable-http) | `false` |
 | [`--disable-https`](#--disable-https) | `false` |
 | [`--sync-period`](#--sync-period) | `5s` |
@@ -478,7 +478,7 @@ Example:
 
 Possible values:
 
-- A valid port in the range. Default: 80
+- A valid port in the range. Default: 8080
 
 Example:
 
@@ -496,7 +496,7 @@ Example:
 
 Possible values:
 
-- A valid port in the range. Default: 443
+- A valid port in the range. Default: 8443
 
 Example:
 

documentation/custom-resources.md

@@ -165,5 +165,5 @@ spec:
   - protocol: TCP
     port: 443
     name: https
-    targetPort: 443
+    targetPort: 8443
 ```

documentation/doc.yaml

@@ -241,8 +241,8 @@ image_arguments:
   - argument: --http-bind-port
     description: Customize the HTTP frontend binding port.
     values:
-      - "A valid port in the range. Default: 80"
-    default: 80
+      - "A valid port in the range. Default: 8080"
+    default: 8080
     version_min: "1.5"
     example: --http-bind-port=8080
     helm: |-
@@ -251,8 +251,8 @@ image_arguments:
   - argument: --https-bind-port
     description: Customize the HTTPS frontend binding port.
     values:
-      - "A valid port in the range. Default: 443"
-    default: 443
+      - "A valid port in the range. Default: 8443"
+    default: 8443
     version_min: "1.5"
     example: --http-bind-port=8443
     helm: |-
@@ -1605,7 +1605,7 @@ annotations:
     type: number
     group: https
     dependencies: ssl-redirect
-    default: "443"
+    default: "8443"
     description:
       - Sets the HTTPS port to redirect to when HTTP to HTTPS traffic redirection is enabled  when `ssl-redirect` is true.
     tip:

pkg/annotations/common/main.go

@@ -56,7 +56,7 @@ var DefaultValues = map[string]string{
 	"request-capture-len":    "128",
 	"ssl-redirect-code":      "302",
 	"request-redirect-code":  "302",
-	"ssl-redirect-port":      "443",
+	"ssl-redirect-port":      "8443",
 	"ssl-passthrough":        "false",
 	"server-ssl":             "false",
 	"scale-server-slots":     "42",

pkg/utils/flags.go

@@ -90,8 +90,8 @@ type OSArgs struct {
 	DefaultBackendPort         int            `long:"default-backend-port" description:"port to use for default service" default:"6061"`
 	ChannelSize                int64          `long:"channel-size" description:"sets the size of controller buffers used to receive and send k8s events.NOTE: increase the value to accommodate large number of resources "`
 	ControllerPort             int            `long:"controller-port" description:"port to listen on for controller data: prometheus, pprof" default:"6060"`
-	HTTPBindPort               int64          `long:"http-bind-port" default:"80" description:"port to listen on for HTTP traffic"`
-	HTTPSBindPort              int64          `long:"https-bind-port" default:"443" description:"port to listen on for HTTPS traffic"`
+	HTTPBindPort               int64          `long:"http-bind-port" default:"8080" description:"port to listen on for HTTP traffic"`
+	HTTPSBindPort              int64          `long:"https-bind-port" default:"8443" description:"port to listen on for HTTPS traffic"`
 	SyncPeriod                 time.Duration  `long:"sync-period" default:"5s" description:"Sets the period at which the controller syncs HAProxy configuration file"`
 	CacheResyncPeriod          time.Duration  `long:"cache-resync-period" default:"10m" description:"Sets the underlying Shared Informer resync period: resyncing controller with informers cache"`
 	HealthzBindPort            int64          `long:"healthz-bind-port" default:"1042" description:"port to listen on for probes"`