Menu
Currently practicing with Kubernetes (managed, on DO), I ran into a issue I couldn't resolve for two days. I have nginx-ingress setup along with cert-manager, and a domain where git.domain.com points to the IP of the load balancer. I can reach my Gitea deployment via the web, everything seems to work.
What I want to achieve now is, that I can also use SSH like so
git clone [email protected]:org/repo.git
So I somehow need to expose the container port 22 via the service, then via the ingress. I tried a couple of things, but none of them seemed to work, probably because I'm a starter at K8S. Here is the working setup I use.
Service definition:
apiVersion: v1
kind: Service
metadata:
name: gitea-service
spec:
selector:
app: gitea
ports:
- name: gitea-http
port: 3000
targetPort: gitea-http
- name: gitea-ssh
port: 22
targetPort: gitea-ssh
Ingress definiton
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: echo-ingress
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- git.domain.com
secretName: letsencrypt-prod
rules:
- host: git.domain.com
http:
paths:
- backend:
serviceName: gitea-service
servicePort: gitea-http
And part of my deployment, just to make sure:
...
ports:
- containerPort: 3000
name: gitea-http
- containerPort: 22
name: gitea-ssh
...
Sorry if it's a dumb question, I think there is some basics that I confuse here. Thanks!
681
You may deploy any number of ingress controllers using ingress class within a cluster. Note the . metadata.name of your ingress class resource.
Ingress controller There are few options you can choose from, among them nginx, GCE (google cloud) and Istio. Only two are officially supported by k8s for now — nginx and GCE. We are going to go with nginx as the ingress controller solution. For this we, of course, need new deployment.
The IC uses the Kubernetes API to get the latest Ingress resources created in the cluster and then configures NGINX according to those resources. Application A with two pods deployed in the namespace A by User A. To expose the application to its clients (Clients A) via the host a.example.com , User A creates Ingress A.
NGINX Ingress Controller provides a robust feature set to secure, strengthen, and scale your containerized apps, including: Advanced app‑centric configuration – Use role‑based access control (RBAC) and self‑service to set up security guardrails (not gates), so your teams can manage their apps securely and with agility.
So I somehow need to expose the container port 22 via the service, then via the ingress
So yes and no: an Ingress is specifically for virtual-hosting using the host: header (or SNI) of the incoming request to know which backend to use. There is no such mechanism in SSH, or at the very least there's no Ingress controller that I'm aware of which supports protocols other than http for doing that.
However, the nginx Ingress controller supports TCP and UDP services so long as you can assign a dedicated port for them (which in your case, you can). You would create a ConfigMap entry saying which port on the ingress controller's Service to map to the port on gitea's Service, and then you'll need to expose port 22 on whatever is Internet-facing in Digital Ocean that routes traffic to the ingress controller's Service.
[Internet] -> :22[load balancer] --> :12345[controller Service] --> :22[gitea-service]
There are Digital Ocean annotations that you can use to switch certain ports over to TCP, but I didn't study that further than a quick search
I just used the nginx ingress controller as a concrete example, but the haproxy based ingress controllers will almost certainly do that, and other controllers may have similar options, because your question is a reasonable one
160
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
