Hi, I’m evaluating switching my ingress controller from a custom-built HAProxy operator to Istio in my homelab. Most of the functionality is easily replaced with Envoy filters (i.e. auth, rate limit); however, I couldn’t figure out how to do a mixed-mode TCP/HTTP backend based on protocol sniffing and routing them to different backends.
I’m using HAProxy to wrap SSH connections using the same cert.
I’m testing with the latest version of Istio, 1.7.3.
This is how I currently have my ingress set up in this case:
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ide-dev
  namespace: dev-env
  annotations:
    haproxy-ingress.my-custom-ingress.io/http-2: "true"
    haproxy-ingress.my-custom-ingress.io/oauth-service: oauth2-proxy.lb
    haproxy-ingress.my-custom-ingress.io/oauth-uri-host: auth.example.com
    haproxy-ingress.my-custom-ingress.io/auth-tls-ca-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-crl-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-verify: required
  labels:
    ingress-type: internal
spec:
  rules:
  - host: dev.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: dev
          servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ssh-dev
  namespace: dev-env
  annotations:
    haproxy-ingress.my-custom-ingress.io/tcp-backends: "true"
    haproxy-ingress.my-custom-ingress.io/custom-conditions: |
      [
        "payload(0,7) -m bin 5353482d322e30",
        "ssl_fc_has_crt"
      ]
    haproxy-ingress.my-custom-ingress.io/auth-tls-ca-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-crl-file: ca-cert-internal
    haproxy-ingress.my-custom-ingress.io/auth-tls-verify: required
  labels:
    ingress-type: internal
spec:
  rules:
  - host: dev.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: dev-ssh
          servicePort: 22
```
And a diagram:
Any help with this is appreciated.
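The routing decision expressed by the two `custom-conditions` in the post, written out in Python as an added example that is not part of the original post or of any HAProxy or Istio code. The function names and return labels are hypothetical, and rejecting a peer without a certificate is an assumption that models `auth-tls-verify: required`; the point it shows is that a sniffing rule must treat a short read as undecided rather than as HTTP.

```python
# Added illustration (hypothetical names): the backend choice made after TLS
# termination by the post's conditions
#   payload(0,7) -m bin 5353482d322e30   and   ssl_fc_has_crt
SSH_MAGIC = bytes.fromhex("5353482d322e30")  # hex from the post = b"SSH-2.0"

# Labels built from the serviceName/servicePort values in the post.
SSH_BACKEND = "dev-ssh:22"
HTTP_BACKEND = "dev:8080"
NEED_MORE = "need_more"   # not enough bytes buffered to decide yet
REJECT = "reject"         # assumption: no client certificate, no backend


def route(buffered: bytes, has_client_cert: bool) -> str:
    """Pick a backend from the first decrypted bytes of one connection.

    buffered        -- bytes read so far from the client (may be partial)
    has_client_cert -- whether the peer presented a certificate
    """
    if not has_client_cert:
        return REJECT
    head = buffered[:len(SSH_MAGIC)]
    if head == SSH_MAGIC:
        return SSH_BACKEND
    # A short read that is still a prefix of "SSH-2.0" is ambiguous:
    # deciding now would send a slow SSH client to the HTTP backend.
    if len(head) < len(SSH_MAGIC) and SSH_MAGIC.startswith(head):
        return NEED_MORE
    return HTTP_BACKEND


def sniff(chunks, has_client_cert: bool) -> str:
    """Feed received chunks in order until the connection can be classified."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        decision = route(buf, has_client_cert)
        if decision != NEED_MORE:
            return decision
    return NEED_MORE


if __name__ == "__main__":
    # Constructed sample inputs: an SSH identification line split across reads,
    # and a plain HTTP request line.
    print(sniff([b"SS", b"H-2.", b"0-OpenSSH_8.3\r\n"], True))
    print(sniff([b"GET / HTTP/1.1\r\n"], True))
```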