Virtual Service with https and ssh

I’m trying to host an application that needs to have HTTPS and SSH exposed. HTTPS works, but SSH does not. I don't know what I’m doing wrong. Can someone take a look and tell me what my mistake is?

Gateway and VS

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: default-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway      # binds this Gateway to the ingress gateway pods
  servers:
  - port:
      number: 2022                 # raw TCP listener for SSH on the gateway pod
      name: gitea-ssh
      protocol: TCP
    hosts:
    - git.mydomain
  - port:
      number: 443
      name: https
      protocol: HTTPS              # TLS terminated at the gateway
    hosts:
    - "*.mydomain"
    tls:
      mode: SIMPLE
      credentialName: mydomain-wildcard   # TLS secret in the gateway's namespace (istio-system)
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: gitea-vs
spec:
  hosts:
  - "git.mydomain"
  gateways:
  - istio-system/default-gateway   # namespace/name form: the Gateway lives in another namespace
  http:
  - match:
    - port: 443
    route:
    - destination:
        port:
          number: 3000
        host: gitea-http.default.svc.cluster.local
  tcp:
  - match:
    - port: 2022                   # must equal a TCP server port declared on the Gateway
    route:
    - destination:
        host: gitea-ssh.default.svc.cluster.local
        port:
          number: 2022

Well, I found my problem. For future searchers: the config above is correct. I only needed to define a new service port under “ingressGateways.k8s.service.ports”:

      - name: gitea-ssh
        nodePort: randomport?
        port: 2022             # external port clients connect to
        protocol: TCP
        targetPort: 2022       # port the Gateway server listens on

Where is “ingressGateways.k8s.service.ports” and how do you modify/implement it? Your discussion is one of the few I have found where someone seems to have figured out how to establish an SSH session to a container via the Istio Ingress Gateway. I have been trying to figure this out for the last 3 days. I have an SFTP server running in a container and have configured the Service, Gateway, VirtualService, and ingress gateway to pass SSH traffic to the running container, but the SSH session always terminates with the message ‘kex_exchange_identification: Connection closed by remote host’. I have done packet captures on both the server and client. I can verify a TCP session is started between the client and server, but it seems to fail once the key exchange starts. As near as I can tell, none of the key exchange packets sent from the client reach the server. Any help/insights would be welcome.

It’s been a few weeks, so you probably figured it out. But here is some more info:

It’s part of the Istio ingress gateway config. It’s not well documented. Depending on how you installed Istio, you can add the configuration to your Helm chart values or to the Istio operator CR.

I use the operator, so I added something like this to my Istio CR (truncated for readability):

spec:
  components:
    ingressGateways:
    - enabled: true
      k8s:
        service:
          ports:
          - name: ssh
            nodePort: 31234
            port: 22             # external port: plain `ssh host` works without -p
            protocol: TCP
            targetPort: 2022     # port the Gateway server (2022 above) listens on
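Both fixes in this thread (the “ingressGateways.k8s.service.ports” entry the original poster added, and the operator CR fragment above) come down to the same consistency rule: every port a Gateway server declares has to be forwarded by the istio-ingressgateway Service, and the VirtualService TCP match has to name a TCP server the Gateway actually declares. The checker below is an added example, not code from the thread or from Istio. The manifests are constructed Python dicts shaped like `kubectl get ... -o json` output, modelled on the Gateway and VirtualService posted above; the “before” ingress Service with only 80 and 443 is an assumption about a default installation. Because the gateway Service may map the external port to a different pod port (the default install forwards 443 to 8443), the check accepts a Gateway server port that appears as either `port` or `targetPort` of a Service entry, and reports the external port a client has to pass to `ssh -p`.

```python
# Added example: cross-check an Istio Gateway, its VirtualService TCP routes
# and the istio-ingressgateway Service for the mismatch discussed in this
# thread. Not code from the thread or from Istio; manifests are constructed.

# Constructed: the Gateway posted above (SSH on 2022, HTTPS on 443).
GATEWAY = {
    "metadata": {"name": "default-gateway", "namespace": "istio-system"},
    "spec": {
        "selector": {"app": "istio-ingressgateway"},
        "servers": [
            {"port": {"number": 2022, "name": "gitea-ssh", "protocol": "TCP"},
             "hosts": ["git.mydomain"]},
            {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
             "hosts": ["*.mydomain"],
             "tls": {"mode": "SIMPLE", "credentialName": "mydomain-wildcard"}},
        ],
    },
}

# Constructed: the VirtualService posted above, TCP route only.
VIRTUAL_SERVICE = {
    "metadata": {"name": "gitea-vs", "namespace": "default"},
    "spec": {
        "hosts": ["git.mydomain"],
        "gateways": ["istio-system/default-gateway"],
        "tcp": [{"match": [{"port": 2022}],
                 "route": [{"destination": {
                     "host": "gitea-ssh.default.svc.cluster.local",
                     "port": {"number": 2022}}}]}],
    },
}

# Constructed, assumed default install: ingress Service exposing only 80/443.
INGRESS_SERVICE_BEFORE = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "istio-ingressgateway"},
        "ports": [
            {"name": "http2", "port": 80, "protocol": "TCP", "targetPort": 8080},
            {"name": "https", "port": 443, "protocol": "TCP", "targetPort": 8443},
        ],
    },
}

# Constructed: the same Service after the fix from the replies (external 22 -> 2022).
INGRESS_SERVICE_AFTER = {
    "metadata": INGRESS_SERVICE_BEFORE["metadata"],
    "spec": {
        **INGRESS_SERVICE_BEFORE["spec"],
        "ports": INGRESS_SERVICE_BEFORE["spec"]["ports"] + [
            {"name": "ssh", "port": 22, "protocol": "TCP", "targetPort": 2022},
        ],
    },
}


def exposed_ports(service):
    """Map every port a Gateway server may bind to the external Service port.

    A server port counts as exposed when it is a Service `targetPort`
    (targetPort defaults to `port` when absent) or a Service `port`.
    """
    reachable = {}
    for entry in service["spec"]["ports"]:
        external = entry["port"]
        reachable.setdefault(entry.get("targetPort", external), external)
        reachable.setdefault(external, external)
    return reachable


def check(gateway, virtual_service, ingress_service):
    """Return human-readable findings; an empty list means the three agree."""
    findings = []
    exposed = exposed_ports(ingress_service)
    svc_name = ingress_service["metadata"]["name"]
    servers = {s["port"]["number"]: s["port"]["protocol"].upper()
               for s in gateway["spec"]["servers"]}
    for number, proto in servers.items():
        if number not in exposed:
            findings.append(
                f"gateway server {number}/{proto} is not exposed by Service "
                f"{svc_name}: add a ports entry whose targetPort is {number}")
    for route in virtual_service["spec"].get("tcp", []):
        for match in route.get("match", []):
            port = match.get("port")
            if port is None:
                continue
            if port not in servers:
                findings.append(f"tcp match on port {port} has no Gateway server")
            elif servers[port] not in ("TCP", "TLS"):
                findings.append(
                    f"tcp match on port {port} but Gateway server is {servers[port]}")
    return findings


def client_port(gateway_port, ingress_service):
    """External port a client must pass to `ssh -p` for a Gateway server port."""
    return exposed_ports(ingress_service).get(gateway_port)


if __name__ == "__main__":
    for label, svc in (("before", INGRESS_SERVICE_BEFORE), ("after", INGRESS_SERVICE_AFTER)):
        print(label, check(GATEWAY, VIRTUAL_SERVICE, svc) or "OK",
              "ssh -p", client_port(2022, svc))
```

Against the “before” Service the checker flags the 2022/TCP server as unexposed and cannot name a client port; after the `ssh` entry is added it reports no findings and tells the client to use port 22, which is exactly the `ssh svc_ip` versus `ssh gw_ip -p gw_port` distinction that comes up later in this thread.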

ssh svc_ip works, but ssh gw_ip -p gw_port does not.

Can you help me? Thanks!

---
# svc
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: test-pod-110
  name: sv-test-pod-110
  namespace: cust1
spec:
  type: ClusterIP
  ports:
  - name: test-pod-11022
    port: 22
    protocol: TCP
    targetPort: 22
  selector:
    app.kubernetes.io/name: test-pod-110

---
#DR
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ljtest-dr
  namespace: cust1
spec:
  host: sv-test-pod-110      # the Service above; no subsets are defined here

---
# VS
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ljtest-vs
  namespace: cust1
spec:
  gateways:
  - ljtest-gw
  hosts:
  - '*'
  tcp:
  - match:
    - port: 31404            # must match the Gateway server port below
    route:
    - destination:
        host: ljtest-dr      # NOTE: destination.host is resolved against the service registry (the Service name sv-test-pod-110), not the DestinationRule name
        port:
          number: 22
        subset: v1           # NOTE: the DestinationRule above defines no subset named v1

---
# GW
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ljtest-gw
  namespace: cust1
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: tcp
      number: 31404          # the ingress gateway Service must also expose this port (see ingressGateways.k8s.service.ports above)
      protocol: TCP

Port 22 is restricted. Do a port mapping on the svc: 31404->22, then just use 31404 on the gw, vs, etc.
