Exposing TCP services in Kong Ingress Controller

Hi @hbagdi

I’m using Kong Ingress Controller for our Kubernetes cluster. I’m looking for a way to connect the GitLab Shell component to a container that requires TCP traffic to pass through on port 22.

I’ve been searching for documentation or a solution. I saw that this is possible using nginx-ingress-controller; they have support for exposing TCP services using the flag --tcp-services-configmap. See the documentation below.

Is there a similar way to do it using kong ingress controller? Thanks

https://docs.gitlab.com/charts/advanced/external-nginx/#tcp-services-in-the-external-ingress-controller

I saw this stream_listen. I tried adding port 8022 in the Kong proxy ingress controller, but I don’t know how to point to Kubernetes container port 22.

name: KONG_STREAM_LISTEN 
value: 0.0.0.0:8022

Great timing.
Controller 0.8 comes out this Thursday and it is adding support for TCP based services.

Hi @hbagdi,

I am using the latest Controller and I followed this document to set up TCPIngress for my DB-less installation. But I am getting the below error in the pod and it goes to CrashLoopBackOff status.

F0406 05:28:38.611721 1 main.go:185] making HTTP request: Get "https://localhost:8444/": dial tcp [::1]:8444: connect: connection refused

Then I tried to expose port 8444 by adding it to the service, but it still gives the same error in the pod’s log.

Appreciate your input to fix this error.

Thanks!
Best Regards,
Danuka

TCPIngress requires Kong to be deployed in DB mode.

Is there a plan to support DB-less mode as well?

I am using Kong in DB-less mode as well. I would like to use the TCPIngress resource because it is currently hard to manage the TCP publications and I must create LoadBalancers for each (in some cloud providers there are limitations) or install another ingress controller implementation which supports this.

Kong 2.0.4 addresses this.
Please wait for the docker image to be released: https://github.com/docker-library/official-images/pull/7880

You should be able to use TCPIngress in DB-less mode with that version.

Hi, I want to check if there is any update on this topic. I’m using Kong Ingress 0.10.0 with Kong 2.1.4 today but TCPIngress does not work with DB-less mode.

What problem are you running into? When you say “does not work”, what exactly happens?

Thanks for asking. I finally got it working, but I still have three questions:

  1. I followed the TCP ingress guide and created a minikube cluster for testing. Then I realized the Proxy IP (e.g. http://192.168.99.100:31350) cannot be used in the telnet command, thus telnet $PROXY_IP 9000 will not return the expected response. I also tried telnet 192.168.99.100 9000 but only got

    Trying 192.168.99.100...
    telnet: connect to address 192.168.99.100: Connection refused
    telnet: Unable to connect to remote host.

    So I assume the tcpingress guide will not work with minikube, right?
  2. I then used a kube cluster on AWS and the tcpingress guide works fine. The only question I have here is that I see no address bound to the TCPIngress when I run kubectl get TCPIngress

    But as mentioned in the guide, I should see PROXY_IP here
  3. I tried to follow the guide and added new ports, and then found out port 389 failed while port 9001 succeeded. After adding port 389, I got an error in pod/ingress-kong immediately

    Warning BackOff 7s (x3 over 12s) kubelet, ip-172-20-47-181.us-east-2.compute.internal Back-off restarting failed container
    Warning Unhealthy 6s kubelet, ip-172-20-47-181.us-east-2.compute.internal Readiness probe failed: Get http://100.124.0.4:10254/healthz: dial tcp 100.124.0.4:10254: connect: connection refused
    Warning Unhealthy 2s kubelet, ip-172-20-47-181.us-east-2.compute.internal Liveness probe failed: Get http://100.124.0.4:10254/healthz: dial tcp 100.124.0.4:10254: connect: connection refused

    So I want to ask if there is any restriction about the available ports in Kong ingress?
    Thanks,

You should only use ports above 1024 because ports below 1024 are privileged ports and require special permissions to bind to.

That is odd and is an indication of a bug. The status should be populated in a little bit of time. Which version of the controller are you using?
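
Added example (not part of the thread and not Kong's own manifests): one way to apply the port advice above to the GitLab Shell case from the first post, with Kong listening on unprivileged port 8022 while clients still connect to port 22 on the Service. Assumptions: the proxy container is named `proxy` in the `ingress-kong` Deployment, the proxy Service is `kong-proxy`, GitLab Shell is reachable as Service `gitlab-shell` in namespace `gitlab`, and the controller version supports TCPIngress (0.8 or later, per the thread).

```yaml
# 1. Patch for the ingress-kong Deployment (assumed container name: proxy).
#    Kong binds 8022 inside the pod, so the container needs no extra
#    permission to bind a port below 1024.
spec:
  template:
    spec:
      containers:
        - name: proxy
          env:
            - name: KONG_STREAM_LISTEN
              value: "0.0.0.0:8022"
          ports:
            - name: stream8022
              containerPort: 8022
              protocol: TCP
---
# 2. Patch for the kong-proxy Service (assumed name).
#    Clients connect to port 22; Kubernetes forwards to Kong's 8022,
#    so the low port exists only at the Service, not in the container.
spec:
  ports:
    - name: ssh
      port: 22
      targetPort: 8022
      protocol: TCP
---
# 3. TCPIngress: route everything Kong receives on stream port 8022
#    to the backend Service on its port 22.
#    Service name and namespace are hypothetical placeholders.
apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: gitlab-shell
  namespace: gitlab
  annotations:
    kubernetes.io/ingress.class: kong
spec:
  rules:
    - port: 8022            # must match a KONG_STREAM_LISTEN port
      backend:
        serviceName: gitlab-shell
        servicePort: 22
```

Exposing SSH this way makes port 22 reachable to anything that can reach the proxy Service, so restrict source ranges at the load balancer or with a NetworkPolicy where the environment allows it.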

I’m using Kong Ingress 0.10.0 with Kong 2.1.4, Kube Server version: v1.18.9. We also use terraform 0.11.11 for creating the kube cluster.
The Proxy_IP shows up under Ingress, not TCPIngress.

@hbagdi, what permission is needed to use ports below 1024?