TCPIngress not routing to Service

I’m working on integrating OpenUnison with Kong’s Ingress Gateway. Here’s my TCPIngress object:

apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
    meta.helm.sh/release-name: orchestra
    meta.helm.sh/release-namespace: openunison
  creationTimestamp: "2025-02-06T04:19:51Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: kube-oidc-proxy-passthrough-orchestra
  namespace: openunison
  resourceVersion: "40138"
  uid: de17729d-8eea-4ccc-8185-0d6d6c5a4818
spec:
  rules:
  - backend:
      serviceName: kube-oidc-proxy-orchestra
      servicePort: 443
    host: k8sapi.192-168-2-230.nip.io
    port: 443
  tls:
  - hosts:
    - k8sapi.192-168-2-230.nip.io
    secretName: unison-tls

and my Service:

apiVersion: v1
kind: Service
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "50"
    meta.helm.sh/release-name: orchestra
    meta.helm.sh/release-namespace: openunison
  creationTimestamp: "2025-02-06T02:20:12Z"
  labels:
    app: kube-oidc-proxy-orchestra
    app.kubernetes.io/component: kube-oidc-proxy
    app.kubernetes.io/instance: openunison-orchestra
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: openunison
    app.kubernetes.io/part-of: openunison
  name: kube-oidc-proxy-orchestra
  namespace: openunison
  resourceVersion: "40418"
  uid: f3d0d643-02ee-47d5-a836-f4e4ba03c6f5
spec:
  clusterIP: 10.109.53.192
  clusterIPs:
  - 10.109.53.192
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: https-kube-oidc-proxy
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: kube-oidc-proxy-orchestra
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

When I attempt to call a URL:

I0205 23:22:24.141135   19323 round_trippers.go:466] curl -v -XGET  -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.31.3 (darwin/arm64) kubernetes/c83cbee" 'https://k8sapi.192-168-2-230.nip.io/api/v1/nodes?limit=500'
I0205 23:22:24.143088   19323 round_trippers.go:495] HTTP Trace: DNS Lookup for k8sapi.192-168-2-230.nip.io resolved to [{192.168.2.230 }]
I0205 23:22:24.143657   19323 round_trippers.go:510] HTTP Trace: Dial to tcp:192.168.2.230:443 succeed
I0205 23:22:24.147849   19323 round_trippers.go:553] GET https://k8sapi.192-168-2-230.nip.io/api/v1/nodes?limit=500 404 Not Found in 6 milliseconds
I0205 23:22:24.147857   19323 round_trippers.go:570] HTTP Statistics: DNSLookup 1 ms Dial 0 ms TLSHandshake 3 ms ServerProcessing 0 ms Duration 6 ms
I0205 23:22:24.147860   19323 round_trippers.go:577] Response Headers:
I0205 23:22:24.147864   19323 round_trippers.go:580]     Content-Type: application/json; charset=utf-8
I0205 23:22:24.147867   19323 round_trippers.go:580]     Content-Length: 103
I0205 23:22:24.147868   19323 round_trippers.go:580]     X-Kong-Response-Latency: 1
I0205 23:22:24.147874   19323 round_trippers.go:580]     Server: kong/3.8.0
I0205 23:22:24.147875   19323 round_trippers.go:580]     X-Kong-Request-Id: 720b006798491b4039888333ce9e5b4e
I0205 23:22:24.147876   19323 round_trippers.go:580]     Date: Thu, 06 Feb 2025 04:22:24 GMT
I0205 23:22:24.147889   19323 request.go:1351] Response Body: {
  "message":"no Route matched with those values",
  "request_id":"720b006798491b4039888333ce9e5b4e"
}
I0205 23:22:24.147930   19323 request.go:1550] body was not decodable (unable to check for Status): Object 'Kind' is missing in '{
  "message":"no Route matched with those values",
  "request_id":"720b006798491b4039888333ce9e5b4e"
}'
I0205 23:22:24.148197   19323 helpers.go:246] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "Unable to list \"/v1, Resource=nodes\": the server could not find the requested resource (get nodes)",
  "reason": "NotFound",
  "details": {
    "kind": "nodes",
    "causes": [
      {
        "reason": "UnexpectedServerResponse",
        "message": "unknown"
      }
    ]
  },
  "code": 404
}]
Error from server (NotFound): Unable to list "/v1, Resource=nodes": the server could not find the requested resource (get nodes)

What’s interesting is that the certificate response to SNI is correct, but Kong’s not routing the request to my Service. The logs don’t have any errors in either the gateway or the controller related to the service, and the service’s endpoints are available:

k get endpoints -n openunison
NAME                            ENDPOINTS                           AGE
kube-oidc-proxy-orchestra       10.244.0.17:8443                    10h
openunison-orchestra            10.244.0.59:8080,10.244.0.59:8443   11h
ouhtml-orchestra-login-portal   10.244.0.23:8080                    11h

Am I missing an object or an annotation?

Thanks
Marc

@mlbiam I don’t have an answer for you at this time, but I’m curious if you are aware of this how-to doc on your use case that might help you ensure configurations are correct.

Yes, this is the doc I based my configuration off of.