No SSH on internal ingress (AWS ALB)
Summary
We use both an internal and external endpoint for our GitLab EE installation.
When we're using our internal GitLab (when our users are connected to the internal network via VPN) we are unable to connect via SSH because it is not configured in the helm chart template controller-service-internal.yaml.
This block appears in controller-service, but not in controller-service-internal:

```yaml
{{- if include "gitlab.shell.port" $ }}
    - name: gitlab-shell
      port: {{ include "gitlab.shell.port" $ | int }}
      protocol: TCP
      targetPort: gitlab-shell
      {{- $nodePort := coalesce (index .Values.controller.service.nodePorts "gitlab-shell") .Values.global.shell.port }}
      {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty $nodePort))) }}
      nodePort: {{ $nodePort }}
      {{- end }}
{{- end }}
```
Is there a reason for this?
Steps to reproduce
Configure the helm chart in AWS to use both an internal and external ALB as illustrated below.
Configuration used

```yaml
nginx-ingress:
  controller:
    config:
      # pass the X-Forwarded-* headers directly from the upstream
      use-forwarded-headers: "true"
    service:
      internal:
        enabled: true
        annotations:
          external-dns.alpha.kubernetes.io/hostname: gitlab.foo.example.io
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
          service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/<ACM_CERT_UUID>
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
          service.beta.kubernetes.io/aws-load-balancer-scheme: internal
          service.beta.kubernetes.io/aws-load-balancer-internal: true
      annotations:
        external-dns.alpha.kubernetes.io/hostname: gitlab.foo.example.io
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/<ACM_CERT_UUID>
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
```
Current behavior

```
✗ kubectl get service
gitlab-nginx-ingress-controller            LoadBalancer   172.20.32.237   <ALB_PREFIX>.<AWS_REGION>.elb.amazonaws.com            80:30898/TCP,443:31307/TCP,22:30928/TCP   42d
gitlab-nginx-ingress-controller-internal   LoadBalancer   172.20.205.4    internal-<ALB_PREFIX>.<AWS_REGION>.elb.amazonaws.com   80:30193/TCP,443:31276/TCP                42d
```

Note the omission of TCP 22 on the internal ALB.
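A quick way to catch this drift automatically, added here as an example and not part of the issue or the chart: the script below parses `kubectl get service -o json` output (a constructed sample mirroring the two services above is embedded), lists each LoadBalancer service's AWS scheme annotation and exposed ports, and reports any LoadBalancer service that lacks an expected port such as 22.

```python
"""Audit LoadBalancer services for exposed ports and AWS scheme (example, not chart code)."""
import json

SCHEME = "service.beta.kubernetes.io/aws-load-balancer-scheme"

# Constructed sample of `kubectl get service -o json`: the internet-facing
# service exposes 22, the internal one does not, and a ClusterIP service is ignored.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "gitlab-nginx-ingress-controller",
                  "annotations": {SCHEME: "internet-facing"}},
     "spec": {"type": "LoadBalancer",
              "ports": [{"name": "http", "port": 80}, {"name": "https", "port": 443},
                        {"name": "gitlab-shell", "port": 22}]}},
    {"metadata": {"name": "gitlab-nginx-ingress-controller-internal",
                  "annotations": {SCHEME: "internal"}},
     "spec": {"type": "LoadBalancer",
              "ports": [{"name": "http", "port": 80}, {"name": "https", "port": 443}]}},
    {"metadata": {"name": "gitlab-webservice-default", "annotations": {}},
     "spec": {"type": "ClusterIP", "ports": [{"name": "http-workhorse", "port": 8181}]}},
]})


def lb_services(kubectl_json):
    """Return {service name: (scheme annotation, set of port numbers)} for LoadBalancer services."""
    out = {}
    for item in json.loads(kubectl_json)["items"]:
        if item["spec"].get("type") != "LoadBalancer":
            continue
        name = item["metadata"]["name"]
        scheme = item["metadata"].get("annotations", {}).get(SCHEME, "unset")
        ports = {p["port"] for p in item["spec"].get("ports", [])}
        out[name] = (scheme, ports)
    return out


def missing_ports(kubectl_json, expected=(80, 443, 22)):
    """Return {service name: sorted list of expected ports it does not expose}."""
    result = {}
    for name, (_scheme, ports) in lb_services(kubectl_json).items():
        gap = sorted(set(expected) - ports)
        if gap:
            result[name] = gap
    return result


if __name__ == "__main__":
    for name, (scheme, ports) in lb_services(SAMPLE).items():
        print(f"{name}: scheme={scheme} ports={sorted(ports)}")
    print("missing:", missing_ports(SAMPLE))
```

Replace `SAMPLE` with the real `kubectl get service -o json` output to run it against a cluster; the `expected` tuple is the port set the external service is known to expose.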
Expected behaviour
I expect to see 22 on the internal ALB.
Versions
- Chart: 5.10.2
- Platform:
  - Cloud: AWS
- Kubernetes: (`kubectl version`) Client Version: v1.24.0 Kustomize Version: v4.5.4 Server Version: v1.22.9-eks-a64ea69
- Helm: (`helm version`) version.BuildInfo{Version:"v3.7.2", GitCommit:"663a896f4a815053445eec4153677ddc24a0a361", GitTreeState:"clean", GoVersion:"go1.16.10"}
Relevant logs
N/A
Edited by Mike Hobbs