SSH/TCP Ingress with Traefik not working

Summary

Hi, I would like to run GitLab via Helm on my Kubernetes cluster. I use Traefik as an ingress controller and would like to make the container "gitlab-shell" accessible via a TCP route. According to the documentation, Helm automatically creates a corresponding IngressRouteTCP. I can also see this configuration, but the corresponding route is not displayed in Traefik and I cannot reach GitLab via SSH.

Steps to reproduce

I use a Traefik and a Cert Manager in my cluster and have not had them created by GitLab.

Configuration used


```yaml
---
certmanager:
  installCRDs: false
  install: false
  rbac:
    create: false

nginx-ingress:
  enabled: false

traefik:
  install: false

global:
  pages:
    enable: true
  hosts:
    domain: <hidden>
  ingress:
    enabled: true
    provider: traefik
    class: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    configureCertmanager: false
    tls:
      enabled: true
      secretName: <hidden>
  gitlab-shell:
    traefik:
      entrypoint: gitlab-shell
  edition: ce
  email:
    <hidden>
```

Short extract from the Traefik config:

```yaml
ports:
  web:
    redirectTo:
      port: websecure
  websecure:
    tls:
      enabled: true
  gitlab-shell:
    expose: true
    exposedPort: 22
    port: 2222
    protocol: TCP
```

Current behavior

As you can see, the router is unfortunately not recognized/used. The logs from Traefik and also from the gitlab shell containers are unfortunately not meaningful.

Helm creates a service for gitlab-shell.

Expected behavior

I am not sure if there is a configuration error or if the created IngressRouteTCP simply does not work with Traefik anymore. In any case, I have tried a lot and would be grateful for any tips on how to get it to work.

Versions

  • Chart: v7.7.3
  • Platform:
    • Self-hosted: Rancher RKE / v1.27.8+k3s2
  • Kubernetes: (kubectl version)
    • Client: v1.28.2
    • Server: v1.27.8+k3s2
  • Helm: (helm version)
    • Client: v3.13.3

Relevant logs

This is what the generated IngressRouteTCP looks like:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  annotations:
    meta.helm.sh/release-name: gitlab
    meta.helm.sh/release-namespace: gitlab
  creationTimestamp: '2024-01-14T14:40:34Z'
  generation: 3
  labels:
    app: gitlab-shell
    app.kubernetes.io/managed-by: Helm
    chart: gitlab-shell-7.7.3
    heritage: Helm
    release: gitlab
  managedFields:
    - apiVersion: traefik.containo.us/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app: {}
            f:app.kubernetes.io/managed-by: {}
            f:chart: {}
            f:heritage: {}
            f:release: {}
        f:spec:
          .: {}
          f:entryPoints: {}
          f:routes: {}
      manager: helm
      operation: Update
      time: '2024-01-14T18:29:26Z'
  name: gitlab-gitlab-shell
  namespace: gitlab
  resourceVersion: '40239003'
  uid: 45845aea-9881-434a-9d0a-445856bd31e9
spec:
  entryPoints:
    - gitlab-shell
  routes:
    - match: HostSNI(`*`)
      services:
        - name: gitlab-gitlab-shell
          namespace: gitlab
          port: 22
```
Edited by morzan1001