Gitea on Kubernetes - Git SSH behind same Ingress

[aleksasiriski]

Has anyone tried and if so could I get an explanation on how to use the default Traefik ingress for both http(s) and ssh on port 22? I don't want to use another LB just for Git SSH since it's costly and would be impractical to have different IPs.

I found these resources:

• https://community.traefik.io/t/ssh-via-ingressroutetcp/13577
• https://community.traefik.io/t/routing-ssh-traffic-with-traefik-v2/717

[mysticaltech]

@aleksasiriski I've asked a good AI friend of mine, here's what she says.

Traefik TCP Routing.

You:

Hello, I'm using traefik on k3s, how to use the default Traefik ingress for both http(s) and ssh on port 22? I don't want to use another LB just for Git SSH since it's costly and would be impractical to have different IPs.

ChatGPT:

Traefik does not support TCP traffic by default, which means it cannot be used to load balance SSH traffic on port 22 without additional configuration. However, you can enable TCP support and configure Traefik to route both HTTP(s) and SSH traffic.

Here's a step-by-step guide to enable TCP routing in Traefik for k3s:

1. Enable TCP support in Traefik:

Edit the Traefik Helm values.yaml file or create a new one and add the following lines to enable TCP support:

additionalArguments:
  - "--entrypoints.tcp=true"

2. Expose the desired ports:

Expose the ports you want to use for both HTTP(s) and SSH traffic. In this example, we'll use 80, 443, and 22:

ports:
  web:
    expose: true
    port: 80
  websecure:
    expose: true
    port: 443
  ssh:
    expose: true
    port: 22
    protocol: TCP

3. Define the entry points:

Define the entry points for the exposed ports:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  ssh:
    address: ":22"

4. Apply the configuration:

Use the helm upgrade command to apply the configuration if you already have Traefik installed, or use helm install if you are installing Traefik for the first time. Make sure to reference your modified values.yaml file.

5. Configure an IngressRoute for HTTP(s):

Create a Kubernetes IngressRoute resource for your HTTP(s) services as you normally would. Here's an example:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-http-service
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`)
    kind: Rule
    services:
    - name: my-http-service
      port: 80

6. Configure a TCP Router for SSH:

Create a Kubernetes TCP Router resource to route the SSH traffic:

apiVersion: traefik.containo.us/v1alpha1
kind: TCPRouter
metadata:
  name: my-ssh-router
spec:
  entryPoints:
    - ssh
  routes:
  - match: HostSNI(`*`)
    services:
    - name: my-ssh-service
      port: 22

7. Deploy the services:

Deploy your HTTP(s) and SSH services to your k3s cluster. Make sure the service names and ports match the ones defined in your IngressRoute and TCP Router resources.

With this configuration, Traefik should route both HTTP(s) and SSH traffic to the appropriate services. The HTTP(s) traffic will be routed based on the domain name, while the SSH traffic will be routed based on the SNI value.