Preliminary version. The functionality may change, but the basic features will be preserved. Compatibility with future versions is ensured, but may require additional migration actions.
Git SSH Operation on Port 22
By default, the Deckhouse cluster uses the built-in Ingress controller — ingress-nginx. This controller provides access to the web interface (UI) via standard HTTP (port 80) and HTTPS (port 443) ports. However, ingress-nginx does not support TCP port proxying.
To proxy external TCP traffic through port 22 (Git SSH), the module configuration provides the useOwnLoadBalancer option. When this option is enabled, HAProxy is deployed with a service of type LoadBalancer. HAProxy forwards traffic from port 22 to the corresponding Git SSH Pod. Ports 80 and 443 continue to be handled by ingress-nginx, where TLS termination occurs.
Features of the useOwnLoadBalancer option
- Separate IP Address: When the useOwnLoadBalancer option is enabled for the Code module, a separate IP address is allocated, distinct from the main Deckhouse IP address. A separate DNS record must be created for this address. The following services will be accessible via this DNS record:
  - Web interface (UI) on ports 80 and 443.
  - Git SSH on port 22.
- Ignored Parameters: When the useOwnLoadBalancer option is enabled, the following parameters are ignored:
  - spec.instanceSpec.network.gitSsh.hostname
  - spec.instanceSpec.network.gitSsh.service.type
  - spec.instanceSpec.network.gitSsh.service.nodePort
  Instead, the shell service is assigned the LoadBalancer type, and Git SSH becomes accessible via the same domain as the web service.
Configuration Example
Below is an example of adding HAProxy for Git SSH proxying within ModuleConfig:
apiVersion: deckhouse.io/v1
kind: CodeInstance
metadata:
  name: code
spec:
  ...
  network:
    useOwnLoadBalancer: true
    ...
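A check for the ignored parameters listed above, as an added example that is not part of the Deckhouse documentation or code: it takes an already-parsed CodeInstance manifest (for example, the output of a YAML loader) and reports gitSsh settings that have no effect while useOwnLoadBalancer is enabled. The sample manifest, its values, and the lookup of the option under both spec.network and spec.instanceSpec.network are assumptions made for illustration.

```python
# Added example, not Deckhouse code. Paths are copied from the list above.
IGNORED_PATHS = (
    "spec.instanceSpec.network.gitSsh.hostname",
    "spec.instanceSpec.network.gitSsh.service.type",
    "spec.instanceSpec.network.gitSsh.service.nodePort",
)
# Assumption: the example manifest elides levels around `network`,
# so the option is looked up in both places.
FLAG_PATHS = (
    "spec.network.useOwnLoadBalancer",
    "spec.instanceSpec.network.useOwnLoadBalancer",
)
_MISSING = object()

def lookup(doc, dotted):
    """Follow a dotted path through nested dicts; _MISSING if absent."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def ignored_settings(manifest):
    """Return {path: value} for parameters that are set but ignored."""
    if not any(lookup(manifest, p) is True for p in FLAG_PATHS):
        return {}
    values = {p: lookup(manifest, p) for p in IGNORED_PATHS}
    return {p: v for p, v in values.items() if v is not _MISSING}

def report(manifest):
    """Human-readable findings for a review or CI step."""
    lines = [f"{p}={v!r} is ignored while useOwnLoadBalancer is enabled"
             for p, v in ignored_settings(manifest).items()]
    if lines:
        lines.append("Git SSH on port 22 is exposed through a LoadBalancer "
                     "service on the web domain")
    return lines

# Constructed sample manifest (values are illustrative).
SAMPLE = {"spec": {
    "network": {"useOwnLoadBalancer": True},
    "instanceSpec": {"network": {"gitSsh": {
        "hostname": "ssh.example.com",
        "service": {"type": "NodePort", "nodePort": 30022}}}},
}}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A non-empty report means the manifest still declares a Git SSH hostname, service type or node port that no longer describes how port 22 is actually exposed.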
HAProxy Workflow Diagram
HAProxy inside the Deckhouse cluster operates according to the following diagram: