
docs: document how to add an Ingress in front of Capacitor

Open laszlocph opened this issue 1 year ago • 4 comments

laszlocph avatar Jan 26 '24 09:01 laszlocph

Hey, just to point out that I'm trying to add an HTTPRoute to Capacitor, but I currently have a 503 error with the message:

upstream connect error or disconnect/reset before headers. reset reason: connection timeout

The port-forward works fine. Here is my manifest, I'm probably missing something:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: capacitor
  namespace: flux-system
spec:
  hostnames:
  - gitops-mycluster-0.priv.cloud.ogenki.io
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: platform-private
    namespace: infrastructure
  rules:
  - backendRefs:
    - kind: Service
      name: capacitor
      port: 9000
```

Smana avatar Feb 17 '24 12:02 Smana

I had a NetworkPolicy setup for weave-gitops to allow ingress into the flux-system namespace, and just re-used that, changing app.kubernetes.io/name to app.kubernetes.io/instance for the capacitor label.

This is working, but please note that I'm running the cluster on my LAN. I'm also using a default-ssl-certificate for ingress-nginx. I assume the NetworkPolicy would work just the same for HTTPRoute, but I'm not sure.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: capacitor-ingress
  namespace: flux-system
spec:
  ingressClassName: nginx
  rules:
  - host: gitops.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: capacitor
            port:
              number: 9000
  tls:
    - hosts:
      - gitops.mydomain.com
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capacitor-ingress
  namespace: flux-system
spec:
  policyTypes:
    - Ingress
  ingress:
    - from:
      - namespaceSelector: {}
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: capacitor
```

sysaeon avatar Feb 24 '24 00:02 sysaeon
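
A tighter variant of the NetworkPolicy above, added here as an example and not taken from the thread or the Capacitor project: `namespaceSelector: {}` with no `ports` admits pods from every namespace on every port, while this version admits only the ingress controller on port 9000. The `ingress-nginx` namespace name and the controller pod label are assumptions based on a default ingress-nginx install; adjust them to your cluster.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capacitor-ingress
  namespace: flux-system
spec:
  # Same target pods as the policy posted in the thread.
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: capacitor
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list item are ANDed:
        # the peer must be a controller pod inside the controller namespace.
        # Written as two separate list items they would be ORed instead.
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every
              # namespace; "ingress-nginx" is an assumed namespace name.
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              # Assumed label of the ingress-nginx controller pods.
              app.kubernetes.io/name: ingress-nginx
      # Restrict to the port the capacitor Service exposes in the thread.
      ports:
        - protocol: TCP
          port: 9000
```

Port-forwarding does not exercise this path, so test through the Ingress hostname after applying the policy.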

Hello @sysaeon,

Thanks for your answer and good point! I completely forgot to check the network policies. In my case, as I'm using Cilium and Gateway API, here is the proper policy:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: capacitor-ingress
  namespace: flux-system
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/instance: capacitor
  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            - port: "9000"
              protocol: TCP
```

Smana avatar Feb 24 '24 08:02 Smana

Just in case someone is using the Flux + app-template way of deploying stuff, this is how to get capacitor running with ingress: https://github.com/fenio/homelab/tree/main/cluster/apps/flux-system

fenio avatar Mar 03 '24 17:03 fenio