Ingress controller can only listen on a single host port and not on BOTH 80 and 443

[kevinvalk]

(First started with feature proposal issue and then with bug report, but both templates felt wrong as this feels exactly between bug and feature request.)

I am facing the exact problem as #32768 which became stale and was automatically closed.

My intend is to replace NGINX Ingress DaemonSet deployment that listens on host ports 80 and 443 with Cilium. This seemed supported with the recently (1.16+) introduced hostNetwork flag for both Ingress and Gateway. However, as I can only give a single sharedListenerPort, this will not fly as far as I can see.

In the GatewayAPI case, you configure the listen ports in the Gateway resources and it will bind on the host ports were required. Sadly, I cannot use Gateway due to difficulty in managing many certificates for different domains https://gateway-api.sigs.k8s.io/geps/gep-1713/#yaml

In the ingress controller case the docs states https://docs.cilium.io/en/stable/network/servicemesh/ingress/

Shared Ingress: Globally via Helm flags

ingressController.hostNetwork.sharedListenerPort: Host network port to expose the Cilium ingress controller
Envoy listener. The default port is 8080. If you change it, you should choose a port number higher than 1023 (see Bind to privileged port).

Which makes sense if you look at the code:

cilium/operator/pkg/ingress/ingress_reconcile.go

Lines 234 to 244 in 567c84c

	func (r *ingressReconciler) getSharedListenerPorts() (uint32, uint32, uint32) {
	if !r.hostNetworkEnabled {
	return defaultPassthroughPort, defaultInsecureHTTPPort, defaultSecureHTTPPort
	}
	if r.hostNetworkSharedPort > 0 {
	return r.hostNetworkSharedPort, r.hostNetworkSharedPort, r.hostNetworkSharedPort
	}
	return defaultHostNetworkListenerPort, defaultHostNetworkListenerPort, defaultHostNetworkListenerPort
	}

However, I would expect to be able to provide HTTP AND HTTPS ports (and maybe even separate passthrough port?).

I did not fully analyze the remaining implementation, so I am not sure if it is as simple as allowing for three different helm values and plugging those in getSharedListenerPorts or if more logic has to be changed in other layers.

---

The relevant Cilium configuration:

  ingressController:
    enabled: true
    loadbalancerMode: shared # As we are using host port we can only have a single ingress controller
    hostNetwork:
        enabled: true
        sharedListenerPort: 80 # <---- how can we also listen on 443 to serve both HTTP and HTTPS traffic

  # We want to be able to bind our Ingress and/or Gateway to host port 80 and 443 (privileged), so we have to make some
  # changes.
  envoy:
    enabled: true
    securityContext:
      capabilities:
        keepCapNetBindService: true # Will pass the NET_BIND_SERVICE to the actual forked process
        envoy:
          # NET_ADMIN, SYS_ADMIN are defaults and taken from `envoy.securityContext.capabilities.envoy` Helm values
          - NET_ADMIN
          - SYS_ADMIN
          - NET_BIND_SERVICE # To run our Ingress/Gateway directly on 80, 443 we need this

[youngnick]

Hi @kevinvalk, please use the Bug template when logging a bug, as it will automatically set labels etc that will have your issue get seen sooner.

Are you running an upstream load balancer that needs to connect to only those ports, or are you running in a cloud that has support for Loadbalancer Services? Cilium's Ingress support works just fine when you use Loadbalancer Services to do this, as either you'll provision some upstream loadbalancer that will listen on port 80 and port 443, or you'll use Cilium's LB-IPAM support, which will open listening ports and have eBPF transparently proxy (TPROXY) any traffic arriving on those ports to the correct Envoy ports.

This also means that the Envoy installation does not need NET_ADMIN, SYS_ADMIN, NET_BIND_SERVICE, etc.

To put this another way, if you don't specify the hostNetwork setting, do things Just Work? A lot of the time they will, depending on your deployment type. hostNetwork is intended for folks who have specific upstream Loadbalancers that don't have support for Kubernetes Loadbalancer Services, so that they can manually configure a pool of backends for an Ingress service. It's not necessary unless you fall into that bucket.

[kevinvalk]

@youngnick thanks, next time will do so (and thanks for setting labels)!

I am running a pretty non-standard setup (bare metal), but it boils down to "poor man's high-availability/load balancer". Namely, a subset of nodes (using NGINX Ingress) listen on host ports 80 and 443. These nodes are exposed to the internet (on HTTP/HTTPS ports) and using External DNS I keep domains pointing to the nodes running the workloads/pods with a relatively low TTL (60s). This gives me via DNS-RR load balancing and somewhat high availability (with +60 second failover).

It is sufficient for my needs and it saves on complexity (metallb, float IPs, BGP, etc) or/and on costs (renting/setting up dedicated load balancers).

I tried the Gateway API for Cilium and it actually works as expected in my use case (host network + extra capabilities) as listeners section can specify ports 80 and 443

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-web
spec:
  gatewayClassName: example
  listeners:
  - protocol: HTTP
    port: 80
    name: prod-web-gw
    allowedRoutes:
      namespaces:
        from: Same

Sadly, I do not yet want to switch to Gateway API because the certificates are handled on the Gateway resource itself and you have a maximum of 64 listeners. The GEP-1713 provides a solution to this, but who knows when that lands https://gateway-api.sigs.k8s.io/geps/gep-1713/ on both GA of Gateway API and then also in Cilium Gateway implementation.

[cradules]

Facing the same scenario when I don't have a cloud loadbalancer or and hardware one and trying to use a DNS loadbalancer with multiple nodes from the cluster that are running Cilium.

It would be great to have the possibility to open multiple ports on nodes that we are used for ingress, or at least 443 and 80

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[kevinvalk]

I still think this is not intended behavior as the Gateway implementation is really similar and does not has this (artificial) limitation. But it is not clear to me from the code why this limitation was set in place.

[DanielvNiek]

Interested in the exact same thing. Any updates?

[youngnick]

I am also not sure why the Ingress implementation has this limitation, it is worth changing, I guess, but it is low priority, as we (as in, I) have very limited development cycles and haven't had a chance to build this.

So, if someone wants to have a go at changing this, PRs welcomed.