TCP service exposing , is it possible with contour?

[dimashenkov]

Discussed in #6645

^{Originally posted by dimashenkov August 27, 2024}
Is this enough to expose tcp service ? I have difficulties , traffic on 443 and 80 works but on port 4222 cant pass through

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: nats-server-nats-blackpearl-dev-product-frankfurt-****-cloud
  namespace: blackpearl
  labels:
    argocd.argoproj.io/instance: nats-blackpearl-qa
spec:
  ingressClassName: contour-private
  tcpproxy:
    healthCheckPolicy:
      healthyThresholdCount: 5
      intervalSeconds: 5
      timeoutSeconds: 2
      unhealthyThresholdCount: 3
    services:
      - name: nats-server
        port: 4222
  virtualhost:
    fqdn: nats.blackpearl.dev.product.frankfurt.****.cloud
    tls:
      secretName: wildcard-tls

kc get svc -n contour-private                  
NAME                    TYPE           CLUSTER-IP       EXTERNAL-IP                                                                        PORT(S)                                     AGE
contour-private         ClusterIP      172.20.223.171   <none>                                                                             8001/TCP                                    5h55m
contour-private-envoy   LoadBalancer   172.20.236.186   a34aabb*********-020698b179c02278.elb.eu-central-1.amazonaws.com   80:31661/TCP,443:30803/TCP,4222:31010/TCP 

telnet a34*********79c02278.elb.eu-central-1.amazonaws.com 4222
Trying 10.2.11.1...
telnet: connect to address 10.2.11.1: Connection refused
Trying 10.2.46.242...
telnet: connect to address 10.2.46.242: Connection refused
Trying 10.2.24.156...
telnet: connect to address 10.2.24.156: Connection refused
telnet: Unable to connect to remote host

This Endpoints: 10.2.11.129:4222,10.2.11.50:4222,10.2.13.186:4222 + 13 more also give Connection refused

kc describe svc contour-private-envoy -n contour-private     
Name:                     contour-private-envoy
Namespace:                contour-private
Labels:                   app.kubernetes.io/component=envoy
                          app.kubernetes.io/instance=product-dev-02-contour-private
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=contour-private
                          argocd.argoproj.io/instance=product-dev-02-contour-private
                          helm.sh/chart=contour-10.1.3
Annotations:              service.beta.kubernetes.io/aws-load-balancer-internal: true
                          service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-0936f17847f1177e7, subnet-0e41fc50ea4bddaf5, subnet-0febea0039995e959
                          service.beta.kubernetes.io/aws-load-balancer-type: nlb
Selector:                 app.kubernetes.io/component=envoy,app.kubernetes.io/instance=product-dev-02-contour-private,app.kubernetes.io/name=contour-private
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.20.236.186
IPs:                      172.20.236.186
LoadBalancer Ingress:     a34aabbf06a9345a********8b179c02278.elb.eu-central-1.amazonaws.com
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  31661/TCP
Endpoints:                10.2.11.129:8080,10.2.11.50:8080,10.2.13.186:8080 + 13 more...
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  30803/TCP
Endpoints:                10.2.11.129:8443,10.2.11.50:8443,10.2.13.186:8443 + 13 more...
Port:                     nats  4222/TCP
TargetPort:               4222/TCP
NodePort:                 nats  31010/TCP
Endpoints:                10.2.11.129:4222,10.2.11.50:4222,10.2.13.186:4222 + 13 more...
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     32479
Events:                   <none>
```</div>

[github-actions]

Hey @dimashenkov! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

• After 60d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

• Mark this Issue as fresh by commenting
• Close this Issue
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[tsaarni]

HTTPProxy can only be reached in HTTP and HTTPS ports. Just to clarify, HTTPProxy.spec.tcpproxy.services.port specifies the target port of the service and does not assign new listening ports for Envoy. When setting up HTTPProxy.spec.tcpproxy connections to the HTTPS port with TLS SNI matching HTTPProxy.spec.tcpproxy.virtualhost.fqdn will be proxied to upstream service defined in HTTPProxy.spec.tcpproxy.services.

The Gateway API’sGateway and TCPProxy(link) allow for listening on arbitrary ports by utilizing Contour Gateway provisioner. For further details on Gateway provisioner, refer to the document here.