bubuntux / nordlynx

GNU General Public License v3.0

Cannot reverse-proxy into qBitTorrent using kubernetes #169

Closed RossWilliamson closed 2 months ago

RossWilliamson commented 2 months ago

Describe the bug

When using Kubernetes with a ClusterIP service, trying to reverse proxy into a qbittorrent container, the connection times out. I see a similar issue if I try to port-forward into the pod or use NodePort. If I use a LoadBalancer with an IP address I can then access the webGUI of the service. Note that removing the nordlynx container makes the reverse proxy work as expected, so it's something to do with the settings in the nordlynx container (iptables maybe).

To Reproduce using docker CLI

Full command needs to be provided (hide credentials): `kubectl apply -f qbittorrentvpn.yaml`

To Reproduce using kubectl

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: qbittorrentvpn
  namespace: servarr
spec:
  replicas: 1
  selector:
    matchLabels:
      app: qbittorrentvpn
  strategy: 
    type: Recreate
  template:
    metadata:
      labels:
        app: qbittorrentvpn
    spec:
      initContainers:
        - name: init-sysctl
          image: busybox
          command: ["/bin/sh"]
          args:
            - -c
            - >-
                sysctl -w net.ipv6.conf.all.disable_ipv6=1 &&
                sysctl -w net.ipv4.conf.all.src_valid_mark=1
          securityContext:
            privileged: true
      containers:
        - name: nordvpn 
          image: ghcr.io/bubuntux/nordlynx
          env:
            - name: TZ
              value: America/Los_Angeles
            - name: NET_LOCAL
              value: 192.168.0.0/21
            - name: PRIVATE_KEY 
              valueFrom: 
                secretKeyRef:
                  name: nordvpn-secret
                  key: privatekey 
          imagePullPolicy: Always
          #ports:
          #  - containerPort: 8081
          #    protocol: TCP
          securityContext:
            capabilities:
              add: 
                - NET_ADMIN

        - name: qbittorrent 
          image: lscr.io/linuxserver/qbittorrent:latest
          env:
            - name: TZ
              value: America/Los_Angeles
            - name: PUID
              value: "1000"
            - name: PGID
              value: "1000"
            - name: WEBUI_PORT
              value: "8081"
            - name: TORRENTING_PORT
              value: "6881"
          imagePullPolicy: Always
          ports:
            - containerPort: 8081
              protocol: TCP
            - containerPort: 6881
              protocol: TCP
            - containerPort: 6881
              protocol: UDP
          volumeMounts:
            - name: config-volume
              mountPath: "/config"
            - name: servarr-media 
              mountPath: "/data"
              subPath: torrents
      volumes:
        - name: config-volume
          persistentVolumeClaim:
            claimName: qbittorrentvpn-dm 
        - name: servarr-media 
          persistentVolumeClaim:
            claimName: servarr-nfs 
---
apiVersion: v1
kind: Service
metadata:
  name: qbittorrent-udp
  namespace: servarr
spec:
  #type: LoadBalancer
  #externalTrafficPolicy: Local
  #loadBalancerIP: 192.168.1.180
  type: ClusterIP
  ports:
    - name: torrent-udp
      port: 6881
      targetPort: 6881
      protocol: UDP
  selector:
    app: qbittorrentvpn
---
apiVersion: v1
kind: Service
metadata:
  name: qbittorrent
  namespace: servarr
spec:
  #type: LoadBalancer
  #externalTrafficPolicy: Local
  #loadBalancerIP: 192.168.1.180
  type: ClusterIP
  ports:
    - name: qbittorrent-port
      port: 80
      targetPort: 8081
    - name: torrent-port
      port: 6881
      targetPort: 6881
      protocol: TCP
  selector:
    app: qbittorrentvpn
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: servarr # Same namespace as the deployment
  name: qbittorrent-ingress # Name of the ingress (see kubectl get ingress -A)
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size:  50m 
    nginx.ingress.kubernetes.io/proxy-read-timeout:  "3600" 
    nginx.ingress.kubernetes.io/proxy-write-timeout:  "3600" 
spec:
  ingressClassName: nginx
  rules:
  - host: <redacted>
    http:
      paths:
        - path: /  
          pathType: Prefix
          backend:
            service:
              name: qbittorrent 
              port:
                number: 80

Expected behavior

Expect to be able to connect to internal container webgui via nginx reverse proxy

Logs

Focus on error or warning messages; if not available, post the entire logs.

Additional context

K3s used

RossWilliamson commented 2 months ago

As always, I think I worked it out after posting the issue. For anybody who is running into this problem: I needed to add the service into the ALLOW_LIST and add in the IP range of the ClusterIP service. My env now looks like this:

            - name: TZ
              value: America/Los_Angeles
            - name: NET_LOCAL
              value: 192.168.0.0/21, 10.43.0.0/14
            - name: ALLOW_LIST
              value: qbittorrent.servarr.svc.cluster.local
            - name: PRE_UP
              value: cp /etc/resolv.conf /etc/resolv.conf.orig
            - name: POST_UP
              value: cat /etc/resolv.conf.orig > /etc/resolv.conf
            - name: PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  name: nordvpn-secret
                  key: privatekey
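The fix above hinges on which destination ranges NET_LOCAL keeps off the WireGuard tunnel. The following is an added example, not code from the bubuntux/nordlynx project or from the issue author: it treats NET_LOCAL as a plain comma-separated list of CIDRs that bypass the VPN (it does not model the image's actual iptables or routing rules), parses a value in the same form as the one posted above, and checks whether the ranges an in-cluster reverse proxy needs are covered. The pod CIDR matters as well as the service CIDR, because an ingress controller connects from its own pod IP and kube-proxy only DNATs the ClusterIP to the backend pod, so replies must route back to the pod network. The k3s defaults used here (pod CIDR 10.42.0.0/16, service CIDR 10.43.0.0/16) are k3s's documented defaults; the sample destination addresses are constructed for the demonstration.

```python
"""Check which destinations a nordlynx-style NET_LOCAL list keeps off the tunnel.

Added example (not project code): NET_LOCAL is modelled as a list of CIDRs
that bypass the VPN. Cluster ranges below are the k3s defaults; adjust them
to your cluster (see `kubectl cluster-info dump | grep -m1 -E 'cluster-cidr|service-cidr'`).
"""
import ipaddress

# k3s defaults for --cluster-cidr (pods) and --service-cidr (ClusterIPs).
K3S_POD_CIDR = ipaddress.ip_network("10.42.0.0/16")
K3S_SERVICE_CIDR = ipaddress.ip_network("10.43.0.0/16")


def parse_net_local(value):
    """Parse a NET_LOCAL string such as "192.168.0.0/21, 10.43.0.0/14".

    Returns (networks, warnings). An entry with host bits set is accepted but
    reported, because the normalized network (10.43.0.0/14 -> 10.40.0.0/14)
    is what actually ends up excluded from the tunnel.
    """
    networks, warnings = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if str(net) != entry:
            warnings.append(f"{entry} has host bits set; treated as {net}")
        networks.append(net)
    return networks, warnings


def bypasses_tunnel(networks, dest):
    """True if dest is inside some NET_LOCAL range (reply leaves via the pod's eth0, not wg0)."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in networks if net.version == addr.version)


def missing_cluster_ranges(networks, pod_cidr=K3S_POD_CIDR, service_cidr=K3S_SERVICE_CIDR):
    """Return the cluster ranges NET_LOCAL does not fully cover.

    Both are needed for a reverse proxy inside the cluster: the ClusterIP the
    proxy dials, and the pod CIDR the proxy's own source address comes from.
    """
    missing = []
    for label, cidr in (("pod CIDR", pod_cidr), ("service CIDR", service_cidr)):
        covered = any(cidr.subnet_of(net) for net in networks if net.version == cidr.version)
        if not covered:
            missing.append(f"{label} {cidr}")
    return missing


if __name__ == "__main__":
    # Constructed sample destinations: a LAN client, a ClusterIP, an
    # ingress-nginx pod, and a public address that must stay on the VPN.
    samples = {
        "192.168.1.50": "LAN client",
        "10.43.20.7": "ClusterIP (qbittorrent service)",
        "10.42.0.15": "ingress-nginx pod",
        "93.184.216.34": "Internet (must use the tunnel)",
    }
    for name, value in (("original", "192.168.0.0/21"),
                        ("fixed", "192.168.0.0/21, 10.43.0.0/14")):
        nets, warns = parse_net_local(value)
        print(f"NET_LOCAL ({name}) = {value!r} -> {[str(n) for n in nets]}")
        for w in warns:
            print("  warning:", w)
        for ip, what in samples.items():
            route = "bypasses tunnel" if bypasses_tunnel(nets, ip) else "via wg0"
            print(f"  {ip:15} {what:32} {route}")
        print("  missing cluster ranges:", missing_cluster_ranges(nets) or "none")
```

Run against the two values from this thread, the check reports that the original `192.168.0.0/21` leaves both the pod and service CIDRs on the tunnel (so the ingress controller's connection is answered out of wg0 and times out), and that `10.43.0.0/14` normalizes to `10.40.0.0/14`, which covers the default service CIDR and, as a side effect of the /14, the default pod CIDR 10.42.0.0/16 as well. If you prefer an exact list, `10.42.0.0/16, 10.43.0.0/16` covers the same cluster traffic without the extra addresses.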
RossWilliamson commented 2 months ago

Closing