xray: drop dead vless ingress + pin Service target_port
The xray-vless ingress, Service port 6443, and container port 6443 had
no backing listener — xray.config.json only binds 7443 (REALITY), 8443
(WS) and 9443 (XHTTP). The "xray-vless" hostname was returning 502
since the module was created.
Side effect: removing the first Service port slot ("vless"/6443) caused
the kubernetes provider to shift targetPort values on the remaining
two ports (defaulting only worked at create time, not on port removal).
Pinning target_port explicitly makes Service routing deterministic.
End-to-end verified: REALITY via public IP:8080 (pfSense forward 8080
-> 10.0.20.200:7443), WS via Cloudflare, XHTTP via Cloudflare — all
three transports proxied successfully through a test pod, egress IP
correctly resolves to the home WAN.
parent
ae874e028d
commit
6218868ea5
1 changed files with 8 additions and 28 deletions
|
|
@ -91,10 +91,6 @@ resource "kubernetes_deployment" "xray" {
|
||||||
image = "teddysun/xray"
|
image = "teddysun/xray"
|
||||||
name = "xray"
|
name = "xray"
|
||||||
image_pull_policy = "IfNotPresent"
|
image_pull_policy = "IfNotPresent"
|
||||||
port {
|
|
||||||
container_port = 6443 // vless
|
|
||||||
protocol = "TCP"
|
|
||||||
}
|
|
||||||
port {
|
port {
|
||||||
container_port = 7443 // reality
|
container_port = 7443 // reality
|
||||||
protocol = "TCP"
|
protocol = "TCP"
|
||||||
|
|
@ -174,19 +170,16 @@ resource "kubernetes_service" "xray" {
|
||||||
app = "xray"
|
app = "xray"
|
||||||
}
|
}
|
||||||
port {
|
port {
|
||||||
name = "vless"
|
name = "websocket"
|
||||||
port = 6443
|
port = 8443
|
||||||
protocol = "TCP"
|
target_port = 8443
|
||||||
|
protocol = "TCP"
|
||||||
}
|
}
|
||||||
port {
|
port {
|
||||||
name = "websocket"
|
name = "grpc"
|
||||||
port = 8443
|
port = 9443
|
||||||
protocol = "TCP"
|
target_port = 9443
|
||||||
}
|
protocol = "TCP"
|
||||||
port {
|
|
||||||
name = "grpc"
|
|
||||||
port = 9443
|
|
||||||
protocol = "TCP"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -249,16 +242,3 @@ module "ingress_grpc" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "ingress_vless" {
|
|
||||||
source = "../../../../modules/kubernetes/ingress_factory"
|
|
||||||
# VPN protocol (VLESS) — native xray clients, not browsers.
|
|
||||||
# auth = "none": VPN protocol (VLESS) — native xray clients, not browsers; forward-auth incompatible.
|
|
||||||
auth = "none"
|
|
||||||
dns_type = "proxied"
|
|
||||||
namespace = kubernetes_namespace.xray.metadata[0].name
|
|
||||||
name = "xray-vless"
|
|
||||||
service_name = "xray"
|
|
||||||
host = "xray-vless"
|
|
||||||
port = 6443
|
|
||||||
tls_secret_name = var.tls_secret_name
|
|
||||||
}
|
|
||||||
|
|
|
||||||
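Review bot: The container in the first hunk still pulls `image = "teddysun/xray"` with no tag or digest and `image_pull_policy = "IfNotPresent"`, so each node runs whatever `latest` resolved to when it first cached the image, and the end-to-end check in the commit message holds only for that cached build. For a third-party image that carries all proxy traffic, pin it to the verified build, for example `image = "teddysun/xray:<verified-tag>@sha256:<digest>"` (placeholders; read both values from the running pod). Separately, the Service port on 9443 keeps `name = "grpc"` although the commit message describes 9443 as the XHTTP listener; a comment such as `// XHTTP transport; port name kept as "grpc"` would spare the next reader the kind of mismatch that left 6443 unnoticed. The `kubernetes_deployment` and `kubernetes_service` blocks both start outside the hunks shown.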