chore(docs): add doc on non-http ingress #1166

Merged (4 commits, Jan 10, 2025)

Conversation

mjnagel (Contributor) commented Jan 9, 2025

Description

Documents the resources/configuration necessary to allow non-http ingress into a UDS Cluster (with Istio).

Related Issue

Fixes #748

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

While the doc can be read and reviewed, I stepped through this on k3d with an example pod to validate my own docs. The steps I used are included below for convenience/reference. These should align with the doc 1:1, just substituting real workloads/values where needed instead of the example ones.

Create a folder + file for a new bundle, bundles/base-ssh/uds-bundle.yaml. The file contents should be:

kind: UDSBundle
metadata:
  name: base-ssh
  version: "dev"

packages:
  - name: init
    repository: ghcr.io/zarf-dev/packages/init
    ref: v0.45.0

  - name: core-base
    repository: ghcr.io/defenseunicorns/packages/private/uds/core-base
    ref: 0.33.1-unicorn
    overrides:
      istio-tenant-gateway:
        gateway:
          values:
            - path: "service.ports"
              value:
                - name: status-port
                  port: 15021
                  protocol: TCP
                  targetPort: 15021
                - name: http2
                  port: 80
                  protocol: TCP
                  targetPort: 80
                - name: https
                  port: 443
                  protocol: TCP
                  targetPort: 443
                - name: tcp-ssh
                  port: 2022
                  protocol: TCP
                  targetPort: 22

Run the below commands to deploy core with a pod listening for SSH connections:

# The extra args here allow us to expose port 2022 on the host and map it into the ingress gateway
uds zarf package deploy oci://defenseunicorns/uds-k3d:0.11.0 --set K3D_EXTRA_ARGS='-p 2022:2022@server:*' --set NGINX_EXTRA_PORTS='[2022]' --confirm

# Create our bundle
uds create bundles/base-ssh --confirm

# Deploy our bundle (note that the architecture may be different for you)
uds deploy bundles/base-ssh/uds-bundle-base-ssh-arm64-dev.tar.zst --confirm

# Create our gateway
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ssh-gateway
  namespace: istio-tenant-gateway
spec:
  selector:
    app: tenant-ingressgateway
  servers:
    - hosts:
      - ssh.uds.dev
      port:
        name: tcp-ssh
        number: 22
        protocol: TCP
EOF

# Create our virtualservice
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ssh
  namespace: uds-dev-stack
spec:
  gateways:
    - istio-tenant-gateway/ssh-gateway
  hosts:
    - ssh.uds.dev
  tcp:
    - match:
        - port: 22
      route:
        - destination:
            host: ssh-service.uds-dev-stack.svc.cluster.local
            port:
              number: 22
EOF

# Note that this assumes you have a public key setup at ~/.ssh/id_rsa.pub
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: docker-ssh-pod
  namespace: uds-dev-stack
  labels:
    app: docker-ssh
    zarf.dev/agent: ignore
spec:
  containers:
  - name: docker-ssh
    image: serversideup/docker-ssh:latest
    ports:
    - containerPort: 2222
    env:
    - name: AUTHORIZED_KEYS
      value: "$(cat ~/.ssh/id_rsa.pub)"
EOF

# Create a service for our pod
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ssh-service
  namespace: uds-dev-stack
  labels:
    app: docker-ssh
spec:
  selector:
    app: docker-ssh
  ports:
  - protocol: TCP
    port: 22
    targetPort: 2222
  type: ClusterIP
EOF

# Note that this assumes you have the private key at ~/.ssh/id_rsa
ssh -p 2022 -i ~/.ssh/id_rsa [email protected]

Checklist before merging
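The steps above wire together four resources, and the usual failure is a port or name that does not line up between two of them (a Gateway port that is not a targetPort on the gateway Service, a VirtualService destination that uses the containerPort instead of the Service port, a host that no Gateway server serves). The check below is an added example, not code from the PR or from uds-core: it takes the PR's manifests as constructed Python dicts (so it runs without PyYAML or a cluster), verifies each link in the chain, and reports the host-facing port a client must use. It also records the security-relevant property of this pattern: a TCP server on an Istio Gateway without a tls block is plaintext passthrough at the edge, so the gateway terminates no TLS and applies no HTTP-layer authentication; the backend protocol has to provide both, as SSH does. The function names, the host-matching helper and the 'notes' wording are this example's own assumptions.

```python
"""Added example (not from the PR or uds-core): static consistency check for the
TCP ingress chain: gateway Service port -> Gateway server -> VirtualService tcp
route -> backend Service -> Pod. All resources are constructed dicts that mirror
the PR's manifests; helper names are this example's own assumptions."""
import copy

# istio-tenant-gateway Service ports after the bundle override (constructed)
GATEWAY_SERVICE_PORTS = [
    {"name": "status-port", "port": 15021, "protocol": "TCP", "targetPort": 15021},
    {"name": "http2", "port": 80, "protocol": "TCP", "targetPort": 80},
    {"name": "https", "port": 443, "protocol": "TCP", "targetPort": 443},
    {"name": "tcp-ssh", "port": 2022, "protocol": "TCP", "targetPort": 22},
]
GATEWAY = {  # networking.istio.io/v1beta1 Gateway (constructed)
    "metadata": {"name": "ssh-gateway", "namespace": "istio-tenant-gateway"},
    "spec": {"selector": {"app": "tenant-ingressgateway"},
             "servers": [{"hosts": ["ssh.uds.dev"],
                          "port": {"name": "tcp-ssh", "number": 22, "protocol": "TCP"}}]},
}
VIRTUAL_SERVICE = {  # networking.istio.io/v1beta1 VirtualService (constructed)
    "metadata": {"name": "ssh", "namespace": "uds-dev-stack"},
    "spec": {"gateways": ["istio-tenant-gateway/ssh-gateway"], "hosts": ["ssh.uds.dev"],
             "tcp": [{"match": [{"port": 22}],
                      "route": [{"destination": {
                          "host": "ssh-service.uds-dev-stack.svc.cluster.local",
                          "port": {"number": 22}}}]}]},
}
BACKEND_SERVICE = {  # v1 Service in front of the sshd pod (constructed)
    "metadata": {"name": "ssh-service", "namespace": "uds-dev-stack"},
    "spec": {"selector": {"app": "docker-ssh"},
             "ports": [{"protocol": "TCP", "port": 22, "targetPort": 2222}]},
}
BACKEND_POD = {  # v1 Pod running sshd on 2222 (constructed)
    "metadata": {"name": "docker-ssh-pod", "namespace": "uds-dev-stack",
                 "labels": {"app": "docker-ssh", "zarf.dev/agent": "ignore"}},
    "spec": {"containers": [{"name": "docker-ssh", "ports": [{"containerPort": 2222}]}]},
}


def host_matches(vs_host, gw_host):
    """Istio-style host match: exact, '*', or a single leading wildcard label."""
    if gw_host in ("*", vs_host):
        return True
    return gw_host.startswith("*.") and vs_host.endswith(gw_host[1:])


def check_tcp_ingress(gw_svc_ports, gateway, vs, svc, pod):
    """Return {'problems': [...], 'notes': [...], 'external_ports': {gw_port: host_port}}.
    'problems' break the chain; 'notes' are security-relevant facts, not errors."""
    problems, notes, external = [], [], {}
    gw_ref = f"{gateway['metadata']['namespace']}/{gateway['metadata']['name']}"
    if gw_ref not in vs["spec"].get("gateways", []):
        problems.append(f"VirtualService does not bind gateway {gw_ref}")
    servers = [s for s in gateway["spec"]["servers"] if s["port"]["protocol"] == "TCP"]
    for s in servers:
        num = s["port"]["number"]
        # the Gateway listens on 'number' inside the pod, so it must be a Service targetPort
        exposed = [p for p in gw_svc_ports
                   if p.get("targetPort", p["port"]) == num and p.get("protocol", "TCP") == "TCP"]
        if exposed:
            external[num] = exposed[0]["port"]  # the port clients actually connect to
        else:
            problems.append(f"Gateway port {num} is not a targetPort of the ingress gateway Service")
        if "tls" not in s:
            notes.append(f"Gateway port {num} is plaintext TCP passthrough: no TLS termination and "
                         "no HTTP-layer auth at the gateway; the backend protocol must provide its own")
    server_ports = {s["port"]["number"] for s in servers}
    for rule in vs["spec"].get("tcp", []):
        for m in rule.get("match", []):
            if m["port"] not in server_ports:
                problems.append(f"VirtualService matches port {m['port']} that no Gateway TCP server listens on")
        for route in rule["route"]:
            dest = route["destination"]
            parts = dest["host"].split(".")  # 'name' or 'name.namespace[.svc.cluster.local]'
            name, ns = parts[0], (parts[1] if len(parts) > 1 else vs["metadata"]["namespace"])
            if (name, ns) != (svc["metadata"]["name"], svc["metadata"]["namespace"]):
                problems.append(f"destination {dest['host']} is not Service {ns}/{name}")
            if dest["port"]["number"] not in {p["port"] for p in svc["spec"]["ports"]}:
                problems.append(f"destination port {dest['port']['number']} is not a Service port "
                                "(the route targets the Service port, not the containerPort)")
    for h in vs["spec"]["hosts"]:
        if not any(host_matches(h, gh) for s in servers for gh in s["hosts"]):
            problems.append(f"VirtualService host {h} is not served by any Gateway TCP server")
    labels = pod["metadata"].get("labels", {})
    if any(labels.get(k) != v for k, v in svc["spec"]["selector"].items()):
        problems.append("Service selector does not match the Pod labels")
    declared = {p["containerPort"] for c in pod["spec"]["containers"] for p in c.get("ports", [])}
    for p in svc["spec"]["ports"]:
        tp = p.get("targetPort", p["port"])
        if tp not in declared:
            notes.append(f"Service targetPort {tp} is not a declared containerPort (works, but undocumented)")
    return {"problems": problems, "notes": notes, "external_ports": external}


def with_destination_port(vs, number):
    """Copy of a VirtualService with every tcp destination port replaced (to show a mismatch)."""
    out = copy.deepcopy(vs)
    for rule in out["spec"]["tcp"]:
        for route in rule["route"]:
            route["destination"]["port"]["number"] = number
    return out
```

Running `check_tcp_ingress(GATEWAY_SERVICE_PORTS, GATEWAY, VIRTUAL_SERVICE, BACKEND_SERVICE, BACKEND_POD)` on the PR's resources reports no problems, one passthrough note for port 22, and `external_ports == {22: 2022}`, which is why the ssh command above uses `-p 2022`. Swapping the destination port for the containerPort with `with_destination_port(VIRTUAL_SERVICE, 2222)` produces the mismatch message, the mistake this check exists to catch.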

@mjnagel mjnagel self-assigned this Jan 9, 2025
@mjnagel mjnagel marked this pull request as ready for review January 10, 2025 15:16
@mjnagel mjnagel requested a review from a team as a code owner January 10, 2025 15:16
UnicornChance (Contributor) previously approved these changes Jan 10, 2025 and commented:
LGTM, ran through the testing steps and everything worked for me

noahpb (Contributor) left a comment:

small nit things but otherwise very nice writeup!

Two review comments on docs/reference/configuration/non-http-ingress.md (outdated, resolved)
@mjnagel mjnagel merged commit 0783525 into main Jan 10, 2025
10 checks passed
@mjnagel mjnagel deleted the non-http-ingress-doc branch January 10, 2025 22:53
Linked issue #748: Document/examples for additional ingress gateways / non-HTTP traffic