a separate ssh address

Saheer Babu

Oct 2, 2025, 3:04:23 AM
to Repo and Gerrit Discussion
Hi

We are planning to separate the SSH and HTTP URLs of the Gerrit service, so that we can add an application firewall for HTTP traffic.

We have our main site at review.tf.org and we want ssh to be moved to ssh.review.tf.org. We set the value for sshd.listenAddress/sshd.advertisedAddress as mentioned here:

But it gave us a validation webhook error stating ssh.listenAddress should be review.tf.org

Is it possible to listen to a separate ssh address in k8 gerrit? 

Thanks,
Saheer

Luca Milanesio

Oct 2, 2025, 3:39:47 AM
to Repo and Gerrit Discussion, Luca Milanesio

On 2 Oct 2025, at 08:04, Saheer Babu <sahee...@arm.com> wrote:

> Hi
>
> We are planning to separate the SSH and HTTP URLs of the Gerrit service, so that we can add an application firewall for HTTP traffic.
>
> We have our main site at review.tf.org and we want SSH to be moved to ssh.review.tf.org. We set the value for sshd.listenAddress/sshd.advertisedAddress as mentioned here:
>
> But it gave us a validation webhook error stating ssh.listenAddress should be review.tf.org

Validation webhook? Can you be more precise?

> Is it possible to listen to a separate ssh address in k8 gerrit?

That’s a different story: as you know, k8s-gerrit is opinionated and doesn’t really allow you to configure things outside of the “supported scenarios”.

From the code I see the following:
operator/src/main/java/com/google/gerrit/k8s/operator/gerrit/config/GerritConfigBuilder.java:        "sshd", "advertisedAddress", gerrit.getSpec().getIngress().getHost() + ":" + port);

That tells me that the ingress’ hostname is used as the advertised address; you can’t change it.

HTH

Luca.

Saheer Babu

Oct 2, 2025, 4:08:08 AM
to Luca Milanesio, Repo and Gerrit Discussion, Luca Milanesio

Thanks Luca.

> Validation webhook? Can you be more precise?

Sorry, from the admission webhook. This is the exact message from fleet logs.

cannot patch "gerrit" with kind GerritCluster: admission webhook "gerritclusters.v1beta15.validator.google.com" denied the request: Option sshd.null.listenAddress set to unsupported value ssh.review.trustedfirmware.org:29418. Expected *:29418.

> That’s a different story: as you know, k8s-gerrit is opinionated and doesn’t really allow you to configure things outside of the “supported scenarios”.

Could this be added as a supported scenario? 😊

Regards,

Saheer


Luca Milanesio

Oct 2, 2025, 4:16:16 AM
to Repo and Gerrit Discussion, Luca Milanesio


> On 2 Oct 2025, at 09:07, Saheer Babu <sahee...@arm.com> wrote:
>
> Thanks Luca.
> > Validation webhook? Can you be more precise?
> Sorry, from the admission webhook. This is the exact message from fleet logs.
> cannot patch "gerrit" with kind GerritCluster: admission webhook "gerritclusters.v1beta15.validator.google.com" denied the request: Option sshd.null.listenAddress set to unsupported value ssh.review.trustedfirmware.org:29418. Expected *:29418.
> > That’s a different story: as you know, k8s-gerrit is opinionated and doesn’t really allow you to configure things outside of the “supported scenarios”.
> Could this be added as a supported scenario? 😊

Sure, you can create a change on k8s-gerrit and the community will be happy to review.

HTH

Luca.