Overview
My homelab is behind a NAT and as such, I can only forward 80 and 443 to a single host, at least for IPv4.
My old setup consisted of an HAProxy server that terminated SSL and routed to various services based on the host header.
After doing some research, I discovered that you can use Endpoints to point to external services, not just ports exposed by pods.
Implementation
Like most services exposed through the cluster, an external service requires three components:
- An ingress
- A service
- A system the service targets
In this case, the Service has no pod selector; instead it is backed by an Endpoints object that we create by hand and point at the external host:
external-service.yml
# Endpoints object created by hand: it carries the address of the external host.
apiVersion: v1
kind: Endpoints
metadata:
  name: auth-zerosla-com        # must match the Service name below
  namespace: default
subsets:
  - addresses:
      # Placeholder from the original post: 500 is not a valid IPv4 octet and the
      # API server will reject it, so replace it with the real host address.
      - ip: 10.1.0.500
    ports:
      - port: 8181
        name: http              # port name must match the Service port name
---
apiVersion: v1
kind: Service
metadata:
  name: auth-zerosla-com
  namespace: default
spec:
  clusterIP: None               # headless and without a selector, so Kubernetes leaves the Endpoints alone
  ports:
    - port: 80
      name: http                # mapped to the endpoint port named "http" (8181) above
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: external-auth.zerosla.com
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "302"
    haproxy.org/ssl-redirect-port: "443"
spec:
  ingressClassName: haproxy
  tls:
    - hosts:
        - auth.zerosla.com
      secretName: auth-zerosla-com-tls
  rules:
    - host: auth.zerosla.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: auth-zerosla-com
                port:
                  number: 80
After applying the config, the Ingress is created and cert-manager begins the certificate request; once the certificate is issued, the ingress controller terminates SSL for your remote service! Note that the hop from the ingress controller to the external host on port 8181 is plain HTTP, so keep that path on a network you trust.
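A small pre-apply sanity check for this pattern, added here as an example and not part of the original post: it mirrors the page's Endpoints and Service as constructed Python dicts and flags what the API server or the ingress controller would trip over, including the invalid 10.1.0.500 placeholder, addresses Kubernetes refuses in Endpoints, and a Service/Endpoints port-name mismatch.

```python
import ipaddress

# Constructed Python-dict copies of the page's Endpoints and Service manifests
# (a real check would load them from the YAML file with a library such as PyYAML).
ENDPOINTS = {
    "kind": "Endpoints",
    "metadata": {"name": "auth-zerosla-com", "namespace": "default"},
    "subsets": [{"addresses": [{"ip": "10.1.0.500"}],
                 "ports": [{"port": 8181, "name": "http"}]}],
}
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "auth-zerosla-com", "namespace": "default"},
    "spec": {"clusterIP": None, "ports": [{"port": 80, "name": "http"}]},
}

# IPv4 ranges the Kubernetes API server refuses in Endpoints addresses:
# loopback, link-local and link-local multicast.
FORBIDDEN = [ipaddress.ip_network(n)
             for n in ("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/24")]

def check_external_backend(endpoints, service):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    em, sm = endpoints["metadata"], service["metadata"]
    # The ingress controller pairs a Service with Endpoints by name and namespace.
    if (em["name"], em.get("namespace")) != (sm["name"], sm.get("namespace")):
        problems.append("Service and Endpoints name/namespace differ")
    if service["spec"].get("selector"):
        problems.append("Service has a selector, so its Endpoints would be overwritten")
    ep_port_names = set()
    for subset in endpoints.get("subsets", []):
        for addr in subset.get("addresses", []):
            try:
                ip = ipaddress.ip_address(addr["ip"])
            except ValueError:
                problems.append(f"invalid IP {addr['ip']!r}")
                continue
            if any(ip in net for net in FORBIDDEN):
                problems.append(f"{ip} is in a range the API server rejects")
        for p in subset.get("ports", []):
            if not 1 <= p["port"] <= 65535:
                problems.append(f"port {p['port']} out of range")
            ep_port_names.add(p.get("name"))
    # Without a selector, a Service port is mapped to an endpoint port by name.
    for p in service["spec"]["ports"]:
        if p.get("name") not in ep_port_names:
            problems.append(f"service port {p.get('name')!r} has no endpoint port")
    return problems
```

Run against the page's manifests it reports the bad IP; with a valid address and matching port names it returns an empty list.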