Kubernetes Reverse Proxy With Ingress, Service And Endpoint¶
Maybe you are wondering if Kubernetes capable of proxying requests to an external service. In which situation can it be useful? What is the benefit of it? Imagine the situation that you have a Kubernetes cluster, perfectly configured Ingresses, Services, applications, etc. Everything goes well. But you have a service which is not running inside the Kubernetes cluster, and you want to access it form the internet. Port 443 and 80 are reserved for the IngressController, so your application could not bind these ports. My situation is similar to this, but it is a little difference.
I have a Kubernetes cluster running on some VPS and at home:
- 2 VPS node have static, public ip address
- 2 node at my home are behind NAT, and don't have static ip address.
That's why my ingress pods are runnung only on the two VPS node; the IngressController DaemonSet has nodeSelector:
For simplicity I'm using dns loadbalancer between my two ingress pods.
Another important thing, that the entire Kubernetes cluster is behind Wireguard VPN, so the nodes are connected to each other inside this VPN connection.
I have a separate HomeAssistant server, and I want to access it through my static ip addresses. I think it is better than user some kind of DynDns service, and it is even impossible when you are behind CGNAT. All of my PCs (servers) connected to the same Wireguard VPN. So I want to access the HomeAssistant server through the nginx ingress.
I know that there are several other ways to access services running behind NAT or CGNAT. The simpiest is to install Wireguard to all the device from which I want to access the home assistnat server, but I think this is an interesting way to achieve my goal.
Ok let's see the solution.
Create The Service And Endpoints¶
The following fileds must mach:
The Service must not have any selector in the spec.
The HomeAssistant service is running on
This approch can also be useful if you want to access external service from inside the Kubernetes cluster. For example you have external Elasticsearch cluster with multiple ip addresses and you want to access it from a POD. You can simply define multiple ip address in the service
In the last step we define the Ingress.
That's all. Now you can access the HomeAssistant service running outside the Kubernetes cluster.
If you have configured cert-manager you may want to get a valid, public trust certificate for this ingress. You can achieve this by adding an extra annotation: