I have a question about HTTPS certificates for ingress in Kubernetes. My goal is to access a service within the cluster using a domain name I registered (lunalovegood.dev) with the registrar (hostinger.com).
I am using a Kubernetes cluster with Docker Desktop. First, I installed the NGINX ingress controller and cert-manager from their official pages. Here are the commands I used:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
The result when I run the command kubectl get svc -n ingress-nginx is:
NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.107.106.76   localhost     80:31499/TCP,443:31489/TCP   11s
ingress-nginx-controller-admission   ClusterIP      10.105.42.37    <none>        443/TCP                      11s
Since the EXTERNAL-IP of the ingress-nginx-controller is localhost, I logged in to the default gateway of my Wi-Fi network, set up port forwarding for ports 1-32767 from my router to my computer, and created a DNS A record pointing my domain to the router's IP address.
Then, following the documentation of cert-manager, I applied the following manifest file:
apiVersion: v1
kind: Namespace
metadata:
  name: kuard
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: kuard
  name: kuard
spec:
  selector:
    matchLabels:
      app: kuard
  replicas: 1
  template:
    metadata:
      labels:
        app: kuard
    spec:
      containers:
      - image: gcr.io/kuar-demo/kuard-amd64:1
        imagePullPolicy: Always
        name: kuard
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  namespace: kuard
  name: kuard
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  - port: 443
    targetPort: 8080
    protocol: TCP
    name: https
  selector:
    app: kuard
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: quickstart-example-tls
  namespace: kuard
spec:
  secretName: quickstart-example-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
  - lunalovegood.dev
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  namespace: kuard
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - lunalovegood.dev
    secretName: quickstart-example-tls
  rules:
  - host: lunalovegood.dev
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kuard
            port:
              number: 443
I expected that accessing https://lunalovegood.dev in the browser would display the HTML page of the pod.
I thought the connection would be forwarded as follows: lunalovegood.dev -> my router's IP, port 443 (via the DNS record) -> my computer, port 443 (since I forwarded the port) -> ingress -> service defined in the ingress -> service -> pod.
However, it does not work; it only works with http:// and the IP address of the router. The browser always says "connection isn't secure" if I try to use https://<router's ip>, https://<domain> or https://<ip>.
I then tried creating a cluster on Azure, thinking port forwarding might not make it appear as an actual node with a real IP address. I followed the same steps (without port forwarding, and the DNS record was assigned to the EXTERNAL-IP of the ingress-nginx-controller).
I have been stuck here for days. Thanks for your help.
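The setup above has several points where "connection isn't secure" can originate: the Certificate may never become Ready (the HTTP-01 challenge must be fetched by Let's Encrypt over plain HTTP on port 80), ingress-nginx serves its built-in self-signed "Kubernetes Ingress Controller Fake Certificate" whenever the TLS secret does not exist or the host does not match, and a certificate from the letsencrypt-staging issuer is untrusted by every browser by design, so it produces exactly that warning even when issuance succeeded. The script below is an added diagnostic example, not the asker's code and not part of cert-manager or ingress-nginx. It reads the JSON that `kubectl get certificate -o json` produces (a constructed sample is embedded), builds the challenge URL you can fetch from outside your network, and maps the OpenSSL verify error from a live TLS connection to the likely cause. The hostname argument, the sample JSON and the `probe` helper are assumptions for illustration.

```python
"""Diagnose 'connection isn't secure' for cert-manager + ingress-nginx.

Offline helpers:
  cert_status(json_text)            -> summary of the Certificate's Ready condition
  challenge_url(domain, token)      -> the HTTP-01 URL the ACME server fetches (port 80)
  interpret_tls_failure(verify_msg) -> likely cause for an OpenSSL verify failure
Live mode (network required):  python diag.py lunalovegood.dev
"""
import json
import socket
import ssl
import sys

# Constructed sample of `kubectl get certificate -n kuard quickstart-example-tls -o json`
# while issuance is still pending. Not real output from the asker's cluster.
SAMPLE_CERT_JSON = json.dumps({
    "kind": "Certificate",
    "metadata": {"name": "quickstart-example-tls", "namespace": "kuard"},
    "spec": {"dnsNames": ["lunalovegood.dev"], "secretName": "quickstart-example-tls"},
    "status": {"conditions": [
        {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
         "message": "Issuing certificate as Secret does not exist"},
        {"type": "Ready", "status": "False", "reason": "DoesNotExist",
         "message": "Issuing certificate as Secret does not exist"},
    ]},
})


def cert_status(cert_json: str) -> dict:
    """Summarise the Ready condition of a cert-manager Certificate resource."""
    cert = json.loads(cert_json)
    conds = cert.get("status", {}).get("conditions", [])
    ready = next((c for c in conds if c.get("type") == "Ready"), None)
    if ready is None:
        # No conditions at all: cert-manager has not reconciled the object yet.
        return {"ready": False, "reason": "NoReadyCondition",
                "message": "cert-manager has not reconciled this Certificate yet"}
    return {"ready": ready.get("status") == "True",
            "reason": ready.get("reason", ""),
            "message": ready.get("message", "")}


def challenge_url(domain: str, token: str) -> str:
    """HTTP-01 validation URL. Let's Encrypt fetches it over plain HTTP on port 80,
    so port 80 must reach the ingress from the internet even if you only care about 443."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


# Substrings of OpenSSL verify messages (normalised to lower case, hyphens as spaces)
# mapped to what they usually mean in this ingress-nginx + cert-manager setup.
VERIFY_HINTS = [
    ("self signed certificate",
     "ingress-nginx served its built-in 'Kubernetes Ingress Controller Fake Certificate': "
     "the TLS secret does not exist yet or the Ingress host does not match"),
    ("unable to get local issuer certificate",
     "the chain is not trusted by this machine: expected for Let's Encrypt staging "
     "certificates, which browsers never trust; switch the issuer to production once staging works"),
    ("hostname mismatch",
     "a certificate was served but not for this name: check spec.dnsNames and the Ingress hosts entry"),
    ("certificate has expired",
     "the issued certificate expired and cert-manager did not renew it"),
]


def interpret_tls_failure(verify_msg: str) -> str:
    """Map an OpenSSL verify message to the most likely cause."""
    norm = verify_msg.lower().replace("-", " ")
    for needle, hint in VERIFY_HINTS:
        if needle in norm:
            return hint
    return "unrecognised TLS failure: " + verify_msg


def probe(host: str, port: int = 443) -> str:
    """Live check: connect with the system trust store and report what it sees."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return (f"trusted certificate issued by {issuer.get('organizationName')} "
                        f"({issuer.get('commonName')})")
    except ssl.SSLCertVerificationError as exc:
        return interpret_tls_failure(exc.verify_message)
    except OSError as exc:
        return f"could not connect to {host}:{port} ({exc}); check DNS and port forwarding first"


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: diag.py <hostname>")
```

Run it offline against your own `kubectl get certificate ... -o json` output by passing the text to `cert_status`; if `ready` is false, `kubectl describe order,challenge -n kuard` shows why the challenge failed. With a hostname argument it connects for real and translates the verify error, which is the same check the browser performs.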