Blog/content/post/deploy kub application.md
Commit 7e817a021e: Auto-update blog content from Obsidian: 2025-07-31 10:47:50 +00:00
Front matter (draft): title: Template, draft: true; slug, description, date, tags and categories not yet filled in.

Intro

After having created a Kubernetes cluster in my homelab with kubeadm in [that post]({{< ref "post/8-create-manual-kubernetes-cluster-kubeadm" >}}), my next goal is to expose a simple pod externally, reachable with a URL and secured with a TLS certificate issued by Let's Encrypt.

To achieve that, I will need several components:

  • Service: a stable virtual IP and DNS name in front of a set of pods, so clients do not depend on pod IPs that change.
  • Ingress: an API object describing HTTP(S) routing rules (host and path) from outside the cluster to Services.
  • Ingress Controller: the component (here NGINX) that watches Ingress objects and implements them as a reverse proxy.
  • TLS Certificates: certificates issued by Let's Encrypt and managed by cert-manager, so the URL is served over HTTPS.

Helm

For these components to work, I will have to install new components in the cluster. To install them, I will use Helm.

Why Helm

explain install Helm

Install Helm


Kubernetes Services

TODO add why we need a Service

What is a Kubernetes Service

explain what is a Service and its purpose

Different Services

give the list of differents services

ClusterIP

explain what ClusterIP services are

NodePort

explain what NodePort services are

LoadBalancer

explain what LoadBalancer services are


Expose a LoadBalancer Service with BGP

At first, I was thinking of using MetalLB to expose the IPs of my services to my home network. This is what I used in the past when I was using my ISP box as my router. After reading this post, Use Cilium BGP integration with OPNsense, I realized I could do it differently, using BGP with my OPNsense router.

What Is BGP?

BGP (Border Gateway Protocol) is a routing protocol used to exchange network routes between systems. In the Kubernetes homelab context, BGP allows your Kubernetes nodes to advertise IPs directly to your network router or firewall. Your router then knows how to reach the IPs managed by your cluster.

So instead of MetalLB managing IP allocation and ARP replies, your nodes directly tell your router: “Hey, I own 192.168.1.240”.

Legacy MetalLB Approach

Without BGP, MetalLB in Layer 2 mode works like this:

  • Assigns a LoadBalancer IP (e.g., 192.168.1.240) from a pool.
  • One node responds to ARP for that IP on your LAN (NDP for IPv6); if that node fails, another node takes the IP over.

I know that MetalLB can also work with BGP, but what if my CNI (Cilium) can handle it out of the box?

BGP with Cilium

With Cilium + BGP, you get:

  • Cilium's agent on each node advertises LoadBalancer IPs over BGP.
  • Your router learns that IP and routes to the node advertising it, and drops the route when that node's BGP session goes down.
  • No need for MetalLB.

BGP Setup

On OPNsense

In Cilium
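The manifests below are an added example (not the post's own configuration, and not copied from Cilium's docs) of the Cilium side of the setup described above: a pool of LoadBalancer IPs, one BGP session per node to the OPNsense router, and an advertisement that announces only LoadBalancer IPs. It assumes Cilium 1.16 or later installed with the BGP Control Plane enabled, an OPNsense router at 192.168.1.1 running the FRR plugin in AS 65000, the nodes in AS 65001, 192.168.1.240/28 reserved for LoadBalancer IPs, and a `whoami` app; every ASN, address, name and label here is an assumption. The Secret is the one security-relevant part: without a session password, any host on the LAN that can reach the router on TCP/179 with the expected ASN can announce 192.168.1.240 itself and take the traffic.

```yaml
# Added example, not from the original post. Assumptions: Cilium >= 1.16 with
# bgpControlPlane.enabled=true, OPNsense (FRR plugin) at 192.168.1.1 in AS 65000,
# nodes in AS 65001, 192.168.1.240/28 free for LoadBalancer IPs.
---
# The pool Cilium allocates LoadBalancer IPs from (the IPs the router will learn).
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: homelab-pool
spec:
  blocks:
    - cidr: 192.168.1.240/28
---
# TCP MD5 password for the BGP session; the same password goes on the OPNsense
# neighbor. Cilium reads BGP auth secrets from kube-system by default.
apiVersion: v1
kind: Secret
metadata:
  name: bgp-opnsense-auth
  namespace: kube-system
type: Opaque
stringData:
  password: "replace-me-with-a-long-random-secret"   # placeholder value
---
# Which nodes run a BGP speaker, with which local ASN, and which peer they talk to.
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPClusterConfig
metadata:
  name: homelab-bgp
spec:
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux   # all nodes; narrow it if control-plane nodes should not peer
  bgpInstances:
    - name: instance-65001
      localASN: 65001
      peers:
        - name: opnsense
          peerASN: 65000
          peerAddress: 192.168.1.1
          peerConfigRef:
            name: opnsense-peer
---
# Session parameters: authentication, fast failure detection, graceful restart,
# and which advertisements apply to this peer.
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeerConfig
metadata:
  name: opnsense-peer
spec:
  authSecretRef: bgp-opnsense-auth
  timers:
    holdTimeSeconds: 9
    keepAliveTimeSeconds: 3
  gracefulRestart:
    enabled: true
    restartTimeSeconds: 15
  families:
    - afi: ipv4
      safi: unicast
      advertisements:
        matchLabels:
          advertise: bgp
---
# What is announced: only the LoadBalancer IPs of Services carrying the
# label bgp=advertise, not PodCIDRs and not ClusterIPs.
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPAdvertisement
metadata:
  name: lb-services
  labels:
    advertise: bgp
spec:
  advertisements:
    - advertisementType: Service
      service:
        addresses:
          - LoadBalancerIP
      selector:
        matchLabels:
          bgp: advertise
---
# A Service that gets an IP from the pool and is then reachable from the LAN.
apiVersion: v1
kind: Service
metadata:
  name: whoami
  labels:
    bgp: advertise
spec:
  type: LoadBalancer
  selector:
    app: whoami
  ports:
    - port: 80
      targetPort: 80
```

On the OPNsense side this expects the FRR plugin with BGP enabled in AS 65000, one neighbor per node with remote AS 65001 and the same password, and a firewall rule allowing TCP/179 from the node IPs only. To check the result: `kubectl get svc whoami` should show an EXTERNAL-IP from the pool, `cilium bgp peers` should list the session as established on every selected node, `cilium bgp routes advertised ipv4 unicast` should list the /32 of that IP, and the same /32 should appear in OPNsense's BGP routing table. If the session stays idle, the first things to compare are the ASNs and the password on both ends.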

Deploying a LoadBalancer with BGP

Using an IP Address

Using a URL


Kubernetes Ingress

TODO add why we need an Ingress

What is a Kubernetes Ingress

explain what is an Ingress and its purpose

How Ingress Works


Ingress Controller

What is an Ingress Controller

explain what is an Ingress Controller and its purpose

Which Ingress Controller to Use

comparison between ingress controller which one I picked and why

Install NGINX Ingress Controller

detail installation of NGINX Ingress Controller; verify the ingress controller service

Associate a Service to an Ingress

oneline to explain how to use https


Secure Connection with TLS

to use https

Cert-Manager

Install Cert-Manager

install with helm

Setup Cert-Manager

verify clusterissuer

Add TLS in an Ingress

ingress tls code

verify
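Serving the two placeholders above ("verify clusterissuer" and "ingress tls code"), the manifests below are an added example, not the post's own code: a Let's Encrypt ClusterIssuer using the HTTP-01 challenge through the NGINX ingress class, the pod to expose with its ClusterIP Service, and an Ingress whose `tls` block makes cert-manager request the certificate. It assumes cert-manager and the NGINX Ingress Controller are installed (ingress class `nginx`), that the controller's LoadBalancer IP is reachable from the internet on ports 80 and 443 and that `whoami.example.com` resolves to it; the host name, e-mail address, image and resource names are assumptions.

```yaml
# Added example, not from the original post. Assumptions: cert-manager and
# ingress-nginx installed, ingress class "nginx", ports 80/443 reachable from
# the internet, whoami.example.com pointing at the ingress controller's IP.
---
# ACME issuer. Start with the staging server URL (commented) while debugging:
# production rate-limits repeated and failed issuance per domain, and a
# mis-routed HTTP-01 challenge is the usual first failure.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com          # assumed address; receives expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx   # solver Ingress is created in this class
---
# The pod to expose and its ClusterIP Service (the Ingress backend).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami:v1.10.1   # assumed image; any HTTP server on :80 works
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - port: 80
      targetPort: 80
---
# The Ingress. cert-manager reads the annotation and the tls block, creates a
# Certificate for the listed hosts and stores the key pair in secretName;
# NGINX then terminates TLS with it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # plain HTTP gets a 308 to HTTPS
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - whoami.example.com
      secretName: whoami-tls
  rules:
    - host: whoami.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
```

To verify: `kubectl get clusterissuer letsencrypt-prod` should report READY True once the ACME account is registered; `kubectl get certificate whoami` goes to READY True after the challenge succeeds, and until then `kubectl describe challenge` shows why it is pending (typically the challenge URL not being reachable from the internet on port 80). Finally `kubectl get secret whoami-tls` should contain `tls.crt` and `tls.key`, and `curl -v https://whoami.example.com` should show a certificate chaining to Let's Encrypt; the staging issuer produces a certificate browsers reject, which is expected.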


Conclusion