Proxying an external website with Nginx Ingress

July 15, 2019

Imagine you have a webserver running outside your Kubernetes cluster which you want to integrate in your ingress controller. There are several reasons why you might want to do this:

  • The external webserver isn’t developed in such a way that you can (easily) run it in a container on your cluster.
  • Maybe the external webserver is running in a different data center than your Kubernetes cluster.
  • You want to take the advantage of the automic HTTPS setup of your Nginx Ingress controller.

It turns out it’s actually quite easy to set this up.

In this example, we are assuming the external website is hosted on the IP address 10.20.30.40 and is listening on port 8080. Note that for this example, we assume that port 8080 is serving unencryped plain HTTP.

Also make sure you setup your firewall correctly and limit the IP address on which this webserver accepts connections. You don’t want to open the unencrypted port 8080 to the whole world.

First of all, you need to create a service with an endpoint:

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: <my-external-service>
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  clusterIP: None
  type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: <my-external-service>
subsets:
- addresses:
  - ip: 10.20.30.40
  ports:
  - name: http
    port: 8080
    protocol: TCP

We’re basically telling Kubernetes that we define a service which is linked to an external IP address listening on a specific port. We are using the IP-address to avoid that there are DNS queries involved in this setup.

Loading it in the cluster is done as follows:

$ kubectl apply -f service.yaml

To complete the setup, we add the service to the ingress definition just like we would do with a normal service:

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - <my-domain-name.com>
    secretName: letsencrypt-prod
  rules:
  - host: <my-domain-name.com>
    http:
      paths:
      - backend:
          serviceName: <my-external-service>
          servicePort: 80

Apply this as well and you’re done.

$ kubectl apply -f ingress.yaml

If you now browse to https://my-domain-name.com, the correct content should show up.