Expose an external resource with a Kubernetes Ingress

oen

Diomede

Posted on May 7, 2021

Expose an external resource with a Kubernetes Ingress

The other night I was wandering around my homelab and noticed that I didn't correctly expose my new home assistant instance to the internet. Some months ago, home assistant (from now on HA) found its new permanent home, a Rasperry PI 4 4GB; since we're in lockdown, I didn't need to reach HA outside my local network.

I'm still working from home (and love it), but it's time to fix this now. While choosing which method was the best to expose it, I had an idea, why not use an Ingress in my Kubernetes cluster?

It could seem a little odd, but hear me out:

  • I already have a Kubernetes cluster, with cert-manager configured and working
  • I'm planning to move some service into the cluster, and they'll need to reach HA anyway
  • I want to learn as much as I can about Kubernetes, and this seemed a good chance

So, to achieve my goal, I need one thing: how can I point a Kubernetes Service to an external resource?

Wait, why a Service? Didn't you mention an Ingress before? Yes, you're right but bear with me.

In Kubernetes, an Ingress needs a Service to redirect all the requests it receives, so to properly expose HA with an Ingress, we need to create a Service that can point to it.

Usually, a Service is used to expose a set of Pods; in this way, if different applications need to talk to each other, they don't need to use their pod names (that could change variously), but they can use the Service name.

When we create a Service, another resource is automatically created, an Endpoint. This Endpoint includes the references (all the IP addresses) of the Pods that match the selector we've specified in the Service selector spec.

The Endpoint created in this way will have the same name as the Service we've created.

But here's the thing, we can create a Service without a selector, and if we do that, we also need to create an Endpoint ourselves, and this Endpoint could point to an IP outside the Kubernetes cluster.

So let's see the YAML we need to create to expose HA using a Kubernetes Ingress.

endpoint.yml

apiVersion: v1
kind: Endpoints
metadata:
  name: home-assistant
subsets:
- addresses:
  - ip: 1.1.1.1 # Insert your home-assistant IP here
  ports:
  - name: ha
    port: 8123
    protocol: TCP
Enter fullscreen mode Exit fullscreen mode

service.yml

apiVersion: v1
kind: Service
metadata:
  name: home-assistant
spec:
  ports:
  - name: ha
    port: 80
    protocol: TCP
    targetPort: 8123
  type: ClusterIP
  clusterIP: None
Enter fullscreen mode Exit fullscreen mode

Note: we set the clusterIP property to None on purpose; this tells Kubernetes not to provide an IP to this Service; we don't need it. A Service like this is also known as headless Service.

ingress.yml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
  name: home-assistant
spec:
  rules:
  - host: ha.awesome-domain.com # insert your domain here
    http:
      paths:
      - backend:
          serviceName: home-assistant
          servicePort: ha
        path: /
  tls:
  - hosts:
    - ha.awesome-domain.com # insert your domain here
    secretName: home-assistant-tls
Enter fullscreen mode Exit fullscreen mode

Now, if we run kubectl apply -f ... for all these three files after cert-manager has finished its work, we'll end with a domain with a valid certificate that points to our Home Assistant instance outside of Kubernetes.

And remember that I told you that I want to move some service that uses HA inside my k8s cluster? Now, all I have to do is deploy them and use `home-assistant as the URL for HA instead of using the IP address.

For the sake of completion, if you already have a local domain for your HA instance, you can skip the creation of the Endpoint and use the Service's externalName property directly.

💖 💪 🙅 🚩
oen
Diomede

Posted on May 7, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related