cloudflare / cloudflare-ingress-controller

A Kubernetes ingress controller for Cloudflare's Argo Tunnels
Apache License 2.0

Support for ExternalName Services #168

Closed grrywlsn closed 2 years ago

grrywlsn commented 5 years ago

I've been using the Cloudflare ingress controller with services inside Kubernetes successfully for months (running 0.6.5). I'd also like to be able to use the same ingress controller to route traffic to services accessible to, but outside of, Kubernetes.

In this scenario, I want to be able to expose Vault's UI (accessible on an AWS ELB), to Kubernetes as a Service, which can then be used as a backend service for a Cloudflare ingress. This would make use of the ExternalName service: https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-mapping-external-services

I believe something like this is what I'd need to do, but it seems Cloudflare can't support it yet:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: vault-ui
spec:
  type: ExternalName
  externalName: vault-ui.eu-west-1.elb.amazonaws.com
  ports:
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: argo-tunnel
  name: vault-ui
spec:
  rules:
  - host: vault-ui.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: vault-ui
          servicePort: https
```

I think the reason it doesn't work yet is that a Service with ExternalName doesn't have any Endpoints; however, the DNS and port can be curl'd from within the Cloudflare ingress container. I get error: `err: "endpoints 'default/vault-ui' do not exist"`

Is this something that could be added?

mattalberts commented 5 years ago

Part of the ingress-controller's tunnel start/stop conditioning is a check against the existence of service endpoints, which won't exist for this type of service. Instead of using the ingress controller to do this, you should stand up a tunnel directly (a cloudflared pod that maps directly to the service).

mabunixda commented 5 years ago

I also got into this error bypassing from an externalName to ingress. I created a cluster service and a manual endpoint pointing to the internal LAN IP I was sharing over the ingress controller. This works in my use case now.
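The selector-less Service plus hand-written Endpoints workaround described in the comment above, written out as an added example (it is not from the issue or from the project); the IP address is a constructed placeholder for a host reachable from the cluster, and the Ingress from the original post can reference this Service unchanged:

```yaml
# Added example, not from the issue or the project. A ClusterIP Service with
# no selector gets no Endpoints object created for it, so the endpoints check
# in the ingress controller ("endpoints 'default/vault-ui' do not exist")
# fails. Creating the Endpoints object by hand satisfies that check.
apiVersion: v1
kind: Service
metadata:
  name: vault-ui
  namespace: default
spec:
  # Deliberately no selector: the endpoints controller leaves this Service alone.
  ports:
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  # Must match the Service name and namespace exactly; the controller looks up
  # the Endpoints object under the same "default/vault-ui" key.
  name: vault-ui
  namespace: default
subsets:
- addresses:
  - ip: 10.20.30.40   # constructed placeholder; Endpoints accept IPs only, not DNS names
  ports:
  - name: https       # port name must match the Service port the Ingress references
    port: 443
    protocol: TCP
```

Because Endpoints hold IP addresses rather than hostnames, this fits a fixed internal address (as in the comment) better than a DNS name such as an AWS ELB whose addresses can change. Note also that whoever can write Endpoints objects in the namespace can redirect this backend, so RBAC on that resource deserves the same care as on the Service itself.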