
Loadbalancer with certificate managed by Hetzner #482

Open

sven-borkert opened this issue Nov 8, 2024 · 8 comments

Comments

@sven-borkert

Hi,

I'm trying to find out how to install the ingress controller in a way that my ingress load balancer will have http on port 80, redirecting to https on port 443. The https service on port 443 should terminate TLS on the load balancer and use a certificate managed by Hetzner, that I previously created manually.

My ingress-nginx-annotations look like this:

controller:
  kind: DaemonSet
  service:
    annotations:
      load-balancer.hetzner.cloud/location: fsn1
      load-balancer.hetzner.cloud/name: Ingress Loadbalancer mydomain.net
      load-balancer.hetzner.cloud/use-private-ip: "true"
      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
      load-balancer.hetzner.cloud/hostname: mydomain.net
      load-balancer.hetzner.cloud/http-redirect-https: "true"
      # applies to every service port on the load balancer
      load-balancer.hetzner.cloud/protocol: https
      # name of the certificate created manually under Security -> Certificates
      load-balancer.hetzner.cloud/http-certificates: mydomain.net-cert

This works fine for https on 443, but it also creates a https service on port 80:

[screenshot of the load balancer services omitted]

Can someone help me to figure out how to make it create the service on port 80 as http instead?

Regards,
Sven

@vitobotta
Owner

Hi! I think the reason is that you specified https for the load-balancer.hetzner.cloud/protocol annotation. Try removing that.

A bit unrelated to your question but why do you want to terminate TLS on the load balancer and manage certificates manually? Unless you have specific requirements for your certificates, you can simplify your setup and use cert-manager to automatically provision and renew certificates e.g. with Let's Encrypt. It's a nice set-and-forget kind of thing.

Also note that you have enabled proxy protocol on the load balancer. In order for this to work, you also need to enable proxy protocol in the ingress nginx configmap, otherwise Nginx won't be able to "understand" the traffic received from the load balancer.

PS: Thanks for the sponsorship! I appreciate it :)
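The proxy-protocol point made above, shown as an added example (this is not code from the thread, from hetzner-k3s or from the ingress-nginx project): ingress-nginx Helm values with proxy protocol enabled on both the Hetzner load balancer and nginx. The chart's `controller.config` map is rendered into the controller ConfigMap, and `use-proxy-protocol` / `use-forwarded-headers` are ingress-nginx's documented ConfigMap keys; the load balancer name, location and hostname are placeholders.

```yaml
# Added example (not from the thread): ingress-nginx Helm values.yaml with
# proxy protocol enabled on BOTH sides. Name, location and hostname are
# placeholders.
controller:
  kind: DaemonSet
  # Rendered into the ingress-nginx controller ConfigMap.
  config:
    # Weak setting would be leaving this out (or "false") while the load
    # balancer annotation below is "true": nginx then sees the PROXY header
    # as garbage in front of every request and rejects the connection.
    use-proxy-protocol: "true"
    # Trust X-Forwarded-* set by the load balancer when it terminates TLS,
    # so the client IP and scheme reach the backends.
    use-forwarded-headers: "true"
    compute-full-forwarded-for: "true"
  service:
    annotations:
      load-balancer.hetzner.cloud/location: fsn1
      load-balancer.hetzner.cloud/name: ingress-lb
      load-balancer.hetzner.cloud/use-private-ip: "true"
      # Must agree with use-proxy-protocol above; enabling it on only one
      # side breaks every request.
      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
      # With proxy protocol on, the Service must expose a hostname instead of
      # the load balancer IP; otherwise kube-proxy short-circuits in-cluster
      # traffic to that IP straight to nginx, without the PROXY header.
      load-balancer.hetzner.cloud/hostname: ingress.example.com
```

After applying, confirm both sides agree: `kubectl -n ingress-nginx get configmap ingress-nginx-controller -o yaml` should show `use-proxy-protocol: "true"`, and a request through the load balancer should return a normal response rather than a `400 Bad Request` with "broken header" in the controller logs.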

@sven-borkert
Author

Hi!

If I remove the annotation load-balancer.hetzner.cloud/protocol: https it creates TCP load balancers and does not use the certificate. Currently I just disabled HTTP and all is good. I was just curious how to make it create an HTTPS service on 443 and HTTP or TCP on 80 on the Hetzner load balancer.

I'm using this config right now, not using http at all:

controller:
  kind: DaemonSet
  service:
    # port 80 is not exposed at all in this configuration
    enableHttp: false
    enableHttps: true
    ports:
      https: 443
    targetPorts:
      # TLS is terminated on the load balancer, so the node receives plain HTTP
      https: 80
    annotations:
      load-balancer.hetzner.cloud/location: fsn1
      load-balancer.hetzner.cloud/name: Ingress Loadbalancer mydomain.net
      load-balancer.hetzner.cloud/use-private-ip: "true"
      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
      load-balancer.hetzner.cloud/hostname: mydomain.net
      load-balancer.hetzner.cloud/http-redirect-https: "true"
      load-balancer.hetzner.cloud/protocol: https
      load-balancer.hetzner.cloud/http-certificates: mydomain.net-cert

(The http-redirect-https annotation has no effect, it seems.)

I have enabled proxy protocol in the config map, I mostly followed one of your docs.

I find it convenient to use a certificate managed by Hetzner. I pointed my DNS to them, defined the certificate under security->certificates and Hetzner is now doing all the Let's Encrypt stuff and I just got my certificate. I will have a look at cert-manager again, somehow it did not work first time I tried using it and I ended up with the Hetzner managed certificate. Having full TLS between client and ingress controller would be better anyway, but I use my cluster only for playing around at the moment.

I appreciate your project, thanks. :)

Regards,
Sven

@vitobotta
Owner

I've never personally used the setup you're describing (TLS termination on the load balancer plus a certificate managed by Hetzner), so I'm not sure how it works. I've always relied on cert-manager, which has been my go-to solution for years.

That being said, what issues did you encounter with cert-manager? Was it related to the proxy protocol being enabled? When both the load balancer and nginx have the proxy protocol turned on, you need to add a specific annotation with the hostname for the load balancer, which you seem to be using now. Could that have been the problem when you tested cert-manager - maybe the annotation was missing?

@sven-borkert
Author

I don't remember anymore what went wrong with cert-manager. I guess it was just my lack of K8s knowledge at that time. I will try again.

@vitobotta
Owner

Yeah, I recommend trying it again because it makes things simpler IMO.

@saashqdev

Hi Guys - is there a full cluster_config.yaml example anywhere that includes a LoadBalancer and all the goodies?

@vitobotta
Owner

@saashqdev hetzner-k3s is mainly designed to help you get a cluster up and running quickly and without much hassle. It doesn't automatically set up workloads for you, though, as that goes beyond its main goal. But there’s a tutorial in the documentation that can show you how to start setting up your workloads.

@saashqdev

saashqdev commented Nov 29, 2024

Thanks, I'll check it out.

Update: Up and running - all good.
