Networking

In this article we’ll take a look at how to proxy external services through the Kubernetes Gateway API. There are of course more lightweight methods to proxy services, but once you already have the proverbial hammer, why not treat everything like a nail?

The Gateway API SIG (Special Interest Group) recently released v1.0 which spurred my interest in the project. In their own words, If you’re familiar with the older Ingress API, you can think of the Gateway API as analogous to a more-expressive next-generation version of that API.

In this article we’ll explore how to use Traefik in Kubernetes combined with Cert-manager as an ACME (Automatic Certificate Management Environment) client to issue certificates through Let’s Encrypt. If instead of Kubernetes you’re running docker-compose, Major Hayden has an excellent tutorial on how to configure Wildcard LetsEncrypt certificates with Traefik and Cloudflare.

For my homelab I’m running an over-engineered one-node Kubernetes “cluster” using Cilium as the Container Network Interface (CNI). Up until recently I used MetalLB for LoadBalancer IP Address Management (LB-IPAM) and L2 announcements for Address Resolution Protocol (ARP) requests over the local network, but Cilium has now replaced this functionality.

This is going to be a bit of a follow-up on an earlier article on Cloudflare SSH tunneling where we configured SSH-tunneling through Cloudflare’s WARP-client. In this article we’ll configure Cloudflare’s cloudlared-tunnel and a Zero Trust Application to expose a browser rendered terminal to our server.

Being able to log into your servers from everywhere with an internet connection is convenient as you never know when something may decide to break. However, exposing your ssh-connection to the open web can pose security risks if not done correctly.