Providing Domain and TLS certs for Apps Running Outside Kubernetes: A Smart Ingress Hack
If you’re already using Kubernetes, you’ve probably seen how easy it makes handling HTTPS certificates and domains for your applications. But what if you have apps running outside Kubernetes, on VMs, Docker containers, or special hardware? Suddenly, managing HTTPS certificates and domain names can become a real headache.
In this post, I’ll share a practical, straightforward trick that lets you use Kubernetes to manage HTTPS and domain names even for apps running outside your Kubernetes cluster.
The Problem: External Apps Need Love Too
Kubernetes makes life easy with built-in features like automated HTTPS certificates (thanks to cert-manager), domain management, and routing with tools like Traefik or NGINX Ingress. But not everything lives in Kubernetes. You might have:
- Legacy apps that aren’t container-friendly.
- Docker containers running independently on services like AWS EC2.
- Specialized apps that need dedicated hardware or infrastructure.
Without Kubernetes, managing HTTPS certificates manually means a lot of extra work. You risk downtime from expired certificates, complex manual DNS changes, and inconsistent security setups. It’s messy, error-prone, and frustrating.
The Simple Hack: Kubernetes Ingress for External Services
Here’s a smart workaround using Kubernetes’ built-in features. The core idea is to create a Service without selectors and pair it with manually defined Endpoints. This approach lets Kubernetes route traffic from its ingress directly to your external apps.
Step-by-Step Guide
Step 1: Define a Service & Manual Endpoints: This tells Kubernetes exactly where your external app lives. Modify this YAML and apply it:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: external-app-service
spec:
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-app-service
subsets:
  - addresses:
      - ip: 10.240.0.129 # External app's IP
    ports:
      - port: 8080
```
Step 2: Automated TLS Certificates: Use cert-manager to get free, automated certificates from Let’s Encrypt:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: external-app-cert
spec:
  secretName: external-app-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - your-domain.com
```
Step 3: Configure Kubernetes Ingress: Ingress routes traffic from your domain to your external service:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: external-app-ingress
spec:
  tls:
    - hosts:
        - your-domain.com
      secretName: external-app-tls
  rules:
    - host: your-domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: external-app-service
                port:
                  number: 80
```
Architecture
[Diagrams not reproduced: High-Level Overview and Low-Level Overview]
How This Works
- A Service without selectors lets you decide manually where traffic goes, bypassing Kubernetes’ automatic pod selection.
- Manual endpoints explicitly map external IP addresses and ports, making Kubernetes think your external app is just another internal service.
- Ingress controller and cert-manager automate HTTPS handling and domain management, just like regular Kubernetes apps.
Basically, Kubernetes acts as a super-smart proxy, automatically handling HTTPS, routing, and domain management while your external app stays right where it is.
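The four objects from Steps 1-3 only work together if their cross-references line up, so here is a small pre-apply check, added as an example and not part of the original post. The function name `check_wiring` and the `PAGE` sample are assumptions made for illustration; the check covers loopback and link-local endpoint IPs, which Kubernetes does not accept in Endpoints.

```python
import ipaddress

def check_wiring(manifests):
    """Return problems in how Service, Endpoints, Certificate and Ingress reference each other."""
    kinds = {}
    for m in manifests:
        kinds.setdefault(m["kind"], {})[m["metadata"]["name"]] = m
    svcs, eps = kinds.get("Service", {}), kinds.get("Endpoints", {})
    certs = {c["spec"]["secretName"]: set(c["spec"]["dnsNames"]) for c in kinds.get("Certificate", {}).values()}
    problems = []
    for name, svc in svcs.items():
        if svc["spec"].get("selector"):
            continue  # selector-based Service: Kubernetes manages its Endpoints
        if name not in eps:  # Endpoints bind to a Service by identical name
            problems.append(f"Service {name}: no Endpoints named {name}")
            continue
        subsets = eps[name].get("subsets", [])
        ep_ports = {p["port"] for s in subsets for p in s["ports"]}
        for p in svc["spec"]["ports"]:
            if p.get("targetPort", p["port"]) not in ep_ports:
                problems.append(f"Service {name}: targetPort not in Endpoints ports")
        for ip in (a["ip"] for s in subsets for a in s["addresses"]):
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or addr.is_link_local:  # not valid endpoint IPs
                problems.append(f"Endpoints {name}: {ip} is loopback or link-local")
    for iname, ing in kinds.get("Ingress", {}).items():
        secret_for = {h: t["secretName"] for t in ing["spec"].get("tls", []) for h in t["hosts"]}
        for rule in ing["spec"]["rules"]:
            if rule["host"] not in certs.get(secret_for.get(rule["host"]), set()):
                problems.append(f"Ingress {iname}: no Certificate-backed TLS secret for {rule['host']}")
            for path in rule["http"]["paths"]:
                ref = path["backend"]["service"]
                ports = svcs.get(ref["name"], {"spec": {"ports": []}})["spec"]["ports"]
                if ref["port"]["number"] not in {p["port"] for p in ports}:
                    problems.append(f"Ingress {iname}: backend {ref['name']} port mismatch")
    return problems

# Constructed sample: the manifests from Steps 1-3 as parsed dicts (what PyYAML's yaml.safe_load_all yields)
PAGE = [
    {"kind": "Service", "metadata": {"name": "external-app-service"},
     "spec": {"ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Endpoints", "metadata": {"name": "external-app-service"},
     "subsets": [{"addresses": [{"ip": "10.240.0.129"}], "ports": [{"port": 8080}]}]},
    {"kind": "Certificate", "metadata": {"name": "external-app-cert"},
     "spec": {"secretName": "external-app-tls", "dnsNames": ["your-domain.com"]}},
    {"kind": "Ingress", "metadata": {"name": "external-app-ingress"}, "spec": {
        "tls": [{"hosts": ["your-domain.com"], "secretName": "external-app-tls"}],
        "rules": [{"host": "your-domain.com", "http": {"paths": [{"backend": {
            "service": {"name": "external-app-service", "port": {"number": 80}}}}]}}]}},
]
```

An empty list from `check_wiring(PAGE)` means the names, ports, TLS secret and hostnames agree across all four objects.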
What’s the deal
- One Place to Manage Domains & Certificates: Simplify everything with Kubernetes.
- No More Manual HTTPS Headaches: Cert-manager handles certificates automatically.
- Easy to Troubleshoot: Keep routing simple and consistent.
- Flexible Integration: Works perfectly whether your apps are containerized or not.
Real-Life Use Cases
- Legacy Apps: Manage old apps without rewriting them.
- Hybrid Setups: Mix Kubernetes and non-Kubernetes workloads easily.
- Edge Computing: Centralize management of dispersed edge devices.
- Third-Party Integration: Securely manage external API connections.
- Temporary Demos or Dev Environments: Quickly spin up secure, accessible environments.
- Special Compliance Needs: Centralize security for sensitive external systems.
Wrapping It Up
Using Kubernetes ingress for external applications makes your life simpler, your apps more secure, and your setup less error-prone. It’s an elegant hack that gives you the power of Kubernetes, without forcing every app into a Kubernetes cluster.