Tunneling and DNS services allow internet traffic to reach your clusters.
The KubeSail Agent automatically maintains a secure tunnel between your cluster and the KubeSail Gateway, bypassing any firewalls and allowing simple and reliable access to your apps.
You’ll be able to access your cluster with a domain like “mycluster.username.region.k8g8.com”. All k8g8.com domains are tunneled: the traffic is sent through our gateway system and routed to the Agent on your cluster. This is perfect for home-hosting, IoT and simple use-cases where the cluster may move, have an unreliable connection to the internet, or be behind a firewall.
The KubeSail Agent will also periodically set a Dynamic DNS address.
An address like “mycluster.username.region.ksdns.io” will resolve to your cluster’s IP address. All ksdns.io domains use Dynamic DNS. Make sure your firewall is configured properly! This is useful for non-HTTP services such as game servers and voice applications.
For heavier traffic situations, or for example when using a Cloud Provider, you may want to directly access your cluster via a Load Balancer. This works normally and would bypass the KubeSail Agent and connect directly to your Ingress controller. Schedule a chat with us and we can help design a solution!
You can expose your running containers under your own hostname, such as home.example.com, rather than under the generated ksdns.io hostnames. Add as many domains as you’d like by verifying your domain in the dashboard. Use a CNAME or ALIAS record, say home.example.com, which points at either your Tunneled or Dynamic DNS Addresses.
The Agent and Gateway maintain a persistent connection, which is used to tunnel HTTP and HTTPS requests from the Gateway to the Agent. All KubeSail Gateway addresses end with
When an HTTPS request is received by the Gateway, we inspect the SNI header packets to determine the hostname and pass the encrypted request (we don’t have the certificate!) to your KubeSail Agent, which in turn routes the request to your Ingress Controller. See kubesail/kubesail-agent for more info! HTTP traffic is also forwarded, based on the
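How a gateway can route a TLS connection by SNI without holding the certificate, as an added example (not KubeSail's code): Python's ssl module builds a sample ClientHello offline, the parser reads the cleartext server_name, and unknown names are refused. The ROUTES table and agent names are hypothetical.

```python
import ssl

# Hypothetical routing table: verified hostname -> tunnel/agent identifier.
ROUTES = {"test.mywebsite.com": "agent-a", "home.example.com": "agent-b"}

def client_hello(hostname: str) -> bytes:
    """Build a real ClientHello offline (constructed sample input)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server attached, only the first flight is needed
    return outgoing.read()

def u16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, else None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:  # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]            # session_id
        pos += 2 + u16(data, pos)       # cipher_suites
        pos += 1 + data[pos]            # compression_methods
        end = pos + 2 + u16(data, pos)  # end of the extensions block
        pos += 2
        while pos + 4 <= min(end, len(data)):
            ext_type, ext_len = u16(data, pos), u16(data, pos + 2)
            body = data[pos + 4:pos + 4 + ext_len]
            if ext_type == 0:           # server_name extension
                # body layout: list_len(2) name_type(1) name_len(2) name
                name = body[5:5 + u16(body, 3)]
                if len(body) < 5 or body[2] != 0 or len(name) != u16(body, 3):
                    return None
                return name.decode("ascii").lower()
            pos += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def route(data: bytes, routes: dict):
    """Pick a tunnel from SNI alone; unknown or missing names fail closed."""
    return routes.get(extract_sni(data) or "")

if __name__ == "__main__":
    hello = client_hello("test.mywebsite.com")
    print(extract_sni(hello), "->", route(hello, ROUTES))
```

The hostname is readable by the gateway, and by anything else on the path, even though the request itself stays encrypted.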
HTTPS & Certificates
You’ll need to make sure you’ve installed cert-manager. You can install it with:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml
Certificates, you’ll need a ClusterIssuer and an
ClusterIssuer is a Document that tracks an account with Let’s Encrypt, which will allow you to
Certificate. See the docs for more. A ClusterIssuer called “letsencrypt” should be automatically created by the KubeSail Agent. As long as this exists, you should be good to go!
An Ingress object routes HTTP/HTTPS traffic to a Service based on a hostname. These documents are automatically read by the KubeSail Agent. If you create an Ingress for any domains verified in your Domains portal, traffic will be passed from the Gateway to the Agent.
Also note the tls section, which will cause a Certificate to be created automatically!
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: domain-ingress
spec:
  rules:
    - host: test.mywebsite.com
      http:
        paths:
          - backend:
              serviceName: my-app
              servicePort: 8080
  tls:
    - hosts:
        - test.mywebsite.com
      secretName: mywebsite-cerfificate