TLS termination has been moved off the VPS edge. The VPS now does nothing more than proxy TCP ports 80 and 443 to an nginx ingress on the cluster, and cert-manager provisions certificates for the domain from the cluster side.
This means that TLS-encrypted HTTP traffic is forwarded, still encrypted, across the WireGuard tunnel and is only terminated at the cluster ingress. The edge never holds a private key. This opens up easy options to add "dumb" edge nodes that only need an A record, a WireGuard link to the cluster, and suitable nginx stream proxy rules.
Helm was used to install cert-manager and nginx-ingress, but this may change in the future.
Relevant YAML:

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hugo
  namespace: wicknet-dev
  annotations:
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - wicknet.dev
      secretName: wicknet-dev-tls
  rules:
    - host: wicknet.dev
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hugo
                port:
                  number: 80
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  namespace: wicknet-dev
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: # redacted #
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
```
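The post mentions the "suitable nginx stream proxy rules" on the VPS edge but does not show them. The following is an added example of what such an edge configuration looks like; it is not the post's own config. It assumes the cluster-side WireGuard peer is reachable at 10.100.0.2 (a constructed placeholder) and that the ingress controller listens on ports 80 and 443 at that address; adjust both to match your tunnel and your ingress exposure. The `stream {}` block must sit at the top level of nginx.conf, beside (not inside) any `http {}` block.

```nginx
# Added example, not the post's own config: nginx on the VPS edge node,
# passing raw TCP on 80 and 443 to the cluster ingress across WireGuard.
# No TLS material lives here; the edge never decrypts anything.
stream {
    # 10.100.0.2 is a constructed placeholder for the cluster-side
    # WireGuard peer address (assumption).
    upstream ingress_http {
        server 10.100.0.2:80;
    }

    upstream ingress_https {
        server 10.100.0.2:443;
    }

    # Port 80 must also be forwarded, otherwise the HTTP-01 ACME
    # challenge used by the Issuer above can never reach the ingress.
    server {
        listen 80;
        proxy_pass ingress_http;
        proxy_connect_timeout 5s;
    }

    # Port 443 is forwarded as opaque TCP; TLS is terminated by the
    # ingress, which holds the wicknet-dev-tls secret.
    server {
        listen 443;
        proxy_pass ingress_https;
        proxy_connect_timeout 5s;
    }
}
```

One consequence of this design worth checking: because the edge forwards raw TCP, the ingress (and therefore ingress access logs and any IP-based rate limiting or allow-lists) sees the WireGuard tunnel endpoint as the client address, not the real source. If real client IPs matter, add `proxy_protocol on;` to both stream `server` blocks and set `use-proxy-protocol: "true"` in the ingress-nginx ConfigMap; both sides must agree, since an ingress expecting PROXY protocol will reject plain connections.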