Start 1 VM for Kubernetes and one LXD container for NGINX

lxc launch ubuntu:focal adc

lxc launch ubuntu:focal k0 --vm
lxc config set m8s limits.cpu=8 limits.memory=16GB device override m8s root size=50GB
lxc config device override m8s root size=50GB
lxc exec k0 -- snap install microk8s

k0:~/demo.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: demo.uvoo.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo
                port:
                  number: 8080

k0

#!/usr/bin/env bash
set -e
alias kubectl='microk8s kubectl'
shopt -s expand_aliases

microk8s enable ingress
microk8s kubectl delete deployment demo | true
microk8s kubectl delete service demo | true
microk8s kubectl delete -f demo.yml | true


microk8s kubectl create deployment demo --image=gcr.io/google-samples/hello-app:1.0
microk8s kubectl expose deployment demo --type=NodePort --port=8080
microk8s kubectl apply -f demo.yml
curl -H "Host: demo.uvoo.io" 127.0.0.1

#!/usr/bin/env bash
set -e

ts=`date +%Y-%m-%d_%H-%M-%S`

clear(){
  sudo iptables-save > /tmp/iptables-save.$ts.ipt
  sudo iptables -P INPUT ACCEPT
  sudo iptables -P FORWARD ACCEPT
  sudo iptables -P OUTPUT ACCEPT
  sudo iptables -t nat -F
  sudo iptables -t mangle -F
  sudo iptables -F
  # sudo iptables -x
  sudo iptables -X -t nat
}

adc_nat(){
  adcip=$(lxc list adc -c 4 | awk '!/IPV4/{ if ( $2 != "" ) print $2}')
  ip=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
  sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -d $ip -j DNAT --to-destination $adcip:80
  sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -d $ip -j DNAT --to-destination $adcip:443
  sudo iptables -L -n -t nat
}

clear
adc_nat
sudo restart snap  # Will cause downtime but refreshes lxd iptables

Gen self signed cert

lxc exec adc -- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=US/ST=Utah/L=SLC/O=Example Corp/OU=Testing/CN=example.io"

adc:/etc/nginx/conf.d/demo.conf

upstream kub-ingress {
    least_conn;
    server k0;
}

server {
    server_name  demo.uvoo.io;
    listen  80;
    listen  [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    location /hi {
       default_type text/html;
       return 200 "<!DOCTYPE html><h3>Hi!</h3>\n";
    }

    location / {
        proxy_pass  http://kub-ingress;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}

Use letsencrypt

curl -k -H "Host: demo.uvoo.io" https://$adcip  # Make sure site is up (this can take several minutes on reboot
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --no-redirect --nginx -d demo.uvoo.io

Hopefully you see something like

Hello, world!
Version: 1.0.0
Hostname: demo-6fcfc5f6f4-llh4c

References

• https://kubernetes.io/docs/tutorials/hello-minikube/
• https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
• https://gist.github.com/davydany/0ad377f6de3c70056d2bd0f1549e1017
• https://linuxcontainers.org/lxd/getting-started-cli/
• https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/