Rancher HA and Letsencrypt on other ports than 80/443

Sure, port doesn’t play a role in certificate generation, only the domain.

I think I can’t use same LB for both clusters, right?
This is my main goal here. I want to avoid setting up a new HA loadbalancer or let the rancher cluster ingress care for the traffic to the user cluster.

My provider (hetzner.de) doesn’t provide any load balancing in the cloud by now (only floating IPs). I use two nginx servers in an HA installation (nginx, keepalived, letsencrypt) to route the traffic to the internal nodes.
At the moment TLS is performed in nginx on the edge nodes. But I don’t like the solution because I have to store the certificates somewhere to share them between the master and backup nodes. Simple L4 load balancing moves this part to the ingress in the cluster. It appears to me as a much cleaner solution.

@superseb recommended an authorized cluster endpoint for the user cluster but to be honest I didn’t get how this solves my problem. (See: Rancher HA and User-Cluster in LAN)

This is what I want to achieve.
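To illustrate the L4 approach described in the post above, here is an added example that is not from the original thread: an nginx `stream` configuration for the two edge nodes that passes TCP 80/443 straight through to the in-cluster ingress, so no certificate ever has to live on (or be synced between) the master and backup nodes. The node IPs and hostnames are placeholders.

```nginx
# Added example (not from the original thread): nginx as a pure L4 (TCP)
# passthrough on the edge nodes. TLS is NOT terminated here, so the edge
# nodes hold no certificates. The in-cluster ingress (with cert-manager /
# Let's Encrypt) terminates TLS and answers the ACME http-01 challenge that
# arrives on port 80.
# Assumption: 10.0.0.11-13 are placeholder IPs of the internal Rancher
# nodes running the ingress controller on ports 80 and 443.

events {}

stream {
    upstream rancher_http {
        least_conn;
        server 10.0.0.11:80 max_fails=3 fail_timeout=5s;
        server 10.0.0.12:80 max_fails=3 fail_timeout=5s;
        server 10.0.0.13:80 max_fails=3 fail_timeout=5s;
    }

    upstream rancher_https {
        least_conn;
        server 10.0.0.11:443 max_fails=3 fail_timeout=5s;
        server 10.0.0.12:443 max_fails=3 fail_timeout=5s;
        server 10.0.0.13:443 max_fails=3 fail_timeout=5s;
    }

    # Port 80: Let's Encrypt http-01 challenges and the HTTP->HTTPS redirect
    # are handled by the ingress, not by nginx on the edge.
    server {
        listen 80;
        proxy_pass rancher_http;
        proxy_connect_timeout 5s;
    }

    # Port 443: raw TCP passthrough, the TLS handshake happens in-cluster.
    # Enable proxy_protocol only if the ingress controller is configured to
    # accept it; otherwise the ingress logs the edge node as the client IP.
    server {
        listen 443;
        proxy_pass rancher_https;
        proxy_connect_timeout 5s;
        # proxy_protocol on;
    }
}
```

Because nothing TLS-related lives on the edge, the backup node needs only this same file plus its keepalived VIP; if a second cluster should share the same edge on 443, `ssl_preread` with a `map` on `$ssl_preread_server_name` can split traffic by SNI, but port 80 has no equivalent at L4.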