This message was deleted.

afaik youll need another ingress at the downstream cluster, it doesnt need to be public facing though

Ok so an extra internal ingress controller on the management cluster (rancher cluster) and exposing the thanos reciever service through an ingress resource using the internal ingress?

im not 100% sure im following what your trying to accomplish, but what we do for all of our aks clusters (including gov ones) is two ingress controllers (two ingressclasses), one called external and one called internal. this way we can explicitly state which class individual ingresses use, as well as defaulting to internal to prevent accidental exposure

I have my rancher management cluster running with an external load balancer (external ingress controller load balancer) and this cluster acts as a central monitoring with a thanos receiver for downstream clusters on which to remote-write. I don't want to expose the thanos receiver service externally and would rather expose it internally so that downstream clusters can access and remote-write to that endpoint. Downstream clusters are on the same network as the management cluster but not on the same subnet. Can i use an extra internal ingress controller on the management cluster to expose the thanos receiver service to the downstream clusters ?

That would be my recommendation yes

Ok thank you 🙂

the ingress is more for kubernetes so that you can have multiple services behind the one ip address/aks loadbalancer. Sure you could technically spin up an aks load balancer for each service but that gets sorta pricey and is less under k8s control

Yes indeed, i will reuse the internal ingress for other services anyway at a later stage when connecting through teleport only!thanks :)