I managed to get it working by updating the rule that maps port 443 -> Service Port. Then I was able to create a certificate for the domain I had pointed to the load balancer.
However, the customization of the rule breaks if the service changes or if I have a node failure. I'm going to post separately on that issue.
So, from a Kubernetes perspective, I created a simple Nginx deployment:
- name: nginx
- containerPort: 80
kubectl create -f 1-deployment.yaml
Created that and I had a number of simple POD's running.
Then I set up a service to connect the load balancer to the POD's:
- port: 443
kubectl create -f 2-service.yaml
When I run the create on the service, the D.O. Load Balancer is created and bound to my droplets. It takes a bit to get up and running, but you'll have to wait for it finish.
Then I had to set up a DNS A record to point to the load balancer. This was required to create the certificate later. I have a demo record from one of my domains pointing to the load balancer, so I just made sure it was updated. The TTL is 3600, so it took a while to update. I could probably lower that, but I'm not sure what the consequences are so I left it (I'm not a DNS guru).
Once the DNS entry is at least set up (even if it hasn't propagated), go into the Load Balancer and update the 1st forward rule that says TCP 443 -> TCP 3xxxx (whatever port is assigned to the service COPY THE PORT).
As soon as I switch the incoming protocol to "HTTPS", the output port gets updated to 80, so you'll want to the past the port you copied. Now it should be HTTPS 443 -> HTTP 3xxxx.
AND... now you have the ability to select a certificate. If you haven't created a Let's Encrypt certificate on DO before, you can do it here on your DNS entry.
When all that is in place, you'll have just wait for the DNS to finish propagated and you're good to go.
Just pray you don't have to rebuild the load balancer, or the DNS will have to be updated. This is where I wish there was a dynamic IP for the load balancer.