Terminate SSL / TLS
In this section, you will learn how to configure SSL/TLS in HAProxy Kubernetes Ingress Controller.
HAProxy Kubernetes Ingress Controller can terminate SSL/TLS for services in your cluster, meaning it will handle encrypting traffic when it leaves the network and decrypting it when it enters. If you installed with Helm, the ingress controller uses a self-signed TLS certificate by default, but you can replace it with your own.
If all of your services reside under the same hostname, you may decide to configure just one TLS certificate. Or, you can set a certificate per Ingress rule. Note that the TLS certificate you use should match your web application’s hostname to be considered valid by web browsers.
Configure a TLS certificate for all services
To add a TLS certificate that applies to all backend services:
- Acquire a TLS certificate and key. Be sure that your certificate and key files use the base64-encoded format.

  Want to try it out in a non-production environment? Use the following OpenSSL command to create your own self-signed certificate and key:

  ```bash
  # -nodes leaves example.key unencrypted on disk; restrict access to the file.
  openssl req -x509 \
    -newkey rsa:2048 \
    -keyout example.key \
    -out example.crt \
    -days 365 \
    -nodes \
    -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=example.com"
  ```
- Create a new TLS secret in your cluster by calling `kubectl create secret` with your TLS certificate and private key files as the `--cert` and `--key` arguments:

  ```bash
  kubectl create secret tls example-cert \
    --cert="example.crt" \
    --key="example.key"
  ```
- To associate this TLS secret with the ingress controller, you must update the ingress controller’s ConfigMap. First, get the name of the ConfigMap by calling `kubectl get configmaps`. Below, the ConfigMap exists in the `haproxy-controller` namespace and is named `haproxy-kubernetes-ingress`:

  ```bash
  kubectl get configmaps --namespace haproxy-controller
  ```

  Output:

  ```text
  NAME                         DATA   AGE
  haproxy-kubernetes-ingress   0      15h
  ```
- Replace the ConfigMap with your own. You can either:

  - Call `kubectl edit configmap` to edit the existing ConfigMap:

    ```bash
    kubectl edit configmap --namespace haproxy-controller haproxy-kubernetes-ingress
    ```

    Then add an `ssl-certificate` field to the `data` section. Set it to your TLS secret’s namespace and name.

  or

  - Create a YAML file that replaces the ConfigMap. Set the `ssl-certificate` field in the `data` section to your TLS secret’s namespace and name.

    example-configmap.yaml

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: haproxy-kubernetes-ingress
      namespace: haproxy-controller
    data:
      ssl-certificate: "default/example-cert"
    ```

    Then deploy this to your Kubernetes cluster using `kubectl`.

    ```bash
    kubectl apply -f example-configmap.yaml
    ```

The ingress controller will now use your certificate when serving HTTPS traffic.
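
A pre-flight check for the steps above, added here as an example and not part of HAProxy's documentation or code: it confirms that the ConfigMap's `ssl-certificate` value points at a `kubernetes.io/tls` Secret whose `tls.crt` and `tls.key` hold PEM blocks of the right kind. The function names and sample objects are constructed for illustration, and the check assumes the `namespace/name` form shown on this page.

```python
import base64
import re
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(b64_value):
    """Decode one Secret data value; return its PEM block labels, or None."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return PEM_LABEL.findall(text)

def check_default_cert(configmap, secrets):
    """Return the problems found with the ConfigMap's ssl-certificate value."""
    ref = configmap.get("data", {}).get("ssl-certificate", "")
    if ref.count("/") != 1:
        return [f"ssl-certificate {ref!r} is not in namespace/name form"]
    namespace, name = ref.split("/")
    found = [s for s in secrets if (s["metadata"]["namespace"],
                                    s["metadata"]["name"]) == (namespace, name)]
    if not found:
        return [f"no Secret {name!r} in namespace {namespace!r}"]
    secret, problems = found[0], []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"Secret type is {secret.get('type')!r}, not kubernetes.io/tls")
    crt = pem_labels(secret.get("data", {}).get("tls.crt", ""))
    key = pem_labels(secret.get("data", {}).get("tls.key", ""))
    if not crt or any(label != "CERTIFICATE" for label in crt):
        problems.append("tls.crt does not hold only PEM CERTIFICATE blocks")
    if not key or not key[0].endswith("PRIVATE KEY"):
        problems.append("tls.key does not hold a PEM private key")
    return problems

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed objects shaped like `kubectl get ... -o json`; PEM bodies are placeholders.
SECRET = {
    "type": "kubernetes.io/tls",
    "metadata": {"namespace": "default", "name": "example-cert"},
    "data": {
        "tls.crt": b64("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"),
        "tls.key": b64("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"),
    },
}
CONFIGMAP = {"data": {"ssl-certificate": "default/example-cert"}}

print(check_default_cert(CONFIGMAP, [SECRET]) or "ok")
```

A reference such as `haproxy-controller/example-cert` fails this check when the Secret was created without `--namespace`, because `kubectl create secret` then places it in `default`.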
Configure a TLS certificate for an Ingress rule
This section describes how to configure a TLS certificate for a specific Ingress rule, which allows you to set a different certificate for each hostname.
- Acquire a TLS certificate and key. Be sure that your certificate and key files use the base64-encoded format.
- Create a new TLS secret in your cluster by calling `kubectl create secret` with your TLS certificate and private key files as the `--cert` and `--key` arguments.

  ```bash
  kubectl create secret tls example-cert \
    --cert="example.crt" \
    --key="example.key"
  ```
- Prepare an Ingress resource that sets the secret’s name as the `secretName` field’s value in the `tls` section. Note that you will specify the hostnames for which this certificate should apply. The hostnames in the `tls` section should match the hostnames in the `rules` section.

  example-ingress.yaml

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example-ingress
  spec:
    ingressClassName: haproxy
    tls:
    - secretName: example-cert
      hosts:
      - "example.com"
    rules:
    - host: "example.com"
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: example-service
              port:
                number: 8080
  ```

  Deploy it with `kubectl apply`:

  ```bash
  kubectl apply -f example-ingress.yaml
  ```

  The ingress controller will now use your certificate when serving HTTPS traffic for the `example.com` web application.
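
The hostname rule from the last step, as an added example (not part of HAProxy's documentation or code): it reports rule hosts that no `tls` entry lists and `tls` hosts that match no rule. It goes beyond the page by also handling wildcard hosts, which the Kubernetes Ingress API matches against a single DNS label; the function names and sample manifests are constructed for illustration.

```python
def covers(tls_host, rule_host):
    """True if a tls host entry covers a rule host; '*' spans one DNS label."""
    tls_host, rule_host = tls_host.lower(), rule_host.lower()
    if tls_host.startswith("*."):
        head, _, tail = rule_host.partition(".")
        return bool(head) and tail == tls_host[2:]
    return tls_host == rule_host

def check_ingress_hosts(ingress):
    """Return findings where the tls and rules sections of an Ingress disagree."""
    spec = ingress.get("spec", {})
    tls_entries = spec.get("tls", [])
    rule_hosts = [rule.get("host", "") for rule in spec.get("rules", [])]
    findings = []
    for host in rule_hosts:
        # Secrets whose tls entry lists this rule host (directly or by wildcard).
        secrets = {entry.get("secretName") for entry in tls_entries
                   if any(covers(h, host) for h in entry.get("hosts", []))}
        if not secrets:
            findings.append(f"rule host {host!r} is not listed under tls")
        elif len(secrets) > 1:
            findings.append(f"rule host {host!r} is covered by several secrets")
    for entry in tls_entries:
        for h in entry.get("hosts", []):
            if not any(covers(h, host) for host in rule_hosts):
                findings.append(
                    f"tls host {h!r} ({entry.get('secretName')}) matches no rule")
    return findings

# Constructed manifests as Python dicts (the shape of `kubectl get ingress -o json`).
GOOD = {"spec": {
    "tls": [{"secretName": "example-cert", "hosts": ["example.com"]}],
    "rules": [{"host": "example.com"}],
}}
DRIFTED = {"spec": {
    "tls": [{"secretName": "example-cert", "hosts": ["example.com"]},
            {"secretName": "wild-cert", "hosts": ["*.example.org"]}],
    "rules": [{"host": "example.com"}, {"host": "api.example.com"},
              {"host": "a.b.example.org"}],
}}

for name, manifest in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
    print(name, check_ingress_hosts(manifest) or "ok")
```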