Terminate SSL / TLS

In this section, you will learn how to configure SSL/TLS in HAProxy Kubernetes Ingress Controller.

HAProxy Kubernetes Ingress Controller can terminate SSL/TLS for services in your cluster, meaning it will handle encrypting traffic when it leaves the network and decrypting it when it enters. The ingress controller uses a self-signed TLS certificate by default, if you installed with Helm, but you can replace it with your own.

If all of your services reside under the same hostname, you may decide to configure just one TLS certificate. Or, you can set a certificate per Ingress rule. Note that the TLS certificate you use should match your web application’s hostname to be considered valid by web browsers.

Configure a TLS certificate for all services Jump to heading #

To add a TLS certificate that applies to all backend services:

1. Acquire a TLS certificate and key. Be sure that your certificate and key files use the base64-encoded format.

   Want to try it out in a non-production environment? Use the following OpenSSL command to create your own self-signed certificate and key:

   bash
   openssl req -x509 \
     -newkey rsa:2048 \
     -keyout example.key \
     -out example.crt \
     -days 365 \
     -nodes \
     -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=example.com"

   bash
   openssl req -x509 \
     -newkey rsa:2048 \
     -keyout example.key \
     -out example.crt \
     -days 365 \
     -nodes \
     -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=example.com"

2. Create a new TLS secret in your cluster by calling kubectl create secret with your TLS certificate and private key files as the --cert and --key arguments:

   bash
   kubectl create secret tls example-cert \
     --cert="example.crt" \
     --key="example.key"

   bash
   kubectl create secret tls example-cert \
     --cert="example.crt" \
     --key="example.key"

3. To associate this TLS secret with the ingress controller, you must update the ingress controller’s ConfigMap. First, get the name of the ConfigMap by calling kubectl get configmaps. Below, the ConfigMap exists in the haproxy-controller namespace and is named haproxy-kubernetes-ingress:

   bash
   kubectl get configmaps --namespace haproxy-controller

   bash
   kubectl get configmaps --namespace haproxy-controller

   output
   bash
   NAME                         DATA   AGE
   haproxy-kubernetes-ingress   0      15h

   output
   bash
   NAME                         DATA   AGE
   haproxy-kubernetes-ingress   0      15h

4. Replace the ConfigMap with your own. You can either:

   • Call kubectl edit configmap to edit the existing ConfigMap:

     bash
     kubectl edit configmap --namespace haproxy-controller haproxy-kubernetes-ingress

     bash
     kubectl edit configmap --namespace haproxy-controller haproxy-kubernetes-ingress

     Then add an ssl-certificate field to the data section. Set it to your TLS secret’s namespace and name.

   or

   • Create a YAML file that replaces the ConfigMap. Set the ssl-certificate field in the data section to your TLS secret’s namespace and name.

     example-configmap.yaml
     yaml
     apiVersion: v1
     kind: ConfigMap
     metadata:
       name: haproxy-kubernetes-ingress
       namespace: haproxy-controller
     data:
       ssl-certificate: "default/example-cert"

     example-configmap.yaml
     yaml
     apiVersion: v1
     kind: ConfigMap
     metadata:
       name: haproxy-kubernetes-ingress
       namespace: haproxy-controller
     data:
       ssl-certificate: "default/example-cert"

     Then deploy this to your Kubernetes cluster using kubectl.

     bash
     kubectl apply -f example-configmap.yaml

     bash
     kubectl apply -f example-configmap.yaml

   The ingress controller will now use your certificate when serving HTTPS traffic.

Configure a TLS certificate for an Ingress rule Jump to heading #

This section describes how to configure an TLS certificate for a specific Ingress rule, which allows you to set a different certificate for each hostname.

1. Acquire a TLS certificate and key. Be sure that your certificate and key files use the base64-encoded format.

2. Create a new TLS secret in your cluster by calling kubectl create secret with your TLS certificate and private key files as the --cert and --key arguments.

   bash
   kubectl create secret tls example-cert \
     --cert="example.crt" \
     --key="example.key"

   bash
   kubectl create secret tls example-cert \
     --cert="example.crt" \
     --key="example.key"

3. Prepare an Ingress resource that sets the secret’s name as the secretName field’s value in the tls section. Note that you will specify the hostnames for which this certificate should apply. The hostnames in the tls section should match the hostnames in the rules section.

   example-ingress.yaml
   yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: example-ingress
   spec:
     ingressClassName: haproxy
     tls:
     - secretName: example-cert
       hosts:
       - "example.com"
     rules:
     - host: "example.com"
       http:
         paths:
         - path: /
           pathType: Prefix
           backend:
             service:
               name: example-service
               port:
                 number: 8080

   example-ingress.yaml
   yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: example-ingress
   spec:
     ingressClassName: haproxy
     tls:
     - secretName: example-cert
       hosts:
       - "example.com"
     rules:
     - host: "example.com"
       http:
         paths:
         - path: /
           pathType: Prefix
           backend:
             service:
               name: example-service
               port:
                 number: 8080

   Deploy it with kubectl apply:

   bash
   kubectl apply -f example-ingress.yaml

   bash
   kubectl apply -f example-ingress.yaml

   The ingress controller will now use your certificate when serving HTTPS traffic for the example.com web application.