Terminate SSL / TLS
In this section, you will learn how to configure SSL/TLS in HAProxy Kubernetes Ingress Controller.
HAProxy Kubernetes Ingress Controller can terminate SSL/TLS for services in your cluster, meaning it will handle encrypting traffic when it leaves the network and decrypting it when it enters. The ingress controller uses a self-signed SSL certificate by default, if you installed with Helm, but you can replace it with your own.
If all of your services reside under the same hostname, you may decide to configure just one SSL certificate. Or, you can set a certificate per Ingress rule. Note that the SSL certificate you use should match your web application’s hostname to be considered valid by web browsers.
Configure an SSL certificate for all services
To add an SSL/TLS certificate that applies to all backend services:

- Acquire a TLS certificate and key. Be sure that your certificate and key files are in PEM format (base64-encoded text between BEGIN and END markers).

  Want to try it out in a non-production environment? Use the following OpenSSL command to create your own self-signed certificate and key:

      $ openssl req -x509 \
          -newkey rsa:2048 \
          -keyout example.key \
          -out example.crt \
          -days 365 \
          -nodes \
          -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=example.com"

- Create a new TLS secret in your cluster by calling kubectl create secret with your SSL certificate and private key files as the --cert and --key arguments.

      $ kubectl create secret tls example-cert \
          --cert="example.crt" \
          --key="example.key"

- To associate this TLS secret with the ingress controller, you must update the ingress controller’s ConfigMap. First, get the name of the ConfigMap by calling kubectl get configmaps. Below, the ConfigMap exists in the haproxy-controller namespace and is named haproxy-kubernetes-ingress.

      $ kubectl get configmaps --namespace haproxy-controller
      NAME                         DATA   AGE
      haproxy-kubernetes-ingress   0      15h

- Replace the ConfigMap with your own. You can either:

  - Call kubectl edit configmap to edit the existing ConfigMap:

        $ kubectl edit configmap --namespace haproxy-controller haproxy-kubernetes-ingress

    Then add an ssl-certificate field to the data section. Set it to your TLS secret’s namespace and name.

  or

  - Create a YAML file that replaces the ConfigMap. Set the ssl-certificate field in the data section to your TLS secret’s namespace and name.

    example-configmap.yaml

        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: haproxy-kubernetes-ingress
          namespace: haproxy-controller
        data:
          ssl-certificate: "default/example-cert"

    Then deploy this to your Kubernetes cluster using kubectl:

        $ kubectl apply -f example-configmap.yaml

The ingress controller will now use your certificate when serving HTTPS traffic.
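The steps above create two objects: a Secret of type kubernetes.io/tls (which is what `kubectl create secret tls` produces: the PEM files base64-encoded under the keys tls.crt and tls.key) and a ConfigMap whose ssl-certificate field points at that Secret as namespace/name. The following Python script is an added example, not code from the HAProxy documentation or the ingress controller project. It builds both objects from PEM input, checks that the input really is PEM and that the secret reference has the namespace/name shape, and emits them as a JSON List that `kubectl apply -f -` accepts. The PEM blobs are constructed placeholders with no real key material; in a real run you would read example.crt and example.key from disk. The names example-cert, default, haproxy-kubernetes-ingress and haproxy-controller are the ones used on this page.

```python
import base64
import json

# Constructed placeholder PEM blobs standing in for example.crt and example.key.
# The bodies are valid base64 but carry no real key material (assumption for the demo).
SAMPLE_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(b"constructed placeholder, not a real private key").decode()
    + "\n-----END PRIVATE KEY-----\n"
)

# PEM labels kubectl accepts for the key file (PKCS#8, PKCS#1 RSA, SEC1 EC).
KEY_PEM_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def is_pem(text, labels):
    """True if `text` is one PEM block whose BEGIN/END label is in `labels` and
    whose body decodes as base64 (this is what 'base64-encoded format' means)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3:
        return False
    for label in labels:
        if lines[0] == f"-----BEGIN {label}-----" and lines[-1] == f"-----END {label}-----":
            try:
                base64.b64decode("".join(lines[1:-1]), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return False
            return True
    return False


def tls_secret_manifest(name, namespace, crt_pem, key_pem):
    """The Secret that `kubectl create secret tls NAME --cert --key` creates:
    type kubernetes.io/tls, PEM files base64-encoded under tls.crt and tls.key."""
    if not is_pem(crt_pem, ("CERTIFICATE",)):
        raise ValueError("certificate is not a PEM CERTIFICATE block")
    if not is_pem(key_pem, KEY_PEM_LABELS):
        raise ValueError("key is not a PEM private key block")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(crt_pem.encode()).decode(),
            "tls.key": base64.b64encode(key_pem.encode()).decode(),
        },
    }


def secret_pem(manifest, key):
    """Decode one data entry of a TLS Secret back to PEM (what the controller loads)."""
    return base64.b64decode(manifest["data"][key]).decode()


def parse_secret_ref(ref):
    """Validate the 'namespace/name' form the ssl-certificate field expects."""
    parts = ref.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"ssl-certificate must be 'namespace/name', got {ref!r}")
    return parts[0], parts[1]


def ingress_configmap_manifest(secret_ref, cm_name="haproxy-kubernetes-ingress",
                               cm_namespace="haproxy-controller"):
    """ConfigMap that points the controller at the TLS Secret. The ConfigMap name
    and namespace must match what `kubectl get configmaps` shows in your cluster."""
    parse_secret_ref(secret_ref)  # fail early on a malformed reference
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": cm_name, "namespace": cm_namespace},
        "data": {"ssl-certificate": secret_ref},
    }


def render_manifests(*objects):
    """Emit a v1 List so both objects can be applied with one `kubectl apply -f -`."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(objects)}, indent=2)


if __name__ == "__main__":
    secret = tls_secret_manifest("example-cert", "default", SAMPLE_CRT, SAMPLE_KEY)
    configmap = ingress_configmap_manifest("default/example-cert")
    print(render_manifests(secret, configmap))
```

Piping the output into `kubectl apply -f -` is equivalent to running the `kubectl create secret tls` and `kubectl apply -f example-configmap.yaml` commands above, with the difference that the PEM check runs before anything reaches the cluster.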
Configure an SSL certificate for an Ingress rule
This section describes how to configure an SSL/TLS certificate for a specific Ingress rule, which allows you to set a different certificate for each hostname.
- Acquire a TLS certificate and key. Be sure that your certificate and key files are in PEM format (base64-encoded text between BEGIN and END markers).

- Create a new TLS secret in your cluster by calling kubectl create secret with your SSL certificate and private key files as the --cert and --key arguments.

      $ kubectl create secret tls example-cert \
          --cert="example.crt" \
          --key="example.key"

- Prepare an Ingress resource that declares the secret as the secretName field in the tls section. Note that you will specify the hosts for which this certificate should apply. The hostnames in the tls section should match the hostnames in the rules section.

  example-ingress.yaml

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: example-ingress
      spec:
        tls:
          - secretName: example-cert
            hosts:
              - "example.com"
        rules:
          - host: "example.com"
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: example-service
                      port:
                        number: 8080

  Deploy it with kubectl apply:

      $ kubectl apply -f example-ingress.yaml

The ingress controller will now use your certificate when serving HTTPS traffic for the example.com web application.
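The requirement that the hostnames in the tls section match those in the rules section is easy to break when an Ingress grows beyond one host: a tls host with no rule never gets served, and a rule host with no tls entry falls back to the controller's default certificate (the self-signed one, or whatever the ConfigMap's ssl-certificate points at). The following Python script is an added example, not code from the HAProxy documentation or the ingress controller project. It builds the Ingress shown above and checks a manifest for exactly those mismatches before it is applied; it goes a little beyond the page by treating a single-label wildcard host (`*.example.com`) as covering `www.example.com`, the way browsers validate wildcard certificates. The names example-ingress, example-cert, example-service and example.com are the ones used on this page; `www.example.com` in the mismatch check is a constructed sample.

```python
import json


def ingress_manifest(name, host, secret_name, service_name, service_port, path="/"):
    """Ingress with one tls entry naming the Secret for `host` and a matching rule."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name},
        "spec": {
            "tls": [{"secretName": secret_name, "hosts": [host]}],
            "rules": [{
                "host": host,
                "http": {"paths": [{
                    "path": path,
                    "pathType": "Prefix",
                    "backend": {"service": {"name": service_name,
                                            "port": {"number": service_port}}},
                }]},
            }],
        },
    }


def host_covered(rule_host, tls_host):
    """Exact match, or a single-label wildcard: '*.example.com' covers
    'www.example.com' but not 'a.b.example.com' or 'example.com' itself."""
    rule_host, tls_host = rule_host.lower(), tls_host.lower()
    if rule_host == tls_host:
        return True
    if tls_host.startswith("*.") and "." in rule_host:
        return rule_host.split(".", 1)[1] == tls_host[2:]
    return False


def tls_problems(ingress):
    """Return a list of human-readable mismatches between spec.tls and spec.rules.
    An empty list means every tls host has a rule, every rule host has a
    certificate, and every tls entry names a Secret."""
    spec = ingress.get("spec", {})
    rule_hosts = [r["host"] for r in spec.get("rules", []) if r.get("host")]
    tls_hosts = []
    problems = []
    for i, entry in enumerate(spec.get("tls", [])):
        if not entry.get("secretName"):
            problems.append(f"tls[{i}]: missing secretName")
        for h in entry.get("hosts", []):
            tls_hosts.append(h)
            if not any(host_covered(r, h) for r in rule_hosts):
                problems.append(f"tls[{i}]: host {h!r} matches no rules host")
    for r in rule_hosts:
        if not any(host_covered(r, h) for h in tls_hosts):
            problems.append(f"rules: host {r!r} has no tls entry, "
                            "the controller's default certificate will be used")
    return problems


if __name__ == "__main__":
    ing = ingress_manifest("example-ingress", "example.com", "example-cert",
                           "example-service", 8080)
    print(json.dumps(ing, indent=2))
    print("problems:", tls_problems(ing))  # [] for the manifest on this page
```

Run `tls_problems` over any Ingress you load from YAML or JSON (the function only needs the parsed dict) as a pre-apply check; the same mismatch is what you would look for first when a browser reports the wrong certificate for a host that does have a tls entry.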