
TLS termination with Ingress in Kubernetes - Commands & Configuration

Introduction
When you want to secure your website or app with HTTPS, TLS termination with Ingress lets the Ingress controller handle the encryption and decryption. This means users connect over HTTPS, while your backend services receive plain HTTP, so the hop between the Ingress controller and the pods is unencrypted inside the cluster.
When you want to provide HTTPS access to your Kubernetes services without configuring TLS on each service.
When you want to centralize SSL certificate management in one place for multiple services.
When you want to offload the CPU-intensive TLS encryption from your backend pods.
When you want to use a trusted certificate from a certificate authority for your domain.
When you want to simplify your app deployment by handling TLS at the Ingress level.
Config File - ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

This Ingress resource defines TLS termination for the host example.com. The tls section points to a Kubernetes secret named example-tls that holds the TLS certificate and key. The rules section routes HTTP requests for example.com to the backend service example-service on port 80. The annotation nginx.ingress.kubernetes.io/ssl-redirect: "true" ensures HTTP requests are redirected to HTTPS.

Commands
Create a TLS secret named example-tls in Kubernetes using your certificate and private key files. This secret will be used by the Ingress for TLS termination.
kubectl create secret tls example-tls --cert=example.com.crt --key=example.com.key
Expected Output
secret/example-tls created
--cert - Path to the TLS certificate file
--key - Path to the TLS private key file
Apply the Ingress resource that configures TLS termination and routes traffic to your backend service.
kubectl apply -f ingress.yaml
Expected Output
ingress.networking.k8s.io/example-ingress created
Check the status of the Ingress resource to confirm it is created and has an address assigned.
kubectl get ingress example-ingress
Expected Output
NAME              CLASS    HOSTS         ADDRESS          PORTS    AGE
example-ingress   <none>   example.com   192.168.99.100   80,443   10s
Test the HTTPS connection to your domain to verify TLS termination is working and the certificate is served.
curl -I https://example.com
Expected Output
HTTP/1.1 200 OK
Server: nginx/1.21.0
Date: Thu, 01 Jun 2023 12:00:00 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
-I - Fetch only HTTP headers to check response status
Key Concept

If you remember nothing else from this pattern, remember: TLS termination at the Ingress lets your cluster handle HTTPS securely while your backend services use simple HTTP.

Common Mistakes
Not creating the TLS secret before applying the Ingress resource
The Ingress controller cannot find the certificate and key, so TLS termination fails and HTTPS won't work.
Always create the TLS secret with your certificate and key before applying the Ingress that references it.
Using the wrong secret name in the Ingress tls section
The Ingress controller looks for a secret that does not exist, so TLS termination fails.
Make sure the secretName in the Ingress matches exactly the name of the TLS secret you created.
Not adding the ssl-redirect annotation to redirect HTTP to HTTPS
Users can still access the site over insecure HTTP, which defeats the purpose of TLS termination.
Add the annotation nginx.ingress.kubernetes.io/ssl-redirect: "true" to force HTTPS.
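A pre-apply check for the three mistakes above, as an added example that is not part of the original page. It reads the Ingress and the namespace's Secrets as JSON and reports a missing or mistyped secretName and a missing ssl-redirect annotation; it also goes one step beyond the list by flagging rule hosts that spec.tls does not cover. The lint_ingress and host_covered helpers and both sample objects are assumptions constructed for illustration.

```python
import json

# Constructed sample: the page's Ingress in the JSON shape of `kubectl get ingress -o json`,
# with a misspelled secretName, a second host missing from spec.tls, and no annotation.
INGRESS = json.loads("""
{"metadata": {"name": "example-ingress", "namespace": "default"},
 "spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-tsl"}],
          "rules": [{"host": "example.com"}, {"host": "api.example.com"}]}}
""")
# Constructed sample: Secrets in the JSON shape of `kubectl get secrets -o json`.
SECRETS = json.loads("""
{"items": [{"metadata": {"name": "example-tls", "namespace": "default"},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER"}}]}
""")
REDIRECT = "nginx.ingress.kubernetes.io/ssl-redirect"

def host_covered(host, tls_hosts):
    """True on an exact match, or a wildcard entry that covers one extra left-most label."""
    parent = host.split(".", 1)[1] if "." in host else None
    return any(h == host or (h.startswith("*.") and h[2:] == parent) for h in tls_hosts)

def lint_ingress(ingress, secrets):
    """Return findings for the three mistakes listed above (hypothetical helper)."""
    findings = []
    meta, spec = ingress["metadata"], ingress.get("spec", {})
    ns = meta.get("namespace", "default")
    # Secrets are namespaced: only those in the Ingress's namespace can be referenced.
    in_ns = {s["metadata"]["name"]: s for s in secrets.get("items", [])
             if s["metadata"].get("namespace", "default") == ns}
    tls_hosts = []
    for entry in spec.get("tls", []):
        tls_hosts += entry.get("hosts", [])
        name = entry.get("secretName")
        secret = in_ns.get(name)
        if secret is None:
            findings.append(f"secret {name!r} not found in namespace {ns!r}")
        elif (secret.get("type") != "kubernetes.io/tls"
              or not {"tls.crt", "tls.key"} <= set(secret.get("data", {}))):
            findings.append(f"secret {name!r} is not a TLS secret with tls.crt and tls.key")
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and not host_covered(host, tls_hosts):
            findings.append(f"host {host!r} is not listed under spec.tls")
    if (meta.get("annotations") or {}).get(REDIRECT) != "true":
        findings.append(f'annotation {REDIRECT} is not set to "true"')
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ingress(INGRESS, SECRETS)) or "no findings")
```

To check a live cluster, replace the samples with the output of kubectl get ingress example-ingress -o json and kubectl get secrets -o json.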
Summary
Create a TLS secret in Kubernetes with your certificate and private key.
Apply an Ingress resource that references the TLS secret and routes traffic to your backend service.
Verify the Ingress is created and has an external address.
Test HTTPS access to confirm TLS termination is working.