How to Use SSL Certificate with Kubernetes Ingress
To use an SSL certificate with Kubernetes Ingress, create a Secret containing your TLS certificate and key, then reference this secret in your Ingress resource under the tls section. This enables HTTPS traffic to your services through the Ingress controller.
Syntax
The main parts to use SSL with Ingress are:
- Secret: Stores the TLS certificate and private key.
- Ingress tls section: References the secret and specifies the host(s) for HTTPS.
- Ingress rules: Define the host and backend service.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-cert>
  tls.key: <base64-encoded-key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
```
Example
This example shows how to create a TLS secret from certificate files and configure an Ingress to use it for HTTPS on example.com.
```bash
# Create TLS secret from cert files
kubectl create secret tls tls-secret --cert=./tls.crt --key=./tls.key
```
```yaml
# Ingress YAML file (ingress.yaml)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
```
```bash
# Apply the ingress
kubectl apply -f ingress.yaml
```
Output
secret/tls-secret created
ingress.networking.k8s.io/example-ingress created
Common Pitfalls
- Not creating the TLS secret before referencing it in the Ingress causes errors.
- Using incorrect secret type; it must be kubernetes.io/tls.
- Forgetting to specify the correct host in both the tls.hosts and rules.host fields.
- Not enabling SSL redirect annotation if you want HTTP to redirect to HTTPS.
- Certificate and key must be valid and base64 encoded if created manually.
Wrong secret type example:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
# type should be kubernetes.io/tls but is generic here
# This will cause Ingress to ignore the TLS secret
type: Opaque
```
Correct secret type:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
type: kubernetes.io/tls
# tls.crt and tls.key must be present
```
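The pitfalls above can be checked before a manifest is applied. The following is an added example, not part of the original page: a small linter over Secret and Ingress objects shaped like `kubectl get -o json` items. The function names and sample objects are hypothetical, and it checks only base64 and PEM framing, not certificate validity or whether the key matches the certificate.

```python
import base64

def pem_framed(b64_value, label):
    """True if the value base64-decodes to text that opens with a PEM header for label."""
    try:
        text = base64.b64decode(b64_value or "", validate=True).decode("ascii").strip()
    except (ValueError, UnicodeDecodeError):
        return False
    return text.startswith("-----BEGIN ") and text.splitlines()[0].endswith(label + "-----")

def covers(tls_host, host):  # exact match, or a single-label wildcard such as *.example.com
    return tls_host == host or (tls_host.startswith("*.") and host.split(".", 1)[1:] == [tls_host[2:]])

def lint_tls(objects):
    """Check Secret/Ingress dicts (shaped like `kubectl get -o json` items) for the pitfalls above."""
    secrets = {(o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
               for o in objects if o["kind"] == "Secret"}
    findings = []
    for ing in (o for o in objects if o["kind"] == "Ingress"):
        ns, name = ing["metadata"].get("namespace", "default"), ing["metadata"]["name"]
        tls_hosts = []
        for entry in ing["spec"].get("tls", []):
            tls_hosts += entry.get("hosts", [])
            secret = secrets.get((ns, entry.get("secretName")))
            if secret is None:  # the Secret must exist in the Ingress's own namespace
                findings.append(f"{name}: secret {entry.get('secretName')} not found in namespace {ns}")
                continue
            if secret.get("type") != "kubernetes.io/tls":
                findings.append(f"{name}: secret type is {secret.get('type')}, expected kubernetes.io/tls")
            for key, label in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
                if not pem_framed(secret.get("data", {}).get(key), label):
                    findings.append(f"{name}: {key} is missing or is not base64-encoded PEM")
        for rule in ing["spec"].get("rules", []):
            host = rule.get("host")
            if host and not any(covers(t, host) for t in tls_hosts):
                findings.append(f"{name}: rule host {host} is not covered by tls.hosts")
    return findings

def fake_pem(label):  # constructed placeholder, not real key material
    return base64.b64encode(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n".encode()).decode()

# Constructed sample: wrong secret type, a raw (non-base64) key, and a host mismatch.
SAMPLE = [
    {"kind": "Secret", "type": "Opaque", "metadata": {"name": "tls-secret", "namespace": "default"},
     "data": {"tls.crt": fake_pem("CERTIFICATE"), "tls.key": "-----BEGIN PRIVATE KEY-----"}},
    {"kind": "Ingress", "metadata": {"name": "example-ingress"},
     "spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-secret"}], "rules": [{"host": "www.example.com"}]}},
]
print("\n".join(lint_tls(SAMPLE)))
```

An empty list from `lint_tls` means none of these pitfalls were found; whether the certificate is trusted, unexpired and paired with the key still has to be verified separately.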
Quick Reference
Remember these key points when using SSL with Ingress:
- Create a TLS secret with kubectl create secret tls.
- Reference the secret in the Ingress tls section.
- Match the host in tls.hosts and rules.host.
- Use annotations like nginx.ingress.kubernetes.io/ssl-redirect: "true" to enforce HTTPS.
- Ensure your Ingress controller supports TLS (e.g., NGINX Ingress Controller).
Key Takeaways
Create a Kubernetes TLS secret with your certificate and key before using it in Ingress.
Reference the TLS secret in the Ingress resource under the tls section with matching hosts.
Use the correct secret type kubernetes.io/tls for SSL certificates.
Add SSL redirect annotations to force HTTPS if desired.
Ensure your Ingress controller supports TLS termination.