How to Use TLS with Kubernetes Ingress for Secure Traffic
To use TLS with Kubernetes Ingress, create a TLS secret containing your certificate and key, then reference this secret in the tls section of your Ingress manifest. This enables encrypted HTTPS traffic to your services through the Ingress controller.
Syntax
The tls section in an Ingress manifest specifies the hosts and the secret that holds the TLS certificate and private key. The key parts are:
- hosts: List of domain names to secure.
- secretName: Name of the Kubernetes secret containing the TLS certificate and key.
The secret must be of type kubernetes.io/tls, must contain tls.crt and tls.key data entries, and must live in the same namespace as the Ingress that references it.
yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
Example
This example shows how to create a TLS secret from certificate files and use it in an Ingress resource to enable HTTPS for myapp.example.com.
bash/yaml
# Create TLS secret from certificate and key files
kubectl create secret tls myapp-tls-secret --cert=./tls.crt --key=./tls.key
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
spec:
  tls:
  - hosts:
    - myapp.example.com
    secretName: myapp-tls-secret
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-service
            port:
              number: 80
Output
secret/myapp-tls-secret created
ingress.networking.k8s.io/myapp-ingress created
Common Pitfalls
Common mistakes when using TLS with Ingress include:
- Not creating the TLS secret, or using the wrong secret name in the Ingress tls.secretName.
- Using a secret with the wrong type, or one missing the tls.crt and tls.key keys.
- Forgetting to specify the correct host in both the tls.hosts and rules.host sections.
- Not configuring the Ingress controller to support TLS, or missing necessary annotations.
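The first three pitfalls can be caught before anything is applied. The following offline check is an added example, not code from the original page: it takes an Ingress and the Secrets of its namespace as plain dicts (the shape kubectl get -o json returns) and reports a missing or misnamed secret, a wrong secret type, absent tls.crt/tls.key keys, and hosts that differ between tls.hosts and rules.host. The sample manifests and Secrets are constructed for the demo.

```python
TLS_TYPE = "kubernetes.io/tls"
REQUIRED_KEYS = ("tls.crt", "tls.key")

def lint_ingress_tls(ingress, secrets):
    """Findings for one Ingress dict (kubectl -o json shape); secrets: name -> Secret dict."""
    name = ingress["metadata"]["name"]
    spec = ingress.get("spec", {})
    findings, tls_hosts = [], set()
    for entry in spec.get("tls", []):
        tls_hosts.update(entry.get("hosts", []))
        secret_name = entry.get("secretName")
        secret = secrets.get(secret_name)  # secrets must come from the Ingress's namespace
        if secret is None:  # pitfall: secret not created or secretName misspelled
            findings.append(f"{name}: secret '{secret_name}' not found")
            continue
        if secret.get("type") != TLS_TYPE:  # pitfall: wrong secret type
            findings.append(f"{name}: secret '{secret_name}' has type '{secret.get('type')}', expected '{TLS_TYPE}'")
        missing = [k for k in REQUIRED_KEYS if k not in secret.get("data", {})]
        if missing:  # pitfall: tls.crt / tls.key absent
            findings.append(f"{name}: secret '{secret_name}' missing keys {missing}")
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    for host in sorted(rule_hosts - tls_hosts):  # pitfall: tls.hosts and rules.host differ
        findings.append(f"{name}: rule host '{host}' not covered by tls.hosts")
    for host in sorted(tls_hosts - rule_hosts):
        findings.append(f"{name}: tls host '{host}' has no matching rule")
    return findings

def make_ingress(name, tls_host, rule_host, secret_name):
    """Constructed sample Ingress mirroring the manifests on this page."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name},
            "spec": {"tls": [{"hosts": [tls_host], "secretName": secret_name}],
                     "rules": [{"host": rule_host, "http": {"paths": [
                         {"path": "/", "pathType": "Prefix"}]}}]}}

# Constructed sample Secrets; real `data` values are base64, "..." stands in here.
SAMPLE_SECRETS = {
    "example-tls-secret": {"type": TLS_TYPE, "data": {"tls.crt": "...", "tls.key": "..."}},
    "opaque-secret": {"type": "Opaque", "data": {"tls.crt": "...", "tls.key": "..."}},
    "half-secret": {"type": TLS_TYPE, "data": {"tls.crt": "..."}},
}
GOOD = make_ingress("good-ingress", "example.com", "example.com", "example-tls-secret")
BAD_NAME = make_ingress("bad-ingress", "example.com", "example.com", "wrong-secret-name")
BAD_TYPE = make_ingress("bad-type", "example.com", "example.com", "opaque-secret")
BAD_KEYS = make_ingress("bad-keys", "example.com", "example.com", "half-secret")
BAD_HOST = make_ingress("bad-host", "example.com", "www.example.com", "example-tls-secret")

if __name__ == "__main__":
    for ing in (GOOD, BAD_NAME, BAD_TYPE, BAD_KEYS, BAD_HOST):
        print(ing["metadata"]["name"], lint_ingress_tls(ing, SAMPLE_SECRETS) or "ok")
```

To run it against a live namespace, feed it the output of kubectl get ingress,secret -o json instead of the constructed samples.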
Example of a wrong secret reference and the fix:
yaml
# Wrong secret name (typo)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: wrong-secret-name
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
---
# Correct secret name
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
Quick Reference
Tips for using TLS with Kubernetes Ingress:
- Always create a TLS secret with kubectl create secret tls before referencing it.
- Match the hosts in the tls section with the rules.host.
- Check your Ingress controller documentation for any required annotations to enable TLS.
- Use valid certificates trusted by clients or use Let's Encrypt with cert-manager for automation.
Key Takeaways
- Create a TLS secret with your certificate and key before using it in Ingress.
- Reference the TLS secret in the Ingress tls.secretName and specify matching hosts.
- Ensure your Ingress controller supports TLS and is properly configured.
- Match hosts in both tls.hosts and rules.host sections exactly.
- Use trusted certificates or automate with cert-manager for production setups.