Kubernetes Ingress TLS
An Ingress is a Kubernetes resource that lets you define a reverse proxy that exposes services in your cluster to anything outside your container, including internal infrastructure or the internet.
To enable this type of connection, you can specify a kubernetes.io/tls
Secret (aka a TLS Secret) for your Ingress to use for TLS (see the official Kubernetes docs for more).
What's a TLS Secret?
A kubernetes.io/tls
Secret is a Kubernetes object type designed to hold an X.509 certificate (tls.crt) and private key (tls.key) for use with TLS. Like other Secrets, TLS Secrets can be mounted into pods, read/written by clients with appropriate access, and can be referenced by some other resources.
An Admission Controller intercepts requests to the Kubernetes API server and are used to limit requests to create, delete, modify objects or connect to proxy. For example, the Nginx Admission Controller will reconfigure Nginx for you.
An Ingress Controller is a type of Admission Controller that gets called when an Ingress
resource is created, updated, or deleted, and manages the proxy.
When connecting anything outside Kubernetes to services inside Kubernetes, we recommend securing your Ingress resources by using Smallstep Certificate Manager in combination with step-issuer
and Kubernetes’ cert-manager utility. You can find the detailed instructions here.
We often talk with users who want to enable mutual TLS authentication (mTLS) for these connections. To add mutual TLS, in addition to issuing server certificates for your Ingress Controllers, you need to issue certificates to the clients connecting into your Kubernetes cluster. These clients could be humans, applications using an API, external services, or any other workload that needs to interact with the cluster.
The Smallstep toolchain is designed to provide reach to all the things in your system. We can automate the issuance and renewal of certificates to secure all your mutual TLS connections. We make it easy to connect users to single sign-on, or unlock the power of internal ACME for automation. Have Questions? We are here to help. Just reach out and ask.
This content is designed to help you configure Kubernetes to use private certificates. If you are looking to enable publicly trusted certificates to connect your cluster to the internet, we recommend using Let’s Encrypt with Kubernetes cert-manager.