Terminate SSL / TLS

In this section, you will learn how to configure SSL/TLS in HAProxy Kubernetes Ingress Controller.

HAProxy Kubernetes Ingress Controller can terminate SSL/TLS for services in your cluster, meaning it will handle encrypting traffic when it leaves the network and decrypting it when it enters. The ingress controller uses a self-signed TLS certificate by default, if you installed with Helm, but you can replace it with your own.

If all of your services reside under the same hostname, you may decide to configure just one TLS certificate. Or, you can set a certificate per Ingress rule. Note that the TLS certificate you use should match your web application’s hostname to be considered valid by web browsers.

Configure a TLS certificate for all services

To add a TLS certificate that applies to all backend services:

  1. Acquire a TLS certificate and key. Be sure that your certificate and key files use the base64-encoded (PEM) format.

    Want to try it out in a non-production environment? Use the following OpenSSL command to create your own self-signed certificate and key:

    openssl req -x509 \
      -newkey rsa:2048 \
      -keyout example.key \
      -out example.crt \
      -days 365 \
      -nodes \
      -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=example.com"

  2. Create a new TLS secret in your cluster by calling kubectl create secret with your TLS certificate and private key files as the --cert and --key arguments:

    kubectl create secret tls example-cert \
      --cert="example.crt" \
      --key="example.key"

  3. To associate this TLS secret with the ingress controller, you must update the ingress controller’s ConfigMap. First, get the name of the ConfigMap by calling kubectl get configmaps. Below, the ConfigMap exists in the haproxy-controller namespace and is named haproxy-kubernetes-ingress:

    kubectl get configmaps --namespace haproxy-controller

    output:
    NAME                         DATA   AGE
    haproxy-kubernetes-ingress   0      15h

  4. Replace the ConfigMap with your own. You can either:

    • Call kubectl edit configmap to edit the existing ConfigMap:

      kubectl edit configmap --namespace haproxy-controller haproxy-kubernetes-ingress

      Then add an ssl-certificate field to the data section. Set it to your TLS secret’s namespace and name.

    or

    • Create a YAML file that replaces the ConfigMap. Set the ssl-certificate field in the data section to your TLS secret’s namespace and name.

      example-configmap.yaml
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: haproxy-kubernetes-ingress
        namespace: haproxy-controller
      data:
        ssl-certificate: "default/example-cert"

      Then deploy this to your Kubernetes cluster using kubectl:

      kubectl apply -f example-configmap.yaml

    The ingress controller will now use your certificate when serving HTTPS traffic.

Configure a TLS certificate for an Ingress rule

This section describes how to configure a TLS certificate for a specific Ingress rule, which allows you to set a different certificate for each hostname.

  1. Acquire a TLS certificate and key. Be sure that your certificate and key files use the base64-encoded (PEM) format.

  2. Create a new TLS secret in your cluster by calling kubectl create secret with your TLS certificate and private key files as the --cert and --key arguments.

    kubectl create secret tls example-cert \
      --cert="example.crt" \
      --key="example.key"

  3. Prepare an Ingress resource that sets the secret’s name as the secretName field’s value in the tls section. Note that you will specify the hostnames for which this certificate should apply. The hostnames in the tls section should match the hostnames in the rules section.

    example-ingress.yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: example-ingress
    spec:
      ingressClassName: haproxy
      tls:
      - secretName: example-cert
        hosts:
        - "example.com"
      rules:
      - host: "example.com"
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 8080

    Deploy it with kubectl apply:

    kubectl apply -f example-ingress.yaml

    The ingress controller will now use your certificate when serving HTTPS traffic for the example.com web application.
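Both procedures above start from a certificate and key that must be in PEM format and must match the hostname the Ingress serves. The following shell functions are an added example, not part of the HAProxy documentation, that check those two conditions (plus expiry) with openssl before the files go into kubectl create secret tls. The helper make_selfsigned_cert repeats the tutorial's openssl command but adds a subjectAltName, because browsers ignore the CN when matching a hostname; it needs OpenSSL 1.1.1 or newer for -addext. Function names are this example's own.

```shell
# Added example (not from the HAProxy docs): pre-flight checks for a
# certificate/key pair before creating the TLS secret. Needs only openssl.

# Build a self-signed test certificate the way the tutorial does, adding a
# subjectAltName so that browsers, which ignore the CN, also accept the host.
# Arguments: output directory, hostname. Files: <dir>/<host>.crt and .key
make_selfsigned_cert() {
  dir="$1"; host="$2"
  openssl req -x509 \
    -newkey rsa:2048 \
    -keyout "$dir/$host.key" \
    -out "$dir/$host.crt" \
    -days 365 \
    -nodes \
    -subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Succeed only when both files parse as PEM and the private key is the one the
# certificate was issued for (identical SubjectPublicKeyInfo).
tls_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the certificate is valid for the hostname the Ingress rule will
# serve; openssl checks the SAN list first and falls back to the CN.
tls_cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Succeed when the certificate stays valid for at least N more seconds
# (default 30 days), so a certificate about to expire is not deployed.
tls_cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Run all checks; stop at the first failure and say which one it was.
# Arguments: certificate file, key file, hostname.
tls_preflight() {
  cert="$1"; key="$2"; host="$3"
  tls_pair_matches "$cert" "$key" \
    || { echo "key $key does not belong to certificate $cert"; return 1; }
  tls_cert_matches_host "$cert" "$host" \
    || { echo "certificate $cert is not valid for host $host"; return 1; }
  tls_cert_not_expiring "$cert" \
    || { echo "certificate $cert expires within 30 days"; return 1; }
  echo "ok: $cert matches $key and host $host"
}

# Usage, as a gate in front of the tutorial's step 2:
#   tls_preflight example.crt example.key example.com && \
#     kubectl create secret tls example-cert --cert=example.crt --key=example.key
```

Run tls_preflight once per hostname you list under tls.hosts; a certificate that passes tls_pair_matches but fails tls_cert_matches_host is exactly the "certificate does not match hostname" case the tutorial warns about, and the secret would still be created without complaint.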
