Updated on 2024-11-11 GMT+08:00

Configuring an HTTPS Certificate for an Nginx Ingress

HTTPS certificates can be configured for ingresses to provide security services.

  1. Use kubectl to access the cluster. For details, see Connecting to a Cluster Using kubectl.
  2. Ingress supports two TLS secret types: kubernetes.io/tls and IngressTLS. IngressTLS is used as an example. For details, see Creating a Secret. For details about examples of the kubernetes.io/tls secret and its description, see TLS secrets.

    Create a YAML file named ingress-test-secret.yaml. The file name can be customized.

    vi ingress-test-secret.yaml
    The YAML file is configured as follows:
    apiVersion: v1
    data:
      tls.crt: LS0******tLS0tCg==
      tls.key: LS0tL******0tLS0K
    kind: Secret
    metadata:
      annotations:
        description: test for ingressTLS secrets
      name: ingress-test-secret
      namespace: default
    type: IngressTLS

    In the preceding information, tls.crt and tls.key are only examples. Replace them with the actual files. The values of tls.crt and tls.key are Base64-encoded.

  3. Create a secret.

    kubectl create -f ingress-test-secret.yaml

    If information similar to the following is displayed, the secret has been created:

    secret/ingress-test-secret created

    Check the created secret.

    kubectl get secrets

    If information similar to the following is displayed, the secret has been created:

    NAME                         TYPE                                  DATA      AGE
    ingress-test-secret          IngressTLS                            2         13s

  4. Create a YAML file named ingress-test.yaml. The file name can be customized.

    vi ingress-test.yaml
    For clusters of v1.23 or later:
    apiVersion: networking.k8s.io/v1
    kind: Ingress 
    metadata: 
      name: ingress-test
      namespace: default
    spec:
      tls: 
      - hosts: 
        - foo.bar.com
        secretName: ingress-test-secret  # Replace it with your TLS key certificate.
      rules:
        - host: foo.bar.com
          http:
            paths:
              - path: /
                backend:
                  service:
                    name: <your_service_name>  # Replace it with the name of your target Service.
                    port:
                      number: <your_service_port>  # Replace it with the port number of your target Service.
                property:
                  ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
                pathType: ImplementationSpecific
      ingressClassName: nginx
    For clusters of v1.21 or earlier:
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress 
    metadata: 
      name: ingress-test
      annotations: 
        kubernetes.io/ingress.class: nginx
    spec:
      tls: 
      - hosts: 
        - foo.bar.com
        secretName: ingress-test-secret   # Replace it with your TLS key certificate.
      rules: 
      - host: foo.bar.com
        http: 
          paths: 
          - path: '/'
            backend: 
              serviceName: <your_service_name>  # Replace it with the name of your target Service.
              servicePort: <your_service_port>  # Replace it with the port number of your target Service.
      ingressClassName: nginx

  5. Create an ingress.

    kubectl create -f ingress-test.yaml

    If information similar to the following is displayed, the ingress has been created:

    ingress/ingress-test created

  6. Check the created ingress.

    kubectl get ingress

    If information similar to the following is displayed, the ingress has been created:

    NAME          CLASS   HOSTS     ADDRESS          PORTS   AGE
    ingress-test  nginx   *         121.**.**.**     80      10s

  7. Enter https://121.**.**.**:443 in the address box of the browser to access the workload (for example, Nginx workload).

    121.**.**.** indicates the IP address of the unified load balancer.