TLS for Ingress/Gateway

TLS (Transport Layer Security) encrypts traffic between clients and your Kubernetes services. It’s essential for protecting sensitive data in transit.

Why TLS?

TLS provides:

  • Encryption - Data is encrypted in transit
  • Authentication - Verifies server identity
  • Integrity - Detects tampering
  • Compliance - Required by many regulations

TLS for Ingress

Basic TLS Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

Create TLS Secret

kubectl create secret tls tls-secret \
  --cert=tls.crt \
  --key=tls.key
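A host that appears in spec.rules but not in any spec.tls entry gets no certificate from this Ingress, so it is worth checking the two lists against each other before applying the manifest. The following is an added example, not code from the original page: it takes the manifest as a plain dict (what yaml.safe_load returns) and the sample manifest is constructed for the demo.

```python
"""Check an Ingress manifest for hosts that no spec.tls entry covers.

Assumption: the manifest is passed as a plain dict (as yaml.safe_load would
return it), so no YAML library is needed and the check runs offline.
"""
from __future__ import annotations


def _host_covered(host: str, tls_host: str) -> bool:
    """True if `tls_host` (exact name or single-label wildcard) covers `host`."""
    if tls_host.startswith("*."):
        # A wildcard matches exactly one extra label: *.example.com covers
        # api.example.com but neither example.com nor a.b.example.com.
        suffix = tls_host[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == tls_host


def plaintext_hosts(ingress: dict) -> list[str]:
    """Return hosts from spec.rules that no spec.tls entry covers."""
    spec = ingress.get("spec", {})
    tls_hosts = [h for entry in spec.get("tls", []) for h in entry.get("hosts", [])]
    rule_hosts = [r["host"] for r in spec.get("rules", []) if "host" in r]
    return [h for h in rule_hosts if not any(_host_covered(h, t) for t in tls_hosts)]


def tls_entries_without_secret(ingress: dict) -> list[list[str]]:
    """Host lists of spec.tls entries that name no secretName (the controller
    would fall back to its default certificate for those hosts)."""
    return [e.get("hosts", []) for e in ingress.get("spec", {}).get("tls", [])
            if not e.get("secretName")]


# Constructed sample manifest: three rule hosts, spec.tls covers only two.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "tls-ingress"},
    "spec": {
        "tls": [{"hosts": ["example.com", "*.example.com"], "secretName": "tls-secret"}],
        "rules": [
            {"host": "example.com", "http": {"paths": []}},
            {"host": "api.example.com", "http": {"paths": []}},
            {"host": "legacy.example.org", "http": {"paths": []}},
        ],
    },
}

if __name__ == "__main__":
    for host in plaintext_hosts(SAMPLE_INGRESS):
        print(f"WARNING: {host} is routed but no spec.tls entry covers it")
    for hosts in tls_entries_without_secret(SAMPLE_INGRESS):
        print(f"WARNING: tls entry for {hosts} has no secretName")
```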

cert-manager

cert-manager automates certificate management:

Install

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml

Create ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com  # placeholder: replace with the address that should receive ACME expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Use in Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

Gateway API TLS

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-gateway
spec:
  gatewayClassName: example-gateway-class  # required field; placeholder, use the GatewayClass your controller registers
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: tls-secret
    allowedRoutes:
      namespaces:
        from: All

mTLS

Mutual TLS authenticates both client and server. The Istio policy below enforces it for workload-to-workload traffic inside the mesh in the production namespace; it does not by itself require client certificates from external clients at the Ingress or Gateway edge.

Istio mTLS

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

Best Practices

  1. Use cert-manager - Automate certificate management
  2. Enable TLS everywhere - Encrypt all external traffic
  3. Use strong ciphers - Configure secure TLS settings
  4. Rotate certificates - Keep certificates up to date
  5. Monitor expiration - Alert before certificates expire

See Also