Configuring TLS for Kubernetes Ingress: Best Practices and YAML Example
The cluster was exposed, and the fix could not wait.
Ingress resources with proper TLS configuration are the lock and key of secure Kubernetes traffic. Configure them wrong, and you open the door to attackers, failed connections, and broken deployments. Configure them right, and every packet passes in full encryption, verified at the edge.
What is an Ingress Resource with TLS?
In Kubernetes, an Ingress defines how external traffic reaches your services. Adding TLS to an Ingress means the controller terminates HTTPS at the edge, serving certificates that authenticate your domain and encrypt data in transit. The YAML specifies your secret name and matching hosts, giving the controller everything it needs to establish secure SSL connections.
Core YAML Structure for TLS in Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    # Legacy class selector; deprecated since Kubernetes 1.18 in favor of spec.ingressClassName
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-secret   # Secret of type kubernetes.io/tls holding tls.crt and tls.key
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
The spec.tls block binds your certificate to the host. The secretName must match a Kubernetes Secret containing tls.crt and tls.key. Store these securely, generated from a trusted CA or via cert-manager automation.
Annotations and Controller Behavior
Ingress controllers like NGINX or Traefik apply TLS settings differently. NGINX honors nginx.ingress.kubernetes.io/ssl-redirect, which upgrades HTTP requests to HTTPS for hosts that have a tls entry, and nginx.ingress.kubernetes.io/force-ssl-redirect, which enforces the redirect regardless. Use nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" when your upstream also speaks TLS.
Best Practices for TLS Configuration in Ingress
- Use strong cipher suites configured through your controller’s settings.
- Automate certificate renewal with cert-manager.
- Match Ingress hosts exactly to your certificate’s CN or SAN.
- Enable HTTP/2 for performance—most controllers allow this via annotations.
- Test using curl -vk https://your-domain and confirm full handshake success. Because -k skips certificate verification, repeat the request without -k to confirm the chain is trusted by ordinary clients.
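The Secret and host-matching requirements above (secretName pointing at a kubernetes.io/tls Secret with tls.crt and tls.key, and Ingress hosts covered by the certificate's SAN) can be linted before you apply the manifest. The following is an added example, not code from the post: it assumes the Ingress and Secret have been loaded into dicts (for instance from kubectl get -o json) and that the SAN list was read from tls.crt beforehand with openssl; all inputs below are constructed.

```python
# Added pre-deploy lint for an Ingress TLS block (constructed inputs; not the post's code).
# SAN names are assumed to come from: openssl x509 -in tls.crt -noout -ext subjectAltName
import base64

def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style: a wildcard covers exactly one leftmost label (not the apex)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return san == host

def lint_ingress_tls(ingress: dict, secrets: dict, cert_sans: dict) -> list:
    """Return problems found; secrets: name -> Secret dict, cert_sans: name -> SAN list."""
    problems = []
    spec = ingress.get("spec", {})
    rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    for entry in spec.get("tls", []):
        name = entry.get("secretName")
        if not name:
            problems.append("tls entry without secretName (controller serves its default cert)")
            continue
        secret = secrets.get(name)
        if secret is None:
            problems.append(f"secret {name!r} not found")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            problems.append(f"secret {name!r} has type {secret.get('type')!r}, not kubernetes.io/tls")
        for key in ("tls.crt", "tls.key"):  # both keys must hold PEM, base64-encoded in .data
            pem = base64.b64decode(secret.get("data", {}).get(key, ""))
            if not pem.startswith(b"-----BEGIN"):
                problems.append(f"secret {name!r}: {key} missing or not PEM")
        for host in entry.get("hosts", []):
            if host not in rule_hosts:
                problems.append(f"tls host {host!r} has no matching rule host")
            if not any(san_matches(s, host) for s in cert_sans.get(name, [])):
                problems.append(f"certificate in {name!r} does not cover {host!r}")
    return problems

# Constructed inputs mirroring the post's manifest; PEM bodies are placeholders.
INGRESS = {"spec": {"tls": [{"hosts": ["example.com"], "secretName": "tls-secret"}],
                    "rules": [{"host": "example.com"}]}}
PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SECRETS = {"tls-secret": {"type": "kubernetes.io/tls", "data": {
    "tls.crt": base64.b64encode(PEM.encode()).decode(),
    "tls.key": base64.b64encode(PEM.replace("CERTIFICATE", "PRIVATE KEY").encode()).decode()}}}
WILDCARD_ONLY = {"tls-secret": ["*.example.com"]}  # common slip: wildcard does not cover the apex
EXACT_PLUS_WILDCARD = {"tls-secret": ["example.com", "*.example.com"]}
```

Running lint_ingress_tls(INGRESS, SECRETS, WILDCARD_ONLY) flags that a *.example.com certificate does not cover the bare example.com host, the mismatch that produces a handshake warning in curl and a browser error in production.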
Misconfigured TLS leads to downtime and exposes traffic. A well-defined Ingress resource with correct TLS ensures encrypted, trusted communication from the first hit to the last byte.
See it live in minutes. Deploy a secure TLS-enabled Ingress on your cluster with hoop.dev—skip the manual grind, and get results now.