TLS (Transport Layer Security) encrypts traffic between users and your apps. In Kubernetes, you enable HTTPS on Ingress using a TLS certificate (from Let's Encrypt, your CA, or self-signed for dev).
Why?
- Security: Prevents eavesdropping/man-in-the-middle
- Compliance: Required for PCI, HIPAA, etc.
- SEO: Google ranks HTTPS sites higher
Like a sealed envelope vs a postcard:
- HTTP = postcard (anyone can read it)
- HTTPS = sealed envelope (only recipient can open)
Step 1: Create a TLS Secret (Self-Signed for Dev)
# Generate a private key + self-signed cert
# (-nodes writes tls.key without a passphrase)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=web.example.com"
# Create Kubernetes Secret
kubectl create secret tls web-tls-secret \
  --key tls.key \
  --cert tls.crt
For production: Use cert-manager + Let's Encrypt (covered in best practices).
Step 2: Update Your Ingress to Use TLS
# ingress-tls.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: main-ingress
spec:
  tls:                            # Add TLS section
    - hosts:
        - web.example.com
      secretName: web-tls-secret  # Reference the Secret
  rules:
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
Apply:
kubectl apply -f ingress-tls.yaml
Step 3: Test HTTPS
# Get Traefik IP (same as before)
INGRESS_IP=$(kubectl get svc -n kube-system traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
# Test with curl (-k ignores the self-signed cert warning)
curl -k https://web.example.com --resolve "web.example.com:443:$INGRESS_IP"
# Returns nginx welcome page over HTTPS!
Result: Your app is now served over encrypted HTTPS!
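Because `curl -k` accepts any certificate, the Step 3 test also passes when the controller cannot load the Secret and presents a fallback certificate instead. The script below is an added example, not part of the original tutorial: it compares the SHA-256 fingerprint of the certificate served for `web.example.com` with `tls.crt` from Step 1. The function names are hypothetical, and it assumes `openssl` is installed.

```bash
#!/usr/bin/env bash
# Added example: confirm the Ingress serves the certificate created in Step 1.

# SHA-256 fingerprint of the first PEM certificate read from stdin.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Print the leaf certificate presented at IP:443 for SNI name HOST (needs network).
served_cert() {  # usage: served_cert HOST IP
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 2>/dev/null
}

# Returns 0 only when both PEM files parse and their fingerprints are equal.
same_cert() {  # usage: same_cert EXPECTED.pem ACTUAL.pem
  local want got
  want=$(pem_fingerprint <"$1")
  got=$(pem_fingerprint <"$2")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# check_ingress HOST IP CERT
#   0 = expected certificate served, 1 = different certificate, 2 = nothing fetched
check_ingress() {
  local tmp rc
  tmp=$(mktemp)
  served_cert "$1" "$2" >"$tmp"
  if [ ! -s "$tmp" ]; then
    rc=2
  elif same_cert "$3" "$tmp"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Run against the names used on this page:
#   check_ingress web.example.com "$INGRESS_IP" tls.crt && echo "Ingress serves tls.crt"
```

A return code of 1 usually means the Secret name, namespace, or host in the Ingress `tls` section does not match what was created in Step 1.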
# TLS Secret
kubectl create secret tls my-tls-secret --key tls.key --cert tls.crt
# Ingress with TLS
spec:
  tls:
    - hosts: ["myapp.com"]
      secretName: my-tls-secret
  rules:
    - host: myapp.com
      http: ...