About Configuring Ingress
Cloudentity Helm Chart provides support for Ingress resources. Various Ingress controllers, for example, nginx-ingress or traefik, can be used to serve Cloudentity. By default, Cloudentity Helm Chart is preconfigured to use nginx.
To enable the Ingress integration, set the ingress.enabled parameter to true.
In the most common Ingress-integration scenario, one host name is mapped to the deployment. The ingress.hosts array property sets the host name, and the ingress.tls parameter adds the TLS configuration for that host.
acp:
  ingress:
    ## If true, ACP Ingress will be created
    ##
    enabled: true
    ## ACP Ingress hostname
    ## Must be provided if Ingress is enabled
    ##
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
Prerequisites
- Kubernetes cluster v1.16+
- Kubernetes Ingress controller
- Helm v3.0+
Ingress TLS
To configure TLS manually, obtain a key and certificate pair for the address(es) you wish to protect. The certificate must cover every host listed under ingress.tls.hosts.
- Create a TLS secret in the namespace where the chart is installed, then reference it from ingress.tls.
kubectl create secret tls acp-server-tls --cert=path/to/tls.cert --key=path/to/tls.key
acp:
  ingress:
    enabled: true
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com
- Optionally, you can include the certificate directly in values via tlsSecrets, and the chart creates the secret for you. Keep in mind that Helm stores the supplied values in the release record, so the private key ends up there as well; prefer a separately managed secret unless that is acceptable in your environment.
acp:
  ingress:
    enabled: true
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com
    tlsSecrets:
      - name: acp-server-tls
        cert: |
          -----BEGIN CERTIFICATE-----
          <certificate body>
          -----END CERTIFICATE-----
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          <private key body>
          -----END RSA PRIVATE KEY-----
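Before the pair above becomes a secret, it is worth checking that the certificate and key actually belong together and that the certificate's subject alternative names cover the ingress host; a mismatch only shows up later as a TLS failure at the ingress controller. The following POSIX shell script is an added example written for this page, not part of the Cloudentity chart or its documentation. It assumes openssl is on PATH and treats kubectl as optional (secret creation is skipped when it is absent); the self-signed pair it generates for acp.example.com is constructed sample data, not something to serve in production. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the manual Ingress TLS step.
# Not part of the Cloudentity chart. Assumes openssl on PATH; kubectl optional.
set -eu

# tls_pair_matches CERT KEY -> 0 when the public key embedded in CERT equals
# the public key derived from KEY (the mismatch nginx would otherwise reject).
tls_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOST -> 0 when HOST is an exact DNS SAN entry.
# Exact matching means acp.example.com.attacker.test is not accepted for
# acp.example.com and vice versa.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$2"
}

# gen_selfsigned DIR HOST -> writes DIR/tls.crt and DIR/tls.key.
# Constructed sample input for this example only (valid for one day).
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

# create_tls_secret NAME NAMESPACE CERT KEY -> the same kubectl invocation the
# page shows, made idempotent by piping a client-side dry run into apply.
create_tls_secret() {
  kubectl -n "$2" create secret tls "$1" --cert="$3" --key="$4" \
    --dry-run=client -o yaml | kubectl -n "$2" apply -f -
}

# check_and_create NAME NAMESPACE HOST CERT KEY -> runs both checks, then
# creates the secret when kubectl is available; returns 1 on a failed check.
check_and_create() {
  tls_pair_matches "$4" "$5" || { echo "certificate and key do not match" >&2; return 1; }
  cert_covers_host "$4" "$3" || { echo "certificate SAN does not cover $3" >&2; return 1; }
  if command -v kubectl >/dev/null 2>&1; then
    create_tls_secret "$1" "$2" "$4" "$5"
  else
    echo "kubectl not found; skipping creation of secret $1" >&2
  fi
}

# Demo on constructed data: a self-signed pair for acp.example.com passes both
# checks. For real files call check_and_create with your own paths instead.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
gen_selfsigned "$demo_dir" acp.example.com
tls_pair_matches "$demo_dir/tls.crt" "$demo_dir/tls.key"
cert_covers_host "$demo_dir/tls.crt" acp.example.com
echo "demo pair for acp.example.com passed both checks"
```

Run check_and_create acp-server-tls <namespace> acp.example.com path/to/tls.cert path/to/tls.key against the real pair; the dry-run-then-apply form lets you rerun it after a certificate rotation without first deleting the secret.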
Ingress TLS with cert-manager
If your cluster can obtain TLS certificates automatically (for example, with cert-manager), you can have them provisioned for the Ingress resources via annotations on your Ingresses. The secret named under tls is then created and renewed by the issuer instead of by you.
acp:
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com
If your cluster does not allow external HTTP traffic for certificate validation, you can use external-dns to validate the certificate at the DNS level instead.
Ingress mTLS
An additional ingress can be enabled for mTLS communication with Cloudentity. This is useful when the primary ingress cannot pass client certificates through to its endpoints. This is advanced functionality and should be used with caution: the controller serving this ingress must be configured to request and forward client certificates, and the secret referenced under ingressMtls.tls is the server certificate for the mTLS host, not the client CA.
Configuration is the same as for the base ingress, with the addition of the serverURLMtls parameter, which must point at the mTLS host and port that clients will connect to.
serverURLMtls: https://mtls.acp.example.com:8443
ingressMtls:
  enabled: true
  hosts:
    - host: mtls.acp.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: acp-server-mtls
      hosts:
        - mtls.acp.example.com