Deployment and Operations

Configuring Ingress Controllers to Serve Cloudentity

Ingress resources are supported by Cloudentity Helm Chart. Learn how to configure an Ingress controller, like nginx-ingress or traefik, to serve Cloudentity.

About Configuring Ingress

Cloudentity Helm Chart provides support for Ingress resources. Various Ingress controllers, for example, nginx-ingress or traefik, can be used to serve Cloudentity. By default, Cloudentity Helm Chart is preconfigured to use nginx.

To enable the Ingress integration, set the ingress.enabled parameter to true.

In the most common Ingress-integration scenario, one host name is mapped to the deployment.

  • The ingress.hosts array property sets the host name.
  • The ingress.tls parameter adds the TLS configuration for this host.

acp:
  ingress:
    ## If true, ACP Ingress will be created
    ##
    enabled: true

    ## ACP Ingress hostname
    ## Must be provided if Ingress is enabled
    ##
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific

Prerequisites

  • Kubernetes cluster v1.16+
  • Kubernetes Ingress controller
  • Helm v3.0+

Ingress TLS

To configure TLS manually, obtain a key and certificate pair for the host name(s) you wish to protect.

  • Create a TLS secret in the deployment's namespace and reference it from ingress.tls.

    kubectl create secret tls acp-server-tls --cert=path/to/tls.cert --key=path/to/tls.key
    
    acp:
      ingress:
        enabled: true
        hosts:
          - host: acp.example.com
            paths:
              - path: /
                pathType: ImplementationSpecific
        tls:
          - secretName: acp-server-tls
            hosts:
              - acp.example.com
    
  • Optionally, you can include the certificate and key directly in the values file.

    acp:
      ingress:
        enabled: true
        hosts:
          - host: acp.example.com
            paths:
              - path: /
                pathType: ImplementationSpecific
        tls:
          - secretName: acp-server-tls
            hosts:
              - acp.example.com
        tlsSecrets:
          - name: acp-server-tls
            cert: |
              -----BEGIN CERTIFICATE-----
              <certificate body>
              -----END CERTIFICATE-----
            key: |
              -----BEGIN RSA PRIVATE KEY-----
              <private key body>
              -----END RSA PRIVATE KEY-----
    

Ingress TLS with cert-manager

If your cluster supports automatic creation or retrieval of TLS certificates (for example, with cert-manager), you can provision TLS certificates for Ingress resources automatically via annotations on your Ingresses.

acp:
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com

If your cluster does not allow external HTTP traffic for certificate validation, you can use external-dns to validate the certificate at the DNS level instead.

Ingress mTLS

An additional Ingress can be enabled for mTLS communication with Cloudentity. This is useful when the primary Ingress is not able to pass client certificates through to its endpoints. This is advanced functionality and should be used with caution.

The configuration is the same as for the base Ingress, with the addition of the serverURLMtls parameter.

serverURLMtls: https://mtls.acp.example.com:8443
ingressMtls:
  enabled: true
  hosts:
    - host: mtls.acp.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: acp-server-mtls
      hosts:
        - mtls.acp.example.com
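An added pre-deployment check (not part of the chart or this page) over the values patterns from the Ingress TLS and Ingress mTLS sections above: every enabled host should be covered by a tls entry, inline tlsSecrets names should match a tls.secretName, and serverURLMtls should be an https URL whose host is one of the ingressMtls hosts. The sample values are a constructed Python equivalent of the YAML shown above, and it is assumed that serverURLMtls and ingressMtls sit under the same acp block as ingress.

```python
from urllib.parse import urlsplit


def check_ingress_values(acp: dict) -> list:
    """Return a list of findings for the `acp` block of a Helm values file."""
    findings = []
    ingress = acp.get("ingress", {})
    if ingress.get("enabled"):
        hosts = [h["host"] for h in ingress.get("hosts", [])]
        if not hosts:
            findings.append("ingress.hosts must be set when ingress is enabled")
        tls_hosts = {h for t in ingress.get("tls", []) for h in t.get("hosts", [])}
        for host in hosts:
            if host not in tls_hosts:  # no TLS entry -> plaintext exposure
                findings.append(f"{host} has no ingress.tls entry; it would be served over plain HTTP")
        secret_names = {t["secretName"] for t in ingress.get("tls", [])}
        inline_names = {s["name"] for s in ingress.get("tlsSecrets", [])}
        for name in sorted(inline_names - secret_names):
            findings.append(f"tlsSecrets entry {name} is not referenced by any tls.secretName")
    mtls = acp.get("ingressMtls", {})
    if mtls.get("enabled"):
        url = acp.get("serverURLMtls")
        if not url:
            findings.append("ingressMtls is enabled but serverURLMtls is not set")
        else:
            parts = urlsplit(url)
            mtls_hosts = [h["host"] for h in mtls.get("hosts", [])]
            if parts.scheme != "https":
                findings.append("serverURLMtls must use https")
            if parts.hostname not in mtls_hosts:
                findings.append(f"serverURLMtls host {parts.hostname} is not in ingressMtls.hosts")
    return findings


# Constructed sample: the cert-manager example plus the mTLS block from above,
# written as a dict so the check runs without a YAML parser (assumed layout:
# serverURLMtls and ingressMtls under acp, next to ingress).
SAMPLE_VALUES = {
    "ingress": {
        "enabled": True,
        "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"},
        "hosts": [{"host": "acp.example.com", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]}],
        "tls": [{"secretName": "acp-server-tls", "hosts": ["acp.example.com"]}],
    },
    "serverURLMtls": "https://mtls.acp.example.com:8443",
    "ingressMtls": {
        "enabled": True,
        "hosts": [{"host": "mtls.acp.example.com", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]}],
        "tls": [{"secretName": "acp-server-mtls", "hosts": ["mtls.acp.example.com"]}],
    },
}

if __name__ == "__main__":
    for line in check_ingress_values(SAMPLE_VALUES) or ["no findings"]:
        print(line)
```

Run it against the `acp` block of your values file before `helm upgrade`; an empty result means the hosts, secrets and mTLS URL are consistent with each other.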