TLS certificates

Use TLS certificates with your managed DNS service

Most ingress controllers support TLS termination in-cluster.

For that, they need access to the TLS Certificate and Private Key.

By default, the ingress Resource Definition references a tls-cert resource with the same Resource ID as the dns resource it routes from.

To satisfy that reference, the simplest approach is to create a tls-cert Resource Definition with the same matching criteria as the DNS Resource Definition.

Static TLS certificates

If you have a static wildcard certificate that you want to use, it can be injected by using the humanitec/template driver.

You will need a template defining the Secret manifest that will contain the certificate and also specify the secret name it will be injected with.

The following examples assume that you have a wildcard certificate for *.example.com and that you want to inject it into the tls-cert resource with the same ID as the dns resource.

Init template

The init template generates the tlsSecretName value that the other templates reference, so that the name of the Secret created in the cluster and the tls_secret_name output used by the ingress resource agree.

tlsSecretName: {{ .id }}-tls

Manifests template

The manifests template is used to generate the Secret manifest that will be injected into the cluster. The values are base64-encoded with b64enc because a Kubernetes Secret's data field expects base64.

tls_secret.yaml:
  location: namespace
  data:
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/tls
    metadata:
      name: {{ .init.tlsSecretName }}
    data:
      tls.crt: {{ .outputs.secrets.tls_crt | b64enc }}
      tls.key: {{ .outputs.secrets.tls_key | b64enc }}

Values template

The values template is used to generate the tls-cert resource definition.

tls_secret_name: {{ .init.tlsSecretName }}

Secrets template

The secrets template provides the actual certificate and private key in PEM form; these are driver secrets, so they are not stored alongside the plain values.

tls_crt: |
  -----BEGIN CERTIFICATE-----
  MIIDITCCAWiqrIdx2rPPn+G+gKO7SBH9UynjDKgpSela3+XnaVXMP9sbdpE60LEJ
  ...
  ojSzdq6OvLABJKxE6N0ukQPiW8NXQvga9ltnoraxZ9dhAaYvmA==
  -----END CERTIFICATE-----


tls_key: |
  -----BEGIN PRIVATE KEY-----
  MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC2jud0ozO5qacH
  ...
  ufjZCQaXMLwfVgmhgYr/62jV7YFXFF==
  -----END PRIVATE KEY-----
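The following added example is not part of the Humanitec documentation or driver code; it models, in Python, how the four templates above chain together (init first, then manifests and values reading .init, with b64enc applied to the secrets) and adds the check a practitioner wants before relying on a statically injected certificate: that the rendered Secret has the kubernetes.io/tls type, carries the name the ingress expects, and that tls.crt and tls.key decode to well-formed PEM blocks of the right kind. The PEM fixtures are constructed placeholders, not real key material, and the function names are this example's own.

```python
import base64
import re

# Constructed, non-functional PEM fixtures standing in for the secrets
# template output. Real material must only ever come from the secrets
# template, never from a file checked into a repository.
SAMPLE_TLS_CRT = """-----BEGIN CERTIFICATE-----
aGVsbG8gY2VydA==
-----END CERTIFICATE-----
"""
SAMPLE_TLS_KEY = """-----BEGIN PRIVATE KEY-----
aGVsbG8ga2V5
-----END PRIVATE KEY-----
"""


def b64enc(value: str) -> str:
    """Equivalent of the b64enc template function used in the manifests template."""
    return base64.b64encode(value.encode()).decode()


def render_init(resource_id: str) -> dict:
    """init template: tlsSecretName: {{ .id }}-tls"""
    return {"tlsSecretName": f"{resource_id}-tls"}


def render_manifests(init: dict, secrets: dict) -> dict:
    """manifests template: the kubernetes.io/tls Secret placed in the namespace."""
    return {
        "tls_secret.yaml": {
            "location": "namespace",
            "data": {
                "apiVersion": "v1",
                "kind": "Secret",
                "type": "kubernetes.io/tls",
                "metadata": {"name": init["tlsSecretName"]},
                "data": {
                    "tls.crt": b64enc(secrets["tls_crt"]),
                    "tls.key": b64enc(secrets["tls_key"]),
                },
            },
        }
    }


def render_values(init: dict) -> dict:
    """values template: the tls_secret_name output consumed by the ingress resource."""
    return {"tls_secret_name": init["tlsSecretName"]}


def build_tls_cert(resource_id: str, tls_crt: str, tls_key: str) -> dict:
    """Run the templates in driver order: init, then manifests and values."""
    init = render_init(resource_id)
    secrets = {"tls_crt": tls_crt, "tls_key": tls_key}
    return {
        "init": init,
        "manifests": render_manifests(init, secrets),
        "values": render_values(init),
    }


# One PEM block: BEGIN/END labels must match and the body must be base64 lines.
PEM_RE = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\n((?:[A-Za-z0-9+/=]+\n)+)-----END \1-----\n?$"
)


def pem_label(pem: str):
    """Return the PEM label if the block is well-formed, else None."""
    match = PEM_RE.match(pem)
    if not match:
        return None
    try:
        base64.b64decode(match.group(2).replace("\n", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return match.group(1)


def validate_tls_secret(manifests: dict, expected_name: str) -> list:
    """List the defects that would make in-cluster TLS termination fail."""
    secret = manifests["tls_secret.yaml"]["data"]
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("Secret type is not kubernetes.io/tls")
    name = secret["metadata"]["name"]
    if name != expected_name:
        problems.append(f"metadata.name is '{name}', ingress expects '{expected_name}'")
    for key, wanted in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        raw = secret["data"].get(key)
        if raw is None:
            problems.append(f"missing data.{key}")
            continue
        try:
            pem = base64.b64decode(raw, validate=True).decode()
        except ValueError:
            problems.append(f"{key} is not valid base64")
            continue
        label = pem_label(pem) or ""
        # Accept "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY" for the key.
        if not (label == wanted or (wanted == "PRIVATE KEY" and label.endswith(wanted))):
            problems.append(f"{key} is not a {wanted} PEM block")
    return problems


if __name__ == "__main__":
    rendered = build_tls_cert("my-dns", SAMPLE_TLS_CRT, SAMPLE_TLS_KEY)
    print(rendered["values"])
    print(validate_tls_secret(rendered["manifests"], "my-dns-tls"))
```

The validator deliberately reports a swapped certificate and key as two separate defects, since that mistake survives base64 encoding and only surfaces as a failed TLS handshake at the ingress.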

Resolving TLS at the load balancer

It is also common to let cloud providers manage certificates at the edge, for example at the Load Balancer. In this case, no tls-cert resource is needed in the cluster. Instead, the ingress resource must be configured not to do TLS termination.

If you are using the humanitec/ingress driver, you can simply set the no_tls field to true.
