TLS certificates
Use TLS certificates with your managed DNS service
Most ingress controllers support TLS termination in-cluster. To do that they need access to the TLS certificate and its private key.
By default, the ingress Resource Definition references a tls-cert resource with the same Resource ID as the dns resource it routes from. The simplest way to satisfy that is to create a tls-cert Resource Definition with the same matching criteria as the dns Resource Definition, so that both resolve for the same Applications and Environments.
Static TLS certificates
If you have a static wildcard certificate that you want to use, it can be injected with the humanitec/template driver.
You will need a template that defines the Secret manifest holding the certificate and key, and that also sets the secret name under which it is injected, so that the ingress can reference it.
The following examples assume that you have a wildcard certificate for *.example.com and that you want to inject it into the tls-cert resource with the same ID as the dns resource.
Init template
The init template generates the tlsSecretName field that the ingress resource uses to reference the tls-cert resource.
tlsSecretName: {{ .id }}-tls
Manifests template
The manifests template generates the Secret manifest that will be injected into the cluster. The ingress controller expects a Secret of type kubernetes.io/tls, and the values under a Secret's data key must be base64-encoded, which is why both fields go through b64enc.
tls_secret.yaml:
  location: namespace
  data:
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/tls
    metadata:
      name: {{ .init.tlsSecretName }}
    data:
      tls.crt: {{ .outputs.secrets.tls_crt | b64enc }}
      tls.key: {{ .outputs.secrets.tls_key | b64enc }}
Values template
The values template generates the outputs of the tls-cert resource, here the secret name the ingress will look up.
tls_secret_name: {{ .init.tlsSecretName }}
Secrets template
The secrets template provides the actual certificate and private key. Because it carries the private key, keep it in the secrets part of the driver inputs, not in plain values.
tls_crt: |
  -----BEGIN CERTIFICATE-----
  MIIDITCCAWiqrIdx2rPPn+G+gKO7SBH9UynjDKgpSela3+XnaVXMP9sbdpE60LEJ
  ...
  ojSzdq6OvLABJKxE6N0ukQPiW8NXQvga9ltnoraxZ9dhAaYvmA==
  -----END CERTIFICATE-----
tls_key: |
  -----BEGIN PRIVATE KEY-----
  MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC2jud0ozO5qacH
  ...
  ufjZCQaXMLwfVgmhgYr/62jV7YFXFF==
  -----END PRIVATE KEY-----
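As an added example (not code from the Humanitec docs or the template driver), the Go program below performs offline the checks worth running before pasting a static certificate into the secrets template: that the private key matches the certificate, that the wildcard actually covers the host the dns resource serves (a *.example.com certificate covers app.example.com but neither example.com nor a.b.example.com), and that the certificate is within its validity period. It then renders the same kubernetes.io/tls Secret manifest that the manifests template produces, base64-encoding the PEM as b64enc does. The certificate and key are minted in-process as a constructed self-signed fixture; the function names and the secret name "dns-tls" (standing in for the "{{ .id }}-tls" the init template generates) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSSecret holds what a kubernetes.io/tls Secret needs: the name the ingress
// references (tlsSecretName above) and the base64-encoded PEM blobs.
type TLSSecret struct {
	Name   string
	TLSCrt string // base64(PEM certificate), i.e. what b64enc produces
	TLSKey string // base64(PEM private key)
}

// NewWildcardPair is a constructed fixture: it mints a self-signed ECDSA
// certificate for pattern (e.g. "*.example.com") valid for ttl. A real
// deployment uses a CA-issued certificate instead.
func NewWildcardPair(pattern string, ttl time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{pattern}, // the SAN is what hostname checks use
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// BuildTLSSecret validates the pair against the host the ingress will serve
// and returns the Secret data, or an error naming the check that failed.
func BuildTLSSecret(secretName, host string, certPEM, keyPEM []byte, now time.Time) (*TLSSecret, error) {
	// X509KeyPair parses both PEMs and rejects a key that does not match the cert.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("bad PEM or key/cert mismatch: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	// Wildcard semantics: *.example.com covers app.example.com only, not the
	// apex and not a.b.example.com. VerifyHostname applies exactly these rules.
	if err := leaf.VerifyHostname(host); err != nil {
		return nil, fmt.Errorf("certificate does not cover %q: %w", host, err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s (valid %s to %s)", now, leaf.NotBefore, leaf.NotAfter)
	}
	return &TLSSecret{
		Name:   secretName,
		TLSCrt: base64.StdEncoding.EncodeToString(certPEM),
		TLSKey: base64.StdEncoding.EncodeToString(keyPEM),
	}, nil
}

// Manifest renders the same Secret the manifests template produces.
func (s *TLSSecret) Manifest() string {
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  name: %s\ndata:\n  tls.crt: %s\n  tls.key: %s\n",
		s.Name, s.TLSCrt, s.TLSKey)
}

func main() {
	certPEM, keyPEM, err := NewWildcardPair("*.example.com", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	s, err := BuildTLSSecret("dns-tls", "app.example.com", certPEM, keyPEM, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Print(s.Manifest())
	// The same certificate must be rejected for a host the wildcard does not cover.
	if _, err := BuildTLSSecret("dns-tls", "a.b.example.com", certPEM, keyPEM, time.Now()); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The ordering of the checks matters: the key/cert match is verified first because a Secret with a mismatched key is accepted by the API server and only fails later, inside the ingress controller, when a client handshake arrives.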
Resolving TLS at the load balancer
It is also common to let the cloud provider manage certificates at the edge, for example at the load balancer.
In this case no tls-cert resource is needed in the cluster; instead, the ingress resource must be configured not to terminate TLS. If you are using the humanitec/ingress driver, set the no_tls field to true.
Keep in mind that the hop from the load balancer to the ingress controller is then unencrypted unless the provider re-encrypts traffic to the backend.