Configuring Ingress Controllers to Serve Cloudentity
Ingress resources are supported by the Cloudentity Helm Chart. Learn how to configure an Ingress controller, such as nginx-ingress or traefik, to serve Cloudentity.
About Configuring Ingress
The Cloudentity Helm Chart provides support for Ingress resources. Various Ingress controllers, for example nginx-ingress or traefik, can be used to serve Cloudentity. By default, the chart is preconfigured for nginx.
To enable the Ingress integration, set the ingress.enabled parameter to true.
In the most common Ingress-integration scenario, a single host name is mapped to the deployment. The ingress.hosts array property sets the host name, and the ingress.tls parameter adds the TLS configuration for that host.
```yaml
acp:
  ingress:
    ## If true, ACP Ingress will be created
    ##
    enabled: true
    ## ACP Ingress hostname
    ## Must be provided if Ingress is enabled
    ##
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
```
Prerequisites
Kubernetes cluster v1.16+
Kubernetes Ingress controller
Helm v3.0+
Ingress TLS
To configure TLS manually, obtain a key and certificate pair for the host name(s) you wish to protect, then create a TLS secret in the namespace where Cloudentity is deployed:
```shell
kubectl create secret tls acp-server-tls --cert=path/to/tls.cert --key=path/to/tls.key
```
```yaml
acp:
  ingress:
    enabled: true
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com
```
Optionally, you can include the certificate and private key directly in the values, and the chart creates the secret for you:
```yaml
acp:
  ingress:
    enabled: true
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com
    tlsSecrets:
      - name: acp-server-tls
        cert: |
          -----BEGIN CERTIFICATE-----
          <certificate body>
          -----END CERTIFICATE-----
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          <private key body>
          -----END RSA PRIVATE KEY-----
```
Ingress TLS with cert-manager
If your cluster supports automatic creation and retrieval of TLS certificates (for example, with cert-manager), you can have certificates for Ingress resources provisioned automatically by adding annotations to your Ingresses.
```yaml
acp:
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: acp.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: acp-server-tls
        hosts:
          - acp.example.com
```
If your cluster does not allow the external HTTP traffic needed to validate the certificate, you can use external-dns to validate the certificate at the DNS level.
Ingress mTLS
An additional Ingress can be enabled for mTLS communication with Cloudentity. This is useful when the primary Ingress cannot pass client certificates through to its endpoints. This is advanced functionality and should be used with caution.
The configuration is the same as for the base Ingress, with the addition of the serverURLMtls parameter.
```yaml
serverURLMtls: https://mtls.acp.example.com:8443
ingressMtls:
  enabled: true
  hosts:
    - host: mtls.acp.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: acp-server-mtls
      hosts:
        - mtls.acp.example.com
```
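The mismatches that most often break these Ingress definitions (a tls host that is not routed, a host left on plain HTTP, a serverURLMtls that does not point at the mTLS Ingress, a secret that still has to be created with kubectl) can be caught before helm install. The following Python check is an added example, not part of the chart or its documentation; it runs on the parsed values (for instance from yaml.safe_load), the SAMPLE_VALUES dict is constructed to mirror the blocks above, and placing serverURLMtls and ingressMtls under acp is an assumption about the chart layout.

```python
from urllib.parse import urlparse

# Constructed sample values; nesting ingressMtls under acp is an assumption.
SAMPLE_VALUES = {
    "acp": {
        "serverURLMtls": "https://mtls.acp.example.com:8443",
        "ingress": {
            "enabled": True,
            "hosts": [{"host": "acp.example.com", "paths": [{"path": "/"}]}],
            "tls": [{"secretName": "acp-server-tls", "hosts": ["acp.example.com"]}],
            "tlsSecrets": [{"name": "acp-server-tls", "cert": "<cert>", "key": "<key>"}],
        },
        "ingressMtls": {
            "enabled": True,
            "hosts": [{"host": "mtls.acp.example.com", "paths": [{"path": "/"}]}],
            "tls": [{"secretName": "acp-server-mtls", "hosts": ["mtls.acp.example.com"]}],
        },
    }
}

def check_ingress(ingress, name):
    """Return problems found in one Ingress block; an empty list means it is consistent."""
    if not ingress.get("enabled"):
        return []
    hosts = {h["host"] for h in ingress.get("hosts", [])}
    tls = ingress.get("tls", [])
    problems = [] if tls else [f"{name}: no tls section, so the host would be served over plain HTTP"]
    for entry in tls:
        # A TLS host that the Ingress does not route never has its certificate used.
        for host in entry.get("hosts", []):
            if host not in hosts:
                problems.append(f"{name}: tls host {host} is not in hosts")
    return problems

def external_secrets(ingress):
    """Secrets referenced by tls but not inlined in tlsSecrets: create them with kubectl first."""
    inline = {s["name"] for s in ingress.get("tlsSecrets", [])}
    return {e["secretName"] for e in ingress.get("tls", [])} - inline

def check_values(values):
    """Cross-check the base Ingress, the mTLS Ingress and serverURLMtls."""
    acp = values["acp"]
    mtls = acp.get("ingressMtls", {})
    problems = check_ingress(acp.get("ingress", {}), "ingress") + check_ingress(mtls, "ingressMtls")
    if mtls.get("enabled"):
        url = urlparse(acp.get("serverURLMtls", ""))
        if url.scheme != "https":
            problems.append("serverURLMtls must be an https URL")
        if url.hostname not in {h["host"] for h in mtls.get("hosts", [])}:
            problems.append(f"serverURLMtls host {url.hostname} is not an ingressMtls host")
    return problems
```

For the sample values, check_values returns no problems and external_secrets reports that acp-server-mtls must exist in the namespace before the chart is installed.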