{{/* Secure an Ingress by specifying a Secret that contains a TLS private key and certificate. The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext). If the TLS configuration section in an Ingress specifies different hosts, they are multiplexed on the same port according to the hostname specified through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS. For example: apiVersion: v1 kind: Secret metadata: name: testsecret-tls namespace: default data: tls.crt: base64 encoded cert tls.key: base64 encoded key type: kubernetes.io/tls Referencing this secret in an Ingress tells the Ingress controller to secure the channel from the client to the load balancer using TLS. You need to make sure the TLS secret you created came from a certificate that contains a Common Name (CN), also known as a Fully Qualified Domain Name (FQDN) for https-example.foo.com. Note: There is a gap between TLS features supported by various Ingress controllers. Please refer to documentation on nginx, GCE, or any other platform specific Ingress controller to understand how TLS works in your environment. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls */}} {{- if and .Values.include .Values.ingress.enabled .Values.ingress.hostname }} {{- if and .Values.ingress.tls ( empty .Values.ingress.secret ) }} {{- $sans := .Values.ingress.alternateDnsNames | default list -}} {{- $certTTL := .Values.ingress.certValidityDuration | int | default 365 }} {{- $crt := genSelfSignedCert .Values.ingress.hostname (list ) ( $sans ) $certTTL }} apiVersion: v1 kind: Secret metadata: name: tls-{{ .Values.ingress.hostname }} namespace: {{ include "lib.namespace" . }} labels: app.kubernetes.io/component: {{ include "lib.componentName" . }} {{- include "lib.labels" . | nindent 4 }} {{- include "app.ingressLabels" . | nindent 4 }} {{- include "app.additionalIngressLabels" . | nindent 4 }} annotations: {{- include "lib.annotations" . | indent 4 }} {{- include "app.ingressAnnotations" . | indent 4 }} {{- include "app.additionalIngressAnnotations" . | indent 4 }} data: tls.crt: {{ $crt.Cert | b64enc }} tls.key: {{ $crt.Key | b64enc }} type: kubernetes.io/tls {{- end }} {{- end }}