Skip to main content

How to expose Kubernetes services with an Ingress and TLS

An Ingress plus a controller routes external HTTP and HTTPS traffic to services by host and path, with TLS terminated centrally via cert-manager. Point DNS at the controller and test each route.

Difficulty
Intermediate
Duration
40 minutes
Steps
6

Exposing services with Ingress

An Ingress defines HTTP and HTTPS routing rules into the cluster. An Ingress controller, such as the NGINX controller, watches those rules and configures a load balancer. This lets many services share one external entry point with host- and path-based routing and centralized TLS.

Prerequisites

  • One or more Services exposing your apps.
  • Permission to install a controller and a DNS name you can update.

Steps

1. Install an Ingress controller

helm install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace

Get its external address with kubectl get svc -n ingress-nginx.

2. Create backing services

Ensure each app has a ClusterIP Service, for example web on port 80 and api on port 80.

3. Define host and path rules

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 80
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80

4. Point DNS at the controller

Create an A or CNAME record for app.example.com pointing to the controller's external IP or hostname.

5. Add TLS with cert-manager

Install cert-manager, create a ClusterIssuer for Let's Encrypt, then annotate the Ingress and add a tls block:

  tls:
    - hosts: [app.example.com]
      secretName: app-tls

cert-manager provisions and renews the certificate into the named Secret.

6. Test routing

curl https://app.example.com/
curl https://app.example.com/api/health

Verification

Confirm the Ingress has an address with kubectl get ingress. Browse to the host and verify the certificate is valid and trusted. Confirm / reaches the web service and /api reaches the api service.

Next Steps

Add rate limiting and authentication annotations, enable HTTP-to-HTTPS redirect, and consider the Gateway API as the more expressive successor to Ingress for advanced routing.

Prerequisites

  • Services running in the cluster
  • Cluster admin to install a controller
  • A DNS name you control

Steps

  • 1
    Install an Ingress controller
  • 2
    Create backing services
  • 3
    Define host and path rules
  • 4
    Point DNS at the controller
  • 5
    Add TLS with cert-manager
  • 6
    Test routing

Category

Containers