The Ingress Management application is a tool for simplifying and standardizing ingress configuration across your entire environment. It manages ingress resources centrally, so that every application gets consistent, scalable and operationally efficient ingress.
The Ingress Management Application is divided into three key modules:
1. Certificates: This module facilitates the management of SSL/TLS certificates. While optional, it offers a centralized approach to certificate provisioning, allowing for consistency across all ingress objects. It also supports the issuance of wildcard certificates, which are particularly useful for securing multiple subdomains. Currently, wildcard certificate issuance is supported only on Google Cloud Platform (GCP) using CloudDNS as the DNS01 challenge solver. If preferred, certificate provisioning can still be handled directly from the Ingress module.
2. Ingresses: This module provides configuration options for creating and managing ingress objects. It streamlines the process of defining routing rules, load balancing, and other ingress-related settings.
3. Dependencies: This module enables integration with external secret stores, such as a cloud provider's SSM or 1Password, for managing pre-generated certificates. Currently, 1Password is supported. Refer to the Dependency Documentation for setup instructions.
The Certificates section defines SSL/TLS certificate settings for namespaces and applications. The parameters allow for flexibility in managing certificate provisioning and renewal.
Example Configuration

```yaml
certificates:
  # Name of the namespace where the certificate secret will be provisioned.
  namespace1:
    # Name of the certificate to provision. It will be prefixed with the name of the Ingress application.
    certificate1:
      # Certificate duration. Optional, defaults to 1 year = 8760h0m0s
      duration: 8760h0m0s
      # Cluster issuer to use for certificate generation. Optional, defaults to cto2b.
      issuer: cto2b-clouddns
      # privateKey is optional; by default cert-manager will generate an RSA 2048-bit private key
      privateKey:
        algorithm: ECDSA
        size: 256
        rotationPolicy: Never # Optional, defaults to Always. Can
      # renewBefore: Optional, defaults to 180h0m0s, which means to renew the certificate 7 days before expiration
      renewBefore: 180h0m0s
      dnsNames:
        - '*.example.com'
```
Parameters description

| Parameter | Description | Default | Optional/Required |
|---|---|---|---|
| duration | Specifies the validity period of the certificate. | 1 year (8760h0m0s) | Optional |
| issuer | Defines the cluster issuer to use for certificate generation. | cto2b | Optional |
| renewBefore | Time before expiration to renew the certificate. | 7 days (180h0m0s) | Optional |
| privateKey.algorithm | Algorithm for the private key (e.g., RSA, ECDSA). | RSA | Optional |
| privateKey.size | The size of the private key in bits (e.g., 2048 for RSA or 256 for ECDSA). | 2048 | Optional |
| privateKey.rotationPolicy | Determines key rotation behavior during renewal. | Always | Optional |
| dnsNames | List of DNS names to include in the certificate, supporting wildcards. | N/A | Required |
It is possible to provide as many certificate blocks as needed, in as many namespaces as needed.
The Ingresses section centralizes the management of ingress resources, including TLS settings, middlewares, and routing rules for namespaces and applications.
Example configuration

```yaml
ingresses:
  enabled: true # True by default
  # Namespaces where to provision ingresses. Can be several namespaces.
  namespace1:
    enabled: true # True by default. Enable/disable ingress per-namespace
    ## Ingress definition for an app. Used to create ingress, tls and middlewares. Can be several ingresses per application.
    ingress1:
      enabled: true # True by default. Enable/disable specific ingress in the namespace
      clusterIssuer: "cto2b" # Cluster issuer to use for certificate generation.
      ingressClassName: "traefik" # Ingress class name.
      ## Namespace where ingress will be deployed.
      ## TLS block for ingress configuration. If not defined, no TLS will be configured.
      tls:
        secretName: "special-ingress-tls"
        generateCertificates: true # If true, cert-manager will create a certificate for the host; otherwise the secretName of an existing secret with tls.key and tls.crt keys should be provided.
        options:
          ## https://doc.traefik.io/traefik/https/tls/#tls-options
          minVersion: VersionTLS13
          clientAuth:
            clientAuthType: RequireAndVerifyClientCert
            ## Secret should contain tls.ca / ca.crt key.
            secretNames:
              - special-ingress-client-secret
      middlewares:
        ## https://doc.traefik.io/traefik/middlewares/overview
        ipWhiteList:
          sourceRange:
            - 127.0.0.1/32
            - 192.168.1.7
        basicAuth:
          secret: authsecret2
      hosts:
        - host: tenant1.foo.com
          rules:
            - path: "/"
              pathType: "Prefix"
              backendService: "backend-service1"
              backendServicePort: 9090
            - path: "/info"
              pathType: "Exact"
              backendService: "backend-service11"
              backendServicePort: 9091
        - host: tenant2.foo.com
          rules:
            - path: "/"
              pathType: "Mixed"
              backendService: "backend-service1"
              backendServicePort: 9091
```
Parameters description

| Parameter | Description | Default | Optional/Required |
|---|---|---|---|
| enabled | Enables or disables ingress management globally. | true | Optional |
| namespace1.enabled | Enables or disables ingress management for a specific namespace. | true | Optional |
| ingress1.enabled | Enables or disables a specific ingress within a namespace. | true | Optional |
| clusterIssuer | Specifies the cluster issuer for certificate generation. | N/A | Required if tls is enabled |
| ingressClassName | Defines the ingress class name to use (e.g., traefik). | N/A | Optional |
| tls.secretName | Name of the secret containing the TLS certificate and key. If generateCertificates is true, cert-manager generates it. | N/A | Required if TLS is enabled |
| tls.generateCertificates | If true, cert-manager will create a certificate for the host; otherwise, an existing secret must be provided. | true | Optional |
| tls.options.minVersion | Specifies the minimum TLS version to support (e.g., VersionTLS13). | N/A | Optional |
| tls.options.clientAuth | Client authentication settings, including clientAuthType and secretNames for CA certificates. | N/A | Optional |
| middlewares.ipWhiteList | Middleware configuration for IP whitelisting. Specifies allowed IP ranges. | N/A | Optional |
| middlewares.basicAuth | Middleware configuration for Basic Authentication. Requires a secret containing credentials. | N/A | Optional |
| hosts.host | Specifies the hostnames to route traffic for (e.g., tenant1.foo.com). | N/A | Required |
| rules.path | Defines the path for routing (e.g., / or /info) and specifies the backend service and port for each rule. | N/A | Required |
| rules.pathType | Specifies the path matching type (Prefix, Exact, Mixed). | N/A | Required |
| dependency.onepassword | Defines dependencies, such as secrets stored in 1Password, for accessing credentials. | N/A | Optional |
For the full list of allowed middlewares, please refer to the Traefik Middlewares Documentation.
For the full list of possible TLS options, please refer to the Traefik TLS Options Documentation.
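As an added example that is not part of this project, the following Python linter applies the rules from the table above to each ingress block before it is applied: a missing tls block, a missing clusterIssuer when certificates are generated, a missing secretName when they are not, a minVersion below TLS 1.2, RequireAndVerifyClientCert without CA secretNames, and ipWhiteList entries without a prefix length. It expects the configuration already parsed into a dict (for example by yaml.safe_load); the sample below is constructed here with two deliberately weak settings so that it produces findings.

```python
# Constructed sample mirroring the page's ingress example, with two weak settings
# (TLS 1.0 minimum, client-cert verification without a CA secret) to trigger findings.
SAMPLE = {"ingresses": {"enabled": True, "namespace1": {"enabled": True, "ingress1": {
    "clusterIssuer": "cto2b", "ingressClassName": "traefik",
    "tls": {"secretName": "special-ingress-tls", "generateCertificates": True,
            "options": {"minVersion": "VersionTLS10",
                        "clientAuth": {"clientAuthType": "RequireAndVerifyClientCert"}}},
    "middlewares": {"ipWhiteList": {"sourceRange": ["127.0.0.1/32", "192.168.1.7"]}},
    "hosts": [{"host": "tenant1.foo.com",
               "rules": [{"path": "/", "pathType": "Prefix", "backendServicePort": 9090}]}]}}}}

def lint_ingress(where, ing):
    """Return a list of findings for one ingress block; an empty list means nothing to report."""
    out = []
    tls = ing.get("tls")
    if tls is None:  # per the page: no tls block means no TLS is configured at all
        return [f"{where}: no tls block, ingress is served over plain HTTP"]
    generate = tls.get("generateCertificates", True)
    if generate and not ing.get("clusterIssuer"):
        out.append(f"{where}: clusterIssuer is required when cert-manager generates the certificate")
    if not generate and not tls.get("secretName"):
        out.append(f"{where}: generateCertificates false needs an existing tls.secretName")
    opts = tls.get("options", {})
    # Traefik version names (VersionTLS10..VersionTLS13) sort lexically; unset is treated as VersionTLS12.
    if opts.get("minVersion", "VersionTLS12") < "VersionTLS12":
        out.append(f"{where}: minVersion {opts['minVersion']} allows TLS below 1.2")
    auth = opts.get("clientAuth", {})
    if auth.get("clientAuthType") == "RequireAndVerifyClientCert" and not auth.get("secretNames"):
        out.append(f"{where}: RequireAndVerifyClientCert has no CA secretNames to verify against")
    for entry in ing.get("middlewares", {}).get("ipWhiteList", {}).get("sourceRange", []):
        if "/" not in entry:  # a bare address works, but an explicit /32 makes the intent unambiguous
            out.append(f"{where}: ipWhiteList entry {entry} has no prefix length, prefer {entry}/32")
    for host in ing.get("hosts", []):
        for rule in host.get("rules", []):
            if rule.get("pathType") not in ("Prefix", "Exact", "Mixed"):  # the values the table lists
                out.append(f"{where}: {host.get('host')} {rule.get('path')} has unsupported pathType")
    return out

def lint(cfg):
    """Walk ingresses.<namespace>.<ingress>, skipping the boolean 'enabled' flags at each level."""
    out = []
    for ns, ingresses in cfg.get("ingresses", {}).items():
        if not isinstance(ingresses, dict):
            continue
        for name, ing in ingresses.items():
            if isinstance(ing, dict) and ing.get("enabled", True):
                out += lint_ingress(f"ingresses.{ns}.{name}", ing)
    return out
```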
The Ingress Management application includes support for 1Password integration. For detailed instructions on setup and usage, refer to the Dependency Documentation.