Bozobooks.com: Fullstack k8s application blog series
Ingress & TLS/HTTPS with nginx, cert-manager & Vault
Chapter 8: In this blog we will configure our ingress to serve our web application over TLS/HTTPS. To issue the certificates we will use Vault, and to request, store and renew them we will use cert-manager.
Architecture
Ingress exposes the services we have built to the outside world. It provides the HTTP and HTTPS routes defined by the Ingress resource. A secured connection requires HTTPS/TLS, and for that we need to integrate the ingress with a certificate authority (CA). The certificates issued by the CA also need to be managed: requested, stored as Kubernetes Secrets, and renewed before they expire. Jetstack's cert-manager provides a Kubernetes-native framework to manage certificates and integrates with Ingress. For the CA we can use Let's Encrypt, HashiCorp Vault, Venafi, etc.
Since we already have a Vault cluster in our environment, it makes more sense to integrate cert-manager with Vault's public key infrastructure (PKI) secrets engine to generate X.509 certificates. cert-manager provides an Issuer interface, which can be used to configure Vault as the certificate issuer. The diagram below shows a very high-level interaction between cert-manager and Vault, and how the certificates are generated and managed by cert-manager.
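As an added illustration of the integration described above (this is example configuration written for this section, not manifests from the original series or from the cert-manager project), the cert-manager side consists of an Issuer that points at Vault's PKI engine, a Certificate that asks that Issuer for a leaf certificate, and an Ingress that references the resulting Secret. The namespace `bozobooks`, the Vault address `https://vault.vault.svc:8200`, the PKI mount `pki_int`, the Vault role `bozobooks-dot-com`, the AppRole credentials, and the hostname `app.bozobooks.com` are all assumed values for the example.

```yaml
# Assumed Vault-side prerequisite (run once, outside Kubernetes):
#   vault secrets enable -path=pki_int pki
#   vault write pki_int/roles/bozobooks-dot-com \
#       allowed_domains=bozobooks.com allow_subdomains=true max_ttl=72h
# The role's allowed_domains must cover every dnsName requested below,
# otherwise Vault rejects the CSR and the Certificate stays Ready=False.
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-approle            # assumed name; holds the AppRole secret_id
  namespace: bozobooks
type: Opaque
stringData:
  secretId: REPLACE_WITH_APPROLE_SECRET_ID
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: bozobooks
spec:
  vault:
    server: https://vault.vault.svc:8200        # assumed Vault address
    path: pki_int/sign/bozobooks-dot-com        # <mount>/sign/<role>
    # caBundle pins the CA that signed Vault's own listener certificate so
    # cert-manager verifies Vault's TLS instead of trusting any endpoint.
    caBundle: LS0tLS1CRUdJTi...                  # base64 PEM, truncated placeholder
    auth:
      appRole:
        path: approle
        roleId: REPLACE_WITH_APPROLE_ROLE_ID
        secretRef:
          name: vault-approle
          key: secretId
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bozobooks-tls
  namespace: bozobooks
spec:
  secretName: bozobooks-tls      # cert-manager writes tls.crt/tls.key here
  issuerRef:
    name: vault-issuer
    kind: Issuer
  dnsNames:
    - app.bozobooks.com
  duration: 48h                  # must be <= the Vault role's max_ttl
  renewBefore: 12h               # cert-manager re-requests before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always       # new key pair on every renewal
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bozobooks
  namespace: bozobooks
  annotations:
    cert-manager.io/issuer: vault-issuer
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.bozobooks.com
      secretName: bozobooks-tls
  rules:
    - host: app.bozobooks.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bozobooks-web   # assumed service name
                port:
                  number: 80
```

After applying this, `kubectl -n bozobooks get certificate bozobooks-tls` should report `READY True`; if it does not, `kubectl -n bozobooks describe certificaterequest` shows the error returned by Vault, which is usually a role restriction (`allowed_domains`, `max_ttl`) or a failed TLS verification against `caBundle`. The Issuer here is namespaced, so the AppRole Secret and the Certificate must live in the same namespace; a cluster-wide `ClusterIssuer` would instead read its Secret from cert-manager's own namespace.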