# TLS Configuration

This guide demonstrates how to configure TLS termination for an [Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/).

{% hint style="info" %}
**Kubernetes namespace**

The following sections assume the Immuta Enterprise Helm chart was deployed into the `immuta` namespace and that `immuta` is the current namespace.
{% endhint %}

## Prerequisite

The [Ingress configuration](https://documentation.immuta.com/2024.2/self-managed-deployment/configure/ingress-configuration) must be completed before proceeding.

## [Ingress-NGINX Controller](https://kubernetes.github.io/ingress-nginx/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         nginx.ingress.kubernetes.io/auth-tls-secret: <namespace>/<secret-name>
   ```
2. [Create a TLS secret](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/) from a PEM-formatted public/private key pair.

   ```shell
   kubectl create secret tls <secret-name> --cert=path/to/tls.cert --key=path/to/tls.key
   ```
3. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Ingress-Nginx Controller documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication) for further assistance.

## [GKE Ingress Controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         ingress.gcp.kubernetes.io/pre-shared-cert: <certificate-name>
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [GKE Ingress Controller documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs) for further assistance.

## [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         alb.ingress.kubernetes.io/certificate-arn: <certificate-arn>
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [AWS Load Balancer Controller documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#ssl) for further assistance.

## [AKS Application Gateway Ingress Controller](https://azure.github.io/application-gateway-kubernetes-ingress/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         appgw.ingress.kubernetes.io/appgw-ssl-certificate: <certificate-name>
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Application Gateway Ingress Controller documentation](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/#appgw-ssl-certificate) for further assistance.

## [Traefik](https://traefik.io/traefik/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       annotations:
         traefik.ingress.kubernetes.io/router.tls: "true"
       hostname: <immuta-fqdn>
       tls: true
       # If left unset the TLS secret name defaults to <hostname>-tls
       secretName: <secret-name>
   ```
2. [Create a TLS secret](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/) from a PEM-formatted public/private key pair.

   ```shell
   kubectl create secret tls <secret-name> --cert=path/to/tls.cert --key=path/to/tls.key
   ```
3. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Traefik documentation](https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#certificates-management) for further assistance.
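
A pre-flight check for the certificate and key passed to `kubectl create secret tls` in the Ingress-NGINX and Traefik steps above, written as an added example (not part of the Immuta documentation or chart). It confirms that the key matches the certificate, that the certificate covers `<immuta-fqdn>`, and that it is not close to expiry. The function names, return codes and 30-day default are assumptions, and `openssl` 1.1.1 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files given to
# `kubectl create secret tls`. Names, return codes and the 30-day
# default are assumptions, not part of the Immuta chart.

# check_tls_pair <cert> <key> <fqdn> [min-days-left]
# Returns 0 only if the private key belongs to the certificate, the
# certificate covers <fqdn>, and it remains valid for min-days-left days.
check_tls_pair() {
  cert=$1 key=$2 fqdn=$3 days=${4:-30}

  # Extract the public key from each file; a parse failure is fatal.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "unreadable certificate: $cert" >&2; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "unreadable private key: $key" >&2; return 2; }

  # Both commands emit the same SubjectPublicKeyInfo PEM for a valid pair.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 3; }

  # -checkhost reports the result as text, so match on the message.
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' ||
    { echo "certificate does not cover $fqdn" >&2; return 4; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
    { echo "certificate expires within $days days" >&2; return 5; }
}

# Constructed sample input: a throwaway self-signed pair for <fqdn>,
# written to <dir>/tls.cert and <dir>/tls.key, valid for <days> days.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/tls.key" -out "$1/tls.cert" 2>/dev/null
}

# Usage with real files:
#   check_tls_pair path/to/tls.cert path/to/tls.key <immuta-fqdn> &&
#     kubectl create secret tls <secret-name> --cert=path/to/tls.cert --key=path/to/tls.key
```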
