# TLS Configuration

This guide demonstrates how to configure TLS termination for an [Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/).

{% hint style="info" %}
**Kubernetes namespace**

The following sections assume the Immuta Enterprise Helm chart was deployed into the `immuta` namespace and that `immuta` is the current namespace.
{% endhint %}

## Prerequisite

The [Ingress configuration](/latest/configuration/self-managed-deployment/configure/ingress-configuration.md) must be completed before proceeding.

## [Ingress-NGINX Controller](https://kubernetes.github.io/ingress-nginx/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         nginx.ingress.kubernetes.io/auth-tls-secret: <namespace>/<secret-name>
   ```
2. [Create a TLS secret](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/) from a PEM-formatted public/private key pair.

   ```bash
   kubectl create secret tls <secret-name> --cert=path/to/tls.cert --key=path/to/tls.key
   ```
3. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4
   ```

Refer to the [Ingress-NGINX Controller documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication) for further assistance.

## [GKE Ingress Controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         ingress.gcp.kubernetes.io/pre-shared-cert: <certificate-name>
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4
   ```

Refer to the [GKE Ingress Controller documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs) for further assistance.

## [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         alb.ingress.kubernetes.io/certificate-arn: <certificate-arn>
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4
   ```

Refer to the [AWS Load Balancer Controller documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#ssl) for further assistance.

## [AKS Application Gateway Ingress Controller](https://azure.github.io/application-gateway-kubernetes-ingress/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         appgw.ingress.kubernetes.io/appgw-ssl-certificate: <certificate-name>
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4
   ```

Refer to the [Application Gateway Ingress Controller documentation](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/#appgw-ssl-certificate) for further assistance.

## [Traefik](https://traefik.io/traefik/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       annotations:
         traefik.ingress.kubernetes.io/router.tls: "true"
       hostname: <immuta-fqdn>
       tls: true
       # If left unset the TLS secret name defaults to <hostname>-tls
       secretName: <secret-name>
   ```
2. [Create a TLS secret](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/) from a PEM-formatted public/private key pair.

   ```bash
   kubectl create secret tls <secret-name> --cert=path/to/tls.cert --key=path/to/tls.key
   ```
3. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4
   ```

Refer to the [Traefik documentation](https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#certificates-management) for further assistance.
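
The "Create a TLS secret" step in the Ingress-NGINX and Traefik procedures takes a PEM pair as given. The script below is an added example, not part of the Immuta documentation or Helm chart: it checks that the private key matches the certificate, that the certificate covers `<immuta-fqdn>`, and that it is not close to expiry before the pair is loaded. The function name `check_tls_pair`, the script name, and the 30-day default are assumptions, and it requires the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the Immuta documentation): pre-flight checks for the
# PEM pair before `kubectl create secret tls`. Paths and FQDN are caller-supplied.

# check_tls_pair CERT KEY FQDN [MIN_DAYS]
# Returns 0 when every check passes, 1 otherwise; prints each failed check.
check_tls_pair() {
  local cert="$1" key="$2" fqdn="$3" min_days="${4:-30}" rc=0 cert_pub key_pub

  # 1. Both files must parse; an encrypted key fails here instead of prompting.
  openssl x509 -in "$cert" -noout 2>/dev/null ||
    { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
    { echo "FAIL: $key is not an unencrypted PEM private key"; return 1; }

  # 2. The certificate's public key must be the one derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER |
    openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not match certificate"; rc=1; }

  # 3. The certificate must be valid for the hostname set in immuta-values.yaml.
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" |
    grep -q "does match certificate" ||
    { echo "FAIL: certificate does not cover $fqdn"; rc=1; }

  # 4. The certificate must remain valid for at least MIN_DAYS more days.
  openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days"; rc=1; }

  return "$rc"
}

# Usage: ./check-tls.sh path/to/tls.cert path/to/tls.key <immuta-fqdn> [min-days]
if [ "$#" -ge 3 ]; then
  check_tls_pair "$@"
fi
```

When the certificate file holds a chain, only the first certificate in the file is examined, so the leaf certificate must come first.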

