This article provides a comprehensive guide to configuring SSL encryption and setting up Ingress for secure access to the meshIQ platform in Kubernetes-based environments. While these are distinct components, they are closely related in containerized deployments, as SSL often terminates at the ingress level, and ingress provides unified access.
Why SSL and Ingress Are Important
- SSL ensures encrypted communication across all microservices within the meshIQ platform.
- Ingress provides a single point of entry into the platform, simplifying access and configuration.
Though SSL is optional for testing environments, it is strongly recommended for production use.
Ingress Setup
Key Configuration (values.yaml)
Configure ingress in the global.ingress block:
- enabled: Set to
trueto enable ingress - class: Set to
nginx - clusterSubDomain / subdomain: Define the DNS name used for the platform
- addNamespace: Appends the deployment namespace to ingress hosts
- annotations: Add custom rules (e.g., force HTTPS)
- hosts: Maps hostnames to services (default config is usually sufficient)
- tls: Must be enabled to avoid SSL handshake issues
DNS Record Setup
Make sure to create an A Record in your DNS provider pointing your (sub)domain to the load balancer IP used by the ingress controller.
SSL Configuration
SSL can be globally enabled through the Helm chart using the global.service.useSSL flag in values.yaml.
There are two main approaches for providing SSL certificates:
Approach 1: File-Based SSL Setup
- Place your signed certificates (
.crt), private key (.key), and keystore (.jks) into the/config/meshiq/directory of your Helm chart. - Update the
global.service.ssl.useSSLvalue totrue. - If your files are password-protected, encode the passwords in Base64 and add them to the
global.service.ssl.configsection.
Avoid mixing SSL and non-SSL services—it can lead to communication issues.
Approach 2: Kubernetes Secrets (Recommended for Production)
- Create a Kubernetes Secret containing your certificates and keys:
kubectl create secret generic ssl-bundle -n meshiq-deployment \ --from-file=site.jks=/path/to/site.jks \ --from-file=server.crt=/path/to/server.crt \ --from-file=server.key=/path/to/server.key \ --from-literal=keystorePassword='changeit' \ --from-literal=keyPassword='changeit' \ --from-literal=truststorePassword='changeit'
- Reference this secret in your
values.yamlfile:global: service: ssl: sslSecretName: ssl-bundle
This approach securely stores sensitive data within the cluster.
Using Certificate Aliases Per Application
If your keystore contains multiple aliases, you can assign a specific certificate to a service using the keyAlias field:
track:
service:
keyAlias: my-cert-alias