K8sCalc

kubernetes

Kubernetes Ingress Generator

Generate Kubernetes Ingress YAML for nginx Ingress Controller or Traefik IngressRoute. Supports TLS with cert-manager, path routing, and Let's Encrypt configuration.

Kubernetes Ingress and TLS with cert-manager

Ingress is the Kubernetes mechanism for routing external HTTP/HTTPS traffic to internal services.

nginx vs Traefik Output

nginx uses the standard Ingress API with annotations:

yaml
annotations:
  kubernetes.io/ingress.class: nginx
  cert-manager.io/cluster-issuer: letsencrypt-prod
  nginx.ingress.kubernetes.io/ssl-redirect: "true"

Traefik uses IngressRoute CRDs with a cleaner syntax:

yaml
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`app.example.com`)
      services: [{name: my-app, port: 80}]
  tls:
    certResolver: letsencrypt-prod

cert-manager Setup

bash
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set installCRDs=true
yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

Frequently Asked Questions

What's the difference between Ingress and IngressRoute?

Ingress is the standard Kubernetes API — works with any compliant controller (nginx, HAProxy, etc.) via annotations. IngressRoute is a Traefik-specific CRD that uses a cleaner YAML structure with middleware chains and native TCP/UDP routing. If you use Traefik, IngressRoute is preferred over the compatibility Ingress mode.

How does cert-manager issue Let's Encrypt certificates?

cert-manager watches for Ingress resources with the cert-manager.io/cluster-issuer annotation. It creates a Certificate resource, completes the ACME HTTP-01 or DNS-01 challenge with Let's Encrypt, stores the cert in a Secret, and the Ingress controller reads that Secret for TLS termination. Renewal is automatic.

Should I use letsencrypt-prod or letsencrypt-staging?

Always test with staging first. Let's Encrypt prod has rate limits (5 failed attempts per domain per hour). Staging certs are not trusted by browsers but have no rate limits. Once cert-manager is working with staging, switch to prod.

How do I route multiple hostnames or paths?

Add multiple rules to the same Ingress. Each rule can have a different host or path. For path routing, use pathType: Prefix for matching path prefixes, or pathType: Exact for exact paths. nginx supports regex via annotations; Traefik IngressRoute supports full regex in the match expression.

Related Calculators

K8s Bandwidth