# Ingress & TLS

Configure external access to NetBox and TLS certificate management.
## NetBox URLs

Set netboxEnterprise.spec.netbox.urls to the external URLs at which NetBox is reachable. The operator derives the Ingress host rules, and the TLS secret it looks for, from these URLs:

```yaml
netboxEnterprise:
  spec:
    netbox:
      urls:
        - "https://netbox.example.com"
```
## Ingress Controller

The chart includes an optional ingress-nginx dependency for environments that don't already have an ingress controller:

| Key | Type | Default | Description |
|---|---|---|---|
| ingress.enabled | bool | false | Deploy the bundled ingress-nginx controller |
| ingress.controller.kind | string | DaemonSet | Controller deployment type |
| ingress.controller.hostNetwork | bool | true | Use host networking |
| ingress.controller.dnsPolicy | string | ClusterFirstWithHostNet | Pod DNS policy, paired with host networking |
| ingress.controller.containerPort.http | int | 80 | HTTP listen port |
| ingress.controller.containerPort.https | int | 443 | HTTPS listen port |
| ingress.controller.config.ssl-redirect | string | "false" | Redirect HTTP to HTTPS at the controller |
| ingress.controller.config.ipv6-enabled | string | "false" | Enable IPv6 listeners |
| ingress.controller.service.type | string | ClusterIP | Controller Service type (host networking handles external traffic) |
| ingress.controller.extraArgs.default-ssl-certificate | string | kotsadm/kotsadm-tls | Namespace/name of the default TLS secret |
| ingress.controller.admissionWebhooks.enabled | bool | false | Enable the ingress-nginx admission webhook |
| ingress.controller.watchIngressWithoutClass | bool | true | Process Ingress resources that omit an ingress class |
| ingress.controller.imagePullPolicy | string | IfNotPresent | Controller image pull policy (air gap compatible) |
For most deployments, use your cluster's existing ingress controller (ingress-nginx, Traefik, a cloud load balancer) and leave ingress.enabled: false. You only need to set netbox.urls; the operator creates the appropriate Ingress resource for whichever controller is present.

If you do enable the bundled controller, keep two of its defaults in mind: it runs as a DaemonSet with host networking, so it binds ports 80 and 443 on every node it is scheduled to, and ssl-redirect is "false", so plain-HTTP requests are answered as-is rather than redirected to HTTPS. Set ingress.controller.config.ssl-redirect to "true" unless something upstream already enforces HTTPS.
## TLS Certificates

### Using a Pre-Created Secret

Create a TLS secret in the NetBox namespace:

```bash
kubectl -n netbox create secret tls netbox-tls \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key
```

The operator selects the TLS secret that matches the hostname in netbox.urls, so the certificate must cover that hostname in its Subject Alternative Name list. kubectl create secret tls checks that the key belongs to the certificate, but it does not check the hostname; a certificate issued for the wrong name is accepted by Kubernetes and only fails in the browser.
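The hostname, key and expiry checks that kubectl does not perform, as an added example that is not part of the NetBox Enterprise chart or operator. It assumes openssl 1.1.1 or newer (for `-ext` and `-addext`) and uses the secret name and namespace from the kubectl command above; the self-test certificate and its hostname are constructed here and are not meant for a real deployment.

```bash
#!/usr/bin/env bash
# Added example, not part of the NetBox Enterprise chart or operator: check a
# certificate/key pair against the hostname in netbox.urls before creating the
# netbox-tls Secret shown above. Needs openssl 1.1.1+ (for -ext/-addext);
# kubectl is only used in the final step.
set -euo pipefail

# Hostname of a URL such as https://netbox.example.com:8443/path
# (bracketed IPv6 literals are not handled).
url_host() {
  local u="${1#*://}"
  u="${u%%/*}"
  printf '%s\n' "${u%%:*}"
}

# 0 if the private key belongs to the certificate (same public key).
cert_matches_key() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# 0 if a DNS SAN covers the host: exact match, or a wildcard replacing exactly
# one leftmost label. The CN is ignored on purpose: browsers stopped honouring
# it long ago, so a certificate with the right CN but no SAN still fails.
cert_covers_host() {
  local crt="$1" host="$2" name sans
  sans=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
           | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p') || sans=""
  set -f                                   # no globbing of "*.example.com"
  for name in $sans; do
    if [ "$name" = "$host" ]; then set +f; return 0; fi
    case "$name" in
      '*.'*) if [ "${host#*.}" = "${name#\*.}" ]; then set +f; return 0; fi ;;
    esac
  done
  set +f
  return 1
}

# 0 if the certificate stays valid for at least $2 seconds (default: 7 days).
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null; }

# Run all three checks for one URL/cert/key triple; prints the failing reason.
check_tls_pair() {
  local url="$1" crt="$2" key="$3" host
  host=$(url_host "$url")
  cert_matches_key "$crt" "$key"  || { echo "$key does not match $crt" >&2; return 1; }
  cert_covers_host "$crt" "$host" || { echo "$crt has no DNS SAN for $host" >&2; return 1; }
  cert_valid_for "$crt"           || { echo "$crt expires within 7 days" >&2; return 1; }
}

if [ "$#" -eq 3 ]; then
  # Usage: ./check-tls.sh https://netbox.example.com path/to/tls.crt path/to/tls.key
  check_tls_pair "$1" "$2" "$3"
  kubectl -n netbox create secret tls netbox-tls --cert="$2" --key="$3"
else
  # No arguments: self-test against a throwaway self-signed certificate
  # (constructed here; not meant for any real deployment).
  t=$(mktemp -d); trap 'rm -rf "$t"' EXIT
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=netbox.example.com' \
    -addext 'subjectAltName=DNS:netbox.example.com' \
    -keyout "$t/tls.key" -out "$t/tls.crt" >/dev/null 2>&1
  if check_tls_pair https://netbox.example.com "$t/tls.crt" "$t/tls.key"; then
    echo "self-test: certificate/key pair is usable for https://netbox.example.com"
  fi
fi
```

Run it with the URL from netbox.urls and the two files; it creates the secret only when all three checks pass. The wildcard rule is deliberately strict: `*.example.com` matches `netbox.example.com` but neither `example.com` nor `a.b.example.com`, which is how browsers apply it.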
### Using cert-manager

If cert-manager is installed in your cluster, you can have it provision the certificate automatically by annotating the Ingress. Annotations set on the NetBoxEnterprise are carried onto the Ingress the operator creates, so add the issuer annotation there:

```yaml
netboxEnterprise:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
```
## TLS Keychain

The tlsKeychain provides a centralized way to manage CA and client certificates referenced by PostgreSQL, Redis, and Hydra TLS configurations:

```yaml
netboxEnterprise:
  spec:
    tlsKeychain:
      caCertificateSecrets:
        - name: postgres-ca            # Logical name referenced in tlsConfig
          secret: my-pg-ca-secret      # Kubernetes secret name (defaults to name)
          key: ca.crt                  # Key within the secret (default: ca.crt)
      clientCertificateSecrets:
        - name: postgres-client
          secret: my-pg-client-cert
          certKey: tls.crt             # Certificate key (default: tls.crt)
          privateKey: tls.key          # Private key (default: tls.key)
```
Then reference these by name in component TLS configurations:

```yaml
postgresql:
  external: true
  tlsConfig:
    sslmode: verify-full
    keychainCaCertificates:
      - postgres-ca
    keychainClientCertificate: postgres-client
```
See PostgreSQL TLS and Redis TLS for detailed examples.
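Creating the two Secrets that the keychain entry above points at, with the one check worth doing first, as an added example that is not part of the NetBox Enterprise chart or operator. The CA listed under caCertificateSecrets is what NetBox uses to verify the PostgreSQL server; the client certificate is what NetBox presents to the server, so it must chain to whatever CA the server's ssl_ca_file trusts. That is often the same CA, but not necessarily, which is why the script takes the bundle as a parameter. Secret names follow the values excerpt; the throwaway PKI is constructed for the self-test only.

```bash
#!/usr/bin/env bash
# Added example, not part of the NetBox Enterprise chart or operator: create the
# two Secrets a tlsKeychain entry points at, after checking that the client
# certificate chains to the CA the PostgreSQL server trusts. Secret names follow
# the values excerpt above (my-pg-ca-secret, my-pg-client-cert); the data keys
# kubectl produces (ca.crt from --from-file, tls.crt/tls.key from "secret tls")
# are the operator's defaults, so the entry needs no key/certKey/privateKey.
set -euo pipefail

# 0 if $2 chains to the bundle $1 (root plus any intermediates, PEM, concatenated).
# Pass the bundle PostgreSQL's ssl_ca_file points at.
issued_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build a throwaway CA and a client certificate it signs (constructed test data,
# only so the check has something to run against; never use in a deployment).
make_test_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test PG CA' \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=netbox' \
    -keyout "$d/tls.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/tls.crt" >/dev/null 2>&1
  # A second, unrelated self-signed cert: must NOT verify against ca.crt.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=rogue' \
    -keyout "$d/rogue.key" -out "$d/rogue.crt" >/dev/null 2>&1
}

# Create the Secrets in namespace $1 from CA bundle $2, client cert $3, key $4.
# kubectl itself rejects a key that does not match the certificate, but it does
# not check the chain, hence the issued_by_ca gate first.
create_keychain_secrets() {
  local ns="$1" ca="$2" crt="$3" key="$4"
  issued_by_ca "$ca" "$crt" || { echo "$crt does not chain to $ca" >&2; return 1; }
  kubectl -n "$ns" create secret generic my-pg-ca-secret --from-file=ca.crt="$ca"
  kubectl -n "$ns" create secret tls my-pg-client-cert --cert="$crt" --key="$key"
}

if [ "$#" -eq 4 ]; then
  # Usage: ./keychain-secrets.sh netbox path/to/ca.crt path/to/client.crt path/to/client.key
  create_keychain_secrets "$@"
else
  # No arguments: self-test against the throwaway PKI.
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  make_test_pki "$d"
  issued_by_ca "$d/ca.crt" "$d/tls.crt"   && echo "client cert chains to test CA"
  issued_by_ca "$d/ca.crt" "$d/rogue.crt" || echo "unrelated cert rejected, as expected"
fi
```

Because `kubectl create secret tls` always writes tls.crt and tls.key, and `--from-file=ca.crt=...` writes ca.crt, the resulting Secrets line up with the keychain defaults without setting key, certKey or privateKey; you only need those fields when importing Secrets that were created with other key names.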
## Extra CA Certificates

Use netboxEnterprise.spec.extraCaCertificates to add PEM-encoded CA certificates to the trust bundle used by NetBox and the operator, for instance the private CA behind any other HTTPS endpoint NetBox has to trust. This is separate from tlsKeychain, which scopes certificates to individual component connections rather than adding them to the system trust store.

| Key | Type | Default | Description |
|---|---|---|---|
| netboxEnterprise.spec.extraCaCertificates | list | [] | Additional trusted CA certificates (PEM) added to the system trust bundle |
## Next Steps

- Security - TLS best practices and network policies
- External Database - TLS setup for external PostgreSQL