Ingress & TLS
Configure external access to NetBox and TLS certificate management.
NetBox URLs
Set netbox.urls to define the external URLs where NetBox is accessible. The operator uses these to configure ingress resources:
```yaml
netboxEnterprise:
  spec:
    netbox:
      urls:
        - "https://netbox.example.com"
```
Ingress Controller
The chart includes an optional ingress-nginx dependency for environments that don't already have an ingress controller:
| Key | Type | Default | Description |
|---|---|---|---|
| ingress.enabled | bool | false | Deploy the bundled ingress-nginx controller |
| ingress.controller.kind | string | DaemonSet | Controller deployment type |
| ingress.controller.hostNetwork | bool | true | Use host networking |
| ingress.controller.containerPort.http | int | 80 | HTTP listen port |
| ingress.controller.containerPort.https | int | 443 | HTTPS listen port |
For most deployments, use your cluster's existing ingress controller and leave ingress.enabled: false.
If you already have an ingress controller (e.g., ingress-nginx, Traefik, or a cloud load balancer), you don't need to enable the bundled one. Just set netbox.urls and the operator creates the appropriate Ingress resource.
TLS Certificates
Using a Pre-Created Secret
Create a TLS secret in the NetBox namespace:
```bash
kubectl -n netbox create secret tls netbox-tls \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key
```
The operator will use the TLS secret matching the configured URL hostname.
Using cert-manager
If cert-manager is installed in your cluster, you can annotate the Ingress to automatically provision certificates. Add annotations to the NetBoxEnterprise:
```yaml
netboxEnterprise:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
```
TLS Keychain
The tlsKeychain provides a centralized way to manage CA and client certificates referenced by PostgreSQL, Redis, and Hydra TLS configurations:
```yaml
netboxEnterprise:
  spec:
    tlsKeychain:
      caCertificateSecrets:
        - name: postgres-ca          # Logical name referenced in tlsConfig
          secret: my-pg-ca-secret    # Kubernetes secret name (defaults to name)
          key: ca.crt                # Key within the secret (default: ca.crt)
      clientCertificateSecrets:
        - name: postgres-client
          secret: my-pg-client-cert
          certKey: tls.crt           # Certificate key (default: tls.crt)
          privateKey: tls.key        # Private key (default: tls.key)
```
Then reference these by name in component TLS configurations:
```yaml
postgresql:
  external: true
  tlsConfig:
    sslmode: verify-full
    keychainCaCertificates:
      - postgres-ca
    keychainClientCertificate: postgres-client
```
See PostgreSQL TLS and Redis TLS for detailed examples.
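Because components refer to keychain entries only by logical name, a misspelled name or a weakened `sslmode` is easy to miss in review. The following is an added example, not part of the original page or the NetBox Enterprise project: a small lint over the already-parsed `tlsKeychain` and a component `tlsConfig` that reports dangling references and lists the Kubernetes secrets the component depends on. The function names and the `BROKEN` sample are hypothetical, and the client entry's `secret` default is an assumption.

```python
# Added example, not NetBox Enterprise code. Keys and defaults come from the
# page; function names and the BROKEN sample are constructed.

def index_keychain(keychain):
    """Map logical names to secret/key tuples, applying documented defaults."""
    cas = {e["name"]: (e.get("secret", e["name"]), e.get("key", "ca.crt"))
           for e in keychain.get("caCertificateSecrets", [])}
    # Assumption: a client entry's secret defaults to its name, like a CA entry.
    clients = {e["name"]: (e.get("secret", e["name"]),
                           e.get("certKey", "tls.crt"),
                           e.get("privateKey", "tls.key"))
               for e in keychain.get("clientCertificateSecrets", [])}
    return cas, clients


def lint_tls_config(component, tls_config, keychain):
    """Return (findings, secrets the component depends on)."""
    cas, clients = index_keychain(keychain)
    findings, required = [], []
    mode = tls_config.get("sslmode")
    # Of the PostgreSQL sslmode values, only verify-full checks the hostname.
    if mode is not None and mode != "verify-full":
        findings.append(f"{component}: sslmode {mode!r} does not verify the server hostname")
    for name in tls_config.get("keychainCaCertificates", []):
        if name in cas:
            required.append(cas[name])
        else:
            findings.append(f"{component}: CA {name!r} not in caCertificateSecrets")
    client = tls_config.get("keychainClientCertificate")
    if client is not None:
        if client in clients:
            required.append(clients[client])
        else:
            findings.append(f"{component}: client cert {client!r} not in clientCertificateSecrets")
    return findings, required


# The page's keychain and PostgreSQL tlsConfig, written as parsed YAML.
KEYCHAIN = {
    "caCertificateSecrets": [
        {"name": "postgres-ca", "secret": "my-pg-ca-secret", "key": "ca.crt"}],
    "clientCertificateSecrets": [
        {"name": "postgres-client", "secret": "my-pg-client-cert"}],
}
GOOD = {"sslmode": "verify-full", "keychainCaCertificates": ["postgres-ca"],
        "keychainClientCertificate": "postgres-client"}
# Constructed failure case: weaker sslmode and a misspelled CA name.
BROKEN = {"sslmode": "require", "keychainCaCertificates": ["postgresql-ca"],
          "keychainClientCertificate": "postgres-client"}
```

Calling `lint_tls_config("postgresql", GOOD, KEYCHAIN)` returns no findings and the two secrets to confirm exist in the NetBox namespace; the `BROKEN` sample yields one finding for the `sslmode` and one for the undefined CA name.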
Next Steps
- Security — TLS best practices and network policies
- External Database — TLS setup for external PostgreSQL