How to set up HTTPS access to a local development cluster

Why HTTPS on a Local Dev Cluster

Since the roll-out of Google’s SameSite cookie changes, it has become harder to test a local web UI client against an API backend running in a local K8s dev cluster. First, you need to set your cookie’s SameSite setting to “None” to enable cross-origin requests. However, Google Chrome also rejects a cookie that sets only “SameSite=None” unless you also set “Secure=true”, which makes the cookie available only over HTTPS connections. This makes HTTPS access a “must-have” when testing your local cluster for the use case above.
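
The cookie rule described above can be checked against the Set-Cookie headers a backend returns. This is an added example, not part of the original guide or of MAGDA: the function names and sample headers are constructed, and the model covers only the SameSite and Secure attributes (browser exceptions for localhost are ignored).

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes); attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header, scheme="https"):
    """Classify a cookie that a cross-site UI needs sent on fetch/XHR calls."""
    _, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs  # flag attribute; any value after it is ignored
    if same_site == "none" and not secure:
        return "rejected"  # Chrome drops SameSite=None cookies without Secure
    if secure and scheme != "https":
        return "rejected"  # a Secure cookie is not stored from a plain-HTTP response
    if same_site == "none":
        return "ok"
    # Missing or unrecognised SameSite is treated as Lax; Lax and Strict cookies
    # are not attached to cross-site fetch/XHR requests.
    return "same-site-only"


def audit(headers, scheme="https"):
    """Map cookie name -> verdict for a list of Set-Cookie header values."""
    return {parse_set_cookie(h)[0]: cross_site_verdict(h, scheme) for h in headers}


# Constructed sample headers for illustration (not captured from MAGDA).
SAMPLE = [
    "session=abc123; Path=/; HttpOnly",
    "session_lax=abc123; Path=/; SameSite=Lax; Secure",
    "session_none=abc123; Path=/; SameSite=None",
    "session_ok=abc123; Path=/; HttpOnly; SameSite=None; Secure",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE).items():
        print(f"{cookie}: {verdict}")
```

Only the last sample cookie is usable by a cross-site UI, and only when the response that sets it arrives over HTTPS.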


Install Cert Manager

To issue a self-signed certificate for your cluster, you need to install cert-manager first:

kubectl apply -f
# If you haven't installed the jetstack helm chart repo yet
helm repo add jetstack

# Create namespace for cert-manager
kubectl create namespace cert-manager

# install cert manager v1.7.3
helm upgrade --namespace cert-manager --version 1.7.3 --install cert-manager jetstack/cert-manager

Create Self-Signed Cert Issuer

Run the following command:

kubectl apply -f

to create a ClusterIssuer with name selfsigned-issuer.

Setting Up Ingress for deployed MAGDA

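Save the following manifest as ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: local-ingress
  annotations:
    cert-manager.io/cluster-issuer: selfsigned-issuer
    # optional: allow max file upload size 100M (set your ingress controller's body-size annotations here)
spec:
  rules:
    - host: "<your-test-domain>"  # placeholder: replace with your test domain
      http:
        paths:
          - backend:
              service:
                name: gateway
                port:
                  number: 80
            path: /
            pathType: "Prefix"
  tls:
    - hosts:
        - "<your-test-domain>"  # placeholder: same test domain as above
      secretName: magda-local-cert-tls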


Then run the following command:

kubectl -n [my-namespace] apply -f ingress.yaml

to create the ingress in your MAGDA deployment namespace.

Access your cluster via HTTPS

To make the test domain accessible locally, you also need to add the following entry to the file /etc/hosts (on Windows, it is c:\Windows\System32\Drivers\etc\hosts):

# Here is your minikube cluster IP.
# You can use command `minikube ip` to find it out.

Please note: When you use minikube with the docker driver (e.g. on an Apple M1 machine), you won’t be able to access the ingress-exposed services via the minikube IP. You need to run minikube tunnel to make the service available via a local IP instead. You will also need to map to IP instead in /etc/hosts.

Before accessing your test domain, you also need to make your local machine trust the self-signed certificate issued by the local issuer.

Generally, you can: