Using Nginx Ingresses on the Console
Prerequisites
- An ingress provides network access for backend workloads. Ensure that a workload is available in a cluster. If no workload is available, deploy a workload by referring to Creating a Deployment, Creating a StatefulSet, or Creating a DaemonSet.
- A Service has been configured for the workload. Table 1 lists the supported Service types. You can deploy a sample Service by referring to Intra-Cluster Access (ClusterIP) or NodePort.
ENI LoadBalancer refers to passthrough networking, which is backed by a CCE Turbo cluster and a dedicated ELB load balancer.
- If you need to add an Nginx ingress, ensure that the nginx-ingress add-on has been installed in the cluster. For details, see Installing the Add-on.
Precautions
- Do not modify any configuration of a load balancer on the ELB console. Otherwise, the Service will be abnormal. If you have modified the configuration, uninstall the nginx-ingress add-on and reinstall it.
- The URL registered in an ingress forwarding policy must be the same as the URL exposed by the backend Service. Otherwise, a 404 error will be returned.
- The selected or created load balancer must be in the same VPC as the current cluster, and it must match the load balancer type (private or public network).
- The load balancer has at least two listeners, and ports 80 and 443 are not occupied by listeners.
Creating an Nginx Ingress
This section uses an Nginx workload as an example to describe how to create an Nginx ingress.
- Log in to the CCE console and access the cluster details page.
- Choose Networking in the navigation pane, click the Ingresses tab, and click Create Service in the upper right corner.
- Set ingress parameters.
- Name: Specify a name for the ingress, for example, nginx-ingress-demo.
- Namespace: Select the namespace to which the ingress is to be added.
- nginx-ingress: This option is displayed only when the nginx-ingress add-on has been installed in the cluster.
After you switch on this option, nginx-ingress is interconnected to provide layer-7 access. You can configure the following parameters:
- TLS: nginx-ingress supports HTTP and HTTPS. The default listening port reserved during nginx-ingress installation is 80 for HTTP requests and 443 for HTTPS requests. To use HTTPS, you need to configure the server certificate.
- Server Certificate: When creating an HTTPS listener, you need to bind an IngressTLS certificate to support encrypted authentication for HTTPS data transmission. For details on how to create a secret, see Creating a Secret.
- SNI: Server Name Indication (SNI) is an extension of TLS. It allows multiple TLS-based access domain names to be provided for external systems using the same IP address and port, and different domain names can use different security certificates. After SNI is enabled, the client is allowed to submit the requested domain name when initiating a TLS handshake request. After receiving the TLS request, the load balancer searches for the certificate based on the domain name in the request. If the certificate corresponding to the domain name is found, the load balancer returns that certificate for authorization. Otherwise, the default certificate (server certificate) is returned for authorization.
- Forwarding Policies: When the access address of a request matches the forwarding policy (a forwarding policy consists of a domain name and URL), the request is forwarded to the corresponding target Service for processing. Click Add Forwarding Policies to add multiple forwarding policies.
- Domain Name: actual domain name. Ensure that the entered domain name has been registered and archived. After the ingress is created, bind the domain name to the IP address of the automatically created load balancer (IP address of the ingress access address). If a domain name rule is configured, the domain name must always be used for access.
- URL Matching Rule: Prefix match is supported. If the URL is set to /healthz, the URL that meets the prefix can be accessed. For example, /healthz/v1 and /healthz/v2.
- URL: access path to be registered, for example, /healthz.
- Destination Service: Select an existing Service or create a Service. Services that do not meet search criteria are automatically filtered out.
- Destination Service Port: Select the access port of the destination Service.
- Operation: Click Delete to delete the configuration.
- Annotation: The value is in the format of key:value. You can use annotations to query the configurations supported by nginx-ingress.
- After the configuration is complete, click Create.
After the ingress is created, it is displayed in the ingress list.
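The console fields from the procedure above, written as a Kubernetes Ingress manifest. This is an added example, not taken from the original page or from the add-on's own configuration; the domain names, secret names, Service name and port are constructed placeholders, and the ingress class name nginx is an assumption.

```yaml
# Added example with constructed values (not from the original page).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress-demo            # "Name"
  namespace: default                  # "Namespace" (placeholder)
  annotations:
    # "Annotation": key/value pair read by the nginx ingress controller.
    # This one redirects HTTP requests to HTTPS for hosts that have TLS set.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx             # assumption: class registered by the add-on
  tls:
    # "Server Certificate": secret holding the certificate and private key.
    - hosts:
        - demo.example.com            # placeholder domain
      secretName: demo-example-tls    # placeholder secret name
    # "SNI": a second domain with its own certificate on the same IP and port.
    # A handshake whose requested name matches neither entry receives the
    # default certificate instead.
    - hosts:
        - api.example.com             # placeholder domain
      secretName: api-example-tls     # placeholder secret name
  rules:
    - host: demo.example.com          # "Domain Name"
      http:
        paths:
          - path: /healthz            # "URL"
            # "URL Matching Rule": Prefix matches whole path segments, so
            # /healthz, /healthz/v1 and /healthz/v2 match, /healthzfoo does not.
            pathType: Prefix
            backend:
              service:
                name: nginx           # "Destination Service" (placeholder)
                port:
                  number: 80          # "Destination Service Port"
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx           # placeholder Service
                port:
                  number: 80
```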