Configuring HTTPS Backend Services for a LoadBalancer Ingress
Ingresses can interconnect with backend services of different protocols. By default, the backend proxy channel of an ingress is HTTP-compliant. To create an HTTPS channel, add the following configuration to the annotations field:
kubernetes.io/elb.pool-protocol: https
Prerequisites
- A CCE standard or Turbo cluster is available, and the cluster version meets the following requirements:
- v1.23: v1.23.8-r0 or later
- v1.25: v1.25.3-r0 or later
- Other clusters of later versions
- An available workload has been deployed in the cluster for external access. If no workload is available, deploy a workload by referring to Creating a Deployment, Creating a StatefulSet, or Creating a DaemonSet.
- A Service for external access has been configured for the workload. Services Supported by LoadBalancer Ingresses lists the Service types supported by LoadBalancer ingresses.
- You can obtain a trusted certificate from a certificate provider. For details, see Purchasing an SSL Certificate.
Notes and Constraints
- Ingresses can interconnect with HTTPS backend services only when dedicated load balancers are used.
- When an ingress interconnects with an HTTPS backend service, the ingress protocol must be HTTPS.
Configuring an HTTPS Backend Service
You can configure an HTTPS backend Service for an ingress using either the CCE console or kubectl.
- Log in to the CCE console and click the cluster name to access the cluster console.
- Choose Services & Ingresses in the navigation pane, click the Ingresses tab, and click Create Ingress in the upper right corner.
- Configure ingress parameters.
This example explains only key parameters for configuring HTTPS backend Services. You can configure other parameters as required. For details, see Creating a LoadBalancer Ingress on the Console.
Table 1 Key parameters Parameter
Description
Example
Name
Enter an ingress name.
ingress-test
Load Balancer
Select a load balancer to be associated with the ingress or automatically create a load balancer. In this example, only dedicated load balancers are supported.
Dedicated
Listener
- External Protocol: Select HTTPS for an HTTPS backend Service for an ingress.
- External Port: specifies the port of the load balancer listener. The default HTTPS port is 443.
- Certificate Source: Select ELB server certificate.
- Server Certificate: Use a certificate created on ELB.
If no certificate is available, go to the ELB console and create one. For details, see Adding a Certificate.
- Backend Protocol: Select HTTPS.
- External Protocol: HTTPS
- External Port: 443
- Certificate Source: ELB server certificate
- Server Certificate: cert-test
- Backend Protocol: HTTPS
Forwarding Policy
- Domain Name: Enter an actual domain name to be accessed. If it is left blank, the ingress can be accessed through the IP address. Ensure that the domain name has been registered and licensed. Once a forwarding policy is configured with a domain name specified, you must use the domain name for access.
- Path Matching Rule: Select Prefix match, Exact match, or RegEx match.
- Path: Enter the path provided by a backend application for external access. The path added must be valid in the backend application, or the forwarding cannot take effect.
- Destination Service: Select an existing Service or create a Service. Any Services that do not match the search criteria will be filtered out automatically.
- Destination Service Port: Select the access port of the destination Service.
- Domain Name: You do not need to configure this parameter.
- Path Matching Rule: Prefix match
- Path: /
- Destination Service: nginx
- Destination Service Port: 80
Figure 1 Configuring an HTTPS backend Service
- Click OK.
- Use kubectl to access the cluster. For details, see Connecting to a Cluster Using kubectl.
- Create a YAML file named ingress-test.yaml. The file name can be customized.
vi ingress-test.yaml
An example YAML file of an ingress associated with an existing load balancer is as follows:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-test namespace: default annotations: kubernetes.io/elb.port: '443' kubernetes.io/elb.id: <your_elb_id> # In this example, an existing dedicated load balancer is used. Replace its ID with the ID of your dedicated load balancer. kubernetes.io/elb.class: performance kubernetes.io/elb.pool-protocol: https # Interconnected HTTPS backend service kubernetes.io/elb.tls-ciphers-policy: tls-1-2 spec: tls: - secretName: ingress-test-secret rules: - host: '' http: paths: - path: '/' backend: service: name: <your_service_name> # Replace it with the name of your target Service. port: number: 80 property: ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH pathType: ImplementationSpecific ingressClassName: cce
- Create an ingress.
kubectl create -f ingress-test.yaml
If information similar to the following is displayed, the ingress has been created:
ingress/ingress-test created
- Check the created ingress.
kubectl get ingress
If information similar to the following is displayed, the ingress has been created:
NAME CLASS HOSTS ADDRESS PORTS AGE ingress-test cce * 121.**.**.** 80,443 10s
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot