Updated on 2024-11-12 GMT+08:00

Configuring HTTPS Backend Services for a LoadBalancer Ingress

Ingresses can interconnect with backend services of different protocols. By default, the backend proxy channel of an ingress is HTTP-compliant. To create an HTTPS channel, add the following configuration to the annotations field:

kubernetes.io/elb.pool-protocol: https

Prerequisites

  • A CCE standard or Turbo cluster is available, and the cluster version meets the following requirements:
    • v1.23: v1.23.8-r0 or later
    • v1.25: v1.25.3-r0 or later
    • Other clusters of later versions
  • An available workload has been deployed in the cluster for external access. If no workload is available, deploy a workload by referring to Creating a Deployment, Creating a StatefulSet, or Creating a DaemonSet.
  • A Service for external access has been configured for the workload. Services Supported by LoadBalancer Ingresses lists the Service types supported by LoadBalancer ingresses.
  • You can obtain a trusted certificate from a certificate provider. For details, see Purchasing an SSL Certificate.

Notes and Constraints

  • Ingresses can interconnect with HTTPS backend services only when dedicated load balancers are used.
  • When an ingress interconnects with an HTTPS backend service, the ingress protocol must be HTTPS.

Configuring an HTTPS Backend Service

You can configure an HTTPS backend Service for an ingress using either the CCE console or kubectl.

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. Choose Services & Ingresses in the navigation pane, click the Ingresses tab, and click Create Ingress in the upper right corner.
  3. Configure ingress parameters.

    This example explains only key parameters for configuring HTTPS backend Services. You can configure other parameters as required. For details, see Creating a LoadBalancer Ingress on the Console.

    Table 1 Key parameters

    Parameter

    Description

    Example

    Name

    Enter an ingress name.

    ingress-test

    Load Balancer

    Select a load balancer to be associated with the ingress or automatically create a load balancer. In this example, only dedicated load balancers are supported.

    Dedicated

    Listener

    • External Protocol: Select HTTPS for an HTTPS backend Service for an ingress.
    • External Port: specifies the port of the load balancer listener. The default HTTPS port is 443.
    • Certificate Source: Select ELB server certificate.
    • Server Certificate: Use a certificate created on ELB.

      If no certificate is available, go to the ELB console and create one. For details, see Adding a Certificate.

    • Backend Protocol: Select HTTPS.
    • External Protocol: HTTPS
    • External Port: 443
    • Certificate Source: ELB server certificate
    • Server Certificate: cert-test
    • Backend Protocol: HTTPS

    Forwarding Policy

    • Domain Name: Enter an actual domain name to be accessed. If it is left blank, the ingress can be accessed through the IP address. Ensure that the domain name has been registered and licensed. Once a forwarding policy is configured with a domain name specified, you must use the domain name for access.
    • Path Matching Rule: Select Prefix match, Exact match, or RegEx match.
    • Path: Enter the path provided by a backend application for external access. The path added must be valid in the backend application, or the forwarding cannot take effect.
    • Destination Service: Select an existing Service or create a Service. Any Services that do not match the search criteria will be filtered out automatically.
    • Destination Service Port: Select the access port of the destination Service.
    • Domain Name: You do not need to configure this parameter.
    • Path Matching Rule: Prefix match
    • Path: /
    • Destination Service: nginx
    • Destination Service Port: 80
    Figure 1 Configuring an HTTPS backend Service

  4. Click OK.
  1. Use kubectl to access the cluster. For details, see Connecting to a Cluster Using kubectl.
  2. Create a YAML file named ingress-test.yaml. The file name can be customized.

    vi ingress-test.yaml

    An example YAML file of an ingress associated with an existing load balancer is as follows:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress-test
      namespace: default
      annotations:
        kubernetes.io/elb.port: '443'
        kubernetes.io/elb.id: <your_elb_id>    # In this example, an existing dedicated load balancer is used. Replace its ID with the ID of your dedicated load balancer.
        kubernetes.io/elb.class: performance
        kubernetes.io/elb.pool-protocol: https  # Interconnected HTTPS backend service
        kubernetes.io/elb.tls-ciphers-policy: tls-1-2
    spec:
      tls: 
        - secretName: ingress-test-secret
      rules:
        - host: ''
          http:
            paths:
              - path: '/'
                backend:
                  service:
                    name: <your_service_name>  # Replace it with the name of your target Service.
                    port:
                      number: 80
                property:
                  ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
                pathType: ImplementationSpecific
      ingressClassName: cce

  3. Create an ingress.

    kubectl create -f ingress-test.yaml

    If information similar to the following is displayed, the ingress has been created:

    ingress/ingress-test created

  4. Check the created ingress.

    kubectl get ingress

    If information similar to the following is displayed, the ingress has been created:

    NAME          CLASS    HOSTS     ADDRESS          PORTS   AGE
    ingress-test  cce      *         121.**.**.**     80,443  10s