Updated on 2025-08-12 GMT+08:00

Configuring HTTPS for a LoadBalancer Service

Configuring an HTTPS Service

You can create a Service for a workload after it is created. Creating a Service has no impact on the workload. Once created, the Service can be used by the workload for network access immediately.

  1. Log in to the ELB console and click Create Certificate.
  2. Log in to the CCI 2.0 console.
  3. In the navigation pane, choose Services. On the right of the page, click Create from YAML.
  4. Import or add a YAML file.

    The following is an example YAML file.

    • Resource description in the service.yaml file:
      apiVersion: cci/v2
      kind: Service
      metadata:
        name: kubectl-test
        namespace: kubectl
        annotations:
          kubernetes.io/elb.class: elb
          kubernetes.io/elb.id: 1234567890 # Load balancer ID. Only dedicated load balancers are supported.
          kubernetes.io/elb.protocol-port: "https:443"  # HTTPS and port number, which must be the same as that in spec.ports.
          kubernetes.io/elb.cert-id: "17e3b4f4bc40471c86741dc3aa211379"  # Certificate ID of the LoadBalancer Service
      spec:
        selector:
          app: kubectl-test # Label of the associated workload
        ports:
          - name: service-0
            targetPort: 80   # Container port
            port: 443      # Access port (load balancer's port for accessing the workload)
            protocol: TCP    # Set the protocol to TCP.
        type: LoadBalancer
    • Resource description in the service.json file (the fields have the same meanings as in service.yaml; JSON does not allow inline comments, so they are omitted here):
      {
        "apiVersion": "cci/v2",
        "kind": "Service",
        "metadata": {
          "name": "kubectl-test",
          "namespace": "kubectl",
          "annotations": {
            "kubernetes.io/elb.class": "elb",
            "kubernetes.io/elb.id": "1234567890",
            "kubernetes.io/elb.protocol-port": "https:443",
            "kubernetes.io/elb.cert-id": "17e3b4f4bc40471c86741dc3aa211379"
          }
        },
        "spec": {
          "selector": {
            "app": "kubectl-test"
          },
          "ports": [
            {
              "name": "service-0",
              "targetPort": 80,
              "port": 443,
              "protocol": "TCP"
            }
          ],
          "type": "LoadBalancer"
        }
      }

  5. Click OK. Access the workload through the load balancer's IP address and port in the format of <IP-address>:<port>.

Updating a Service

After you add a Service, you can update the access port of the Service.

  1. Log in to the CCI 2.0 console.
  2. In the navigation pane, choose Services. On the Services page, select the target namespace, locate the Service, and click Edit YAML in the Operation column.
  3. Only the access port can be modified.

    spec.ports[i].port: the access port. The port number ranges from 1 to 65535. If you change it, update the port in kubernetes.io/elb.protocol-port to the same value.

  4. Click OK. The Service will be updated for the workload.

Parameters for an HTTPS Service

You can refer to the following table to add the annotations that configure a listener for an HTTPS Service. Each entry gives the parameter (annotation key) followed by its description.
kubernetes.io/elb.http2-enable

Whether HTTP/2 is enabled. Request forwarding using HTTP/2 improves the access performance between your application and the load balancer. However, the load balancer still uses HTTP/1.x to forward requests to the backend server.

Value options:

  • true: enabled
  • false: disabled (default value)

    CAUTION: HTTP/2 can be enabled or disabled only for HTTPS listeners. This option is invalid when the listener uses HTTP.

kubernetes.io/elb.tls-certificate-ids

IDs of SNI certificates used in ELB, separated by commas (,). Each SNI certificate must contain domain names.

To obtain the value, log in to the ELB console and choose Elastic Load Balance > Certificates.

kubernetes.io/elb.security-pool-protocol

If the listener uses HTTPS, you can set the backend protocol to HTTPS. The backend protocol of an existing listener cannot be changed. If you want to change the backend protocol, you need to add a new listener to the load balancer.

  • true: enabled
  • false: disabled

kubernetes.io/elb.tls-ciphers-policy

Security policy used by a listener.

Value options include tls-1-0-inherit, tls-1-0, tls-1-1, tls-1-2, tls-1-2-strict, tls-1-2-fs, tls-1-0-with-1-3, tls-1-2-fs-with-1-3, and hybrid-policy-1-0. The default value is tls-1-0.

This option is available for HTTPS listeners of dedicated load balancers.

kubernetes.io/elb.x-forwarded-port

If this option is enabled, the listening port of the load balancer can be transferred to backend servers through the HTTP header of the packet.

  • true: enabled
  • false: disabled

This option is available for HTTP/HTTPS listeners of dedicated load balancers.

kubernetes.io/elb.x-forwarded-for-port

If this option is enabled, the source port of the client can be transferred to backend servers through the HTTP header of the packet.

  • true: enabled
  • false: disabled

This option is available for HTTP/HTTPS listeners of dedicated load balancers.

kubernetes.io/elb.x-forwarded-host

If this option is enabled, X-Forwarded-Host will be rewritten using the Host field in the request and transferred to backend servers.

  • true: enabled
  • false: disabled

This option is available for HTTP/HTTPS listeners of dedicated load balancers.

kubernetes.io/elb.gzip-enabled

Data compression.

  • true: Data compression is enabled, and specific file types will be compressed.
  • false: Data compression is disabled, and no files will be compressed. By default, data compression is disabled.

Files of the following formats can be compressed:

  • Brotli can compress all file formats.
  • GZIP can compress the files of the following types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

This option is available for HTTP/HTTPS listeners of dedicated load balancers.
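The following is an added example, not code from this page or from the CCI/ELB product: a small pre-apply lint that encodes the consistency rules stated above, both for the service.yaml/service.json example in "Configuring an HTTPS Service" (protocol-port must carry the same port as spec.ports[].port, an HTTPS listener needs kubernetes.io/elb.cert-id, spec.type must be LoadBalancer and the port protocol TCP) and for the annotation table in "Parameters for an HTTPS Service" (true/false switches, HTTP/2 only on HTTPS listeners, tls-ciphers-policy from the documented list, comma-separated tls-certificate-ids). The two manifests embedded in it are constructed for this example; the annotation keys, the load balancer ID and the certificate ID are the ones shown on the page, and the good manifest selects tls-1-2-strict instead of the tls-1-0 default on the assumption that, as its name suggests, that policy restricts the listener to TLS 1.2. The lint only checks the manifest text; it does not talk to the console or the API.

```python
import json

ANN = "kubernetes.io/elb."

# Security policies the table lists for kubernetes.io/elb.tls-ciphers-policy.
TLS_POLICIES = {
    "tls-1-0-inherit", "tls-1-0", "tls-1-1", "tls-1-2", "tls-1-2-strict",
    "tls-1-2-fs", "tls-1-0-with-1-3", "tls-1-2-fs-with-1-3", "hybrid-policy-1-0",
}

# Annotations the table documents as true/false switches.
BOOLEAN_ANNOTATIONS = {
    ANN + "http2-enable", ANN + "security-pool-protocol", ANN + "x-forwarded-port",
    ANN + "x-forwarded-for-port", ANN + "x-forwarded-host", ANN + "gzip-enabled",
}


def lint_service(doc):
    """Return a list of findings; an empty list means the manifest is consistent."""
    findings = []
    ann = doc.get("metadata", {}).get("annotations", {})
    spec = doc.get("spec", {})
    # spec.type belongs directly under spec, not inside a spec.ports entry.
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type must be LoadBalancer")
    service_ports = set()
    for i, p in enumerate(spec.get("ports", [])):
        if p.get("protocol") != "TCP":
            findings.append(f"spec.ports[{i}].protocol must be TCP")
        port = p.get("port")
        if isinstance(port, int) and 1 <= port <= 65535:
            service_ports.add(port)
        else:
            findings.append(f"spec.ports[{i}].port must be an integer from 1 to 65535")
    # Listener protocol and port: "<http|https>:<port>", the port matching spec.ports[].port.
    proto = None
    protocol_port = ann.get(ANN + "protocol-port")
    if protocol_port is None:
        findings.append(f"missing annotation {ANN}protocol-port")
    else:
        proto, sep, port_text = protocol_port.partition(":")
        if proto not in ("http", "https"):
            findings.append(f"{ANN}protocol-port: protocol must be http or https, got {proto!r}")
        if not (sep and port_text.isdigit()):
            findings.append(f"{ANN}protocol-port: expected '<protocol>:<port>', got {protocol_port!r}")
        elif int(port_text) not in service_ports:
            findings.append(f"{ANN}protocol-port: port {port_text} matches no spec.ports[].port")
    # An HTTPS listener terminates TLS on the load balancer and needs its certificate.
    if proto == "https" and not ann.get(ANN + "cert-id"):
        findings.append(f"https listener requires {ANN}cert-id")
    # HTTP/2 can only be switched on for HTTPS listeners.
    if ann.get(ANN + "http2-enable") == "true" and proto != "https":
        findings.append(f"{ANN}http2-enable is valid only for https listeners")
    for name in sorted(BOOLEAN_ANNOTATIONS):
        value = ann.get(name)
        if value is not None and value not in ("true", "false"):
            findings.append(f"{name} must be 'true' or 'false', got {value!r}")
    policy = ann.get(ANN + "tls-ciphers-policy")
    if policy is not None and policy not in TLS_POLICIES:
        findings.append(f"{ANN}tls-ciphers-policy {policy!r} is not a documented policy")
    sni_ids = ann.get(ANN + "tls-certificate-ids")
    if sni_ids is not None and any(not cid.strip() for cid in sni_ids.split(",")):
        findings.append(f"{ANN}tls-certificate-ids must be a comma-separated list of IDs")
    return findings


# Constructed manifest: the page's example plus optional listener annotations.
GOOD_SERVICE = json.loads("""{
  "apiVersion": "cci/v2", "kind": "Service",
  "metadata": {"name": "kubectl-test", "namespace": "kubectl", "annotations": {
      "kubernetes.io/elb.class": "elb", "kubernetes.io/elb.id": "1234567890",
      "kubernetes.io/elb.protocol-port": "https:443",
      "kubernetes.io/elb.cert-id": "17e3b4f4bc40471c86741dc3aa211379",
      "kubernetes.io/elb.http2-enable": "true",
      "kubernetes.io/elb.tls-ciphers-policy": "tls-1-2-strict",
      "kubernetes.io/elb.x-forwarded-host": "true"}},
  "spec": {"selector": {"app": "kubectl-test"}, "type": "LoadBalancer",
    "ports": [{"name": "service-0", "targetPort": 80, "port": 443, "protocol": "TCP"}]}
}""")

# Constructed manifest with four mistakes: type nested inside the port entry, a listener
# port that matches no Service port, an undocumented cipher policy, a non-boolean switch.
BAD_SERVICE = json.loads("""{
  "apiVersion": "cci/v2", "kind": "Service",
  "metadata": {"name": "kubectl-test", "namespace": "kubectl", "annotations": {
      "kubernetes.io/elb.class": "elb", "kubernetes.io/elb.id": "1234567890",
      "kubernetes.io/elb.protocol-port": "https:8443",
      "kubernetes.io/elb.cert-id": "17e3b4f4bc40471c86741dc3aa211379",
      "kubernetes.io/elb.tls-ciphers-policy": "tls-1-3",
      "kubernetes.io/elb.x-forwarded-port": "yes"}},
  "spec": {"selector": {"app": "kubectl-test"},
    "ports": [{"name": "service-0", "targetPort": 80, "port": 443,
               "protocol": "TCP", "type": "LoadBalancer"}]}
}""")

if __name__ == "__main__":
    print(lint_service(GOOD_SERVICE), lint_service(BAD_SERVICE), sep="\n")
```

To lint a real file, pass the result of json.load on your service.json to lint_service and apply the manifest only when the returned list is empty. The checks deliberately mirror the page's own wording (for example, the listener port must equal the Service port) rather than the full Kubernetes Service schema, so a clean result means the page's stated rules hold, not that every field is valid.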