Configuring HTTPS for a LoadBalancer Service
Configuring an HTTPS Service
You can create a Service for a workload after it is created. Creating a Service has no impact on the workload. Once created, the Service can be used by the workload for network access immediately.
- Log in to the ELB console and click Create Certificate.
- Log in to the CCI 2.0 console.
- In the navigation pane, choose Services. On the right of the page, click Create from YAML.
- Import or add a YAML file.
The following is an example YAML file.
- Resource description in the service.yaml file:

```yaml
apiVersion: cci/v2
kind: Service
metadata:
  name: kubectl-test
  namespace: kubectl
  annotations:
    kubernetes.io/elb.class: elb
    kubernetes.io/elb.id: "1234567890"   # Load balancer ID (quoted: annotation values must be strings). Only dedicated load balancers are supported.
    kubernetes.io/elb.protocol-port: "https:443"   # HTTPS and port number, which must be the same as spec.ports[].port.
    kubernetes.io/elb.cert-id: "17e3b4f4bc40471c86741dc3aa211379"   # Certificate ID of the LoadBalancer Service
spec:
  selector:
    app: kubectl-test   # Label of the associated workload
  ports:
    - name: service-0
      targetPort: 80    # Container port
      port: 443         # Access port (load balancer's port for accessing the workload)
      protocol: TCP     # Set the protocol to TCP.
  type: LoadBalancer
```
- Resource description in the service.json file (JSON does not allow comments; the fields have the same meanings as in service.yaml above, and "type" belongs directly under "spec", not inside a port entry):

```json
{
  "apiVersion": "cci/v2",
  "kind": "Service",
  "metadata": {
    "name": "kubectl-test",
    "namespace": "kubectl",
    "annotations": {
      "kubernetes.io/elb.class": "elb",
      "kubernetes.io/elb.id": "1234567890",
      "kubernetes.io/elb.protocol-port": "https:443",
      "kubernetes.io/elb.cert-id": "17e3b4f4bc40471c86741dc3aa211379"
    }
  },
  "spec": {
    "selector": {
      "app": "kubectl-test"
    },
    "ports": [
      {
        "name": "service-0",
        "targetPort": 80,
        "port": 443,
        "protocol": "TCP"
      }
    ],
    "type": "LoadBalancer"
  }
}
```
- Click OK. Access the workload through the load balancer's IP address and port in the format of <IP-address>:<port>.
Updating a Service
After you add a Service, you can update the access port of the Service.
- Log in to the CCI 2.0 console.
- In the navigation pane, choose Services. On the Services page, select the target namespace, locate the Service, and click Edit YAML in the Operation column.
- Only the access port can be modified. spec.ports[i].port is the access port and must be in the range 1 to 65535. When you change it, change the port in kubernetes.io/elb.protocol-port to the same value.
- Click OK. The Service will be updated for the workload.
Parameters for an HTTPS Service
You can refer to the following table to add the annotations to configure a listener for an HTTPS Service.
Parameter | Description
---|---
kubernetes.io/elb.http2-enable | Whether HTTP/2 is enabled. Request forwarding using HTTP/2 improves the access performance between your application and the load balancer. However, the load balancer still uses HTTP/1.x to forward requests to the backend server. Value options:
kubernetes.io/elb.tls-certificate-ids | IDs of SNI certificates used in ELB, separated by commas (,). Each SNI certificate must contain domain names. To obtain the value, log in to the ELB console and choose Elastic Load Balance > Certificates.
kubernetes.io/elb.security-pool-protocol | If the listener uses HTTPS, you can set the backend protocol to HTTPS. The backend protocol of an existing listener cannot be changed; to change it, add a new listener to the load balancer.
kubernetes.io/elb.tls-ciphers-policy | Security policy used by a listener. Value options: tls-1-0-inherit, tls-1-0, tls-1-1, tls-1-2, tls-1-2-strict, tls-1-2-fs, tls-1-0-with-1-3, tls-1-2-fs-with-1-3, and hybrid-policy-1-0. The default value is tls-1-0. Available for HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.x-forwarded-port | If enabled, the listening port of the load balancer is passed to backend servers in an HTTP header of the request. Available for HTTP/HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.x-forwarded-for-port | If enabled, the client's source port is passed to backend servers in an HTTP header of the request. Available for HTTP/HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.x-forwarded-host | If enabled, X-Forwarded-Host is rewritten using the Host field of the request and passed to backend servers. Available for HTTP/HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.gzip-enabled | Data compression. The files in the following format can be compressed: Available for HTTP/HTTPS listeners of dedicated load balancers.
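The following added example is not part of this page or of the CCI product; it is a small pre-apply check for the rules stated in the procedure and the parameter table above: spec.type must be LoadBalancer, the port in kubernetes.io/elb.protocol-port must equal a spec.ports[].port, an https listener needs kubernetes.io/elb.cert-id, ports must be within 1 to 65535, kubernetes.io/elb.tls-ciphers-policy must be one of the listed values, and kubernetes.io/elb.tls-certificate-ids must be a comma-separated list. It also shows the update step (changing the access port and protocol-port together). The sample manifest is constructed from the placeholder IDs on this page; the assumption that a policy whose name carries 1-0 or 1-1 still negotiates TLS 1.0/1.1 is the author's, not something the page states.

```python
import copy
import json
import re

# Constructed sample mirroring the service.json on this page; the load balancer
# and certificate IDs are the page's placeholder values, not real resources.
SAMPLE_SERVICE = json.loads("""
{
  "apiVersion": "cci/v2",
  "kind": "Service",
  "metadata": {
    "name": "kubectl-test",
    "namespace": "kubectl",
    "annotations": {
      "kubernetes.io/elb.class": "elb",
      "kubernetes.io/elb.id": "1234567890",
      "kubernetes.io/elb.protocol-port": "https:443",
      "kubernetes.io/elb.cert-id": "17e3b4f4bc40471c86741dc3aa211379",
      "kubernetes.io/elb.tls-ciphers-policy": "tls-1-0"
    }
  },
  "spec": {
    "selector": {"app": "kubectl-test"},
    "ports": [{"name": "service-0", "targetPort": 80, "port": 443, "protocol": "TCP"}],
    "type": "LoadBalancer"
  }
}
""")

ANN = "kubernetes.io/elb."

# Security policies listed in the parameter table on this page.
TLS_POLICIES = {
    "tls-1-0-inherit", "tls-1-0", "tls-1-1", "tls-1-2", "tls-1-2-strict",
    "tls-1-2-fs", "tls-1-0-with-1-3", "tls-1-2-fs-with-1-3", "hybrid-policy-1-0",
}
# Assumption (author's, not from the page): these names still negotiate TLS 1.0/1.1.
LEGACY_TLS_POLICIES = {"tls-1-0-inherit", "tls-1-0", "tls-1-1", "tls-1-0-with-1-3", "hybrid-policy-1-0"}
DEFAULT_TLS_POLICY = "tls-1-0"  # default stated in the table


def lint_service(svc: dict) -> list[str]:
    """Return human-readable findings; an empty list means the manifest is consistent."""
    findings = []
    ann = svc.get("metadata", {}).get("annotations", {})
    spec = svc.get("spec", {})
    ports = spec.get("ports", [])

    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type must be LoadBalancer")
    if ann.get(ANN + "class") != "elb" or not ann.get(ANN + "id"):
        findings.append("elb.class must be 'elb' and elb.id must name a dedicated load balancer")

    for p in ports:
        port = p.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"port {port!r} is outside 1-65535")
        if p.get("protocol") != "TCP":
            findings.append(f"port {port!r}: protocol must be TCP")

    m = re.fullmatch(r"(http|https):(\d+)", ann.get(ANN + "protocol-port", ""))
    if m is None:
        findings.append("elb.protocol-port must look like 'https:443'")
    else:
        proto, lport = m.group(1), int(m.group(2))
        if lport not in [p.get("port") for p in ports]:
            findings.append(f"elb.protocol-port {lport} does not match any spec.ports[].port")
        if proto == "https" and not ann.get(ANN + "cert-id"):
            findings.append("https listener declared but elb.cert-id is missing")
        if proto == "http" and ann.get(ANN + "cert-id"):
            findings.append("elb.cert-id is set but the listener is plain http: clients get no TLS")

    policy = ann.get(ANN + "tls-ciphers-policy", DEFAULT_TLS_POLICY)
    if policy not in TLS_POLICIES:
        findings.append(f"unknown tls-ciphers-policy {policy!r}")
    elif policy in LEGACY_TLS_POLICIES:
        findings.append(f"tls-ciphers-policy {policy!r} still allows TLS 1.0/1.1; prefer a tls-1-2 policy")

    sni = ann.get(ANN + "tls-certificate-ids")
    if sni is not None and not all(s.strip() for s in sni.split(",")):
        findings.append("elb.tls-certificate-ids must be a comma-separated list of certificate IDs")
    return findings


def update_access_port(svc: dict, name: str, new_port: int) -> dict:
    """Return a copy with spec.ports[name].port changed and elb.protocol-port updated to match."""
    out = copy.deepcopy(svc)
    ann = out["metadata"]["annotations"]
    for p in out["spec"]["ports"]:
        if p.get("name") == name:
            p["port"] = new_port
            break
    else:
        raise KeyError(f"no port named {name!r}")
    proto = ann[ANN + "protocol-port"].split(":", 1)[0]
    ann[ANN + "protocol-port"] = f"{proto}:{new_port}"
    return out


if __name__ == "__main__":
    for f in lint_service(SAMPLE_SERVICE) or ["OK"]:
        print(f)
```

Run as a script, the only finding on the sample is the default tls-1-0 security policy; changing the access port through update_access_port keeps the manifest consistent, whereas editing spec.ports[].port alone is reported as a mismatch with kubernetes.io/elb.protocol-port.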