Configuring HTTPS for a LoadBalancer Service

Configuring an HTTPS Service

You can create a Service for a workload after it is created. Creating a Service has no impact on the workload. Once created, the Service can be used by the workload for network access immediately.

Log in to the ELB console and click Create Certificate.
Log in to the CCI 2.0 console.
In the navigation pane, choose Services. On the right of the page, click Create from YAML.

Import or add a YAML file.

The following is an example YAML file.

Resource description in the service.yaml file:

apiVersion: cci/v2
kind: Service
metadata:
  name: kubectl-test
  namespace: kubectl
  annotations:
    kubernetes.io/elb.class: elb
    kubernetes.io/elb.id: 1234567890 # Load balancer ID. Only dedicated load balancers are supported.
    kubernetes.io/elb.protocol-port: "http:443"  # HTTP and port number, which must be the same as that in spec.ports.
    kubernetes.io/elb.cert-id: "17e3b4f4bc40471c86741dc3aa211379"  # Certificate ID of the LoadBalancer Service
spec:
  selector:
    app: kubectl-test # Label of the associated workload
  ports:
    - name: service-0
      targetPort: 80   # Container port
      port: 443      # Access port (load balancer's port for accessing the workload)
      protocol: TCP    # Set the protocol to TCP.
  type: LoadBalancer

Resource description in the service.json file:

{
	"apiVersion": "cci/v2",
	"kind": "Service",
	"metadata": {
		"name": "kubectl-test",
		"namespace": "kubectl",
		"annotations": {
                        "kubernetes.io/elb.class": "elb",
			"kubernetes.io/elb.id": "1234567890"  # Load balancer ID. Only dedicated load balancers are supported.
                        "kubernetes.io/elb.protocol-port": "https:443"  # HTTPS and port number, which must be the same as that in spec.ports.
                        "kubernetes.io/elb.cert-id": "17e3b4f4bc40471c86741dc3aa211379" # Certificate ID of the LoadBalancer Service
		}
	},
	"spec": {
		"selector": {
			"app": "kubectl-test" # Label of the associated workload
		},
		"ports": [
			{
				"name": "service-0",
				"targetPort": 80,     # Container port
				"port": 443,          # Access port of the Service
				"protocol": "TCP",    # Set the protocol to TCP.
				"type": "LoadBalancer"
			}
		]
	}
}

Click OK. Access the workload through the load balancer's IP address and port in the format of <IP-address>:<port>.

Updating a Service

After you add a Service, you can update the access port of the Service.

Log in to the CCI 2.0 console.
In the navigation pane, choose Services. On the Services page, select the target namespace, locate the Service, and click Edit YAML in the Operation column.
Only the access port can be modified.

spec.ports[i].port: indicates the access port. The port number ranges from 1 to 65535. You need to change the value of kubernetes.io/elb.protocol-port accordingly.
Click OK. The Service will be updated for the workload.

Parameters for an HTTPS Service

You can refer to the following table to add the annotations to configure a listener for an HTTPS Service.

Parameter	Description
kubernetes.io/elb.http2-enable	Whether HTTP/2 is enabled. Request forwarding using HTTP/2 improves the access performance between your application and the load balancer. However, the load balancer still uses HTTP/1.x to forward requests to the backend server. Value options: true: enabled false: disabled (default value) CAUTION: HTTP/2 can be enabled or disabled only for HTTPS listeners. This option is invalid when the listeners use HTTP. The default value is false.
kubernetes.io/elb.tls-certificate-ids	IDs of SNI certificates used in ELB, separated by commas (,). Each SNI certificate must contain domain names. To obtain the value, log in to the ELB console and choose Elastic Load Balance > Certificates.
kubernetes.io/elb.security-pool-protocol	If the listener uses HTTPS, you can set the backend protocol to HTTPS. The backend protocol of an existing listener cannot be changed. If you want to change the backend protocol, you need to add a new listener to the load balancer. true: enabled false: disabled
kubernetes.io/elb.tls-ciphers-policy	Security policy used by a listener. Value options include tls-1-0-inherit, tls-1-0, tls-1-1, tls-1-2, tls-1-2-strict, tls-1-2-fs, tls-1-0-with-1-3, tls-1-2-fs-with-1-3, and hybrid-policy-1-0. The default value is tls-1-0. This option is available for HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.x-forwarded-port	If this option is enabled, the listening port of the load balancer can be transferred to backend servers through the HTTP header of the packet. true: enabled false: disabled This option is available for HTTP/HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.x-forwarded-for-port	If this option is enabled, the source port of the client can be transferred to backend servers through the HTTP header of the packet. true: enabled false: disabled This option is available for HTTP/HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.x-forwarded-host	If this option is enabled, X-Forwarded-Host will be rewritten using the Host field in the request and transferred to backend servers. true: enabled false: disabled This option is available for HTTP/HTTPS listeners of dedicated load balancers.
kubernetes.io/elb.gzip-enabled	Data compression. true: Data compression is enabled, and specific file types will be compressed. false: Data compression is disabled, and no files will be compressed. By default, data compression is disabled. The files in the following format can be compressed: Brotli can compress all file formats. GZIP can compress the files of the following types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json. This option is available for HTTP/HTTPS listeners of dedicated load balancers.