Help Center/ Cloud Container Engine/ User Guide (Ankara Region)/ Network/ Ingresses/ LoadBalancer Ingresses/ Configuring an HTTPS Certificate for a LoadBalancer Ingress
Updated on 2024-12-04 GMT+08:00

Configuring an HTTPS Certificate for a LoadBalancer Ingress

Ingresses support TLS certificates and secure your Services with HTTPS.

You can use a TLS secret certificate configured in the cluster and the ELB certificate.

If HTTPS is enabled for the same port of the same load balancer of multiple ingresses, you must select the same certificate.

Using a TLS Secret Certificate

  1. Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
  2. Ingress supports two TLS secret types: kubernetes.io/tls and IngressTLS. IngressTLS is used as an example. For details, see Creating a Secret. For details about examples of the kubernetes.io/tls secret and its description, see TLS secrets.

    Create a YAML file named ingress-test-secret.yaml. The file name can be customized.

    vi ingress-test-secret.yaml

    The YAML file is configured as follows:
    apiVersion: v1
    data:
      tls.crt: LS0******tLS0tCg==
      tls.key: LS0tL******0tLS0K
    kind: Secret
    metadata:
      annotations:
        description: test for ingressTLS secrets
      name: ingress-test-secret
      namespace: default
    type: IngressTLS

    In the preceding information, tls.crt and tls.key are only examples. Replace them with the actual files. The values of tls.crt and tls.key are Base64-encoded.

  3. Create a secret.

    kubectl create -f ingress-test-secret.yaml

    If information similar to the following is displayed, the secret has been created:

    secret/ingress-test-secret created

    View the created secret.

    kubectl get secrets

    If information similar to the following is displayed, the secret has been created:

    NAME                         TYPE                                  DATA      AGE
    ingress-test-secret          IngressTLS                            2         13s

  4. Create a YAML file named ingress-test.yaml. The file name can be customized.

    vi ingress-test.yaml

    Default security policy (kubernetes.io/elb.tls-ciphers-policy) is supported only in clusters of v1.17.17 or later.

    The following uses the automatically created load balancer as an example. The YAML file is configured as follows:

    For clusters of v1.21 or earlier:

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress 
    metadata: 
      name: ingress-test
      annotations: 
        kubernetes.io/elb.class: performance
        kubernetes.io/ingress.class: cce
        kubernetes.io/elb.port: '443'
        kubernetes.io/elb.autocreate: 
          '{
              "type": "public",
              "bandwidth_name": "cce-bandwidth-******",
              "bandwidth_chargemode": "bandwidth",
              "bandwidth_size": 5,
              "bandwidth_sharetype": "PER",
              "eip_type": "5_bgp",
              "available_zone": [
                  ""
              ],
              "elb_virsubnet_ids":["b4bf8152-6c36-4c3b-9f74-2229f8e640c9"],
              "l7_flavor_name": "L7_flavor.elb.s1.small"
           }'
        kubernetes.io/elb.tls-ciphers-policy: tls-1-2
    spec:
      tls: 
      - secretName: ingress-test-secret
      rules: 
      - host: foo.bar.com
        http: 
          paths: 
          - path: '/'
            backend: 
              serviceName: <your_service_name>  # Replace it with the name of your target Service.
              servicePort: 80
            property:
              ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
    For clusters of v1.23 or later:
    apiVersion: networking.k8s.io/v1
    kind: Ingress 
    metadata: 
      name: ingress-test
      annotations: 
        kubernetes.io/elb.class: performance
        kubernetes.io/elb.port: '443'
        kubernetes.io/elb.autocreate: 
          '{
              "type": "public",
              "bandwidth_name": "cce-bandwidth-******",
              "bandwidth_chargemode": "bandwidth",
              "bandwidth_size": 5,
              "bandwidth_sharetype": "PER",
              "eip_type": "5_bgp",
              "available_zone": [
                  ""
              ],
              "elb_virsubnet_ids":["b4bf8152-6c36-4c3b-9f74-2229f8e640c9"],
              "l7_flavor_name": "L7_flavor.elb.s1.small"
           }'
        kubernetes.io/elb.tls-ciphers-policy: tls-1-2
    spec:
      tls: 
      - secretName: ingress-test-secret
      rules: 
      - host: foo.bar.com
        http: 
          paths: 
          - path: '/'
            backend: 
              service:
                name: <your_service_name>  # Replace it with the name of your target Service.
                port: 
                  number: 8080             # Replace 8080 with the port number of your target Service.
            property:
              ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
            pathType: ImplementationSpecific
      ingressClassName: cce 
    Table 1 Key parameters

    Parameter

    Mandatory

    Type

    Description

    kubernetes.io/elb.security_policy_id

    No

    String

    The ID of the custom security group policy in ELB. Obtain it on the ELB console. This field takes effect only when HTTPS is used and has a higher priority than the default security policy.

    kubernetes.io/elb.tls-ciphers-policy

    No

    String

    The default value is tls-1-2, which is the default security policy used by the listener and takes effect only when HTTPS is used.

    Options:

    • tls-1-0
    • tls-1-1
    • tls-1-2
    • tls-1-2-strict

    For details of cipher suites for each security policy, see Table 2.

    tls

    No

    Array of strings

    When HTTPS is used, this parameter must be added to specify the secret certificate.

    Multiple independent domain names and certificates can be added. For details, see Configuring SNI for a LoadBalancer Ingress.

    secretName

    No

    String

    This parameter is mandatory if HTTPS is used. Set this parameter to the name of the created secret.

    Table 2 tls_ciphers_policy

    Security Policy

    TLS Version

    Cipher Suite

    tls-1-0

    TLS 1.2

    TLS 1.1

    TLS 1.0

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA:AES256-SHA

    tls-1-1

    TLS 1.2

    TLS 1.1

    tls-1-2

    TLS 1.2

    tls-1-2-strict

    TLS 1.2

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

  5. Create an ingress.

    kubectl create -f ingress-test.yaml

    If information similar to the following is displayed, the ingress has been created.

    ingress/ingress-test created

    View the created ingress.

    kubectl get ingress

    If information similar to the following is displayed, the ingress has been created and the workload is accessible.

    NAME             HOSTS     ADDRESS          PORTS   AGE
    ingress-test     *         121.**.**.**     80      10s

  6. Enter https://121.**.**.**:443 in the address box of the browser to access the workload (for example, Nginx workload).

    121.**.**.** indicates the IP address of the unified load balancer.

Using the ELB Certificate

To use the ELB certificate, you can specify the annotations kubernetes.io/elb.tls-certificate-ids.

  1. If you specify both the IngressTLS certificate and the ELB certificate, the latter is used.
  2. CCE does not check whether the ELB certificate is valid. It only checks whether the certificate exists.
  3. Only clusters of v1.19.16-r2, v1.21.5-r0, v1.23.3-r0, or later support the ELB certificate.

For clusters of v1.21 or earlier:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress 
metadata: 
  name: ingress-test
  annotations: 
    kubernetes.io/ingress.class: cce
    kubernetes.io/elb.port: '443'
    kubernetes.io/elb.id: 0b9a6c4d-bd8b-45cc-bfc8-ff0f9da54e95
    kubernetes.io/elb.class: union
    kubernetes.io/elb.tls-certificate-ids: 058cc023690d48a3867ad69dbe9cd6e5,b98382b1f01c473286653afd1ed9ab63
spec:
  rules: 
  - host: ''
    http: 
      paths: 
      - path: '/'
        backend: 
          serviceName: <your_service_name>  # Replace it with the name of your target Service.
          servicePort: 80
        property:
          ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
For clusters of v1.23 or later:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  namespace: default
  annotations:
    kubernetes.io/elb.port: '443'
    kubernetes.io/elb.id: 0b9a6c4d-bd8b-45cc-bfc8-ff0f9da54e95
    kubernetes.io/elb.class: union
    kubernetes.io/elb.tls-certificate-ids: 058cc023690d48a3867ad69dbe9cd6e5,b98382b1f01c473286653afd1ed9ab63
spec:
  rules:
    - host: ''
      http:
        paths:
          - path: '/'
            backend:
              service:
                name: <your_service_name>  # Replace it with the name of your target Service.
                port: 
                  number: 8080             # Replace 8080 with the port number of your target Service.
            property:
              ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
            pathType: ImplementationSpecific
  ingressClassName: cce
Table 3 Key parameters

Parameter

Type

Description

kubernetes.io/elb.tls-certificate-ids

String

ELB certificate IDs, which are separated by comma (,). The list length is greater than or equal to 1. The first ID in the list is the server certificate, and the other IDs are SNI certificates in which a domain name must be contained.

If an SNI certificate cannot be found based on the domain name requested by the client, the server certificate will be returned by default.

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, and click Certificates in the navigation pane. In the load balancer list, copy the ID under the target certificate name.