Ingress Certificate Management

Last updated: 2020-05-28 10:52:14

    Introduction

    When creating an Ingress by using the HTTPS listening protocol, choose an appropriate server certificate to ensure access security. This document describes how to use Ingress certificates. Certificate-related annotations are as follows:

    • kubernetes.io/ingress.http-rules
    • kubernetes.io/ingress.https-rules
    • kubernetes.io/ingress.rule-mix
    • qcloud_cert_id (read-only)

    Notes

    • qcloud_cert_id in Ingress annotations is read-only. It enables you to quickly view the certificate ID for the current Ingress.
    • The Secret certificate resource must be in the same namespace as the Ingress resource.
    • When creating an Ingress, the console will automatically create a Secret certificate resource with the same name. If the Secret resource name already exists, the Ingress cannot be created.
    • By default, an Ingress created in TKE does not reuse a Secret resource that is already in use. However, one Secret certificate resource can be referenced by multiple Ingresses; note that updating that Secret updates the certificates of every Ingress that references it.

    Directions

    Using certificates in the console

    1. Log in to the CLB console and click Certificate Management in the left sidebar. On the Certificate Management page, create a certificate.
    2. See Creating an Ingress for more information on how to create an Ingress.
      In this step, select Https:443 as the listening port and select the appropriate server certificate.
    • When HTTPS service is enabled for an Ingress created in the console, a Secret resource with the same name is created to store the certificate ID, and the Ingress references this Secret in its TLS configuration.
    • When you modify a certificate in the TKE console, the certificate of the current Ingress is modified. Note that if multiple Ingresses are configured to use the same Secret, the certificates of the CLBs corresponding to these Ingresses will also be modified.
    • After modifying a certificate in the CLB console, be sure to follow the steps in Modifying a certificate to update the Secret certificate resource with the same name (generated by the console by default when an Ingress is created with that certificate). Otherwise, the Ingress continues to use the previous certificate and the certificate update fails.

    Kubectl guide

    Configuring a certificate and creating an HTTPS service

    1. Run the following command to Base64-encode the certificate ID "XczRzegn" (the data field of a Secret requires Base64-encoded values).
      echo -n "XczRzegn" | base64
      The returned result is as follows:
      WGN6UnplZ24=
    2. Create a Secret resource
      • Use Base64 manual encoding as the encoding method. The sample YAML file is as follows:
        apiVersion: v1
        data:
          qcloud_cert_id: WGN6UnplZ24= ## Set the certificate ID to XczRzegn
        kind: Secret
        metadata:
          name: tencent-com-cert
          namespace: default
        type: Opaque
      • Base64 automatic encoding: use stringData for declaration during creation to avoid manual Base64 encoding. The sample YAML file is as follows:
        apiVersion: v1
        stringData:
          qcloud_cert_id: XczRzegn
        kind: Secret
        metadata:
          name: tencent-com-cert
          namespace: default
        type: Opaque
    3. Create an Ingress resource
      When creating an Ingress resource, specify the backend Service as sample-service:80 and secretName as tencent-com-cert. The sample YAML file is as follows:
      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
        annotations:
          kubernetes.io/ingress.class: qcloud
          qcloud_cert_id: XczRzegn
        name: sample-ingress
        namespace: default
      spec:
        rules:
        - http:
            paths:
            - backend:
                serviceName: sample-service
                servicePort: 80
            path: /
        tls:
        - secretName: tencent-com-cert
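    The three steps above (encode the ID, create the Secret, reference it from the Ingress) can be checked end to end. The following Python is an added example, not part of this document or of TKE: it renders the Secret in both the data and stringData forms, and cross-checks an Ingress against the Secrets it can see, flagging a Secret in the wrong namespace, a missing qcloud_cert_id key, or a Secret whose ID differs from the read-only qcloud_cert_id annotation on the Ingress (the state you get when the CLB certificate was changed but the Secret was not). The sample objects are constructed to look like kubectl -o json output and reuse the page's names and the ID XczRzegn; the function names are this example's own.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample objects, shaped like `kubectl get secret/ingress -o json`
# output. Names, namespace and the certificate ID "XczRzegn" come from the
# page; the objects themselves are assumptions made for this example.
SAMPLE_SECRET: Dict = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "tencent-com-cert", "namespace": "default"},
    "data": {"qcloud_cert_id": "WGN6UnplZ24="},
}

SAMPLE_INGRESS: Dict = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "sample-ingress",
        "namespace": "default",
        "annotations": {
            "kubernetes.io/ingress.class": "qcloud",
            "qcloud_cert_id": "XczRzegn",  # read-only, reports the ID in use
        },
    },
    "spec": {"tls": [{"secretName": "tencent-com-cert"}]},
}


def encode_cert_id(cert_id: str) -> str:
    """Base64-encode a certificate ID for the data: form of the Secret."""
    return base64.b64encode(cert_id.encode()).decode()


def render_secret(name: str, namespace: str, cert_id: str,
                  manual_base64: bool = True) -> str:
    """Render the Secret manifest in the data: (manual Base64) or the
    stringData: (automatic Base64) form described on the page."""
    if manual_base64:
        body = f"data:\n  qcloud_cert_id: {encode_cert_id(cert_id)}\n"
    else:
        body = f"stringData:\n  qcloud_cert_id: {cert_id}\n"
    return (
        "apiVersion: v1\nkind: Secret\ntype: Opaque\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n" + body
    )


def secret_cert_id(secret: Dict) -> Optional[str]:
    """Return the plain certificate ID held by a Secret (data: is Base64,
    stringData: is plain text), or None if the key is absent."""
    data = secret.get("data") or {}
    if "qcloud_cert_id" in data:
        return base64.b64decode(data["qcloud_cert_id"]).decode()
    return (secret.get("stringData") or {}).get("qcloud_cert_id")


def check_ingress_cert(ingress: Dict, secrets: List[Dict]) -> List[str]:
    """Cross-check an Ingress against the Secrets it can see.

    Findings follow the constraints stated on the page: the Secret must live
    in the Ingress namespace, must carry qcloud_cert_id, and that ID should
    equal the read-only qcloud_cert_id annotation on the Ingress (a mismatch
    means the CLB is still serving the previous certificate).
    An empty list means the Ingress and its Secret agree.
    """
    findings: List[str] = []
    ns = ingress["metadata"]["namespace"]
    reported = ingress["metadata"].get("annotations", {}).get("qcloud_cert_id")
    tls = ingress.get("spec", {}).get("tls") or []
    if not tls:
        return ["spec.tls is empty: the Ingress is served over HTTP only"]
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
              for s in secrets}
    for entry in tls:
        name = entry.get("secretName")
        secret = by_key.get((ns, name))
        if secret is None:
            findings.append(
                f"Secret {name!r} not found in namespace {ns!r} "
                "(the Secret must be in the same namespace as the Ingress)")
            continue
        actual = secret_cert_id(secret)
        if actual is None:
            findings.append(f"Secret {name!r} has no qcloud_cert_id key")
        elif reported and actual != reported:
            findings.append(
                f"Secret {name!r} holds certificate {actual!r} but the Ingress "
                f"reports {reported!r}: the CLB certificate has not been updated")
    return findings


if __name__ == "__main__":
    print(render_secret("tencent-com-cert", "default", "XczRzegn"))
    print(check_ingress_cert(SAMPLE_INGRESS, [SAMPLE_SECRET])
          or "OK: the Secret and the Ingress agree on the certificate ID")
```

    In a real cluster the two dicts would come from kubectl get secret and kubectl get ingress with -o json; running the check after every certificate change in the CLB console catches the stale-Secret case described in the notes above before clients see the old certificate.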
      

    Modifying a certificate

    1. Run the following command to use the default editor to open the Secret that needs to be modified.
      kubectl edit secrets
      This document uses the Secret described in Creating a Secret Resource as an example. First, run the following command:
      kubectl edit secrets tencent-com-cert
    2. Modify the Secret resource and change the value of qcloud_cert_id to the new certificate ID.

      Similar to the creation of a Secret, modifying a Secret certificate ID requires Base64 encoding. Select Base64 manual encoding or specify stringData to perform Base64 automatic encoding based on your actual needs.

    Mixed rule configuration

    TKE Ingress Controller supports mixing HTTP and HTTPS rules in one Ingress. To do this, complete the following steps:

    1. Enable mixed rules
      Set kubernetes.io/ingress.rule-mix to True.
      If no TLS is configured in the Ingress template, no certificate resource is available. In this case, all rules are exposed as HTTP services and the preceding annotations do not take effect.
    2. Match rules
      Match each rule in the Ingress against kubernetes.io/ingress.http-rules and kubernetes.io/ingress.https-rules, and add each matched rule to the corresponding rule set. Rules that match neither annotation are added to the HTTPS rule set by default.
    3. Verify matches
      When matching rules, compare Host, Path, ServiceName, and ServicePort (Host defaults to the CLB VIP and Path defaults to /).
      Note that IPv6 CLBs do not support providing default domain names.

    YAML sample

    Refer to the following YAML sample, which enables mixed rules and exposes the backend service over both HTTP and HTTPS.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.http-rules: '[{"host":"www.tencent.com","path":"/","backend":{"serviceName":"sample-service","servicePort":"80"}}]'
        kubernetes.io/ingress.https-rules: '[{"host":"www.tencent.com","path":"/","backend":{"serviceName":"sample-service","servicePort":"80"}}]'
        kubernetes.io/ingress.rule-mix: "true"
        kubernetes.io/ingress.class: qcloud
        qcloud_cert_id: XczRzegn
      name: sample-ingress
      namespace: default
    spec:
      rules:
      - host: www.tencent.com
        http:
          paths:
          - backend:
              serviceName: sample-service
              servicePort: 80
            path: /
      tls:
      - secretName: tencent-com-cert
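    The matching steps above can be written out as code. The following Python is an added example, not the TKE Ingress Controller's implementation: it flattens spec.rules into (Host, Path, ServiceName, ServicePort) tuples with the stated defaults, parses the two rule annotations, and assigns each rule to the HTTP set, the HTTPS set, or both, with unmatched rules falling into the HTTPS set and a TLS-less Ingress going entirely to HTTP. The sample object mirrors the YAML above; the "<CLB-VIP>" placeholder for the default Host, the helper for adding an extra path, and the behaviour when rule-mix is off on a TLS Ingress (all rules kept on HTTPS) are assumptions of this example.

```python
import copy
import json
from typing import Dict, List, Set, Tuple

HTTP_RULES = "kubernetes.io/ingress.http-rules"
HTTPS_RULES = "kubernetes.io/ingress.https-rules"
RULE_MIX = "kubernetes.io/ingress.rule-mix"

# A rule is identified by the four fields the page says are compared.
RuleKey = Tuple[str, str, str, str]  # (host, path, serviceName, servicePort)

# Constructed sample mirroring the page's YAML. The annotation values are the
# JSON strings from the sample; the surrounding object is an assumption.
SAMPLE_INGRESS: Dict = {
    "metadata": {
        "name": "sample-ingress",
        "namespace": "default",
        "annotations": {
            HTTP_RULES: '[{"host":"www.tencent.com","path":"/","backend":'
                        '{"serviceName":"sample-service","servicePort":"80"}}]',
            HTTPS_RULES: '[{"host":"www.tencent.com","path":"/","backend":'
                         '{"serviceName":"sample-service","servicePort":"80"}}]',
            RULE_MIX: "true",
            "kubernetes.io/ingress.class": "qcloud",
        },
    },
    "spec": {
        "rules": [{"host": "www.tencent.com", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "sample-service",
                                      "servicePort": 80}}]}}],
        "tls": [{"secretName": "tencent-com-cert"}],
    },
}


def rule_key(host, path, backend, vip: str) -> RuleKey:
    """Apply the page's defaults (Host -> VIP, Path -> /). servicePort is
    normalised to a string because the annotation carries "80" while the
    spec carries the integer 80."""
    return (host or vip, path or "/", backend["serviceName"],
            str(backend["servicePort"]))


def spec_rule_keys(ingress: Dict, vip: str) -> List[RuleKey]:
    """Flatten spec.rules into one key per (host, path) pair."""
    keys: List[RuleKey] = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            keys.append(rule_key(rule.get("host"), p.get("path"), p["backend"], vip))
    return keys


def annotation_rule_keys(ingress: Dict, annotation: str, vip: str) -> Set[RuleKey]:
    """Parse one of the JSON rule-list annotations into a set of keys."""
    raw = ingress["metadata"].get("annotations", {}).get(annotation)
    if not raw:
        return set()
    return {rule_key(r.get("host"), r.get("path"), r["backend"], vip)
            for r in json.loads(raw)}


def classify_rules(ingress: Dict, vip: str = "<CLB-VIP>") -> Dict[str, List[RuleKey]]:
    """Split an Ingress's rules into the HTTP and HTTPS listener sets."""
    ann = ingress["metadata"].get("annotations", {})
    keys = spec_rule_keys(ingress, vip)
    if not ingress.get("spec", {}).get("tls"):
        # No certificate: every rule is plain HTTP, rule annotations are ignored.
        return {"http": keys, "https": []}
    if str(ann.get(RULE_MIX, "")).lower() != "true":
        # Assumption for this example: without rule-mix a TLS Ingress keeps
        # all of its rules on the HTTPS listener.
        return {"http": [], "https": keys}
    http_set = annotation_rule_keys(ingress, HTTP_RULES, vip)
    https_set = annotation_rule_keys(ingress, HTTPS_RULES, vip)
    result: Dict[str, List[RuleKey]] = {"http": [], "https": []}
    for k in keys:
        if k in http_set:
            result["http"].append(k)
        if k in https_set or k not in http_set:
            # Matched the HTTPS list, or matched neither: HTTPS is the default.
            result["https"].append(k)
    return result


def with_extra_path(ingress: Dict, path: str) -> Dict:
    """Return a copy of the Ingress with one more path on its first rule, to
    see what happens to a rule the annotations do not mention."""
    ing = copy.deepcopy(ingress)
    ing["spec"]["rules"][0]["http"]["paths"].append(
        {"path": path, "backend": {"serviceName": "sample-service", "servicePort": 80}})
    return ing


if __name__ == "__main__":
    print(classify_rules(SAMPLE_INGRESS))
    print(classify_rules(with_extra_path(SAMPLE_INGRESS, "/api")))
```

    With the page's sample the single rule lands in both sets, which is why the service is reachable over HTTP and HTTPS. Adding a path that appears in neither annotation shows the default: it is exposed only on HTTPS, so a rule accidentally left out of the http-rules list is not silently downgraded to plain HTTP.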

    FAQs

    • Can I modify tls.secretName in an Ingress to point to another Secret resource?
      Yes, you can. After updating, the new certificate specified in the Secret will be quickly synchronized to the CLB corresponding to the Ingress.

    • How can I obtain the certificate ID?
      Log in to the CLB console and click Certificate Management in the left sidebar. Then, you can obtain the ID on the Certificate Management page.

    Reference

    For more information, see the official Kubernetes document for Secret.
