This document describes how to use an Ingress certificate. You can configure an Ingress certificate in the following scenarios:
TKE allows you to configure a certificate for the CLB HTTPS listener that is created for an Ingress by using the spec.tls field of the Ingress. In this field, secretName refers to a Kubernetes Secret resource that contains a Tencent Cloud certificate ID, as shown in the following example:
```yaml
spec:
  tls:
  - hosts:
    - www.abc.com
    secretName: secret-tls-2
```
```yaml
apiVersion: v1
stringData:
  qcloud_cert_id: Xxxxxxxx  ## Set the certificate ID as Xxxxxxxx.
kind: Secret
metadata:
  name: tencent-com-cert
  namespace: default
type: Opaque
```
Alternatively, you can create a Secret in the TKE console. For more information, see Secret Management. The main parameters are described as follows:
- Name: set a custom name. This document uses cos-secret as an example.
- Secret Type: select Opaque. This type is suitable for saving key certificates and configuration files. The value is Base64-encoded.
- Validity Range: select a range as required and ensure that the Secret is in the same namespace as the Ingress.
- Content: set the variable name to qcloud_cert_id and the variable value to your Tencent Cloud certificate ID.
If spec.secretName is set and no hosts are configured, the certificate is configured for all HTTPS forwarding rules, as shown in the following example:
```yaml
spec:
  tls:
  - secretName: secret-tls
```
```yaml
spec:
  tls:
  - hosts:
    - "*.abc.com"
    secretName: secret-tls
```
www.abc.com will use the certificate that is described in
```yaml
spec:
  tls:
  - hosts:
    - "*.abc.com"
    secretName: secret-tls-1
  - hosts:
    - www.abc.com
    secretName: secret-tls-2
```
Ensure that the certificate ID in the Secret meets requirements.
Skip this step if you already have the target certificate.
Server Certificate: an SSL certificate. Serving HTTP over an encrypted connection based on this certificate lets a site switch from Hypertext Transfer Protocol (HTTP) to Hypertext Transfer Protocol over Secure Socket Layer (HTTPS), so that data is protected in transit.
Create an Ingress object. For more information, see Ingress Management. During the creation, select Https:443 as the listening port.
- When HTTPS service is enabled for an Ingress object created in the console, a Secret resource with the same name is created to store the certificate ID. This Secret is then referenced in the Ingress.
- The mappings between domain names and certificates that can be configured in TLS are as follows:
- A domain name with a wildcard in its first level (for example, *.abc.com) can be configured.
- If a domain name matches several certificates, one of them is selected at random. We recommend that you do not configure different certificates for the same domain name.
- You must configure certificates for all HTTPS domain names. Otherwise, the Ingress object may fail to be created.
- To modify a certificate, you need to verify all Ingress objects that use the certificate. If multiple Ingress objects are configured with the same Secret resource, the CLB certificates of these Ingress objects will be modified simultaneously.
- To change a certificate, modify its Secret, because the Secret content is your Tencent Cloud certificate ID.
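The following pre-apply check is an added example, not code from the TKE documentation. It encodes the rules above: every spec.tls secretName must resolve to a Secret in the Ingress namespace that carries qcloud_cert_id (under stringData or Base64-encoded under data), every HTTPS host must be covered by a certificate, and a host that matches several TLS entries is flagged because one is chosen at random. Manifests are passed as plain dicts (what a YAML loader would return), and the sample Secrets and Ingress are constructed for the demo.

```python
import base64
CERT_KEY = "qcloud_cert_id"  # Secret field that TKE reads for the Tencent Cloud certificate ID

def host_matches(pattern, host):
    """Exact match, or a wildcard in the first label only (*.abc.com)."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def cert_id_of(secret):
    """Certificate ID from stringData (plain) or data (Base64-encoded), else None."""
    plain = (secret.get("stringData") or {}).get(CERT_KEY)
    raw = (secret.get("data") or {}).get(CERT_KEY)
    return plain or (base64.b64decode(raw).decode() if raw else None)

def check_ingress_tls(ingress, secrets):
    """Return a list of problems in the Ingress TLS config; [] means it is consistent."""
    ns = ingress["metadata"].get("namespace", "default")
    lookup = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s for s in secrets}
    tls, problems = ingress["spec"].get("tls", []), []
    for entry in tls:  # each referenced Secret must exist in the Ingress namespace
        secret = lookup.get((ns, entry["secretName"]))
        if secret is None:
            problems.append(f"Secret {entry['secretName']} not found in namespace {ns}")
        elif not cert_id_of(secret):
            problems.append(f"Secret {entry['secretName']} has no {CERT_KEY}")
    for host in (r["host"] for r in ingress["spec"].get("rules", []) if r.get("host")):
        # a TLS entry without hosts applies to every HTTPS forwarding rule
        names = {e["secretName"] for e in tls
                 if not e.get("hosts") or any(host_matches(p, host) for p in e["hosts"])}
        if not names:
            problems.append(f"no certificate configured for HTTPS host {host}")
        elif len(names) > 1:
            problems.append(f"{host} matches several certificates {sorted(names)}")
    return problems

# Constructed sample manifests as dicts (what yaml.safe_load returns); not from the page.
SECRETS = [
    {"kind": "Secret", "metadata": {"name": "secret-tls-1", "namespace": "default"},
     "stringData": {CERT_KEY: "Xxxxxxxx"}},
    {"kind": "Secret", "metadata": {"name": "secret-tls-2", "namespace": "default"},
     "data": {CERT_KEY: base64.b64encode(b"Yyyyyyyy").decode()}},
]
INGRESS = {"metadata": {"name": "demo", "namespace": "default"},
           "spec": {"tls": [{"hosts": ["*.abc.com"], "secretName": "secret-tls-1"},
                            {"hosts": ["www.abc.com"], "secretName": "secret-tls-2"}],
                    "rules": [{"host": h} for h in ("www.abc.com", "api.abc.com", "abc.org")]}}

if __name__ == "__main__":
    print(*check_ingress_tls(INGRESS, SECRETS), sep="\n")
```

Run against the sample, it reports that www.abc.com matches two certificates and that abc.org has no certificate, while api.abc.com is covered by the wildcard entry.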
Replace [secret-name] with the name of the target Secret and run the following command:
```shell
kubectl edit secrets [secret-name]
```
Change the value of qcloud_cert_id to the new certificate ID.
Depending on your needs, you can place the value under stringData so that it is Base64-encoded automatically.
Run the following command to open the Ingress object to be modified in the default editor. Modify the YAML file and save the modification.
```shell
kubectl edit ingress <ingressname> -n <namespaces>
```