
Mixed Use of HTTP and HTTPS Protocols through Ingress

Last updated: 2023-09-26 14:37:53

Mixed Rules

By default, if TLS is not configured in an Ingress, its services are exposed over HTTP. If TLS is configured, they are exposed over HTTPS. An Ingress can therefore expose the services it describes over only one of the two protocols. To remove this limitation, TKE supports mixed use of both protocols.
This document describes how to expose services over HTTP and HTTPS simultaneously: enable mixed protocols, then list all forwarding rules in the kubernetes.io/ingress.http-rules and kubernetes.io/ingress.https-rules annotations.

Rule Format

The value of kubernetes.io/ingress.http-rules and kubernetes.io/ingress.https-rules is a JSON array. The format of each object is as follows:
{
    "host": "<domain>",
    "path": "<path>",
    "backend": {
        "serviceName": "<service name>",
        "servicePort": "<service port>"
    }
}

Configuration Directions

TKE Ingress Controller supports mixed configuration of HTTP and HTTPS rules. The steps are as follows:
1. Enable mixed rules: add the annotation kubernetes.io/ingress.rule-mix to the Ingress and set it to true.
2. Rule matching: each forwarding rule in the Ingress is matched against kubernetes.io/ingress.http-rules and kubernetes.io/ingress.https-rules and added to the corresponding rule set. A rule with no match in the Ingress annotations is added to the HTTPS rule set by default.
3. Match validation: rules are matched on Host, Path, ServiceName, and ServicePort, so verify these fields when writing the annotations. The default Host is the VIP, and the default Path is /.
Note:
IPv6 load balancing does not have an IPv4 address and therefore cannot provide the default domain name functionality.

Sample

Sample Ingress: sample-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.http-rules: '[{"host":"www.tencent.com","path":"/","backend":{"serviceName":"sample-service","servicePort":"80"}}]'
    kubernetes.io/ingress.https-rules: '[{"host":"www.tencent.com","path":"/","backend":{"serviceName":"sample-service","servicePort":"80"}}]'
    kubernetes.io/ingress.rule-mix: "true"
  name: sample-ingress
  namespace: default
spec:
  rules:
  - host: www.tencent.com
    http:
      paths:
      - backend:
          serviceName: sample-service
          servicePort: 80
        path: /
  tls:
  - secretName: tencent-com-cert

This example contains the following configuration:
It specifies the default certificate. The certificate ID must exist in the Secret resource tencent-com-cert.
It enables mixed protocols and lists the forwarding rule from ingress.spec.rules in both the kubernetes.io/ingress.http-rules and kubernetes.io/ingress.https-rules annotations.
As a result, CLB configures forwarding rules for both HTTP and HTTPS to expose the service.
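
The matching steps above decide which rules end up reachable over unencrypted HTTP. The following added example (not TKE's code) models those steps to list the HTTP-exposed rules of an Ingress before it is applied. The function names, the constructed "/admin" path, comparing ports as strings, and treating an omitted host as an empty string are assumptions.

```python
import json
ANN = "kubernetes.io/ingress."

def _key(host, path, backend):
    # Page: match on Host, Path, ServiceName, ServicePort; default Path is "/".
    # Assumption: an omitted host (the VIP default) compares as "", ports as strings.
    return (host or "", path or "/", backend["serviceName"], str(backend["servicePort"]))

def _annotation_keys(ann, name):
    rules = json.loads(ann.get(ANN + name, "[]"))
    return {_key(r.get("host"), r.get("path"), r["backend"]) for r in rules}

def classify_rules(ingress):
    """Map each spec rule to the set of protocols it is exposed on."""
    ann = ingress["metadata"].get("annotations", {})
    spec = ingress["spec"]
    mixed = ann.get(ANN + "rule-mix") == "true"
    http_keys = _annotation_keys(ann, "http-rules")
    https_keys = _annotation_keys(ann, "https-rules")
    result = {}
    for rule in spec.get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            key = _key(rule.get("host"), p.get("path"), p["backend"])
            if not mixed:  # single protocol: HTTPS when TLS is configured, else HTTP
                protos = {"https"} if spec.get("tls") else {"http"}
            else:
                protos = {n for n, s in (("http", http_keys), ("https", https_keys)) if key in s}
                protos = protos or {"https"}  # unmatched rules default to HTTPS
            result[key] = protos
    return result

def plaintext_exposed(ingress):
    """Rules reachable over unencrypted HTTP, for review."""
    return sorted(k for k, v in classify_rules(ingress).items() if "http" in v)

# The page's sample Ingress as a dict, plus a constructed "/admin" path that is
# listed in neither annotation.
_RULE = '[{"host":"www.tencent.com","path":"/","backend":{"serviceName":"sample-service","servicePort":"80"}}]'
_BACKEND = {"serviceName": "sample-service", "servicePort": 80}
SAMPLE = {
    "metadata": {"annotations": {ANN + "http-rules": _RULE, ANN + "https-rules": _RULE,
                                 ANN + "rule-mix": "true"}},
    "spec": {"rules": [{"host": "www.tencent.com", "http": {"paths": [
                 {"path": "/", "backend": _BACKEND},
                 {"path": "/admin", "backend": _BACKEND}]}}],
             "tls": [{"secretName": "tencent-com-cert"}]},
}

if __name__ == "__main__":
    print("HTTP-exposed rules:", plaintext_exposed(SAMPLE))
```

In this model the "/" rule is exposed on both protocols, while the unlisted "/admin" rule falls into the HTTPS set only.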