Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com> Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
<a name="cce_10_0841"></a><a name="cce_10_0841"></a>
<h1 class="topictitle1">Configuring SNI for a LoadBalancer Service</h1>
<div id="body0000001807704850"><p id="cce_10_0841__p10554647142415">Server Name Indication (<span class="keyword" id="cce_10_0841__keyword7726103682520">SNI</span>) is a TLS extension with which the client names the domain it wants to reach during the handshake. An SNI certificate is an additional server certificate bound to a domain name. With SNI, one IP address and port can serve several domain names, and the load balancer presents a different certificate depending on the domain name the client requests, so each domain keeps its own HTTPS identity.</p>
<p id="cce_10_0841__p42221334205117">When configuring SNI, you add one certificate per domain name. The client sends the domain name it is requesting in its TLS handshake (the ClientHello). The load balancer looks up a certificate for that domain name: if one is found, it is presented to the client; if not, the default server certificate is presented. This fallback also applies to a name you have not configured and to clients that send no SNI at all, so such clients receive the default certificate and will fail certificate validation unless that certificate also covers the name they expect.</p>
<div class="note" id="cce_10_0841__note162811435810"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0841__p19269144025418">After SNI is configured, deleting the SNI configuration on the CCE console or removing the annotation from the YAML file does not remove the SNI certificates from the listener: the configuration on the ELB is retained. If the certificates should no longer be served, remove them from the listener in ELB.</p>
</div></div>
<div class="section" id="cce_10_0841__section1217816043419"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_0841__ul461132212385"><li id="cce_10_0841__li148691314135118">A Kubernetes cluster is available and its version meets one of the following requirements:<ul id="cce_10_0841__ul11869814115110"><li id="cce_10_0841__li1886951435115">v1.23: v1.23.13-r0 or later</li><li id="cce_10_0841__li3869414185117">v1.25: v1.25.8-r0 or later</li><li id="cce_10_0841__li573712112417">v1.27: v1.27.5-r0 or later</li><li id="cce_10_0841__li147371021132418">v1.28: v1.28.3-r0 or later</li><li id="cce_10_0841__li194601627112417">Any later cluster version</li></ul>
</li></ul>
<ul id="cce_10_0841__ul11453637191613"><li id="cce_10_0841__li9769830193420">You have created one or more SNI certificates in ELB, each with a domain name specified.</li><li id="cce_10_0841__li2045311379169">To create the Service with kubectl, make sure kubectl is configured to access the cluster. For details, see <a href="cce_10_0107.html">Accessing a Cluster Using kubectl</a>.</li></ul>
</div>
<div class="section" id="cce_10_0841__section83941158134"><h4 class="sectiontitle">Using the CCE Console</h4><ol id="cce_10_0841__ol11182813184815"><li id="cce_10_0841__li330462393220"><span>Log in to the <span id="cce_10_0841__cce_10_0004_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0841__li1651955651312"><span>In the navigation pane, choose <strong id="cce_10_0841__b201890535353443"><span id="cce_10_0841__text9765124722315">Services & Ingresses</span></strong>. In the upper right corner, click <span class="uicontrol" id="cce_10_0841__uicontrol2882149653443"><b>Create Service</b></span>.</span></li><li id="cce_10_0841__li185190567138"><span>Configure the Service parameters. Only the parameters needed for SNI are listed here. For the other parameters, see <a href="cce_10_0681.html#cce_10_0681__section84162025538">Using the CCE Console</a>.</span><p><ul id="cce_10_0841__ul4446314017144"><li id="cce_10_0841__li6462394317144"><strong id="cce_10_0841__b1851101893514">Service Name</strong>: Specify a Service name, which can be the same as the workload name.</li><li id="cce_10_0841__li89543531070"><strong id="cce_10_0841__b183914845043028">Service Type</strong>: Select <strong id="cce_10_0841__b87235632443028">LoadBalancer</strong>.</li><li id="cce_10_0841__li43200017144"><strong id="cce_10_0841__b8342741205392">Selector</strong>: Add a label and click <strong id="cce_10_0841__b13174691915392">Confirm</strong>. The Service uses this label to select pods. You can also click <strong id="cce_10_0841__b174805016653947">Reference Workload Label</strong> to use the label of an existing workload. In the dialog box that is displayed, select a workload and click <strong id="cce_10_0841__b18755929353947">OK</strong>.</li><li id="cce_10_0841__li14384123818176"><strong id="cce_10_0841__b193232001141941">Load Balancer</strong>: Select a load balancer type and creation mode.<ul id="cce_10_0841__ul589211413819"><li id="cce_10_0841__li1995101610373"><a name="cce_10_0841__li1995101610373"></a><a name="li1995101610373"></a>A load balancer can be dedicated or shared. To enable HTTP/HTTPS on the listener port of a dedicated load balancer, the load balancer type must be <span class="uicontrol" id="cce_10_0841__uicontrol64548119954342"><b>Application (HTTP/HTTPS)</b></span> or <span class="uicontrol" id="cce_10_0841__uicontrol87936278254342"><b>Network (TCP/UDP) & Application (HTTP/HTTPS)</b></span>.</li><li id="cce_10_0841__li13266657143911">This section uses an existing load balancer as an example. For the parameters for automatically creating a load balancer, see <a href="cce_10_0681.html#cce_10_0681__table026610571395">Table 1</a>.</li></ul>
</li><li id="cce_10_0841__li158271501592"><strong id="cce_10_0841__b85720294244218">Port</strong><ul id="cce_10_0841__ul3499201217144"><li id="cce_10_0841__li4649265917144"><strong id="cce_10_0841__b65605381955555">Protocol</strong>: Select <strong id="cce_10_0841__b42436443655555">TCP</strong>. If you select <strong id="cce_10_0841__b14574129655555">UDP</strong>, HTTP and HTTPS are unavailable.</li><li id="cce_10_0841__li353122153610"><strong id="cce_10_0841__b128325988855610">Service Port</strong>: the port used by the Service, in the range 1 to 65535.</li><li id="cce_10_0841__li475042104417"><strong id="cce_10_0841__b31482107294">Container Port</strong>: the port that the workload listens on. For example, Nginx uses port 80 by default.</li><li id="cce_10_0841__li8911126175719"><strong id="cce_10_0841__b432164634917">Frontend Protocol</strong>: Select HTTPS. SNI is part of the TLS handshake, so it is unavailable on an HTTP listener. For a <a href="#cce_10_0841__li1995101610373">dedicated load balancer</a>, HTTP/HTTPS requires the load balancer type <strong id="cce_10_0841__b11146919366">Application (HTTP/HTTPS)</strong>.</li></ul>
</li><li id="cce_10_0841__li1567510365916"><strong id="cce_10_0841__b58302540544328">Listener</strong><ul id="cce_10_0841__ul38353035910"><li id="cce_10_0841__li187883173610"><strong id="cce_10_0841__b105526309618">SSL Authentication</strong>: Select this option if <strong id="cce_10_0841__b16552730564">Frontend Protocol</strong> is set to <strong id="cce_10_0841__b175523301661">HTTPS</strong>. For dedicated load balancers, this option is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later.<ul id="cce_10_0841__ul1710811473613"><li id="cce_10_0841__li1837443723520"><strong id="cce_10_0841__b637951000">One-way authentication</strong>: Only the server side (the load balancer) is authenticated: the client verifies the server certificate, but the load balancer does not verify the client. If you also need to authenticate the client, select two-way authentication.</li><li id="cce_10_0841__li6964158133615"><strong id="cce_10_0841__b12319195365020">Two-way authentication</strong>: The client and the load balancer authenticate each other, so only clients that present a certificate issued by the configured CA can complete the handshake and reach the load balancer. The client certificate is verified at the load balancer, so no additional backend server configuration is required.</li></ul>
</li><li id="cce_10_0841__li1219103263614"><strong id="cce_10_0841__b1629193155117">CA Certificate</strong>: If <strong id="cce_10_0841__b166291837515">SSL Authentication</strong> is set to <strong id="cce_10_0841__b2063012313513">Two-way authentication</strong>, add the CA certificate used to verify client certificates. The CA certificate, issued by a Certificate Authority (CA), is the trust anchor against which the issuer of the client's certificate is checked. With two-way authentication enabled, an HTTPS connection can be established only if the client presents a certificate issued by that CA.</li><li id="cce_10_0841__li983517014595"><strong id="cce_10_0841__b714659077405">Server Certificate</strong>: Select a server certificate to use as the default certificate.</li><li id="cce_10_0841__li1883511013595"><strong id="cce_10_0841__b18841032142713">SNI</strong>: Add one or more SNI certificates, each with a domain name.<p id="cce_10_0841__p166921451713">If no SNI certificate matches the domain name requested by the client, the load balancer returns the default server certificate. A client that requests a domain name you did not add, or that sends no SNI at all, therefore receives the default certificate and will fail certificate validation unless that certificate also covers the name it expects.</p>
</li><li id="cce_10_0841__li1027969193913"><strong id="cce_10_0841__b16572102116488">Security Policy</strong>: If <strong id="cce_10_0841__b9572122117488">Frontend Protocol</strong> is set to <strong id="cce_10_0841__b8572202104816">HTTPS</strong>, you can select a security policy, which determines the TLS versions and cipher suites the listener accepts. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later.</li><li id="cce_10_0841__li142441213914"><strong id="cce_10_0841__b2118799243103815">Backend Protocol</strong>: If <strong id="cce_10_0841__b139371322201610">Frontend Protocol</strong> is set to <strong id="cce_10_0841__b17937142213161">HTTPS</strong>, the backend servers can be accessed over HTTP or HTTPS. The default value is <strong id="cce_10_0841__b494173409103815">HTTP</strong>, which means TLS is terminated at the load balancer and traffic from the load balancer to the pods is sent in plaintext; select HTTPS if that hop must also be encrypted. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later.</li></ul>
</li></ul>
</p></li><li id="cce_10_0841__li179082217613"><span>Click <strong id="cce_10_0841__b536933613208">OK</strong>.</span></li></ol>
</div>
<div class="section" id="cce_10_0841__section13870162923316"><h4 class="sectiontitle">Using kubectl</h4><div class="p" id="cce_10_0841__p5555947202415">This section uses an existing load balancer as an example. The following YAML file defines a Service with SNI enabled. The example enables HTTPS on Service port 80; if clients should use the standard HTTPS port, set both the Service port and the kubernetes.io/elb.protocol-port value to 443.<pre class="screen" id="cce_10_0841__screen0555174710241">apiVersion: v1
kind: Service
metadata:
  name: test
  labels:
    app: test
  namespace: default
  annotations:
    kubernetes.io/elb.class: performance   # Load balancer type
    kubernetes.io/elb.id: <i><span class="varname" id="cce_10_0841__varname063416164416">65318265-4f01-4541-a654-fa74e439dfd3</span></i>   # ID of an existing load balancer
    kubernetes.io/elb.protocol-port: <i><span class="varname" id="cce_10_0841__varname68451644165218">https:80</span></i>   # Listener protocol and Service port where SNI is enabled
    kubernetes.io/elb.cert-id: <i><span class="varname" id="cce_10_0841__varname1232565916387">b64ab636f1614e1a960b5249c497a880</span></i>   # Default HTTPS server certificate
    kubernetes.io/elb.tls-certificate-ids: <i><span class="varname" id="cce_10_0841__varname1980113410397">5196aa70b0f143189e4cb54991ba2286,8125d71fcc124aabbe007610cba42d60</span></i>   # SNI certificate IDs, comma-separated
    kubernetes.io/elb.lb-algorithm: ROUND_ROBIN
spec:
  selector:
    app: test
  externalTrafficPolicy: Cluster
  ports:
  - name: cce-service-0
    targetPort: 80
    nodePort: 0
    port: 80
    protocol: TCP
  type: LoadBalancer
  loadBalancerIP: <i><span class="varname" id="cce_10_0841__varname1524614364719">**.**.**.**</span></i>   # Private IP address of the load balancer</pre>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0841__table198992093301" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Key parameters</caption><thead align="left"><tr id="cce_10_0841__row9899598301"><th align="left" class="cellrowborder" valign="top" width="24%" id="mcps1.3.6.3.2.4.1.1"><p id="cce_10_0841__p1089911973015">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="12%" id="mcps1.3.6.3.2.4.1.2"><p id="cce_10_0841__p1289917983020">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="64%" id="mcps1.3.6.3.2.4.1.3"><p id="cce_10_0841__p18992912307">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_0841__row969262945319"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.6.3.2.4.1.1 "><p id="cce_10_0841__p206921229115318">kubernetes.io/elb.protocol-port</p>
</td>
<td class="cellrowborder" valign="top" width="12%" headers="mcps1.3.6.3.2.4.1.2 "><p id="cce_10_0841__p139341449533">String</p>
</td>
<td class="cellrowborder" valign="top" width="64%" headers="mcps1.3.6.3.2.4.1.3 "><p id="cce_10_0841__p16921829195319">For a Service that uses HTTP/HTTPS, set the listener protocol and port in the format "protocol:port".</p>
<p id="cce_10_0841__p1514038155920">where:</p>
<ul id="cce_10_0841__ul475121635916"><li id="cce_10_0841__li675111619595"><strong id="cce_10_0841__b378399182576">protocol</strong>: protocol of the listener port, <strong id="cce_10_0841__b1930446145576">http</strong> or <strong id="cce_10_0841__b1878701731576">https</strong>.</li><li id="cce_10_0841__li675416135918"><strong id="cce_10_0841__b3094749915845">port</strong>: a Service port, that is, a value of <strong id="cce_10_0841__b13378383435845">spec.ports[].port</strong>.</li></ul>
<p id="cce_10_0841__p2060420155411">For example, SNI requires <strong id="cce_10_0841__b16941530103717">https</strong>, and the Service port in the example above is <strong id="cce_10_0841__b12945301374">80</strong>, so the value is <strong id="cce_10_0841__b294730103717">https:80</strong>.</p>
</td>
</tr>
<tr id="cce_10_0841__row196651518195317"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.6.3.2.4.1.1 "><p id="cce_10_0841__p1665111865317">kubernetes.io/elb.cert-id</p>
</td>
<td class="cellrowborder" valign="top" width="12%" headers="mcps1.3.6.3.2.4.1.2 "><p id="cce_10_0841__p8519144510532">String</p>
</td>
<td class="cellrowborder" valign="top" width="64%" headers="mcps1.3.6.3.2.4.1.3 "><p id="cce_10_0841__p1266517186536">ID of an ELB certificate, used as the default HTTPS server certificate. This is the certificate presented when no SNI certificate matches the requested domain name.</p>
<p id="cce_10_0841__p6842101018719">How to obtain: Log in to the <span id="cce_10_0841__ph181898315611">ELB console</span> and choose <strong id="cce_10_0841__b177919597389">Certificates</strong>. In the certificate list, copy the ID under the target certificate name.</p>
</td>
</tr>
<tr id="cce_10_0841__row189919913017"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.6.3.2.4.1.1 "><p id="cce_10_0841__p1887122073013">kubernetes.io/elb.tls-certificate-ids</p>
</td>
<td class="cellrowborder" valign="top" width="12%" headers="mcps1.3.6.3.2.4.1.2 "><p id="cce_10_0841__p188991591302">String</p>
</td>
<td class="cellrowborder" valign="top" width="64%" headers="mcps1.3.6.3.2.4.1.3 "><p id="cce_10_0841__p158991292302">Comma-separated (,) IDs of ELB SNI certificates. Each SNI certificate must have a domain name specified.</p>
<p id="cce_10_0841__p151935344219">If no SNI certificate matches the domain name requested by the client, the load balancer returns the default server certificate (kubernetes.io/elb.cert-id).</p>
<p id="cce_10_0841__p266917129452">How to obtain: Log in to the <span id="cce_10_0841__ph13362178103915">ELB console</span> and choose <strong id="cce_10_0841__b2362987395">Certificates</strong>. In the certificate list, copy the ID under the target certificate name.</p>
</td>
</tr>
<tr id="cce_10_0841__row7457163651710"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.6.3.2.4.1.1 "><p id="cce_10_0841__p194051945201813">kubernetes.io/elb.client-ca-cert-id</p>
</td>
<td class="cellrowborder" valign="top" width="12%" headers="mcps1.3.6.3.2.4.1.2 "><p id="cce_10_0841__p14405445111820">String</p>
</td>
<td class="cellrowborder" valign="top" width="64%" headers="mcps1.3.6.3.2.4.1.3 "><p id="cce_10_0841__p7405245131818">Required only for two-way (mutual) authentication. ID of the ELB certificate used as the CA certificate for verifying client certificates; only clients that present a certificate issued by this CA can complete the handshake.</p>
<p id="cce_10_0841__p04053453188">How to obtain: Log in to the <span id="cce_10_0841__ph2405174561820">ELB console</span> and choose <strong id="cce_10_0841__b659191618175">Certificates</strong>. In the certificate list, copy the ID under the target certificate name.</p>
<p id="cce_10_0841__p12405114513187">For dedicated load balancers, this annotation is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later.</p>
</td>
</tr>
</tbody>
</table>
</div>
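<p>The following Python script is an added example, not code from the CCE documentation or from CCE itself. It checks a Service manifest against the rules in Table 1 before it is applied (protocol-port format and port match, https required for SNI, a default certificate present, well-formed SNI and client CA certificate IDs) and models the certificate selection described at the top of this page, including the fallback to the default certificate. It assumes certificate IDs are 32 lowercase hex characters, as in the example YAML, and that a comma-separated list is accepted in kubernetes.io/elb.protocol-port; the wildcard handling in select_certificate follows the general TLS convention and is not documented ELB behaviour. The manifest it checks is constructed from the YAML example above.</p>

```python
"""Pre-apply checks for a CCE LoadBalancer Service that enables SNI, plus a
model of the certificate selection described on this page.

Added example, not code from the CCE documentation or from CCE. Rules encoded:
  - kubernetes.io/elb.protocol-port is "protocol:port", protocol http|https,
    port equal to a spec.ports[].port (a comma-separated list of pairs is
    accepted here; the page shows a single pair);
  - with https, kubernetes.io/elb.cert-id (default server certificate) is required;
  - kubernetes.io/elb.tls-certificate-ids lists the SNI certificate IDs;
  - kubernetes.io/elb.client-ca-cert-id only matters for two-way authentication.
Assumption: certificate IDs are 32 lowercase hex characters, as in the example YAML.
"""
import copy
import re
from typing import Dict, List, Optional

ANN = "kubernetes.io/elb."
CERT_ID = re.compile(r"^[0-9a-f]{32}$")


def _items(value: str) -> List[str]:
    """Split a comma-separated annotation value into non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sni_service(svc: dict) -> List[str]:
    """Return the problems found; an empty list means the manifest passes."""
    problems: List[str] = []
    ann = (svc.get("metadata") or {}).get("annotations") or {}
    spec = svc.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer")
    if not ann.get(ANN + "id"):  # this page binds the Service to an existing load balancer
        problems.append(ANN + "id (existing load balancer) is missing")

    # Only TCP Service ports can carry HTTP/HTTPS; on UDP they are unavailable.
    tcp_ports = {p.get("port") for p in spec.get("ports") or [] if p.get("protocol", "TCP") == "TCP"}
    https_enabled = False
    for entry in _items(ann.get(ANN + "protocol-port", "")):
        m = re.fullmatch(r"(http|https):(\d{1,5})", entry)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            problems.append(f"protocol-port entry {entry!r} is not http|https:<port>")
            continue
        if int(m.group(2)) not in tcp_ports:
            problems.append(f"protocol-port {entry}: no TCP spec.ports[].port equals {m.group(2)}")
        https_enabled = https_enabled or m.group(1) == "https"
    if not https_enabled:
        problems.append("SNI needs an https entry in " + ANN + "protocol-port")

    cert_id = ann.get(ANN + "cert-id", "")
    if https_enabled and not CERT_ID.match(cert_id):
        problems.append(ANN + "cert-id (default server certificate) is missing or malformed")
    sni_ids = _items(ann.get(ANN + "tls-certificate-ids", ""))
    if not sni_ids:
        problems.append(ANN + "tls-certificate-ids is empty, so no SNI certificate is configured")
    problems += [f"tls-certificate-ids: malformed ID {cid!r}" for cid in sni_ids if not CERT_ID.match(cid)]
    ca_id = ann.get(ANN + "client-ca-cert-id")
    if ca_id is not None and not CERT_ID.match(ca_id):
        problems.append(ANN + "client-ca-cert-id is present but malformed")
    return problems


def select_certificate(requested_host: Optional[str], sni_certs: Dict[str, str], default_cert: str) -> str:
    """Model the selection described on this page: an SNI certificate whose domain
    name matches the requested host wins, otherwise the default server certificate,
    which a client that sends no SNI (requested_host None) also gets. Wildcard names
    ("*.example.com") match one label deep, the usual TLS convention; the page does
    not say how ELB treats wildcards, so that part is an assumption."""
    if requested_host:
        host = requested_host.lower().rstrip(".")
        if host in sni_certs:
            return sni_certs[host]
        label, _, parent = host.partition(".")
        if label and parent and "*." + parent in sni_certs:
            return sni_certs["*." + parent]
    return default_cert


def with_annotation(svc: dict, key: str, value: str) -> dict:
    """Copy of svc with one kubernetes.io/elb.* annotation replaced, for what-if checks."""
    out = copy.deepcopy(svc)
    out["metadata"]["annotations"][ANN + key] = value
    return out


# Constructed from the YAML example on this page; the IDs are that example's placeholders.
EXAMPLE_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "test", "namespace": "default", "annotations": {
        ANN + "class": "performance",
        ANN + "id": "65318265-4f01-4541-a654-fa74e439dfd3",
        ANN + "protocol-port": "https:80",
        ANN + "cert-id": "b64ab636f1614e1a960b5249c497a880",
        ANN + "tls-certificate-ids": "5196aa70b0f143189e4cb54991ba2286,8125d71fcc124aabbe007610cba42d60",
        ANN + "lb-algorithm": "ROUND_ROBIN"}},
    "spec": {"type": "LoadBalancer", "selector": {"app": "test"},
             "ports": [{"name": "cce-service-0", "port": 80, "targetPort": 80, "protocol": "TCP"}]},
}

if __name__ == "__main__":
    print("page example:", check_sni_service(EXAMPLE_SERVICE) or "OK")
    print("http listener:", check_sni_service(with_annotation(EXAMPLE_SERVICE, "protocol-port", "http:80")))
    certs = {"www.example.com": "5196aa70b0f143189e4cb54991ba2286", "*.api.example.com": "8125d71fcc124aabbe007610cba42d60"}
    for host in ("www.example.com", "v1.api.example.com", "other.example.com", None):
        print(host, "->", select_certificate(host, certs, "b64ab636f1614e1a960b5249c497a880"))
```

<p>Run the script against the manifest before applying it with kubectl. After the Service is created, confirm what the listener actually presents with openssl s_client, passing -connect with the load balancer IP and Service port and -servername with each configured domain name, then once more with a name you did not configure: the last probe should return the default server certificate, which is the fallback behaviour described above.</p>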
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_10_0014.html">LoadBalancer</a></div>
</div>
</div>