Release Notes and Announcements

Release Notes

Announcements

Release Notes

Product Introduction

Overview

Strengths

Architecture

Scenarios

Features

Concepts

Native Kubernetes Terms

Common High-Risk Operations

Regions and Availability Zones

Service Regions and Service Providers

Open Source Components

Purchase Guide

Purchase Instructions

Purchase a TKE General Cluster

Purchasing Native Nodes

Purchasing a Super Node

Getting Started

Beginner’s Guide

Quickly Creating a Standard Cluster

Examples

Container Application Deployment Check List

Cluster Configuration

General Cluster Overview

Cluster Management

Network Management

Storage Management

Node Management

GPU Resource Management

Remote Terminals

Application Configuration

Workload Management

Service and Configuration Management

Component and Application Management

Auto Scaling

Container Login Methods

Observability Configuration

Ops Observability

Cost Insights and Optimization

Scheduler Configuration

Scheduling Component Overview

Resource Utilization Optimization Scheduling

Business Priority Assurance Scheduling

QoS Awareness Scheduling

Security and Stability

TKE Security Group Settings

Identity Authentication and Authorization

Application Security

Multi-cluster Management

Planned Upgrade

Backup Center

Cloud Native Service Guide

Cloud Service for etcd

TMP

TKE Serverless Cluster Guide

TKE Registered Cluster Guide

Use Cases

Cluster

Serverless Cluster

Scheduling

Security

Service Deployment

Network

Release

Logs

Monitoring

OPS

Terraform

DevOps

Auto Scaling

Containerization

Microservice

Cost Management

Hybrid Cloud

Troubleshooting

Disk Full

High Workload

Memory Fragmentation

Cluster DNS Troubleshooting

Cluster kube-proxy Troubleshooting

Cluster API Server Inaccessibility Troubleshooting

Service and Ingress Inaccessibility Troubleshooting

Common Service & Ingress Errors and Solutions

Engel Ingres appears in Connechtin Reverside

CLB Ingress Creation Error

Troubleshooting for Pod Network Inaccessibility

Pod Status Exception and Handling

Authorizing Tencent Cloud OPS Team for Troubleshooting

CLB Loopback

API Documentation

History

Introduction

API Category

Making API Requests

Elastic Cluster APIs

Resource Reserved Coupon APIs

Cluster APIs

Third-party Node APIs

Relevant APIs for Addon

Network APIs

Node APIs

Node Pool APIs

TKE Edge Cluster APIs

Cloud Native Monitoring APIs

Scaling group APIs

Super Node APIs

Other APIs

Data Types

Error Codes

TKE API 2022-05-01

FAQs

TKE General Cluster

TKE Serverless Cluster

About OPS

Hidden Danger Handling

About Services

Image Repositories

About Remote Terminals

Event FAQs

Resource Management

Service Agreement

TKE Service Level Agreement

TKE Serverless Service Level Agreement

Glossary

Access to Tencent Cloud WAF

PDF

Mode fokus

Ukuran font

Terakhir diperbarui: 2024-08-12 17:48:23

Background
Tencent Cloud WAF (WAF) supports access to Tencent Cloud CLB (CLB), but it requires a Layer 7 Listener (HTTP/HTTPS):
﻿
However, Nginx Ingress uses a Layer 4 CLB Listener by default:
﻿
This document shows you how to change the CLB Listener used by Nginx Ingress to a layer-7 listener.
Using the Specify-protocol Annotation
The TKE service supports using the service.cloud.tencent.com/specify-protocol annotation to modify the CLB listener protocol. For details, see Service Extension Protocol.
values.yaml configuration example:
controller:
  service:
    annotations:
      service.cloud.tencent.com/specify-protocol: |﻿
        {
          "80": {
            "protocol": [
              "HTTP"
            ],
            "hosts": {
              "a.example.com": {},
              "b.example.com": {}
            }
          },
          "443": {
            "protocol": [
              "HTTPS"
            ],
            "hosts": {
              "a.example.com": {
                "tls": "cert-secret-a"
              },
              "b.example.com": {
                "tls": "cert-secret-b"
              }
            }
          }
        }
The domain names involved in the actual Ingress rules also need to be configured in the hosts field of the annotation.
An HTTPS listener requires a certificate. First, create a certificate in My Certificates, and then create a Secret in the TKE cluster (in the namespace where Nginx Ingress is located). The Key of the Secret is qcloud_cert_id, and the Value is the corresponding certificate ID. Then refer to the secret name in the annotation.
targetPorts needs to direct the HTTPS port to port 80 (HTTP) of Nginx Ingress to avoid CLB's port 443 traffic being forwarded to Nginx Ingress's port 443 (which would lead to double certificates and forward failure).
If HTTP traffic is not needed, set enableHttp to false.
Note:
To redirect HTTP traffic to HTTPS, find the CLB instance used by Nginx Ingress in the CLB console (the instance ID can be obtained by viewing the YAML file of Nginx Ingress Controller service), and manually configure the redirection rules on the instance page:
﻿
Directions
1. Upload the certificate and copy the certificate ID in My Certificates.
2. Create the corresponding certificate secret in the namespace of Nginx Ingress (referencing the certificate ID):
apiVersion: v1
kind: Secret
metadata:
  name: cert-secret-test
  namespace: ingress-nginx
stringData: # Using stringData eliminates the need of manual base64 transcoding
  # highlight-next-line
  qcloud_cert_id: E2pcp0Fy
type: Opaque
3. Configure values.yaml:
controller: # The following configuration replaces the dependent image with the mirror image on docker hub to ensure it can be pulled in the Chinese mainland environment
  image:
    registry: docker.io
    image: k8smirror/ingress-nginx-controller
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: k8smirror/ingress-nginx-kube-webhook-certgen
  defaultBackend:
    image:
      registry: docker.io
      image: k8smirror/defaultbackend-amd64
  opentelemetry:
    image:
      registry: docker.io
      image: k8smirror/ingress-nginx-opentelemetry
  service:
    enableHttp: false
    targetPorts:
      https: http
    annotations:
      service.cloud.tencent.com/specify-protocol: |﻿
        {
          "80": {
            "protocol": [
              "HTTP"
            ],
            "hosts": {
              "test.example.com": {}
            }
          },
          "443": {
            "protocol": [
              "HTTPS"
            ],
            "hosts": {
              "test.example.com": {
                "tls": "cert-secret-test"
              }
            }
          }
        }
4. If needed, you can redirect HTTP to HTTPS automatically by configuring the redirection rule in the CLB console:
﻿
5. Deploy test applications and Ingress rules:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: nginx
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - image: nginx:latest
          name: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
spec:
  ingressClassName: nginx
  rules:
    - host: test.example.com
      http:
        paths:
          - backend:
              service:
                name: nginx
                port:
                  number: 80
            path: /
            pathType: Prefix
6. After configuring hosts or domain name resolution, test if the feature works properly:
﻿
﻿
Configuring WAF
After Nginx Ingress is configured, if the corresponding CLB listener has been changed to HTTP/HTTPS, it satisfies the prerequisite for Nginx Ingress to connect to WAF. You can then follow the instructions in the WAF Official Documentation to complete the WAF access to Nginx Ingress.