kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Complete documentation of SSL-on-AWS. (#5357) 

The SSL-on-AWS documentation was missing a critical annotation, without which SSL termination doesn't work (all ports are configured to use SSL).

This also fixes the indentation of the existing YAML.
This commit is contained in:
Jesse Kinkead 2017-09-09 09:48:50 -07:00 committed by Steve Perry
parent fdbe5086a0
commit eac3d83e94
1 changed files with 44 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
docs/concepts/services-networking/service.md
View File

@ -479,25 +479,25 @@ metadata:
{% include tabs.md %}
#### SSL support on AWS
For partial SSL support on clusters running on AWS, starting with 1.3 two
For partial SSL support on clusters running on AWS, starting with 1.3 three
annotations can be added to a `LoadBalancer` service:
```
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
```
The first specifies which certificate to use. It can be either a
The first specifies the ARN of the certificate to use. It can be either a
certificate from a third party issuer that was uploaded to IAM or one created
within AWS Certificate Manager.
```yaml
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: (https|http|ssl|tcp)
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: (https|http|ssl|tcp)
```
The second annotation specifies which protocol a pod speaks. For HTTPS and
@ -512,6 +512,40 @@ ELB at the other end of its connection) when forwarding requests.
TCP and SSL will select layer 4 proxying: the ELB will forward traffic without
modifying the headers.
```yaml
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: (comma-separated-port-names)
```
The third annotation indicates which port(s) should accept SSL traffic on the ELB. If a certificate is set on the
Service, the default is to configure all ports on the ELB to use SSL. This is not typically desired for HTTP servers.
A complete HTTP Service supporting SSL might look like:
```yaml
kind: Service
apiVersion: v1
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
type: LoadBalancer
ports:
- port: 80
name: http
targetPort: 8080
- port: 443
name: https
targetPort: 8080
selector:
app: MyApp
```
### External IPs
If there are external IPs that route to one or more cluster nodes, Kubernetes services can be exposed on those