My microservices use https to communicate and the ingress communicates via http to them.
I’ve already tried adding the Kong-ingress and it doesn’t work (yaml attached below)
I have 2 questions
How do I make sure Kong uses https to communicate with my microservices? In the official K8s ingress, I just an annotation called : nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
That KongIngress looks correct–perhaps you’re missing an override annotation on your Service? In either case, I usually recommend applying the annotation directly to the Service just to simplify the number of resources you need to manage–most configuration no longer requires a separate KongIngress.
If you’re referring to the upstream connection, there’s no need to disable HTTP/2: it’s not actually supported upstream. Downstream/client protocol support is controlled by listen directives, whose syntax we do mostly share with NGINX. You’ll need to modify the default listen string to remove it, e.g. by setting
That side is what’s controlled by the listen string: if you have http2 present in the listen with ssl, the proxy will offer it. If it’s absent, it won’t be advertised, and clients will be forced to use HTTP/1.x.
It was an easy override in k8s-nginx via the configmap but I’ve failed to find any such documentation for Kong.
My final questions is :
How do I get the ingress to use https with the services? Add the override and protocol annotations for the service and the ingress also? Does this service need to be a normal kubernetes service or does this have to be a KongService? What’s the difference here and will it impact any functionality? Is it possible to just use a normal K8s service?
Not sure I follow–if you’re asking how to require HTTPS for clients, that’s handled via the protocols annotation on the Ingress. You can combine that with the redirect behavior annotation to determine how HTTP requests matching that route are handled.
You’ll always use standard K8S Ingress and Service resources: KongIngress resources can augment either (despite the name) when attached via override annotations, but KongIngress doesn’t completely replace either. KongIngress exists because there are a number of Kong proxy features that don’t fit cleanly into any fields on the the K8S resources, so we provide it to configure those.
Most features exposed by KongIngress are now also available via annotations, but there are some (namely the healthcheck and load-balancing behavior under the upstream section of a KongIngress) that are still available via KongIngress only.