Ingress can't use HTTPS as backend protocol

My microservices use https to communicate and the ingress communicates via http to them.

I’ve already tried adding the Kong-ingress and it doesn’t work (yaml attached below)

I have 2 questions

  1. How do I make sure Kong uses https to communicate with my microservices? In the official K8s ingress, I just use an annotation called: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

  2. How do I enforce HTTP 1.1 instead of HTTP 2?

apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: kong-ingress-configuration
upstream:
  slots: 10
  hash_on: none
  hash_fallback: none
  healthchecks:
    threshold: 25
    active:
      concurrency: 10
      healthy:
        http_statuses:
        - 200
        - 302
        interval: 0
        successes: 0
      http_path: "/api"
      timeout: 1
      unhealthy:
        http_failures: 0
        http_statuses:
        - 429
        interval: 0
        tcp_failures: 0
        timeouts: 0
    passive:
      healthy:
        http_statuses:
        - 200
        successes: 0
      unhealthy:
        http_failures: 0
        http_statuses:
        - 429
        - 503
        tcp_failures: 0
        timeouts: 0
proxy:
  protocol: https

There’s no official standard for specifying the upstream protocol–some Kubernetes documentation uses NGINX annotations for historical reasons (it was the first implementation), but anything not defined in the Ingress spec itself is vendor-specific. Our annotation for this is https://docs.konghq.com/kubernetes-ingress-controller/1.0.x/references/annotations/#konghqcomprotocol on the Service.

That KongIngress looks correct–perhaps you’re missing an override annotation on your Service? In either case, I usually recommend applying the annotation directly to the Service just to simplify the number of resources you need to manage–most configuration no longer requires a separate KongIngress.

If you’re referring to the upstream connection, there’s no need to disable HTTP/2: it’s not actually supported upstream. Downstream/client protocol support is controlled by listen directives, whose syntax we do mostly share with NGINX. You’ll need to modify the default listen string to remove it, e.g. by setting

KONG_PROXY_LISTEN="0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 ssl reuseport backlog=16384"

in your environment variables.

I meant http 1.1 for web clients not upstream. Like a web browser to the load balancer

That side is what’s controlled by the listen string: if you have http2 present in the listen with ssl, the proxy will offer it. If it’s absent, it won’t be advertised, and clients will be forced to use HTTP/1.x.

Okay, that’s clear to me now.

It was an easy override in k8s-nginx via the configmap but I’ve failed to find any such documentation for Kong.

My final question is:

How do I get the ingress to use https with the services? Add the override and protocol annotations for the service and the ingress also? Does this service need to be a normal kubernetes service or does this have to be a KongService? What’s the difference here and will it impact any functionality? Is it possible to just use a normal K8s service?

Not sure I follow–if you’re asking how to require HTTPS for clients, that’s handled via the protocols annotation on the Ingress. You can combine that with the redirect behavior annotation to determine how HTTP requests matching that route are handled.

You’ll always use standard K8S Ingress and Service resources: KongIngress resources can augment either (despite the name) when attached via override annotations, but KongIngress doesn’t completely replace either. KongIngress exists because there are a number of Kong proxy features that don’t fit cleanly into any fields on the K8S resources, so we provide it to configure those.

Most features exposed by KongIngress are now also available via annotations, but there are some (namely the healthcheck and load-balancing behavior under the upstream section of a KongIngress) that are still available via KongIngress only.
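
The setup discussed in this thread, sketched on standard Kubernetes resources as an added example (not posted by any participant and not taken from Kong's documentation). The names my-service, my-ingress and my-app, port 8443 and the Ingress apiVersion are assumptions; kong-ingress-configuration is the KongIngress from the question, and the annotations are the protocol, override, protocols and redirect ones the replies refer to.

```yaml
# Added example; values marked "hypothetical" are assumptions, not from the thread.
apiVersion: v1
kind: Service
metadata:
  name: my-service                 # hypothetical
  annotations:
    # Kong connects to this Service's pods over TLS instead of plain HTTP.
    konghq.com/protocol: "https"
    # Attaches the KongIngress from the question (upstream healthchecks).
    # The KongIngress must live in the same namespace as this Service.
    konghq.com/override: "kong-ingress-configuration"
spec:
  selector:
    app: my-app                    # hypothetical
  ports:
  - name: https
    port: 8443                     # hypothetical TLS port of the microservice
    targetPort: 8443
---
apiVersion: networking.k8s.io/v1   # assumption: match your cluster and controller version
kind: Ingress
metadata:
  name: my-ingress                 # hypothetical
  annotations:
    kubernetes.io/ingress.class: "kong"
    # Routes created from this Ingress accept HTTPS only from clients.
    konghq.com/protocols: "https"
    # Plain-HTTP requests that match the route receive this redirect status.
    konghq.com/https-redirect-status-code: "308"
spec:
  rules:
  - http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 8443
```

With konghq.com/protocol set on the Service, the proxy.protocol entry in the KongIngress is redundant, and the KongIngress is only needed for the upstream healthcheck and load-balancing settings.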