ASM gateway supports creating HTTPS listeners on the SLB side

Prerequisites

• An ASM instance has been created. For details, see Creating an ASM Instance.

• An ACK cluster has been created. For details, see Creating a managed Kubernetes cluster.

• The ACK cluster has been added to the ASM instance. For details, see Adding a Cluster to an ASM Instance.

Background Information

How to create an HTTPS listener for a Kubernetes Service
First create or upload the server certificate in the Alibaba Cloud console and record its certificate ID (cert-id). Then create a Service of type LoadBalancer with the following annotations; the cloud controller creates an SLB with an HTTPS listener on port 443 that uses that certificate.

Note: TLS is terminated at the SLB. The HTTPS request is decrypted there and forwarded to the backend Pod as plain HTTP, so the hop from the SLB to the Pod inside the VPC carries plaintext and the Pod only ever sees HTTP on its target port.
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
  name: sample
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: sample
  type: LoadBalancer

Step 1: Prepare the certificate required by SLB

In this example, a self-signed certificate and private key are generated for aliyun.com, which is used only as a test name.
If you already have a certificate and private key for aliyun.com, name the key aliyun.com.key and the certificate aliyun.com.crt and skip to step 3. Otherwise, generate a certificate and key with openssl as follows.

1. Execute the following command to create a root certificate and private key.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt

2. Execute the following commands to generate a private key and a certificate for the aliyun.com server, signed by the root certificate from step 1.

openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt

Note: the certificate produced this way carries no subjectAltName and has a fixed serial number of 0, which is acceptable only for a test certificate. Clients such as Chrome and Go 1.15 or later ignore the CN and reject a server certificate without a subjectAltName, so add one (for example through an extensions file passed with -extfile) for anything beyond this test.

3. Upload the certificate in the SLB console

To configure an HTTPS listener, you can either use a certificate from the SSL Certificates Service directly or upload a server certificate (and, if needed, the CA certificate) issued by a third party to the classic load balancer (CLB). Record the certificate ID: it is the ${YOUR_CERT_ID} value used in Step 2.
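The following shell script is an added example, not part of the original page or of ASM. It reproduces steps 1 and 2 in a scratch directory, adds the subjectAltName and a random serial number that the page's commands omit, and then runs the checks worth doing before uploading the pair in step 3: that the server certificate chains to the root, that it is valid for the intended host name, and that the private key actually belongs to the certificate. aliyun.com is only the test name the page uses; the function names make_test_cert, cert_matches_host, key_matches_cert and check_test_cert are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce Step 1 in a scratch
# directory, with a SAN and a random serial, and check the result before upload.
# Requires the openssl CLI. aliyun.com is only the page's test host name.
set -eu

# make_test_cert DIR HOST
# Creates DIR/HOST.root.{key,crt} (self-signed root) and DIR/HOST.{key,csr,crt}
# (server key, request and root-signed certificate), like steps 1 and 2.
make_test_cert() {
    dir=$1
    host=$2
    # Step 1: root certificate and key (same command as the page, written to DIR).
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/O=myexample Inc./CN=$host" \
        -keyout "$dir/$host.root.key" -out "$dir/$host.root.crt"
    # Step 2a: server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host/O=myexample organization" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr"
    # Step 2b: extensions the page's command leaves out. Clients such as Chrome
    # and Go ignore the CN and require the host name in subjectAltName.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/ext.cnf"
    # Step 2c: sign with the root, using a 64-bit random serial instead of 0.
    openssl x509 -req -sha256 -days 365 \
        -set_serial "0x$(openssl rand -hex 8)" \
        -CA "$dir/$host.root.crt" -CAkey "$dir/$host.root.key" \
        -extfile "$dir/ext.cnf" -in "$dir/$host.csr" -out "$dir/$host.crt"
}

# cert_matches_host DIR HOST NAME
# Exit 0 if DIR/HOST.crt chains to DIR/HOST.root.crt AND is valid for NAME
# (the host name check that curl -k skips), non-zero otherwise.
cert_matches_host() {
    openssl verify -CAfile "$1/$2.root.crt" -verify_hostname "$3" "$1/$2.crt" \
        >/dev/null 2>&1
}

# key_matches_cert DIR HOST
# Exit 0 if the public key embedded in DIR/HOST.crt equals the public half of
# DIR/HOST.key. A key from a different pair cannot serve the listener.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/$2.crt")
    key_pub=$(openssl pkey -pubout -in "$1/$2.key")
    [ "$cert_pub" = "$key_pub" ]
}

# check_test_cert DIR HOST
# All pre-upload checks for HOST: chain and host name, key pair, SAN present.
check_test_cert() {
    cert_matches_host "$1" "$2" "$2" \
        && key_matches_cert "$1" "$2" \
        && openssl x509 -noout -text -in "$1/$2.crt" | grep -q "DNS:$2"
}

# Usage: generate for aliyun.com, then show one passing and one failing check.
tmp=$(mktemp -d)
make_test_cert "$tmp" aliyun.com >/dev/null 2>&1
if check_test_cert "$tmp" aliyun.com; then
    echo "aliyun.com: chain, host name and key pair OK ($tmp/aliyun.com.crt, .key)"
else
    echo "aliyun.com: certificate checks FAILED" >&2
    exit 1
fi
if cert_matches_host "$tmp" aliyun.com example.com; then
    echo "unexpected: certificate accepted for example.com" >&2
    exit 1
fi
echo "example.com: rejected (host name mismatch), as expected"
```

Once the listener is live, the equivalent check against the real endpoint is openssl s_client -connect <gateway IP>:443 -servername aliyun.com, whose output shows the certificate the SLB actually presents and the chain verification result; that is the command to run when confirming that the cert-id annotation took effect, rather than relying on curl -k, which skips the verification entirely.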

Step 2: Create an HTTPS listener

Alibaba Cloud ASM lets you customize the ingress gateway service through the IstioGateway resource; its parameters are defined in YAML.

In the following configuration, the serviceAnnotations create an SLB with an HTTPS listener on port 443. Requests on port 443 are decrypted at the SLB and forwarded as plain HTTP to port 80 of the gateway Pod, which is why the https-1 port maps to targetPort 80.

apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  ....
  ports:
  - name: http-0
    port: 80
    protocol: HTTP
    targetPort: 80
  - name: https-1
    port: 443
    protocol: HTTPS
    targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer

Result

In the ASM console, select the corresponding service mesh instance, choose ASM Gateways in the left navigation pane, and check the gateway information shown on the right, including the public IP address of its SLB.

Run the following command to access the httpbin service over HTTPS. Replace the placeholder with the public IP address of the ingress gateway. The -k flag disables certificate verification; it is needed here only because the test certificate is self-signed and issued for aliyun.com while the request is sent to an IP address, and it must not be used against a production endpoint.

curl -k https://{replace with the real IP address of the ingress gateway}:443/headers
{
  "headers": {
    "Accept": "*/*",
    "Host": "xxxx",
    "Remoteip": "xxxx",
    "User-Agent": "curl/7.79.1",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "xxxx",
    "X-Forwarded-Client-Cert":
  }
}
