
Alibaba Cloud Service Mesh:Use cert-manager to manage certificates for ASM gateways

Last Updated:Apr 03, 2024

cert-manager is a certificate lifecycle management system that issues, renews and deploys X.509 certificates as Kubernetes Secrets. You can use it to issue the certificate that a Service Mesh (ASM) ingress gateway presents, so that clients reach the services behind the gateway over HTTPS and traffic between the client and the gateway is encrypted in transit. This topic describes how to use cert-manager to manage certificates for ASM gateways.

Background information

cert-manager can issue self-signed certificates and CA-issued certificates for a domain name, called DNS certificates in this topic. Either kind can be loaded on an ASM gateway to serve HTTPS. The two differ in who vouches for the certificate:

  • Self-signed certificate: The certificate is signed with its own private key, so no certificate authority (CA) vouches for the identity of the server. A client can still encrypt traffic to the gateway, but it can only authenticate the gateway if it is explicitly configured to trust that exact certificate, or if it skips verification altogether, as curl -k does. Web browsers do not trust such a certificate: they flag the HTTPS connection and display a warning that the site may be unsafe. Self-signed certificates are therefore suitable for testing and for command-line access, not for services that users reach from a browser.

  • DNS certificate: The certificate is issued by a CA for a domain name that you control and chains to a root that browsers and operating systems already trust. It provides both encryption and server authentication, so an ASM gateway that serves it can be accessed over HTTPS from web browsers as well as command-line tools without any trust configuration on the client.

Note

If an error occurs when you use cert-manager in a cluster on the data plane, you can join the DingTalk group 30421250 for consultation.

Prerequisites

Install cert-manager in your cluster

  1. Install Helm on your computer. For more information, see Helm.

  2. Use kubectl to connect to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  3. Run the following command to create a namespace named cert-manager:

    kubectl create namespace cert-manager
  4. Run the following command to add a cert-manager chart:

    helm repo add jetstack https://charts.jetstack.io
  5. Run the following command to obtain the latest information about the cert-manager chart:

    helm repo update
  6. Run the following command to install cert-manager:

    Note

    The version of cert-manager must be compatible with the Kubernetes version. For more information about the mapping between cert-manager versions and Kubernetes versions, see Supported Releases.

    # installCRDs is the option for the v1.14 chart; charts from v1.15 onward
    # use --set crds.enabled=true instead (installCRDs still works but is deprecated).
    helm install \
      cert-manager jetstack/cert-manager \
      --namespace cert-manager \
      --version v1.14 \
      --set installCRDs=true

Use cert-manager to issue a self-signed certificate

Step 1: Create a self-signed certificate in your cluster

  1. Create an issuer.yaml file that contains the following content:


    apiVersion: cert-manager.io/v1
    kind: Issuer                     # namespaced; created in istio-system by the apply step below
    metadata:
      name: selfsigned
    spec:
      selfSigned: {}                 # signs each certificate with the certificate's own private key
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: istio-ingressgateway-certs
    spec:
      isCA: true                     # marks the certificate CA:TRUE; the gateway still serves it directly
      duration: 2160h # 90d          # cert-manager renews the Secret before the certificate expires
      secretName: istio-ingressgateway-certs   # Secret name that the Gateway's tls.credentialName refers to
      commonName: istio-ingressgateway-certs   # no dnsNames is set, so this CN is the only name the certificate carries
      subject:
        organizations:
        - cluster.local
        - cert-manager
      issuerRef:
        name: selfsigned             # must be an Issuer in the same namespace as this Certificate
        kind: Issuer
        group: cert-manager.io
  2. Run the following command to create the issuer and the self-signed certificate in the istio-system namespace. Both resources must be created in the namespace where the ingress gateway runs, because Istio loads the serving certificate from a Secret in the gateway's own namespace:

    kubectl apply -f issuer.yaml -n istio-system
  3. Run the following command to confirm that cert-manager has written the certificate to a Secret in the istio-system namespace:

    kubectl get secret -n istio-system 

    Expected output:

    NAME                                        TYPE                             DATA         AGE
    istio-ingressgateway-certs                  kubernetes.io/tls                3            68m

    The Secret has the type kubernetes.io/tls and holds three keys, ca.crt, tls.crt and tls.key, which is the 3 in the DATA column. For a self-signed certificate, ca.crt and tls.crt contain the same certificate. You can also check that the Certificate resource in istio-system reports READY as True before you continue.

Step 2: Verify that you can access a service over HTTPS

  1. Deploy an HTTPBin application. For more information, see Deploy the httpbin application.

  2. Modify the Istio gateway for the HTTPBin application.

    You can use the kubeconfig file of the ASM instance and run commands, or log on to the ASM console and modify the YAML file on the Gateway page. For more information, see Manage Istio gateways.

    The following code block shows the modified YAML file. An HTTPS listener is added to port 443 and the certificate created by cert-manager is used.

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: httpbin
      namespace: default
    spec:
      selector:
        istio: ingressgateway        # selects the ingress gateway deployment in istio-system
      servers:
        - hosts:
            - '*'
          port:
            name: test
            number: 80
            protocol: HTTP           # plain HTTP stays open; add "tls: {httpsRedirect: true}" to this server to force HTTPS
        - hosts:
            - '*'
          port:
            name: https
            number: 443
            protocol: HTTPS
          tls:
            credentialName: istio-ingressgateway-certs   # Secret in the gateway's namespace (istio-system), not in default
            mode: SIMPLE             # server-side TLS only; clients are not asked for a certificate
  3. Run the following command to obtain the IP address of the ingress gateway in the cluster:

    kubectl get svc -n istio-system -l istio=ingressgateway
  4. Run the following command to access the HTTPBin application over HTTPS, replacing INGRESS_IP with the address obtained in the previous step:

    curl -k --resolve istio-ingressgateway-certs:443:${INGRESS_IP} https://istio-ingressgateway-certs/status/418 -I

    When the request succeeds, the response starts with HTTP status code 418. The request uses the host name istio-ingressgateway-certs because that is the commonName of the certificate: --resolve maps the name to the gateway IP address, and curl sends it as the TLS SNI value so that the gateway selects the HTTPS server entry. The -k flag makes curl skip certificate verification, which is what lets a self-signed certificate be accepted; without it, curl rejects the connection because the certificate does not chain to a trusted CA. A successful -k request therefore shows that TLS is terminated on the gateway, not that the certificate is trustworthy.
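The steps above rely on curl -k, so the script below is an added example, not part of the original topic, showing how to inspect what cert-manager wrote to the Secret in Step 1 and how to verify the gateway certificate in Step 2 without disabling verification. It runs offline: a self-signed certificate generated with openssl stands in for the Secret's tls.crt (constructed here, not pulled from a cluster), with the same subject as the Certificate resource above plus a subjectAltName, which is an assumption that the original manifest does not set. The kubectl and curl commands in the comments show how to obtain and use the real files from a cluster.

```shell
#!/bin/sh
# Added example: check a self-signed gateway certificate the way a client that
# does NOT use `curl -k` would. Everything here is constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/tls.crt"
KEY="$WORK/tls.key"
HOST="istio-ingressgateway-certs"   # commonName of the Certificate resource on the page

# Stand-in for the Secret written by cert-manager. On a real cluster, export the
# files it created instead of generating them:
#   kubectl get secret istio-ingressgateway-certs -n istio-system \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
#   kubectl get secret istio-ingressgateway-certs -n istio-system \
#     -o jsonpath='{.data.ca\.crt}'  | base64 -d > ca.crt
# The SAN is an addition (assumption): the page's manifest sets only commonName.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=$HOST/O=cluster.local/O=cert-manager" \
    -addext "subjectAltName=DNS:$HOST" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Fields worth reading after Step 1: subject, issuer, validity window and SAN.
inspect_cert() {
  openssl x509 -in "$CERT" -noout -subject -issuer -dates -ext subjectAltName
}

# "yes" when issuer equals subject, i.e. the certificate signed itself.
is_selfsigned() {
  subj=$(openssl x509 -in "$CERT" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$CERT" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] && echo yes || echo no
}

# What curl does without -k: build a chain to the default trust store.
# A self-signed certificate is not in that store, so this prints "untrusted".
verify_default() {
  if openssl verify "$CERT" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# What `curl --cacert` does: pin the gateway certificate itself as the trust
# anchor and check the requested host name against its SAN (or CN). The
# cluster equivalent of Step 2 without -k is:
#   curl --cacert tls.crt --resolve istio-ingressgateway-certs:443:${INGRESS_IP} \
#        https://istio-ingressgateway-certs/status/418 -I
verify_pinned() {
  if openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

make_selfsigned
inspect_cert
echo "self-signed:               $(is_selfsigned)"
echo "default trust store:       $(verify_default)"
echo "pinned, host $HOST: $(verify_pinned "$HOST")"
echo "pinned, host example.com:  $(verify_pinned example.com)"
```

The pinned check succeeds only for the name the certificate carries and fails for any other host, which is the property curl -k throws away. Browsers ignore commonName and require a subjectAltName, so if anything other than curl will verify the certificate, add a dnsNames entry to the Certificate resource rather than relying on commonName alone; and the port 80 server in the Gateway still accepts plaintext unless you add httpsRedirect to it.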