An ASM ingress gateway supports HTTPS and dynamic certificate loading. When services behind the gateway must accept HTTPS traffic, you can terminate TLS at the Classic Load Balancer (CLB) layer. Bind an SSL certificate to the CLB instance so that it decrypts incoming HTTPS requests on port 443 and forwards them as HTTP to the ingress gateway pod on port 80. This approach offloads TLS processing from the mesh while keeping certificate management centralized in Alibaba Cloud Certificate Management Service.
With this configuration, traffic between the CLB instance and the ingress gateway pod travels as unencrypted HTTP within your cluster network.
How it works
Client --HTTPS:443--> CLB (TLS termination) --HTTP:80--> Ingress gateway pod --> Backend services

1. A client sends an HTTPS request to the CLB instance on port 443.
2. The CLB instance decrypts the request using the bound certificate.
3. The decrypted HTTP request is forwarded to port 80 of the ingress gateway pod.
4. The ingress gateway routes the request to backend services in the mesh.
Prerequisites
Step 1: Prepare a certificate
You need an SSL certificate bound to the CLB instance. If you already have a certificate and a private key that are available for your domain, name the private key aliyun.com.key and the certificate aliyun.com.crt, then skip to Upload the certificate.
Generate a self-signed certificate
Run the following openssl command to create a root certificate and a private key. This example uses aliyun.com as the domain.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=myexample Inc./CN=aliyun.com' \
  -keyout aliyun.root.key \
  -out aliyun.root.crt

This command generates two files:
| File | Description |
|---|---|
| aliyun.root.key | Private key |
| aliyun.root.crt | Root certificate |
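Before pasting the files into the console, it is worth confirming that the key really belongs to the certificate and that the subject CN is the host the listener will serve, because a mismatched pair cannot be bound to the CLB and a wrong CN forces clients to skip verification. The following script is an added example, not part of the ASM documentation; it assumes openssl is installed and reuses the page's file names and subject.

```shell
#!/bin/sh
# Added example (not from the ASM docs): sanity-check a certificate/key pair
# before uploading it to Certificate Management Service. Assumes openssl.
set -u

# make_self_signed DIR CN: the page's openssl command, writing into DIR.
make_self_signed() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=myexample Inc./CN=$2" \
    -keyout "$1/aliyun.root.key" -out "$1/aliyun.root.crt" 2>/dev/null
}

# check_cert_pair CERT KEY EXPECTED_CN
# Returns 0 when the private key matches the certificate and the subject CN
# equals EXPECTED_CN; returns 1 otherwise. Prints notAfter so the 365-day
# expiry of the self-signed certificate is visible before it is bound.
check_cert_pair() {
  cert="$1"; key="$2"; want_cn="$3"
  # Compare the certificate's public key with the one derived from the
  # private key; a mismatch means the CLB listener cannot use the pair.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "ERROR: $key does not match $cert" >&2
    return 1
  fi
  # The CN must equal the host name clients will send, or curl (without -k)
  # and browsers will reject the TLS handshake.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$want_cn" ]; then
    echo "ERROR: certificate CN is '$cn', expected '$want_cn'" >&2
    return 1
  fi
  echo "OK: $cert matches $key, CN=$cn, $(openssl x509 -in "$cert" -noout -enddate)"
  return 0
}
```

Run `make_self_signed . aliyun.com` followed by `check_cert_pair aliyun.root.crt aliyun.root.key aliyun.com`; only upload the files when the check prints OK.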
Upload the certificate
Upload the certificate to Alibaba Cloud Certificate Management Service so the CLB instance can reference it.
In the Server Load Balancer CLB console, choose Server Load Balancer CLB > Certificate Management from the left-side navigation pane.
On the Certificate Management page, click Create Certificate.
In the Create Certificate panel, select Alibaba Cloud Issued Certificate, and click Create SSL Certificate at the bottom of the certificate list.
On the Digital Certificate Management Service page, choose Certificate Management > SSL Certificate Management from the left-side navigation pane.
Click Upload Certificate on the Upload Certificate tab. Set the following fields and click OK. Ignore the certificate chain prompt.

| Field | Value |
|---|---|
| Certificate Name | A descriptive name, for example aliyun.com |
| Certificate File | Paste the contents of aliyun.root.crt |
| Certificate Private Key | Paste the contents of aliyun.root.key |

Alternatively, create a certificate in the Server Load Balancer CLB console. For more information, see Select Alibaba Cloud Issued Certificate.
After the upload completes, find the certificate in the certificate list and copy the certificate ID. You need this ID in the next step.
Step 2: Create an HTTPS listener
Configure the ingress gateway to expose port 443 with HTTPS and bind the uploaded certificate through Kubernetes service annotations.
Add the following port and annotation configuration to your ingressgateway.yaml file. Replace the following placeholder:

| Placeholder | Description | Where to find it |
|---|---|---|
| <your-cert-id> | The certificate ID from Certificate Management Service | Copied from the certificate list in Step 1, substep 7 |

spec:
  ....
  ports:
    - name: http-0
      port: 80
      protocol: HTTP
      targetPort: 80
    - name: https-1
      port: 443
      protocol: HTTPS
      targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "<your-cert-id>"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer

These annotations configure the CLB instance to:
- Accept HTTPS traffic on port 443.
- Decrypt requests with the specified certificate.
- Forward decrypted HTTP traffic to targetPort: 80 on the ingress gateway pod.

For more information about ingress gateway configuration, see Use KubeAPI to manage ingress gateways.

Deploy the ingress gateway:
kubectl apply -f ingressgateway.yaml
Step 3: Verify the HTTPS listener
After deploying the ingress gateway, confirm that HTTPS traffic reaches your application.
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance.
In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
On the Ingress Gateway page, find the target gateway and copy its Endpoint IP address.
Run the following curl command. Replace <gateway-ip> with the endpoint IP address from the previous step. The -k flag disables certificate verification, which is needed here because the self-signed certificate is not trusted by the client and its CN (aliyun.com) does not match the a.aliyun.com host name; use it only for this check.

curl -k -H Host:a.aliyun.com \
  --resolve a.aliyun.com:443:<gateway-ip> \
  https://a.aliyun.com/productpage -I

Expected output:

HTTP/2 200
date: Fri, 13 Jan 2023 07:11:45 GMT
content-type: text/html; charset=utf-8
content-length: 5294
vary: Accept-Encoding
x-envoy-upstream-service-time: 23

An HTTP/2 200 response confirms that the CLB instance is correctly terminating TLS and forwarding decrypted traffic to the ingress gateway.
What's next
Use KubeAPI to manage ingress gateways -- Configure routing rules and traffic policies for the gateway.