
Container Service for Kubernetes:Configure an HTTPS certificate

Last Updated:Dec 24, 2024

After you configure an HTTPS certificate, services that are exposed through a Microservices Engine (MSE) Ingress gateway can be served over Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL). This is one of the key measures that protect the data of modern web applications and API services: the certificate lets clients authenticate the gateway and encrypts the data exchanged between a client and the gateway, so that third parties cannot eavesdrop on or tamper with sensitive information. This also defeats man-in-the-middle attacks, provided that clients verify the gateway's certificate.

Prerequisites

Configuration methods

MSE Ingress gateways allow you to configure an HTTPS certificate by using a Kubernetes Secret or in the MSE console. The two methods compare as follows.

Scenarios
  Kubernetes Secret:
    • Certificates are managed based on annotation configurations.
    • Certificates are managed automatically by CI/CD pipelines or by cert-manager.
  MSE console:
    • Certificates are managed in the Alibaba Cloud Certificate Management Service console.
    • Certificates are shared with other Alibaba Cloud services such as Web Application Firewall (WAF) and Server Load Balancer (SLB).
    • Multiple certificates are deployed or replaced at the same time.

Priority
  Kubernetes Secret: Low.
  MSE console: High. For the same domain name, a certificate configured in the MSE console takes precedence over a certificate referenced by a Kubernetes Secret.

Cross-namespace support
  Kubernetes Secret: Not supported. The Secret must be in the same namespace as the Ingress that references it.
  MSE console: Supported.

Certificate update
  Kubernetes Secret: Replace the content of the Kubernetes Secret.
  MSE console: Replace the certificate in the MSE console, or deploy a new certificate to replace the existing one in the Alibaba Cloud Certificate Management Service console.

Deploy a backend service

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from YAML. Use the following YAML code to deploy a deployment named httpbin and a service named httpbin.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: httpbin
      namespace: default
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: httpbin
      template:
        metadata:
          labels:
            app: httpbin
            version: v1
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/mse-ingress/go-httpbin
              args:
                - "--version=v1"
              imagePullPolicy: Always
              name: httpbin
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: httpbin
      namespace: default
    spec:
      ports:
        - port: 8080
          protocol: TCP
      selector:
        app: httpbin

Configure an HTTPS certificate

Configure an HTTPS certificate by using a Kubernetes Secret

You can configure an HTTPS certificate for a domain name by using the native Ingress semantics to reference a Kubernetes Secret.

  1. Prepare a domain name certificate. In this example, a self-signed certificate is generated.

    Note

    In production, replace the sample key and certificate with the real key and certificate of your domain name. You can download them from the Alibaba Cloud Certificate Management Service console. The sample command below sets only the Common Name (CN) and adds no subjectAltName extension. curl still accepts such a certificate, but browsers and most other modern clients require the domain name in the subjectAltName, so use the self-signed certificate only for this test.

    1. Run the following command to generate a certificate file named tls.crt and a private key file named tls.key:

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"
    2. Create a Secret to store the TLS certificate.

      1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

      2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Configurations > Secrets.

      3. Click Create. In the Create panel, set Name to tls-test, set Type to TLS Certificate, paste the contents of tls.crt into the certificate field and the contents of tls.key into the private key field, and then click OK.


  2. Create an MSE Ingress rule and configure an HTTPS certificate for the domain name foo.bar.com.

    1. In the left-side navigation pane, choose Network > Ingresses.

    2. On the Ingresses page, click Create Ingress.

    3. In the Create Ingress dialog box, select MSE Cloud-native Gateway for Gateway Type, specify information such as the services, annotations, and certificates associated with the backend service, and then click OK.

      Set Ingress Class to mse. In the rule that you want to add, select Prefix (Prefix-based Match) from the Rule drop-down list, enter / in the Path field, select httpbin from the Service drop-down list, and then, in the certificate settings, select the tls-test Secret for the domain name foo.bar.com.


  3. Test HTTPS traffic. Run the following command to test the traffic. Replace x.x.x.x with the actual IP address of your gateway. You can view the gateway IP address on the Ingresses page.

    Note

    In this example, a self-signed certificate is used and no DNS record points foo.bar.com to the gateway. Therefore, --resolve maps the domain name to the gateway IP address for this request, and -k skips certificate verification, which would otherwise fail because the certificate is not issued by a trusted CA. Note that -k also disables the protection against man-in-the-middle attacks, so use it only in tests. With a CA-issued certificate, omit -k. With the self-signed certificate, you can pass --cacert tls.crt instead of -k to verify the gateway against the certificate that you generated.

    curl -v -k https://foo.bar.com/version --resolve "foo.bar.com:443:x.x.x.x"

    Expected output:

    * Connected to foo.bar.com (X.X.X.X) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=foo.bar.com; O=foo.bar.com
    *  start date: Jan 17 06:47:23 2024 GMT
    *  expire date: Jan 16 06:47:23 2025 GMT
    *  issuer: CN=foo.bar.com; O=foo.bar.com
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /version HTTP/1.1
    > Host: foo.bar.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Wed, 17 Jan 2024 07:49:39 GMT
    < content-length: 53
    < content-type: text/plain; charset=utf-8
    < req-cost-time: 3
    < req-arrive-time: 1705477779046
    < resp-start-time: 1705477779049
    < x-envoy-upstream-service-time: 2
    < server: istio-envoy
    <
    version: v1
    hostname: httpbin-xxxxxx
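The Kubernetes Secret procedure above, carried out from the shell as one added example (this script is not part of the MSE documentation and is not Alibaba Cloud's code). It generates the self-signed certificate with a subjectAltName in addition to the CN that the page's command sets, checks that the private key belongs to the certificate, writes the kubernetes.io/tls Secret and the Ingress that references it with native Ingress tls semantics, and verifies the certificate the way curl --cacert does, which is the check that curl -k turns off both in this step and in the MSE console procedure at the end of the page. It assumes OpenSSL 1.1.1 or later (for -addext) and reuses the names from the page: the tls-test Secret, the mse Ingress class and the httpbin Service on port 8080. The Ingress manifest is the assumed YAML equivalent of the console settings described in step 2, not output taken from the console.

```shell
#!/usr/bin/env bash
# Added example, not from the MSE documentation. Generates a self-signed test
# certificate for foo.bar.com that carries a subjectAltName, checks that the
# key matches the certificate, emits the kubernetes.io/tls Secret and the
# Ingress that reference it, and verifies the certificate the way
# "curl --cacert" would, instead of skipping verification with "curl -k".
# Assumptions: OpenSSL 1.1.1 or later (for -addext) and the names used on the
# page (Secret tls-test, Ingress class mse, Service httpbin on port 8080).
set -euo pipefail

# Generate tls.key and tls.crt in directory $2 for domain $1. Unlike the page's
# command, this adds a subjectAltName; browsers and Go clients ignore the CN.
gen_selfsigned() {
  local domain="$1" dir="$2"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=$domain/O=$domain" \
    -addext "subjectAltName=DNS:$domain" >/dev/null 2>&1
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeed only if private key $2 belongs to certificate $1 (same public key).
cert_matches_key() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$crt_pub" = "$key_pub" ]
}

# Verify certificate $1 against CA bundle $2 for hostname $3. This is the
# check that "curl --cacert $2" performs and that "curl -k" switches off.
verify_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Emit the kubernetes.io/tls Secret (the console's "TLS Certificate" type).
secret_manifest() {
  local name="$1" ns="$2" crt="$3" key="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$crt" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# Emit an Ingress that uses native tls semantics. The referenced Secret must
# live in the same namespace as the Ingress.
ingress_manifest() {
  local name="$1" ns="$2" host="$3" secret="$4" svc="$5" port="$6"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  namespace: $ns
spec:
  ingressClassName: mse
  tls:
    - hosts:
        - $host
      secretName: $secret
  rules:
    - host: $host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: $svc
                port:
                  number: $port
EOF
}

# Usage: generate into a temporary directory, self-check, then print the
# manifests and the curl command that verifies the gateway without -k.
workdir=$(mktemp -d)
gen_selfsigned foo.bar.com "$workdir"
cert_matches_key "$workdir/tls.crt" "$workdir/tls.key"
verify_cert "$workdir/tls.crt" "$workdir/tls.crt" foo.bar.com
secret_manifest tls-test default "$workdir/tls.crt" "$workdir/tls.key"
echo ---
ingress_manifest httpbin default foo.bar.com tls-test httpbin 8080
echo "# verify instead of -k (replace x.x.x.x with the gateway IP address):"
echo "curl --cacert $workdir/tls.crt --resolve foo.bar.com:443:x.x.x.x https://foo.bar.com/version"
```

Apply the two printed manifests with kubectl apply -f, then run the printed curl command. Unlike the test with -k, it fails with a verification error if the gateway presents a certificate other than the one you generated, which is exactly the man-in-the-middle case that -k hides.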

Configure an HTTPS certificate in the MSE console

You can configure a certificate for the domain name in the MSE console. This way, you do not need to reference a Kubernetes Secret on the Ingress. You only need to configure routing rules.

Important

For the same domain name, a certificate configured in the MSE console takes precedence over a certificate referenced by a Kubernetes Secret on the Ingress. If both are configured, the gateway serves the certificate from the MSE console.

  1. Prepare a domain name certificate. In this example, a self-signed certificate is generated.

    Note

    In production, replace the sample key and certificate with the real key and certificate of your domain name. You can download them from the Alibaba Cloud Certificate Management Service console. The sample command below sets only the Common Name (CN) and adds no subjectAltName extension. curl still accepts such a certificate, but browsers and most other modern clients require the domain name in the subjectAltName, so use the self-signed certificate only for this test.

    1. Run the following command to generate a certificate file named tls.crt and a private key file named tls.key:

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"

    2. Upload the self-signed certificate to the Alibaba Cloud Certificate Management Service console. For more information, see Upload and share an SSL certificate. If your certificate is already managed in the Alibaba Cloud Certificate Management Service console, skip the upload and proceed to the next step.

  2. Create a domain name and configure a certificate.

    1. Log on to the MSE console. In the top navigation bar, select a region.

    2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of the gateway.

    3. In the left-side navigation pane, click Domain Names.

    4. Click Add Domain Name. In the Add Domain Name panel, enter foo.bar.com in the Domain Name field, select HTTPS from the Protocol drop-down list, and then select a certificate from the Certificate drop-down list.


  3. Create an MSE Ingress.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Network > Ingresses.

    3. On the Ingresses page, click Create Ingress.

    4. In the Create Ingress dialog box, select MSE Ingress for Gateway Type, specify the parameters that are related to the backend service, such as the service name and annotations, and then click OK.

      Set Ingress Class to mse. In the rule that you want to add, select Prefix (Prefix-based Match) from the Rule drop-down list, enter / in the Path field, and then select httpbin from the Service drop-down list.

      Note

      You do not need to configure a TLS certificate.


  4. Test HTTPS traffic. Run the following command to test the traffic. Replace x.x.x.x with the actual IP address of your gateway. You can view the gateway IP address on the Ingresses page.

    Note

    In this example, a self-signed certificate is used and no DNS record points foo.bar.com to the gateway. Therefore, --resolve maps the domain name to the gateway IP address for this request, and -k skips certificate verification, which would otherwise fail because the certificate is not issued by a trusted CA. Note that -k also disables the protection against man-in-the-middle attacks, so use it only in tests. With a CA-issued certificate, omit -k. With the self-signed certificate, you can pass --cacert tls.crt instead of -k to verify the gateway against the certificate that you generated.

    curl -v -k https://foo.bar.com/version --resolve "foo.bar.com:443:x.x.x.x"

    Expected output:

    * Connected to foo.bar.com (X.X.X.X) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=foo.bar.com; O=foo.bar.com
    *  start date: Jan 17 06:47:23 2024 GMT
    *  expire date: Jan 16 06:47:23 2025 GMT
    *  issuer: CN=foo.bar.com; O=foo.bar.com
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /version HTTP/1.1
    > Host: foo.bar.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Wed, 17 Jan 2024 08:16:27 GMT
    < content-length: 46
    < content-type: text/plain; charset=utf-8
    < req-cost-time: 5
    < req-arrive-time: 1705479387567
    < resp-start-time: 1705479387573
    < x-envoy-upstream-service-time: 4
    < server: istio-envoy
    <
    version: v1
    hostname: httpbin-xxxxxx