Configure an HTTPS certificate

Updated at:
Copy as MD

By configuring an HTTPS certificate, you can enable Transport Layer Security (TLS)/Secure Sockets Layer (SSL) encryption for services deployed on an MSE Ingress gateway. This is a crucial step to secure data for modern web applications and API services. An HTTPS certificate ensures that data transmitted between clients and the gateway is encrypted, preventing unauthorized parties from stealing or tampering with sensitive information. It also provides a strong defense against a man-in-the-middle attack.

Prerequisites

Configuration methods

An MSE Ingress gateway supports two methods for configuring an HTTPS certificate: using a Kubernetes Secret or using the MSE console.

Item

Kubernetes Secret

MSE console

Use cases

  • Manage certificates declaratively.

  • Automate certificate management with CI/CD pipelines or tools like cert-manager.

  • Manage certificates centrally on the Certificate Management Service console.

  • Apply a single certificate to multiple cloud products, such as Web Application Firewall (WAF) and Server Load Balancer (SLB).

  • Deploy or replace certificates in batches.

Priority

Low

High

Cross-namespace

Not supported.

Supported.

Certificate update

Replace the content of the Kubernetes Secret.

Replace the certificate on the MSE console or deploy a new certificate on the Certificate Management Service console.

Deploy the backend service

  1. Log on to the Container Service for Kubernetes (ACK) console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of your target cluster. In the left-side navigation pane, choose Workloads > Deployments.

  3. On the Deployments page, click Create from YAML. Use the following YAML to deploy a httpbin Deployment and a httpbin Service.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: httpbin
      namespace: default
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: httpbin
      template:
        metadata:
          labels:
            app: httpbin
            version: v1
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/mse-ingress/go-httpbin
              args:
                - "--version=v1"
              imagePullPolicy: Always
              name: httpbin
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: httpbin
      namespace: default
    spec:
      ports:
        - port: 8080
          protocol: TCP
      selector:
        app: httpbin

Configure the HTTPS certificate

Kubernetes Secret

You can configure an HTTPS certificate for a domain by referencing a Kubernetes Secret using native Ingress semantics.

  1. Prepare a domain certificate. This example uses a self-signed certificate.

    Note

    For production environments, you must use a real private key and certificate for your business. You can download the key and certificate for your domain from the Certificate Management Service console.

    1. Run the following command to generate a certificate file tls.crt and a private key file tls.key.

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"
    2. Create a Secret to store the TLS certificate.

      1. Log on to the Container Service for Kubernetes (ACK) console. In the left-side navigation pane, click Clusters.

      2. On the Clusters page, click the name of your target cluster. In the left-side navigation pane, choose Configurations > Secrets.

      3. Click Create. In the Create panel, set Name to tls-test, select Type as TLS Certificate, copy the created tls.crt and tls.key content into the corresponding input boxes, and then click Create.

  2. Create an MSE Ingress and configure the HTTPS certificate for the domain foo.bar.com.

    1. In the left-side navigation pane, choose Network > Ingresses.

    2. On the Ingresses page, click Create Ingress. In the Create Ingress dialog box, configure the route.

      Parameter

      Description

      Example

      Gateway type

      Select MSE Ingress. For a comparison of different gateway types, see Comparison of Nginx Ingress, ALB Ingress, APIG Ingress, and MSE Ingress.

      MSE Ingress

      Name

      Enter a custom name for the Ingress.

      test

      IngressClass

      Select the relevant resource class.

      mse

      Rule

      Click + Add Rule to add routing rules.

      • Domain name: A custom domain name.

      • Path mapping: Configure the following parameters.

        • Path: The URL path for accessing the service.

        • Match rule:

          • Prefix (prefix-based match): Matches the prefix of the request URL path.

          • Exact (exact match): Exactly matches the request URL path.

          • Default (implementation-specific): The behavior is determined by the specific logic of the Ingress controller.

          For more information, see Advanced features of ALB Ingresses.

        • Service: The target Kubernetes Service.

        • Port: The port to expose for the service.

      • Ingress supports multiple paths under the same domain name. Click + Add Path to add more paths.

      • Domain name: foo.bar.com

      • Path mapping:

        • Path: /

        • Match rule: Prefix (prefix-based match)

        • Service: httpbin

        • Port: 8080

      TLS configuration

      Enable TLS to configure a secure routing service.

      • Domain name: A custom domain name.

      • Secret: Select the appropriate Secret.

        Note

        Leaving this empty enables certificate auto-discovery.

        To create a new Secret:

        1. To the right of the Secret field, click Create.

        2. In the Create Secret dialog box, specify a Name, Cert, and Key for the Secret, and then click OK.

        3. From the Secret drop-down list, select the Secret you created.

      Click + Add TLS Configuration to configure multiple TLS settings.

      • Domain name: foo.bar.com

      • Secret: tls-test

    3. Keep the default values for other settings and click OK on the Create Ingress page.

  3. Test the HTTPS traffic. Run the following command, replacing x.x.x.x with your actual gateway IP address. You can find the gateway IP address on the Ingresses list page.

    Note

    This example uses a self-signed certificate and a domain that is not registered with a DNS provider. Therefore, you must use the --resolve flag to manually resolve the domain name to the gateway IP address and the -k flag to skip certificate validation.

    curl -v -k https://foo.bar.com/version --resolve "foo.bar.com:443:x.x.x.x"

    The expected output is as follows:

    * Connected to foo.bar.com (X.X.X.X) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=foo.bar.com; O=foo.bar.com
    *  start date: Jan 17 06:47:23 2024 GMT
    *  expire date: Jan 16 06:47:23 2025 GMT
    *  issuer: CN=foo.bar.com; O=foo.bar.com
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /version HTTP/1.1
    > Host: foo.bar.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Wed, 17 Jan 2024 07:49:39 GMT
    < content-length: 53
    < content-type: text/plain; charset=utf-8
    < req-cost-time: 3
    < req-arrive-time: 1705477779046
    < resp-start-time: 1705477779049
    < x-envoy-upstream-service-time: 2
    < server: istio-envoy
    <
    version: v1
    hostname: httpbin-xxxxxx

MSE console

You can configure a certificate for a domain directly on the MSE console. This method does not require you to reference a Kubernetes Secret in the Ingress object; you only need to configure the routing rules.

Important

For the same domain name, the MSE console method takes precedence over the Kubernetes Secret method. If you configure certificates for the same domain in both the MSE console and on a Kubernetes Ingress resource, the certificate from the console is used.

  1. Prepare a domain certificate and upload it to the Alibaba Cloud Certificate Management Service. For more information, see Upload, sync, and share SSL certificates. If your certificate is already hosted in Certificate Management Service, you can skip this step.

  2. Create a domain and configure its certificate.

    1. Log on to the MSE Gateway Management console and select a region in the top navigation bar.

    2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways, and click the ID of the target gateway instance.

    3. In the left-side navigation pane, click Routes, and then select the Domain tab.

    4. Click Add domain name. Add a Domain name, set the Protocol to HTTPS, and select the corresponding certificate.

  3. Create a service.

    1. On the Route Management page of the MSE instance, select the Service tab and click Create service.

    2. Set Service Sources to Container service, select the appropriate Namespaces, check the httpbin service you created earlier in the Service list, and click OK.

  4. Create a route.

    1. On the Route Management page of the MSE instance, select the Route tab and click Create route.

    2. For Domain name, select the domain you added in Step 2. For Backend service, select the service you created in Step 3, and then click Save and publish.

  5. Test the HTTPS traffic. Run the following command, replacing x.x.x.x with your actual gateway IP address. You can find the gateway IP address on the .

    Note

    If you are using a self-signed certificate and the domain is not registered with a DNS provider, you must use the --resolve flag to manually resolve the domain name to the gateway IP address and the -k flag to skip certificate validation.

    Replace <Your-DomainName> with your actual domain name.

    curl -v -k https://<Your-DomainName>/version --resolve "<Your-DomainName>:443:x.x.x.x"

    The expected output is as follows:

    * Connected to ********** (X.X.X.X) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=*********; O=**********
    *  start date: Jan 17 06:47:23 2024 GMT
    *  expire date: Jan 16 06:47:23 2025 GMT
    *  issuer: CN=**********; O=**********
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /version HTTP/1.1
    > Host: **********
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Wed, 17 Jan 2024 08:16:27 GMT
    < content-length: 46
    < content-type: text/plain; charset=utf-8
    < req-cost-time: 5
    < req-arrive-time: 1705479387567
    < resp-start-time: 1705479387573
    < x-envoy-upstream-service-time: 4
    < server: istio-envoy
    <
    version: v1
    hostname: httpbin-xxxxxx