Alibaba Cloud Service Mesh:Bind a certificate to a domain name

Last Updated: Apr 10, 2024

Service Mesh (ASM) allows you to bind a certificate to a domain name in the ASM console. After you bind a certificate to a domain name, clients can reach the domain name through the ingress gateway over HTTPS, and the gateway terminates TLS with that certificate. This topic describes how to create a certificate and bind it to a domain name, and how to bind an existing certificate to a domain name.

Prerequisites

Background information

In this example, the myexampleapp service whose domain name is aliyun.com is used. After you bind a certificate to the aliyun.com domain name, you can use the ingress gateway to access the myexampleapp service over HTTPS.

Create and bind a certificate to a domain name

  1. Create a sample service named myexampleapp.

    1. Create a myexample-nginx.conf file that contains the following content.

      In this example, the myexampleapp service whose domain name is aliyun.com is implemented based on NGINX. You need to create a configuration file for the NGINX server. The following content specifies that the message Welcome to aliyun.com! and the status code 200 are returned for requests to the root path of the service.

      events {
      }
      http {
        log_format main '$remote_addr - $remote_user [$time_local]  $status '
        '"$request" $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        error_log  /var/log/nginx/error.log;
        server {
          listen 80;
          location / {
              return 200 'Welcome to aliyun.com!';
              add_header Content-Type text/plain;
          }
        }
      }
    2. Run the following command to create a ConfigMap for the NGINX server:

      kubectl create configmap myexample-nginx-configmap --from-file=nginx.conf=./myexample-nginx.conf
    3. Create a myexampleapp.yaml file that contains the following content:

      apiVersion: v1
      kind: Service
      metadata:
        name: myexampleapp
        labels:
          app: myexampleapp
      spec:
        ports:
        - port: 80
          protocol: TCP
        selector:
          app: myexampleapp
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: myexampleapp
      spec:
        selector:
          matchLabels:
            app: myexampleapp
        replicas: 1
        template:
          metadata:
            labels:
              app: myexampleapp
          spec:
            containers:
            - name: nginx
              image: nginx
              ports:
              - containerPort: 80
              volumeMounts:
              - name: nginx-config
                mountPath: /etc/nginx
                readOnly: true
            volumes:
            - name: nginx-config
              configMap:
                name: myexample-nginx-configmap
    4. Run the following command to create the myexampleapp service whose domain name is aliyun.com:

      kubectl apply -f myexampleapp.yaml
  2. Import the myexampleapp service to the ingress gateway.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the ingress gateway.

    4. On the details page of the ingress gateway, click Upstream Service in the left-side navigation pane.

    5. On the Upstream Service page, click Import service.

    6. On the Import service page, select the namespace of the myexampleapp service from the Namespace drop-down list. In the Select service box, select the myexampleapp service and click the Move icon to move the service to the Selected box. Then, click OK.

  3. Create a certificate and a private key for the server of aliyun.com.

    1. Run the following openssl command to create a root certificate and a private key:

      openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
    2. Run the following commands, in this order, to generate a private key and a certificate for the server of aliyun.com. The private key and the certificate signing request (CSR) must exist before the certificate can be signed:

      • Run the following command to create the aliyun.com.key private key and the aliyun.com.csr CSR:

        openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
      • Run the following command to sign the CSR with the root certificate and create the aliyun.com.crt certificate:

        openssl x509 -req -sha256 -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 1 -in aliyun.com.csr -out aliyun.com.crt

      The serial number is set to 1 rather than 0 because RFC 5280 requires a positive serial number. The resulting certificate is signed by your own root and carries only a common name, with no subjectAltName extension. It is sufficient to test the binding, but browsers and other TLS clients will not trust it and modern clients ignore the common name when matching host names.
  4. Mount the certificate and private key in a volume and add the volume to the ingress gateway.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the ingress gateway.

    4. On the details page of the ingress gateway, click Domain/Certificate in the left-side navigation pane.

    5. On the Domain/Certificate page, click the Certificate tab and click Create.

    6. On the New Certificate page, enter a certificate name in the Name field, copy the content of the aliyun.com.crt certificate to the Certificate field, copy the content of the aliyun.com.key private key to the Key field, and then click Create.

  5. Bind the certificate to the domain name.

    1. On the Domain/Certificate page, click the Domain tab and then click Create.

    2. On the Add domain page, set the Domain Name parameter to *.aliyun.com and the Protocol parameter to HTTPS, enter a port name and port number based on your business requirements, select the certificate that you created in the previous step, select Secure connections with standard TLS semantics, and then click Create.

      Secure connections with standard TLS semantics corresponds to TLS mode SIMPLE in the Istio Gateway resource: the gateway terminates TLS with the selected certificate and does not request a client certificate. If you select it, only TLS connections are accepted on the port; plaintext HTTP requests are rejected.

  6. Run the following command to access the aliyun.com domain name over HTTPS:

    curl -k -H Host:www.aliyun.com --resolve www.aliyun.com:443:{IP address of the ingress gateway} https://www.aliyun.com

    Expected output:

    Welcome to aliyun.com!

    If the aliyun.com domain name can be accessed over HTTPS, the certificate is bound to the domain name. The -k option disables certificate verification in curl. It is required here because the test certificate is signed by your own root and its common name aliyun.com does not match www.aliyun.com, so this check confirms that the gateway terminates TLS with the bound certificate, not that clients will trust it. To see which certificate the gateway actually presents, add -v to the curl command and read the Server certificate section of the output.
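The certificate creation of step 3 and the check of step 6 above, as an added example that is not part of the ASM documentation: a POSIX shell script that issues a throwaway root and a server certificate whose subjectAltName covers aliyun.com and *.aliyun.com (the sample domain of this page), then verifies the chain and the host name with openssl before the pair is pasted into the console. The self-contained OpenSSL config sections, the file names and the directory argument are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the ASM documentation: issue a test root CA and a
# server certificate for aliyun.com / *.aliyun.com, then check the result the
# way a TLS client would. Config sections and file names are chosen here.
set -eu

# Create aliyun.root.{key,crt} and aliyun.com.{key,csr,crt} in directory $1.
make_test_certs() {
  dir="$1"
  mkdir -p "$dir"

  # Own config files, so the result does not depend on the system openssl.cnf.
  # The root is marked as a CA and its key usage is limited to signing.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = myexample Inc.
CN = myexample test root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # Clients match the host name against subjectAltName, not the CN, so the
  # names go into the SAN; the wildcard covers www.aliyun.com used by curl.
  cat > "$dir/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = server_ext
[dn]
CN = aliyun.com
O = myexample organization
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:aliyun.com,DNS:*.aliyun.com
EOF

  # 1. Self-signed root CA.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -config "$dir/ca.cnf" \
    -keyout "$dir/aliyun.root.key" -out "$dir/aliyun.root.crt"

  # 2. Server key and CSR; the key has to exist before anything can be signed.
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -config "$dir/server.cnf" \
    -keyout "$dir/aliyun.com.key" -out "$dir/aliyun.com.csr"

  # 3. Sign the CSR. Extensions are not copied from a CSR by default, so the
  #    section is passed again. Serial 1, not 0: RFC 5280 requires a positive serial.
  openssl x509 -req -sha256 -days 365 -set_serial 1 \
    -CA "$dir/aliyun.root.crt" -CAkey "$dir/aliyun.root.key" \
    -extfile "$dir/server.cnf" -extensions server_ext \
    -in "$dir/aliyun.com.csr" -out "$dir/aliyun.com.crt"
}

# Succeed only if aliyun.com.crt chains to aliyun.root.crt and is valid for host $2.
verify_test_certs() {
  dir="$1"
  host="$2"
  openssl verify -CAfile "$dir/aliyun.root.crt" "$dir/aliyun.com.crt" >/dev/null &&
    openssl x509 -in "$dir/aliyun.com.crt" -noout -checkhost "$host" |
    grep -q 'does match'
}

# Example run:
# make_test_certs ./certs && verify_test_certs ./certs www.aliyun.com && echo OK
```

With a certificate issued this way, the final check no longer needs -k. After importing ./certs/aliyun.com.crt and ./certs/aliyun.com.key in the console, run curl --cacert ./certs/aliyun.root.crt --resolve www.aliyun.com:443:{IP address of the ingress gateway} https://www.aliyun.com: curl then validates the chain against your root and the host name against the wildcard SAN, so success means the gateway presents the bound certificate and not merely that TLS was negotiated.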

Bind an existing certificate to a domain name

  1. Create a sample service named myexampleapp, as described in step 1 of Create and bind a certificate to a domain name.

  2. Import the myexampleapp service to the ingress gateway, as described in step 2 of Create and bind a certificate to a domain name.

  3. Import an existing certificate to the ingress gateway.

    Add the istioGateway:<Name of the ingress gateway> and provider:asm labels to the Kubernetes Secret that holds the certificate and its private key. The Secret must be of type kubernetes.io/tls and must reside in the namespace where the ingress gateway runs (istio-system by default), because that is where the gateway loads its TLS credentials from. After the labels are added, the certificate automatically appears on the Certificate tab in the ASM console.

  4. Bind the certificate to the domain name.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the ingress gateway.

    4. On the details page of the ingress gateway, click Domain/Certificate in the left-side navigation pane.

    5. On the Domain/Certificate page, click the Domain tab and then click Create.

    6. On the Add domain page, set the Domain Name parameter to *.aliyun.com and the Protocol parameter to HTTPS, enter a port name and port number based on your business requirements, select the certificate that you imported to the ingress gateway, select Secure connections with standard TLS semantics, and then click Create.

      Secure connections with standard TLS semantics corresponds to TLS mode SIMPLE in the Istio Gateway resource: the gateway terminates TLS with the selected certificate and does not request a client certificate. If you select it, only TLS connections are accepted on the port; plaintext HTTP requests are rejected.

  5. Run the following command to access the aliyun.com domain name over HTTPS:

    curl -k -H Host:www.aliyun.com --resolve www.aliyun.com:443:{IP address of the ingress gateway} https://www.aliyun.com

    Expected output:

    Welcome to aliyun.com!

    If the aliyun.com domain name can be accessed over HTTPS, the certificate is bound to the domain name. Note that -k disables certificate verification in curl, so this form of the check only proves that the gateway terminates TLS with some certificate. If the imported certificate was issued by a CA that curl trusts, omit -k; if it was issued by a private CA, replace -k with --cacert <root certificate file> so that curl also verifies the chain and the host name.
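The import step of this procedure as an added example (not ASM's own tooling): a shell function that packages an existing certificate and private key as the kubernetes.io/tls Secret the ingress gateway reads, with the istioGateway and provider labels from step 3 already set, after checking that the key actually belongs to the certificate. The Secret name aliyun-com-tls, the gateway name ingressgateway and the istio-system namespace are assumptions made for this example; the label keys come from the page.

```shell
#!/bin/sh
# Added example, not from the ASM documentation: render the labelled TLS Secret
# that ASM lists as an existing certificate. The Secret name, gateway name and
# namespace used in the usage line are assumptions for this example.
set -eu

# Print a kubernetes.io/tls Secret manifest for the given certificate and key
# files, labelled for the named ingress gateway. Does not touch the cluster.
#   $1 Secret name   $2 namespace   $3 ingress gateway name
#   $4 certificate PEM file   $5 private key PEM file
render_gateway_tls_secret() {
  name="$1"
  namespace="$2"
  gateway="$3"
  crt="$4"
  key="$5"

  # Refuse to package a key that does not belong to the certificate: compare the
  # public key embedded in the certificate with the one derived from the key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "certificate $crt and key $key do not match" >&2
    return 1
  fi

  # Single-line base64 without GNU-only -w0, so the function also runs on BSD/macOS.
  b64() { base64 < "$1" | tr -d '\n'; }

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
  labels:
    istioGateway: $gateway
    provider: asm
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$crt")
  tls.key: $(b64 "$key")
EOF
}

# Example usage (names are assumptions for this example):
# render_gateway_tls_secret aliyun-com-tls istio-system ingressgateway \
#   aliyun.com.crt aliyun.com.key | kubectl apply -f -
```

For a Secret that already exists in the gateway namespace, adding the labels in place is enough to make it appear on the Certificate tab: kubectl -n istio-system label secret <Secret name> istioGateway=<Name of the ingress gateway> provider=asm.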