Alibaba Cloud Service Mesh:Bind a certificate to a domain name

Last Updated: Mar 11, 2026

A service exposed through a Service Mesh (ASM) ingress gateway needs a TLS certificate before it can accept HTTPS traffic. ASM lets you bind a certificate to a domain name in the console. Once bound, the ingress gateway terminates TLS for that domain, so clients reach the service over HTTPS instead of plain HTTP.

How it works

When you bind a certificate to a domain name, the ingress gateway terminates TLS for incoming requests to that domain. External clients connect to the gateway over HTTPS; the gateway decrypts the traffic and forwards it to backend services inside the mesh. In this example the hop from the gateway to myexampleapp is plain HTTP on port 80, so the TLS session ends at the gateway.

Client --(HTTPS)--> Ingress Gateway --> Backend Service

Prerequisites

Before you begin, make sure that you have:

Step 1: Create a sample service

This example uses a service named myexampleapp backed by NGINX and a certificate for aliyun.com, which Step 5 binds to the wildcard domain *.aliyun.com. After you complete all steps, the ingress gateway accepts HTTPS requests for hosts under that domain and routes them to myexampleapp.

  1. Create a file named myexample-nginx.conf with the following content. This NGINX configuration returns Welcome to aliyun.com! with a 200 status code for requests to the root path:

       events {
       }
       http {
         log_format main '$remote_addr - $remote_user [$time_local]  $status '
         '"$request" $body_bytes_sent "$http_referer" '
         '"$http_user_agent" "$http_x_forwarded_for"';
         access_log /var/log/nginx/access.log main;
         error_log  /var/log/nginx/error.log;
         server {
           listen 80;
           location / {
               return 200 'Welcome to aliyun.com!';
               add_header Content-Type text/plain;
           }
         }
       }
  2. Create a ConfigMap from the configuration file:

       kubectl create configmap myexample-nginx-configmap --from-file=nginx.conf=./myexample-nginx.conf
  3. Create a file named myexampleapp.yaml with the following content:


       apiVersion: v1
       kind: Service
       metadata:
         name: myexampleapp
         labels:
           app: myexampleapp
       spec:
         ports:
         - port: 80
           protocol: TCP
         selector:
           app: myexampleapp
       ---
       apiVersion: apps/v1
       kind: Deployment
       metadata:
         name: myexampleapp
       spec:
         selector:
           matchLabels:
             app: myexampleapp
         replicas: 1
         template:
           metadata:
             labels:
               app: myexampleapp
           spec:
             containers:
             - name: nginx
               image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
               ports:
               - containerPort: 80
               volumeMounts:
               - name: nginx-config
                 mountPath: /etc/nginx
                 readOnly: true
             volumes:
             - name: nginx-config
               configMap:
                 name: myexample-nginx-configmap
  4. Deploy the service:

       kubectl apply -f myexampleapp.yaml

Step 2: Import the service to the ingress gateway

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click the name of the ingress gateway.

  4. In the left-side navigation pane of the Gateway overview page, click Upstream Service.

  5. On the Gateway upstream services page, click Import service.

  6. On the Import service page, select the namespace of the myexampleapp service from the Namespace drop-down list. In the service list, select myexampleapp and click the move icon to move it to the selected box. Click Submit.

Step 3: Generate TLS certificates

Use openssl to create a private root CA, plus a server certificate and private key for aliyun.com signed by that root. These are self-signed test certificates that clients trust only if you hand them aliyun.root.crt; for a production gateway, use a certificate issued by a CA that your clients already trust.

  1. Generate a root certificate and private key:

       openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
         -subj '/O=myexample Inc./CN=aliyun.com' \
         -keyout aliyun.root.key -out aliyun.root.crt
  2. Generate a Certificate Signing Request (CSR) and private key for the server:

       openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes \
         -keyout aliyun.com.key \
         -subj "/CN=aliyun.com/O=myexample organization"
  3. Sign the server certificate with the root certificate. Modern clients match the requested host against the certificate's subjectAltName entries (browsers and Go ignore the CN entirely), and CN=aliyun.com would not match www.aliyun.com in any case, so pass the names the gateway serves (aliyun.com and the wildcard *.aliyun.com used in Step 5) through an extension file. openssl x509 -req does not copy extensions from the CSR, which is why the file is needed; -CAcreateserial replaces a fixed serial of 0, which RFC 5280 does not allow:

       cat > aliyun.com.ext <<'EOF'
       subjectAltName = DNS:aliyun.com, DNS:*.aliyun.com
       extendedKeyUsage = serverAuth
       EOF
       openssl x509 -req -days 365 -sha256 \
         -CA aliyun.root.crt -CAkey aliyun.root.key -CAcreateserial \
         -in aliyun.com.csr -out aliyun.com.crt -extfile aliyun.com.ext

Step 4: Add the certificate to the ingress gateway

The steps differ depending on your ASM instance version.

Note
  • For ASM version 1.17 or later, use the Certificate Management page. To migrate an existing certificate, create a new certificate with the same name on the Certificate Management page. The new certificate overwrites the existing one. For more information, see Update an ASM instance.

  • When you add a certificate through Certificate Management, the system automatically creates a Secret with the same name on the data plane. If a Secret with that name already exists, its content is overwritten, so choose a name that does not collide with a Secret already used by another workload.

ASM versions earlier than 1.17

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click the name of the gateway. In the left-side navigation pane of the Gateway overview page, click Domain/Certificate.

  4. Click the Certificate tab, and then click Create.

  5. On the New Certificate page, configure the following fields, and then click Create:

    Parameter     Description
    Name          Enter a certificate name.
    Certificate   Paste the content of aliyun.com.crt.
    Key           Paste the content of aliyun.com.key.

ASM version 1.17 or later

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Certificate Management.

  3. On the Certificate Management page, click Create. In the Certificate Information panel, configure the following parameters, and then click OK:

    Parameter                Description
    Name                     Enter the certificate name. For this example, enter myexample-credential.
    Public Key Certificate   Paste the content of aliyun.com.crt generated in Step 3.
    Private Key              Paste the content of aliyun.com.key generated in Step 3.

Step 5: Bind the certificate to the domain name

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click the name of the gateway. In the left-side navigation pane of the Gateway overview page, click Domain/Certificate.

  4. Click the Domain tab, and then click Create.

  5. On the Add domain page, configure the following settings, and then click Create:

    • Set Domain Name to *.aliyun.com.

    • Set Protocol to HTTPS.

    • Enter a port name and port number based on your requirements. The verification in Step 6 connects to port 443.

    • Select the certificate that you added to the ingress gateway.

    • Select Secure connections with standard TLS semantics.

    Note

    Selecting Secure connections with standard TLS semantics restricts the domain to TLS-encrypted requests only.

Step 6: Verify the configuration

Run the following curl command to check that the gateway terminates TLS for the domain and routes the request to myexampleapp. Replace <ingress-gateway-ip> with the IP address of your ingress gateway. The -k flag disables certificate verification, so this check proves routing only, not that the gateway serves the certificate you created:

curl -k -H Host:www.aliyun.com \
  --resolve www.aliyun.com:443:<ingress-gateway-ip> \
  https://www.aliyun.com

Expected output:

Welcome to aliyun.com!

If the response matches, HTTPS access through the ingress gateway is working.

To verify that the gateway serves the certificate you created, drop -k and pass the root certificate with --cacert. curl then checks that the served certificate chains to aliyun.root.crt and that its name matches www.aliyun.com:

curl --cacert aliyun.root.crt -H Host:www.aliyun.com \
  --resolve www.aliyun.com:443:<ingress-gateway-ip> \
  https://www.aliyun.com

If this command succeeds, the ingress gateway is serving a certificate issued by your root for this domain, not just any TLS certificate. The name check passes only if the server certificate carries a subjectAltName that covers www.aliyun.com (for example DNS:*.aliyun.com); a certificate whose only name is CN=aliyun.com fails it. The fix is to reissue the certificate with the right SAN entries and re-add it in Step 4, not to fall back to -k.
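The certificates of Step 3 and the --cacert check of Step 6, as an added example that is not part of the ASM documentation or of ASM itself: this Go program builds the same root and server certificate in memory with the standard library and then applies the check a strict client makes (chain to the root plus a subjectAltName match for the requested host). Building the server certificate once without and once with SAN entries shows why the *.aliyun.com binding in Step 5 needs DNS:aliyun.com and DNS:*.aliyun.com. The subject names and domains come from the page; the serial numbers, key usages, validity and function names are assumptions of this example.

```go
package main

// Added example, not from the ASM documentation: the Step 3 PKI rebuilt with
// Go's standard library, plus the check a strict client applies in Step 6.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is what Step 3 produces: a self-signed root and a server certificate
// signed by it, plus the private keys that Step 4 pastes into the console.
type PKI struct {
	Root, Leaf       *x509.Certificate
	RootKey, LeafKey *rsa.PrivateKey
}

// sign issues tmpl under parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI mirrors the openssl commands in Step 3. withSAN=false gives a leaf
// with only CN=aliyun.com; withSAN=true adds the DNS subjectAltNames
// aliyun.com and *.aliyun.com that the Step 5 binding needs (assumed values).
func BuildPKI(withSAN bool) (*PKI, error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	root, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"myexample Inc."}, CommonName: "aliyun.com"},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // RFC 5280 requires a positive serial, so not 0
		Subject:      pkix.Name{Organization: []string{"myexample organization"}, CommonName: "aliyun.com"},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		leafTmpl.DNSNames = []string{"aliyun.com", "*.aliyun.com"}
	}
	leaf, err := sign(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Leaf: leaf, RootKey: rootKey, LeafKey: leafKey}, nil
}

// VerifyForHost is the Step 6 `curl --cacert aliyun.root.crt` check in code:
// chain to the root, serverAuth usage, and a SAN that covers host. Go ignores
// the CN, so a CN-only leaf fails even for the exact name aliyun.com.
func VerifyForHost(p *PKI, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	for _, withSAN := range []bool{false, true} {
		p, err := BuildPKI(withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("leaf SAN=%-5v verify www.aliyun.com: %v\n", withSAN, VerifyForHost(p, "www.aliyun.com"))
	}
}
```

Running the program prints one line per variant: the CN-only leaf fails verification for www.aliyun.com and the leaf with SAN entries passes. The same wildcard covers one label only, so a.b.aliyun.com is rejected even with the SAN present. To see what a running gateway actually presents for the SNI name, `openssl s_client -connect <ingress-gateway-ip>:443 -servername www.aliyun.com` shows the served chain; the PEM files for Step 4 can be written from p.Leaf.Raw and x509.MarshalPKCS1PrivateKey(p.LeafKey) with encoding/pem.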