Service Mesh (ASM) allows you to enable HTTPS and dynamic certificate loading by using an ingress gateway. This enhances gateway security. You can create an HTTPS listener by binding a certificate to the Server Load Balancer (SLB) instance of an ingress gateway. The HTTPS listener decrypts HTTPS requests into HTTP requests and forwards the HTTP requests to the ingress gateway pod. This topic describes how to create an HTTPS listener by binding a certificate to the SLB instance of an ingress gateway.
Prerequisites
Step 1: Prepare the certificate that you want to bind to the SLB instance
A certificate and a private key are created
If you have created a certificate and a private key for the aliyun.com domain name, rename the certificate aliyun.com.crt and the private key aliyun.com.key.
No certificate and private key are created
If you do not have a certificate and a private key for the aliyun.com domain name, perform the following steps to create a certificate and a private key by using OpenSSL.
Run the following command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Run the following commands to generate a certificate and a private key for the aliyun.com domain name:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
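The following script is an added example, not part of the ASM documentation. It runs the same two-stage procedure as the commands above (self-signed root CA, then a leaf certificate for aliyun.com signed by that CA) and adds the checks a practitioner wants before uploading the files to the CLB console: the leaf verifies against the root, the private key matches the certificate, and the certificate carries a subjectAltName for the host. The SAN extension (via a hypothetical leaf.ext file) and the serial number 1 are assumptions of this example and are not in the page's commands; the SAN is added because current clients ignore the CN and require a SAN. It assumes openssl is on PATH and the target directory is writable.

```shell
#!/bin/sh
# Added example (not from the ASM documentation): generate the root CA and the
# aliyun.com leaf certificate from Step 1, then check them before uploading.
# Assumptions: openssl on PATH; directory argument is writable.
set -eu

# Generate the root CA and the leaf certificate into directory $1.
gen_certs() {
    dir=$1
    mkdir -p "$dir"
    # Root CA (self-signed), same subject as on the page.
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj '/O=myexample Inc./CN=aliyun.com' \
        -keyout "$dir/aliyun.root.key" -out "$dir/aliyun.root.crt" 2>/dev/null
    # Leaf private key and CSR for the domain name.
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=aliyun.com/O=myexample organization' \
        -keyout "$dir/aliyun.com.key" -out "$dir/aliyun.com.csr" 2>/dev/null
    # Extension file carrying the SAN (assumption: not part of the page's steps;
    # clients match the SAN, not the CN, so a CN-only leaf is rejected).
    printf 'subjectAltName=DNS:aliyun.com\nbasicConstraints=CA:FALSE\n' > "$dir/leaf.ext"
    # Sign the CSR with the root CA. Serial 1 is a constructed value for this example.
    openssl x509 -req -sha256 -days 365 -set_serial 1 \
        -CA "$dir/aliyun.root.crt" -CAkey "$dir/aliyun.root.key" \
        -in "$dir/aliyun.com.csr" -extfile "$dir/leaf.ext" \
        -out "$dir/aliyun.com.crt" 2>/dev/null
}

# Pre-upload checks: the leaf must chain to the root, the private key must belong
# to the certificate, and the SAN must name the host the gateway will serve.
verify_certs() {
    dir=$1
    openssl verify -CAfile "$dir/aliyun.root.crt" "$dir/aliyun.com.crt" >/dev/null || return 1
    # Compare the SubjectPublicKeyInfo embedded in the certificate with the key's.
    cert_pub=$(openssl x509 -in "$dir/aliyun.com.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/aliyun.com.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$dir/aliyun.com.crt" -noout -text | grep -q 'DNS:aliyun.com'
}

# Print the fields the CLB console displays for the uploaded certificate.
show_cert() {
    openssl x509 -in "$1/aliyun.com.crt" -noout -subject -issuer -dates
}

# Usage: sh gen_certs.sh ./certs
if [ "${1:-}" ]; then
    gen_certs "$1"
    verify_certs "$1" && show_cert "$1"
fi
```

Upload aliyun.com.crt and aliyun.com.key to the CLB console as on the page. Keep aliyun.root.crt: once the listener is up, passing it to curl with --cacert lets you verify the server certificate instead of disabling verification with -k.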
Create a certificate in the CLB console
- Log on to the CLB console.
When you configure an HTTPS listener, you can use a certificate from SSL Certificates Service or upload a third-party server certificate and certification authority (CA) certificate. For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.
Step 2: Create an HTTPS listener
ASM allows you to create custom ingress gateways. You can configure parameters in the YAML file. For more information, see Create and manage an ingress gateway by using the Kubernetes API.
Create an ingressgateway.yaml file that contains the following content:
Configure the serviceAnnotations field to create an HTTPS SLB instance. The SLB instance decrypts HTTPS requests that are received on port 443 into HTTP requests and forwards the HTTP requests to port 80 in the ingress gateway pod. ${YOUR_CERT_ID} specifies the ID of the certificate that you prepared in Step 1.
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  ....
  ports:
    - name: http-0
      port: 80
      protocol: HTTP
      targetPort: 80
    - name: https-1
      port: 443
      protocol: HTTPS
      targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer
Run the following command to deploy the ingress gateway:
kubectl apply -f ingressgateway.yaml
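The script below is an added example and not the project's own tooling. It renders the IstioGateway manifest from Step 2 with the certificate ID substituted and then runs a pre-flight check on it before kubectl apply. The check enforces the three things that make the listener terminate TLS as described: the cert-id annotation must no longer hold the ${YOUR_CERT_ID} placeholder, the protocol-port annotation must declare https for the port that carries the certificate (otherwise the SLB is created with a plain TCP listener and the pod receives raw TLS on its HTTP port), and the HTTPS entry's targetPort must be the pod's plaintext HTTP port. The render_gateway and check_gateway names, the port arguments, and the field order assumed by the awk expressions (name, port, protocol, targetPort, as on the page) are assumptions of this example; fields elided with .... on the page are omitted.

```shell
#!/bin/sh
# Added example (not from the ASM documentation): render the Step 2 manifest
# with a real certificate ID and check it before kubectl apply.
set -eu

# Render the manifest. $1 = certificate ID from Step 1, $2 = HTTPS port on the
# SLB instance, $3 = plaintext HTTP port inside the ingress gateway pod.
render_gateway() {
    cert_id=$1; https_port=$2; http_port=$3
    cat <<EOF
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  ports:
    - name: http-0
      port: $http_port
      protocol: HTTP
      targetPort: $http_port
    - name: https-1
      port: $https_port
      protocol: HTTPS
      targetPort: $http_port
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "$cert_id"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:$https_port"
  serviceType: LoadBalancer
EOF
}

# Pre-flight check on a manifest read from stdin. Returns non-zero and names
# the problem when the listener would not terminate TLS at the SLB instance.
check_gateway() {
    m=$(cat)
    # 1. The placeholder must have been replaced with a real certificate ID.
    if printf '%s\n' "$m" | grep -q 'YOUR_CERT_ID\|cert-id: *""'; then
        echo 'cert-id annotation is empty or still holds the placeholder' >&2
        return 1
    fi
    # 2. Find the port of the HTTPS entry (port: precedes protocol: on the page).
    https_port=$(printf '%s\n' "$m" | awk '/^ *port:/ {p=$2} /protocol: HTTPS/ {print p; exit}')
    if [ -z "$https_port" ]; then
        echo 'no HTTPS port entry found' >&2
        return 1
    fi
    # 3. The listener protocol annotation must declare https for that port;
    #    without it the SLB creates a TCP listener and forwards raw TLS to the pod.
    if ! printf '%s\n' "$m" | grep -q "protocol-port: *[\"']https:$https_port[\"']"; then
        echo "protocol-port annotation does not declare https:$https_port" >&2
        return 1
    fi
    # 4. The decrypted traffic must be handed to the pod's plaintext HTTP port.
    https_target=$(printf '%s\n' "$m" | awk '/protocol: HTTPS/ {s=1} s && /targetPort:/ {print $2; exit}')
    http_port=$(printf '%s\n' "$m" | awk '/^ *port:/ {p=$2} /protocol: HTTP$/ {print p; exit}')
    if [ "$https_target" != "$http_port" ]; then
        echo "HTTPS targetPort $https_target is not the plaintext HTTP port $http_port" >&2
        return 1
    fi
    return 0
}

# Usage: sh render_gateway.sh <cert-id> [https-port] [http-port] > ingressgateway.yaml
if [ $# -ge 1 ]; then
    out=$(render_gateway "$1" "${2:-443}" "${3:-80}")
    printf '%s\n' "$out" | check_gateway && printf '%s\n' "$out"
fi
```

Because the script only writes the manifest to stdout when check_gateway passes, piping its output into kubectl apply -f - refuses to deploy a gateway whose listener would stay unencrypted or would never come up.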
Step 3: Verify that the HTTPS listener takes effect
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, obtain the IP address of the ingress gateway in the Kubernetes Service column.
Run the following command to access the productpage service over HTTPS:
Use the IP address of the ingress gateway that you obtained in the previous step.
curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:${IP address of the ingress gateway} https://a.aliyun.com/productpage -I
Sample output:
HTTP/2 200
date: Fri, 13 Jan 2023 07:11:45 GMT
content-type: text/html; charset=utf-8
content-length: 5294
vary: Accept-Encoding
x-envoy-upstream-service-time: 23
Encrypted traffic is decrypted into plaintext when it passes through the SLB instance, and then goes into the cluster. This result indicates that the HTTPS listener takes effect.