
Alibaba Cloud Service Mesh:Bind a certificate to a domain name

Last Updated: Sep 02, 2024

Service Mesh (ASM) allows you to bind a certificate to a domain name in a visual manner. After you bind a certificate to a domain name, you can use an ingress gateway to access the domain name over a protocol such as HTTPS. This improves the security of the ingress gateway. This topic describes how to bind a certificate to a domain name.

Prerequisites

Background information

In this example, the myexampleapp service whose domain name is aliyun.com is used. After you bind a certificate to the aliyun.com domain name, you can use the ingress gateway to access the myexampleapp service over HTTPS.

Procedure

  1. Create a sample service named myexampleapp.

    1. Create a myexample-nginx.conf file that contains the following content.

      In this example, the myexampleapp service whose domain name is aliyun.com is implemented based on NGINX. You need to create a configuration file for the NGINX server. The following code block specifies that the message Welcome to aliyun.com! and a 200 status code are returned for requests to the root path of the service:

      events {
      }
      http {
        log_format main '$remote_addr - $remote_user [$time_local]  $status '
        '"$request" $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        error_log  /var/log/nginx/error.log;
        server {
          listen 80;
          location / {
              return 200 'Welcome to aliyun.com!';
              add_header Content-Type text/plain;
          }
        }
      }
    2. Run the following command to create a ConfigMap for the NGINX server:

      kubectl create configmap myexample-nginx-configmap --from-file=nginx.conf=./myexample-nginx.conf
    3. Create a myexampleapp.yaml file that contains the following content:


      apiVersion: v1
      kind: Service
      metadata:
        name: myexampleapp
        labels:
          app: myexampleapp
      spec:
        ports:
        - port: 80
          protocol: TCP
        selector:
          app: myexampleapp
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: myexampleapp
      spec:
        selector:
          matchLabels:
            app: myexampleapp
        replicas: 1
        template:
          metadata:
            labels:
              app: myexampleapp
          spec:
            containers:
            - name: nginx
              image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
              ports:
              - containerPort: 80
              volumeMounts:
              - name: nginx-config
                mountPath: /etc/nginx
                readOnly: true
            volumes:
            - name: nginx-config
              configMap:
                name: myexample-nginx-configmap
    4. Run the following command to create the myexampleapp service whose domain name is aliyun.com:

      kubectl apply -f myexampleapp.yaml
  2. Import the myexampleapp service to the ingress gateway.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the desired ingress gateway.

    4. In the left-side navigation pane of the Gateway overview page, click Upstream Service.

    5. On the Gateway upstream services page, click Import service.

    6. On the Import service page, select the namespace of the myexampleapp service from the Namespace drop-down list. In the select service box, select the myexampleapp service and click the Upstream Service icon to move the service to the selected box. Then, click Submit.

  3. Create a certificate and a private key for the server of aliyun.com.

    1. Run the following openssl command to create a root certificate and a private key:

      openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
    2. Run the following commands to create a private key and a certificate for the server of aliyun.com. Create the private key and the certificate signing request (CSR) first, because the signing command reads the aliyun.com.csr file.

      • Run the following command to create the aliyun.com.key private key and the aliyun.com.csr certificate signing request:

        openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
      • Run the following command to sign the request with the root certificate and create the aliyun.com.crt certificate:

        openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
  4. Mount the certificate and private key in a volume and add the volume to the ingress gateway.

    Note
    • For ASM instances of version 1.17 or later, you can use the certificates that are added to the Certificate Management page. We recommend that you migrate certificates to Certificate Management at the earliest opportunity. To migrate a certificate, you can create a new certificate with the same name as an existing certificate on the Certificate Management page. Then, the existing certificate is overwritten and you do not need to delete it. For more information about how to update an ASM instance, see Update an ASM instance.

    • For a certificate that is added to the Certificate Management page, the system automatically generates a secret whose name is the same as that of the certificate on the data plane. If a secret with the same name already exists, the new content of the secret overwrites the original content.

    An ASM instance of a version earlier than 1.17

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the gateway that you want to configure. In the left-side navigation pane of the Gateway overview page, click Domain/Certificate.

    4. On the page that appears, click the Certificate tab and click Create.

    5. On the New Certificate page, enter a certificate name in the Name field, copy the content of the aliyun.com.crt certificate to the Certificate box, copy the content of the aliyun.com.key private key to the key box, and then click Create.

    An ASM instance of version 1.17 or later

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Certificate Management.

    3. On the Certificate Management page, click Create. In the Certificate Information panel, configure the required parameters and click OK.

      • Name: Enter the name of the certificate. For this example, enter myexample-credential.

      • Public Key Certificate: Enter the content of the aliyun.com.crt certificate that is generated in Step 3.

      • Private Key: Enter the content of the aliyun.com.key private key that is generated in Step 3.

  5. Bind the certificate to the domain name.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the gateway that you want to configure. In the left-side navigation pane of the Gateway overview page, click Domain/Certificate.

    4. On the page that appears, click the Domain tab and click Create.

    5. On the Add domain page, set the Domain Name parameter to *.aliyun.com and the Protocol parameter to HTTPS, and enter a port name and port number based on your business requirements. Then, select the certificate that you imported to the ingress gateway, select Secure connections with standard TLS semantics, and click Create.

      Note

      If you select Secure connections with standard TLS semantics, only TLS requests can access the domain name.

  6. Run the following command to access the aliyun.com domain name over HTTPS to check whether the domain name and certificate are bound:

    curl -k -H Host:www.aliyun.com --resolve www.aliyun.com:443:{IP address of the ingress gateway} https://www.aliyun.com

    Expected output:

    Welcome to aliyun.com!

    The aliyun.com domain name can be accessed over HTTPS. This indicates that the certificate is bound to the domain name.
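The openssl commands in Step 3 and the curl check in Step 6, carried through as an added example that is not part of the ASM documentation: the script below creates the root certificate, the server key and CSR, and the signed server certificate in the order they must run, adds a subjectAltName that covers aliyun.com and *.aliyun.com (the page's certificate carries only CN=aliyun.com, which is why the final check needs curl -k), and then verifies the chain and the hostname offline with openssl verify. It also checks that the private key you paste into the console belongs to the certificate pasted next to it. The WORKDIR variable, the san.ext extension file and the function names are choices made for this example; it assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example (not part of the ASM documentation): create the root CA, the
# server key/CSR and the signed server certificate from Step 3 in a runnable
# order, add a subjectAltName for aliyun.com and *.aliyun.com, and verify the
# result offline. Assumes openssl 1.1.1+ on PATH. WORKDIR, san.ext and the
# function names are choices made for this example, not ASM conventions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed root certificate and key (same options as the page's command).
make_root_ca() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=myexample Inc./CN=aliyun.com' \
    -keyout "$WORKDIR/aliyun.root.key" -out "$WORKDIR/aliyun.root.crt" 2>/dev/null
}

# Server private key and CSR. This has to run before signing, because the
# signing command reads aliyun.com.csr.
make_server_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/aliyun.com.key" -out "$WORKDIR/aliyun.com.csr" \
    -subj '/CN=aliyun.com/O=myexample organization' 2>/dev/null
}

# Sign the CSR with the root CA. The extension file (an addition over the
# page's command) puts both names in the SAN, so that a client connecting to
# www.aliyun.com can verify the certificate without curl -k.
sign_server_cert() {
  cat > "$WORKDIR/san.ext" <<'EOF'
subjectAltName = DNS:aliyun.com, DNS:*.aliyun.com
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  openssl x509 -req -days 365 -sha256 -CAcreateserial \
    -CA "$WORKDIR/aliyun.root.crt" -CAkey "$WORKDIR/aliyun.root.key" \
    -in "$WORKDIR/aliyun.com.csr" -out "$WORKDIR/aliyun.com.crt" \
    -extfile "$WORKDIR/san.ext" 2>/dev/null
}

# Exit 0 only if aliyun.com.crt chains to the root AND covers hostname $1;
# this is exactly the check that curl -k skips.
verify_hostname() {
  openssl verify -CAfile "$WORKDIR/aliyun.root.crt" \
    -verify_hostname "$1" "$WORKDIR/aliyun.com.crt" >/dev/null 2>&1
}

# Exit 0 only if the private key belongs to the certificate. A mismatched
# pair pasted into the console is a common cause of a gateway that refuses
# TLS handshakes.
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$WORKDIR/aliyun.com.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/aliyun.com.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

make_root_ca
make_server_csr
sign_server_cert

for host in aliyun.com www.aliyun.com www.example.com; do
  if verify_hostname "$host"; then
    echo "$host: chain and hostname OK"
  else
    echo "$host: rejected"
  fi
done
if key_matches_cert; then echo "aliyun.com.key matches aliyun.com.crt"; fi
```

With a certificate issued this way, the final check can drop -k and pin the root instead: curl --cacert aliyun.root.crt --resolve www.aliyun.com:443:{IP address of the ingress gateway} https://www.aliyun.com. That variant fails if the gateway serves a certificate that does not chain to aliyun.root.crt or does not cover www.aliyun.com, both of which -k would silently accept.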