Service Mesh (ASM) allows you to bind a certificate to a domain name in a visual manner. After you bind a certificate to a domain name, you can use an ingress gateway to access the domain name over a protocol such as HTTPS. This improves the security of the ingress gateway. This topic describes how to bind a certificate to a domain name.
Prerequisites
An ASM instance of Enterprise Edition or Ultimate Edition is created. An application is deployed in the Container Service for Kubernetes (ACK) cluster that is added to the ASM instance. For more information, see Deploy an application in an ACK cluster that is added to an ASM instance.
An ingress gateway is deployed. For more information, see Create an ingress gateway.
Sidecar proxy injection is enabled for the namespace of the service that you want to access. For more information, see Configure sidecar proxy injection policies.
The IP address of the ingress gateway is obtained. For more information, see Step 2: Obtain the IP address of the ASM ingress gateway.
Background information
In this example, the myexampleapp service whose domain name is aliyun.com is used. After you bind a certificate to the aliyun.com domain name, you can use the ingress gateway to access the myexampleapp service over HTTPS.
Procedure
Create a sample service named myexampleapp.
Create a myexample-nginx.conf file that contains the following content.
In this example, the myexampleapp service whose domain name is aliyun.com is implemented based on NGINX. You need to create a configuration file for the NGINX server. The following code block specifies that the message "Welcome to aliyun.com!" and a 200 status code are returned for requests to the root path of the service:

events { }
http {
    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    server {
        listen 80;
        location / {
            return 200 'Welcome to aliyun.com!';
            add_header Content-Type text/plain;
        }
    }
}
Run the following command to create a ConfigMap for the NGINX server:
kubectl create configmap myexample-nginx-configmap --from-file=nginx.conf=./myexample-nginx.conf
Create a myexampleapp.yaml file that contains the following content:
Run the following command to create the myexampleapp service whose domain name is aliyun.com:
kubectl apply -f myexampleapp.yaml
Import the myexampleapp service to the ingress gateway.
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, click the name of the desired ingress gateway.
In the left-side navigation pane of the Gateway overview page, click Upstream Service.
On the Gateway upstream services page, click Import service.
On the Import service page, select the namespace of the myexampleapp service from the Namespace drop-down list. In the select service box, select the myexampleapp service and click the icon to move the service to the selected box. Then, click Submit.
Create a certificate and a private key for the server of aliyun.com.
Run the following openssl command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Run the following commands to create a certificate and a private key for the server of aliyun.com. Create the private key and the certificate signing request (CSR) first, because the second command signs that CSR with the root certificate.
Run the following command to create the aliyun.com.key private key and the aliyun.com.csr CSR:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
Run the following command to create the aliyun.com.crt certificate by signing the CSR with the root certificate and its private key:
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
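The following script is an added example and is not part of the ASM documentation. It builds the same root certificate and server certificate as the steps above with openssl, but adds a subjectAltName that covers aliyun.com and *.aliyun.com (the pattern that is bound in the gateway later, which clients match against the SAN rather than the CN), and it verifies the chain and the key pairing locally before the files are uploaded to ASM. It assumes that openssl is on the PATH and that the output directory is writable.

```shell
#!/bin/sh
# Added example, not the documentation's own commands. Builds a root CA and a
# server certificate for aliyun.com / *.aliyun.com and checks them locally.
set -eu

# Generate the root CA, the server key, the CSR and the signed leaf in $1.
make_chain() {
  dir=$1
  # Self-signed root CA, as in the procedure above.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=myexample Inc./CN=aliyun.com' \
    -keyout "$dir/aliyun.root.key" -out "$dir/aliyun.root.crt" 2>/dev/null
  # Server private key and CSR; the CSR must exist before it can be signed.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/aliyun.com.key" \
    -subj '/CN=aliyun.com/O=myexample organization' \
    -out "$dir/aliyun.com.csr" 2>/dev/null
  # Sign the CSR with the root CA. The SAN extension is the addition here:
  # TLS clients validate the hostname against the SAN, so the wildcard bound
  # in the gateway must appear in it. Serial 1 is used because RFC 5280
  # requires a positive serial number.
  printf 'subjectAltName=DNS:aliyun.com,DNS:*.aliyun.com\n' > "$dir/san.ext"
  openssl x509 -req -days 365 -sha256 -CA "$dir/aliyun.root.crt" \
    -CAkey "$dir/aliyun.root.key" -set_serial 1 -in "$dir/aliyun.com.csr" \
    -extfile "$dir/san.ext" -out "$dir/aliyun.com.crt" 2>/dev/null
}

# Return 0 only if the leaf chains to the root, the private key belongs to
# the leaf, and the SAN lists the wildcard that the gateway domain uses.
verify_chain() {
  dir=$1
  openssl verify -CAfile "$dir/aliyun.root.crt" "$dir/aliyun.com.crt" \
    >/dev/null 2>&1 || return 1
  crt_mod=$(openssl x509 -noout -modulus -in "$dir/aliyun.com.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/aliyun.com.key" 2>/dev/null)
  [ "$crt_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -text -in "$dir/aliyun.com.crt" \
    | grep -q 'DNS:\*\.aliyun\.com'
}
```

Run `make_chain ./certs && verify_chain ./certs` and upload the resulting aliyun.com.crt and aliyun.com.key in the next step; a non-zero exit from verify_chain means the files should not be uploaded.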
Mount the certificate and private key in a volume and add the volume to the ingress gateway.
Note: For ASM instances of version 1.17 or later, you can use the certificates that are added to the Certificate Management page. We recommend that you migrate certificates to Certificate Management at the earliest opportunity. To migrate a certificate, you can create a new certificate with the same name as an existing certificate on the Certificate Management page. Then, the existing certificate is overwritten and you do not need to delete it. For more information about how to update an ASM instance, see Update an ASM instance.
For a certificate that is added to the Certificate Management page, the system automatically generates a secret whose name is the same as that of the certificate on the data plane. If a secret with the same name already exists, the new content of the secret overwrites the original content.
An ASM instance of a version earlier than 1.17
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, click the name of the gateway that you want to configure. In the left-side navigation pane of the Gateway overview page, click Domain/Certificate.
On the page that appears, click the Certificate tab and click Create.
On the New Certificate page, enter a certificate name in the Name field, copy the content of the aliyun.com.crt certificate to the Certificate box, copy the content of the aliyun.com.key private key to the Key box, and then click Create.
An ASM instance of version 1.17 or later
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Certificate Management page, click Create. In the Certificate Information panel, configure the required parameters and click OK.
Parameter | Description
Name | Enter the name of the certificate. For this example, enter myexample-credential.
Public Key Certificate | Enter the content of the aliyun.com.crt certificate that is generated in Step 3.
Private Key | Enter the content of the aliyun.com.key private key that is generated in Step 3.
Bind the certificate to the domain name.
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, click the name of the gateway that you want to configure. In the left-side navigation pane of the Gateway overview page, click Domain/Certificate.
On the page that appears, click the Domain tab and click Create.
On the Add domain page, set the Domain Name parameter to *.aliyun.com and the Protocol parameter to HTTPS, and enter a port name and port number based on your business requirements. Moreover, select the certificate that you imported to the ingress gateway, select Secure connections with standard TLS semantics, and then click Create.
Note: If you select Secure connections with standard TLS semantics, only TLS requests can access the domain name.
Run the following command to access the aliyun.com domain name over HTTPS to check whether the domain name and certificate are bound. The -k option is required because the certificate is self-signed and curl cannot verify it against a trusted root; the --resolve option sends the request to the ingress gateway IP address without a DNS record for www.aliyun.com:
curl -k -H Host:www.aliyun.com --resolve www.aliyun.com:443:{IP address of the ingress gateway} https://www.aliyun.com
Expected output:
Welcome to aliyun.com!
The aliyun.com domain name can be accessed over HTTPS. This indicates that the certificate is bound to the domain name.