Service Mesh (ASM) allows you to enable HTTPS and dynamic certificate loading by using an ingress gateway. This enhances gateway security. You can create an HTTPS listener by binding a certificate to the Classic Load Balancer (CLB) instance of an ingress gateway. The HTTPS listener decrypts HTTPS requests into HTTP requests and forwards the HTTP requests to the ingress gateway pod. This topic describes how to create an HTTPS listener by binding a certificate to the CLB instance of an ingress gateway.
Prerequisites
Step 1: Prepare the certificate that you want to bind to the CLB instance
A certificate and a private key are created
If you have created a certificate and a private key for the aliyun.com domain name, rename the certificate aliyun.com.crt and the private key aliyun.com.key.
No certificate and private key are created
If you do not have a certificate and a private key for the aliyun.com domain name, perform the following steps to create a certificate and a private key by using OpenSSL:
Run the following command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Run the following commands to create a certificate and a private key for the server of aliyun.com:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
Create a certificate in the CLB console. For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.
When you configure an HTTPS listener, you can use a certificate from Certificate Management Service or upload a third-party server certificate and certificate authority (CA) certificate.
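Before the certificate is uploaded in the CLB console, it is worth confirming that the files produced by the OpenSSL commands above are consistent with each other. The following shell script is an added example and is not part of the ASM documentation: it runs the same two OpenSSL steps for aliyun.com and then checks that the server certificate chains to the root that signed it, that the certificate's public key matches the private key, and that the subject CN is the domain the listener will serve. It assumes that openssl is installed and writes the files to the current directory, as the steps above do.

```shell
#!/bin/sh
# Added example, not from the ASM documentation. Reproduces Step 1 (root CA and
# server certificate for aliyun.com) and validates the result before upload.
# Assumes: openssl on PATH; output files are written to the current directory.
set -e

DOMAIN="aliyun.com"

# Root CA key and self-signed root certificate, as in Step 1.
make_root() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=myexample Inc./CN=${DOMAIN}" \
    -keyout aliyun.root.key -out aliyun.root.crt 2>/dev/null
}

# Server key, CSR, and certificate signed by the root, as in Step 1.
make_server() {
  openssl req -out "${DOMAIN}.csr" -newkey rsa:2048 -nodes \
    -keyout "${DOMAIN}.key" -subj "/CN=${DOMAIN}/O=myexample organization" 2>/dev/null
  openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key \
    -set_serial 0 -in "${DOMAIN}.csr" -out "${DOMAIN}.crt" 2>/dev/null
}

# Check 1: the server certificate must validate against the root that issued it.
chain_ok() {
  openssl verify -CAfile aliyun.root.crt "${DOMAIN}.crt" >/dev/null 2>&1
}

# Check 2: the certificate and the private key must belong together. Comparing
# the digests of the two public keys catches a mismatched .crt/.key pair.
keypair_ok() {
  crt_pub=$(openssl x509 -in "${DOMAIN}.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "${DOMAIN}.key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Check 3: the subject CN must be the domain the HTTPS listener will serve.
cn_ok() {
  openssl x509 -in "${DOMAIN}.crt" -noout -subject | grep -q "CN *= *${DOMAIN}"
}

make_root
make_server
if chain_ok && keypair_ok && cn_ok; then
  echo "${DOMAIN}.crt and ${DOMAIN}.key are consistent and ready for the CLB console"
else
  echo "certificate checks failed for ${DOMAIN}" >&2
  exit 1
fi
```

Run the script in an empty directory; the resulting aliyun.com.crt and aliyun.com.key are the files to upload in the CLB console. Because the root is self-signed, clients that do not trust aliyun.root.crt will still reject the certificate, which is why the verification step later on this page uses curl with -k.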
Step 2: Create an HTTPS listener
ASM allows you to create custom ingress gateways. You can configure parameters in the YAML file. For more information, see Create and manage an ingress gateway by using the Kubernetes API.
Use the following content to create an ingressgateway.yaml file.
Configure the serviceAnnotations field to create an HTTPS CLB instance. The CLB instance decrypts HTTPS requests that are received on port 443 into HTTP requests and forwards the HTTP requests to port 80 of the ingress gateway pod. ${YOUR_CERT_ID} specifies the ID of the certificate that you prepared in Step 1.
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  ....
  ports:
    - name: http-0
      port: 80
      protocol: HTTP
      targetPort: 80
    - name: https-1
      port: 443
      protocol: HTTPS
      targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer
Run the following command to deploy the ingress gateway:
kubectl apply -f ingressgateway.yaml
Step 3: Check whether the HTTPS listener takes effect
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, obtain the value of Service address.
The value of Service address is the IP address of the ingress gateway.
Run the following command to access the productpage service over HTTPS. Use the IP address of the ingress gateway that you obtained in the previous step.
curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:${IP address of the ingress gateway} https://a.aliyun.com/productpage -I
Sample output:
HTTP/2 200
date: Fri, 13 Jan 2023 07:11:45 GMT
content-type: text/html; charset=utf-8
content-length: 5294
vary: Accept-Encoding
x-envoy-upstream-service-time: 23
The 200 response to an HTTPS request indicates that the HTTPS listener takes effect. TLS is terminated at the CLB instance: encrypted traffic is decrypted into plaintext HTTP when it passes through the CLB instance and then goes into the cluster over port 80 of the ingress gateway pod.