Alibaba Cloud Service Mesh:Create an HTTPS listener for the CLB instance of an ingress gateway

Last Updated:Feb 28, 2024

Service Mesh (ASM) allows you to enable HTTPS and dynamic certificate loading by using an ingress gateway. This enhances gateway security. You can create an HTTPS listener by binding a certificate to the Classic Load Balancer (CLB) instance of an ingress gateway. The HTTPS listener decrypts HTTPS requests into HTTP requests and forwards the HTTP requests to the ingress gateway pod. This topic describes how to create an HTTPS listener by binding a certificate to the CLB instance of an ingress gateway.

Prerequisites

Step 1: Prepare the certificate that you want to bind to the CLB instance

A certificate and a private key are created

If you have already created a certificate and a private key for the aliyun.com domain name, rename the certificate file to aliyun.com.crt and the private key file to aliyun.com.key.

No certificate and private key are created

If you do not have a certificate and a private key for the aliyun.com domain name, perform the following steps to create a certificate and a private key by using OpenSSL:

  1. Run the following command to create a root certificate and a private key:

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
  2. Run the following commands to create a certificate and a private key for the server of aliyun.com:

    openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
    openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
  3. Create a certificate in the CLB console. For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.

    When you configure an HTTPS listener, you can use a certificate from Certificate Management Service or upload a third-party server certificate and certificate authority (CA) certificate.

Step 2: Create an HTTPS listener

ASM allows you to create custom ingress gateways. You can configure parameters in the YAML file. For more information, see Create and manage an ingress gateway by using the Kubernetes API.

  1. Use the following content to create an ingressgateway.yaml file.

    Configure the serviceAnnotations field to create an HTTPS CLB instance. The CLB instance decrypts HTTPS requests that are received on port 443 into HTTP requests and forwards the HTTP requests to port 80 of the ingress gateway pod. ${YOUR_CERT_ID} specifies the ID of the certificate that you prepared in Step 1.

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      ....
      ports:
        - name: http-0
          port: 80
          protocol: HTTP
          targetPort: 80
        - name: https-1
          port: 443
          protocol: HTTPS
          targetPort: 80
      ....
      serviceAnnotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
        ....
      serviceType: LoadBalancer
  2. Run the following command to deploy the ingress gateway:

    kubectl apply -f ingressgateway.yaml

Step 3: Check whether the HTTPS listener takes effect

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, obtain the value of Service address.

    The value of Service address is the IP address of the ingress gateway.

  4. Run the following command to access the productpage service over HTTPS.

    Use the IP address of the ingress gateway that you obtained in the previous step.

    curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:${IP address of the ingress gateway} https://a.aliyun.com/productpage -I

    Sample output:

    HTTP/2 200
    date: Fri, 13 Jan 2023 07:11:45 GMT
    content-type: text/html; charset=utf-8
    content-length: 5294
    vary: Accept-Encoding
    x-envoy-upstream-service-time: 23

    Encrypted traffic is decrypted into plaintext when it passes through the CLB instance and is then forwarded into the cluster. This result indicates that the HTTPS listener takes effect.
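The following POSIX shell functions are an added example and are not part of the ASM documentation or of Alibaba Cloud's tooling. They carry out the certificate preparation in Step 1 and the listener check in Step 3 from the command line: they generate the root CA and the aliyun.com server certificate, confirm that the server certificate chains to the root and matches its private key before the pair is uploaded to the CLB console, and compare the SHA-256 fingerprint of the certificate that the CLB HTTPS listener actually presents with the local copy. The function names, the working-directory layout, and the subjectAltName and extendedKeyUsage extensions are this example's own assumptions; the documentation's commands put the domain name only in the CN, whereas curl and browsers match the host name against the SAN.

```shell
#!/bin/sh
# Added example (not from the ASM documentation): prepare and check the
# certificate for the CLB HTTPS listener. Requires the openssl CLI.

# make_certs DIR DOMAIN: create root CA, CSR and CA-signed server certificate
# for DOMAIN in DIR, using the same file names as Step 1.
make_certs() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=myexample Inc./CN=$domain" \
    -keyout "$dir/aliyun.root.key" -out "$dir/aliyun.root.crt" 2>/dev/null || return 1
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj "/CN=$domain/O=myexample organization" \
    -keyout "$dir/aliyun.com.key" -out "$dir/aliyun.com.csr" 2>/dev/null || return 1
  # Server-certificate extensions (assumption: not in the page's command).
  # -CAcreateserial lets OpenSSL manage the serial number file instead of the
  # fixed serial 0 used on the page.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$domain" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -CA "$dir/aliyun.root.crt" -CAkey "$dir/aliyun.root.key" \
    -CAcreateserial -extfile "$dir/server.ext" \
    -in "$dir/aliyun.com.csr" -out "$dir/aliyun.com.crt" 2>/dev/null
}

# verify_chain CA_CRT SERVER_CRT: exit 0 when SERVER_CRT chains to CA_CRT.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert SERVER_CRT SERVER_KEY: exit 0 when the RSA public key in the
# certificate belongs to the private key that will be uploaded with it.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$2") || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_san CRT: print the subjectAltName entries, e.g. "DNS:aliyun.com".
cert_san() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_fingerprint CRT: SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# listener_fingerprint IP DOMAIN: SHA-256 fingerprint of the certificate the
# CLB HTTPS listener at IP presents for DOMAIN (needs network access).
# It should equal cert_fingerprint of the uploaded aliyun.com.crt.
listener_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

Typical use after deployment: `cert_fingerprint ./certs/aliyun.com.crt` and `listener_fingerprint "${IP address of the ingress gateway}" aliyun.com` must print the same value; a mismatch means the listener is serving a different certificate than the one referenced by the `alibaba-cloud-loadbalancer-cert-id` annotation. The `-k` option in the Step 3 curl command skips certificate verification, so it confirms only that TLS is terminated and the request is routed, not which certificate the listener presents; the fingerprint comparison closes that gap.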