You can access applications in a Container Service for Kubernetes (ACK) cluster by
using multiple methods. For example, you can use <SLB-Instance-IP>:<Port>,
<NodeIP>:<NodePort>, or the domain name of an application to access the application.
By default, applications in a Kubernetes cluster are exposed over plaintext HTTP, not
HTTPS. If you want to access an application over HTTPS so that traffic is encrypted in
transit, you can terminate TLS either in an Ingress provided by ACK or in a Server Load
Balancer (SLB) instance. This topic describes how to configure the certificate that is
used by each method to serve an application in an ACK cluster over HTTPS.
Prerequisites
- Create an ACK managed cluster.
- A server certificate is available for the domain name of the application. The server
certificate consists of a public key certificate and a private key.
- You can run the following command and specify the certificate information to create
a self-signed server certificate for testing:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
The following result is returned:
Generating a 2048 bit RSA private key
.......+++
.......+++
writing new private key to 'tls.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) []:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, fully qualified host name) []:foo.bar.com # The domain name must be valid.
Email Address []:test@alibaba.com
The certificate file tls.crt and private key file tls.key are saved in the current directory.
Because the certificate is self-signed, browsers display a warning when you access the
application with it. Use it only for testing; use a certificate issued by a trusted CA in production.
- You can also purchase a server certificate that is provided by Alibaba Cloud. For
more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.
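The interactive command above asks for the DN fields one by one and places the domain name only in the Common Name. Modern browsers ignore the Common Name and match the requested host against the subjectAltName extension, so a CN-only certificate is rejected even when the name is right. The following script is added here as an example and is not part of the ACK documentation: it creates the certificate non-interactively with a SAN entry and checks the result before you upload it to SLB or wrap it in a Secret. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed; the function names are an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the ACK documentation. Generates the self-signed
# server certificate non-interactively and verifies it locally.
# Assumes OpenSSL 1.1.1 or later (the -addext option).
set -eu

# make_self_signed_cert DOMAIN OUTDIR
# Writes OUTDIR/tls.key and OUTDIR/tls.crt. The subjectAltName extension is
# what browsers actually check; the Common Name alone is no longer trusted.
make_self_signed_cert() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$outdir/tls.key" -out "$outdir/tls.crt" \
        -subj "/C=CN/ST=zhejiang/L=hangzhou/O=alibaba/OU=test/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" 2>/dev/null
}

# cert_matches_key CRT KEY
# Succeeds when the certificate's public key is the one derived from the
# private key. SLB rejects an upload and the Ingress handshake fails if
# the two files do not belong together.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT DOMAIN
# Succeeds when DOMAIN is listed in the subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_subject_cn CRT
# Prints the Common Name, which must equal the Domain configured on the Ingress.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run make_self_signed_cert foo.bar.com . and then cert_matches_key tls.crt tls.key and cert_has_san tls.crt foo.bar.com before you continue; both checks must succeed.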
Background information
You can use the following methods to configure the certificate based on how you want
to access the cluster.
- Specify the certificate information in an SLB instance.
- Specify the certificate information in an Ingress.
Specify the certificate information in an SLB instance
If you use this method, take note of the following items:
- Advantage: The SLB instance terminates TLS and receives external requests over HTTPS.
Nothing inside the cluster needs to change: the SLB instance forwards the decrypted
requests to the backend pods over plaintext HTTP.
- Disadvantage: Each certificate is bound to an SLB listener, so you must maintain a large
number of mappings between domain names and SLB IP addresses.
- Scenario: Your application is accessed over LoadBalancer Services instead of Ingresses.
Preparations:
An NGINX application is deployed in the cluster and a LoadBalancer Service is used
to expose the application. For more information, see Create a stateless application by using a Deployment.
Example:
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose
- Select the namespace where the related Service is deployed and click the external
endpoint to access the application. The endpoint is in the <SLB IP>:<Port> format.
- Log on to the SLB console.
- Configure an SSL Certificate.
- If you have created a server certificate by running the command as described in the
prerequisites, you must upload the created certificate, including the public key certificate
and private key, to Alibaba Cloud. For more information, see Upload a third-party certificate.
- If you have purchased a server certificate that is provided by Alibaba Cloud, skip
this step. For more information about how to purchase a server certificate that is
provided by Alibaba Cloud, see Use a certificate from Alibaba Cloud SSL Certificates Service.
Find the certificate that you want to use from the certificate list.
- On the Services page of the ACK console, find the created Service and click Update in the Actions column.
- In the Update Service dialog box, enter the annotations listed in the following table.

Annotation   | Name                                                               | Value
Annotation 1 | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port | https:443
Annotation 2 | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id       | ${YOUR_CERT_ID}

Note Replace ${YOUR_CERT_ID} with the ID of the certificate that you uploaded or purchased
in the preceding SSL certificate step. The ID is shown in the certificate list of the SLB console.
You can also add the annotations by using a YAML file. The following YAML file is
an example:
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
  name: nginx
  namespace: default
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80   # The SLB listener terminates TLS and forwards plaintext HTTP to the pod.
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer
Note Set targetPort of the https port to 80. The SLB listener on port 443 terminates TLS
and forwards the decrypted requests to container port 80 over plaintext HTTP; nothing is
redirected, and the pods never see TLS traffic. Because the http port on 80 is still
exposed, clients can bypass HTTPS unless you remove that port or redirect it to HTTPS.
- Enter https://<slb-instance-ip> in the address bar of your browser to access the NGINX
application over HTTPS. Because the certificate was issued for foo.bar.com rather than for
the IP address, and is self-signed, the browser displays a certificate warning. To avoid
the name mismatch, resolve the domain name to the SLB IP address and access https://foo.bar.com instead.
Specify the certificate information in an Ingress
If you use this method, take note of the following items:
- Advantage: You do not need to modify the SLB configurations. You can separately manage
the certificates of different applications by using Ingresses.
- Scenario: Each application in your cluster requires a separate certificate, or an
application in the cluster can be accessed only by using a certificate.
Preparations:
A Tomcat application is created in your cluster. You can access the application through
a ClusterIP Service. In this example, an Ingress is used to enable external access
over HTTPS. For more information, see Create a stateless application by using a Deployment.
Example:
- Run the following command to create a Secret by using the certificate that is created
in the prerequisites:
kubectl create secret tls secret-https --key tls.key --cert tls.crt
Note The domain name in the certificate must match the Domain that you configure for the
Ingress. Otherwise, browsers reject the certificate when you access the application over HTTPS.
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click the name of the cluster
or click Details in the Actions column. The details page of the cluster appears.
- In the left-side navigation pane of the details page, choose .
- In the upper-right corner of the Ingresses page, click Create.
- In the Create dialog box, configure an Ingress that can be accessed over HTTPS and click Create.
For more information, see
Create an Ingress. In this example, set the following parameters:
- Name: Enter a name for the Ingress.
- Domain: Enter the domain name that is specified in the preceding step. This domain name
must be the same as the domain name that is specified in the SSL certificate.
- Service: Select the Service that is associated with the Tomcat application. The port number
is 8080.
- EnableTLS: After you select EnableTLS, select the created Secret.
You can also create an Ingress by using a YAML file. The following YAML template is
an example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-https
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: secret-https   # The Secret created from tls.crt and tls.key.
  rules:
  - host: foo.bar.com          # Must match a name in the certificate.
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-svc
            port:
              number: 8080
Note In networking.k8s.io/v1, pathType is required and the backend is specified as
service.name and service.port.number. The serviceName and servicePort fields belong to
the older extensions/v1beta1 and networking.k8s.io/v1beta1 versions, which were removed
in Kubernetes 1.22, so mixing them with apiVersion networking.k8s.io/v1 is rejected.
- Return to the Ingresses page and check the newly created Ingress. The endpoint and
domain name of the Ingress also appear on the page. In this example, the domain name
is foo.bar.com. You can also view these details on the details page of the Ingress.
Note In this example, foo.bar.com is used as a test domain name. You must add a mapping
to the hosts file of the client:
47.110.119.203 foo.bar.com # The IP address is the endpoint of the Ingress.
- Enter https://foo.bar.com in the address bar of your browser to access the Tomcat application.
Note A TLS certificate is configured for the Ingress. Therefore, you must access the
domain name over HTTPS. In this example, foo.bar.com is resolved locally by the hosts
file entry above. In a production environment, you must use a registered domain name
that has an Internet Content Provider (ICP) number.
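Both procedures on this page end with opening the address in a browser. To confirm from the command line that the SLB listener (first method) or the Ingress (second method) presents the certificate you uploaded, rather than a default or stale one, compare the fingerprint of the served certificate with the local tls.crt. The script below is an added example and is not part of the ACK documentation; it assumes the openssl CLI is installed, that the endpoint is reachable from where you run it, and the function names are an assumption of this example. For the Ingress, the -servername (SNI) value must be the host in the Ingress rule, because the Ingress controller selects the certificate by that name.

```shell
#!/bin/sh
# Added example, not from the ACK documentation. Checks that the certificate
# presented on the HTTPS endpoint is the one in the local tls.crt.
# Assumes the openssl CLI is installed and the endpoint is reachable.
set -eu

# local_cert_fingerprint CRT
# Prints the SHA-256 fingerprint of a PEM certificate on disk.
local_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_cert_fingerprint HOST PORT SNI
# Prints the SHA-256 fingerprint of the leaf certificate the server presents.
# SNI matters for the Ingress method: the Ingress controller picks the
# certificate by the hostname in the TLS ClientHello, so a connection without
# -servername may receive a default certificate instead of yours.
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# verify_served_cert HOST PORT SNI CRT
# Succeeds when the served certificate matches CRT; fails (and reports both
# fingerprints) when the endpoint serves something else or is unreachable.
verify_served_cert() {
    expected=$(local_cert_fingerprint "$4")
    actual=$(served_cert_fingerprint "$1" "$2" "$3")
    if [ -n "$actual" ] && [ "$expected" = "$actual" ]; then
        echo "OK: $3 via $1:$2 presents $actual"
        return 0
    fi
    echo "MISMATCH: expected $expected, got '${actual:-no certificate}'" >&2
    return 1
}

# Usage for the two procedures on this page (addresses are placeholders):
#   verify_served_cert 47.110.119.203 443 foo.bar.com tls.crt    # Ingress endpoint
#   verify_served_cert <slb-instance-ip> 443 foo.bar.com tls.crt  # SLB listener
```

A failure after a certificate rotation usually means the Secret was updated but the Ingress controller has not reloaded, or that the SLB listener is still bound to the old certificate ID.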
