You can access applications in a Container Service for Kubernetes (ACK) cluster by using multiple methods. For example, you can use <SLB-Instance-IP>:<Port>, <NodeIP>:<NodePort>, or the domain name of an application to access the application. By default, applications in a Kubernetes cluster are not exposed over HTTPS. If you want to access an application over HTTPS to protect data in transit, you can use Ingresses provided by ACK or Server Load Balancer (SLB). This topic describes how to configure a certificate that is used to access an application in an ACK cluster over HTTPS.

Prerequisites

  • Create an ACK managed cluster.
  • A server certificate is created for the cluster. The server certificate consists of a public key certificate and a private key.
    • You can run the following command and specify the certificate information to create a server certificate for an ACK cluster:
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

      The following result is returned:

      Generating a 2048 bit RSA private key
      .......+++
      .......+++
      writing new private key to 'tls.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CN
      State or Province Name (full name) []:zhejiang
      Locality Name (eg, city) []:hangzhou
      Organization Name (eg, company) []:alibaba
      Organizational Unit Name (eg, section) []:test
      Common Name (eg, fully qualified host name) []:foo.bar.com # The domain name must be valid.
      Email Address []:test@alibaba.com

      The certificate file tls.crt and private key file tls.key are saved in the current directory.

    • You can also purchase a server certificate that is provided by Alibaba Cloud. For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.

Background information

You can use the following methods to configure the certificate based on how you want to access the cluster.
  • Specify the certificate information in an SLB instance.
  • Specify the certificate information in an Ingress.

Specify the certificate information in an SLB instance

If you use this method, take note of the following items:
  • Advantage: After you specify the certificate information in an SLB instance, you can use the SLB instance to receive external requests over HTTPS. Requests from within the cluster are still forwarded over HTTP.
  • Disadvantage: You must maintain a large number of mappings between domain names and IP addresses.
  • Scenario: Your application is accessed over LoadBalancer Services instead of Ingresses.

Preparations:

An NGINX application is deployed in the cluster and a LoadBalancer Service is used to expose the application. For more information, see Create a stateless application by using a Deployment.

Example:

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Network > Services.
  5. Select the namespace where the related Service is deployed and click the external endpoint to access the application. The endpoint is in the <SLB IP>:<Port> format.
  6. Log on to the SLB console.
  7. Configure an SSL Certificate.
    • If you have created a server certificate by running the command as described in the prerequisites, you must upload the created certificate, including the public key certificate and private key, to Alibaba Cloud. For more information, see Upload a third-party certificate.
    • If you have purchased a server certificate that is provided by Alibaba Cloud, skip this step. For more information about how to purchase a server certificate that is provided by Alibaba Cloud, see Use a certificate from Alibaba Cloud SSL Certificates Service.
    Find the certificate that you want to use from the certificate list.
  8. On the Services page of the ACK console, find the created Service and click Update in the Actions column.
  9. In the Update Service dialog box, add the following two annotations:
    • Annotation 1: Name service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port, Value https:443
    • Annotation 2: Name service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id, Value ${YOUR_CERT_ID}
    Note Replace ${YOUR_CERT_ID} with the ID of the certificate that is configured in Step 7.
    You can also add the annotations by using a YAML file. The following YAML file is an example:
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
      name: nginx
      namespace: default
    spec:
      ports:
      - name: https
        port: 443
        protocol: TCP
        targetPort: 80
      - name: http
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
    Note Set targetPort to 80. The SLB instance terminates TLS on port 443 and forwards the decrypted requests to port 80 of the NGINX Pods over HTTP.
  10. Enter https://<slb-instance-ip> in the address bar of your browser to access the NGINX application over HTTPS.

Specify the certificate information in an Ingress

If you use this method, take note of the following items:
  • Advantage: You do not need to modify the SLB configurations. You can separately manage the certificates of different applications by using Ingresses.
  • Scenario: Each application in your cluster requires a separate certificate, or an application in the cluster can be accessed only by using a certificate.

Preparations:

A Tomcat application is created in your cluster. You can access the application through a ClusterIP Service. In this example, an Ingress is used to enable external access over HTTPS. For more information, see Create a stateless application by using a Deployment.

Example:

  1. Run the following command to create a Secret by using the certificate that is created in the prerequisites:
    Note The certificate must be issued for the domain name that you use in the Ingress (foo.bar.com in this example). Otherwise, the browser reports a certificate error when you access the application over HTTPS.
    kubectl create secret tls secret-https --key tls.key --cert tls.crt
  2. Log on to the ACK console.
  3. In the left-side navigation pane of the ACK console, click Clusters.
  4. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  5. In the left-side navigation pane of the details page, choose Network > Ingresses.
  6. In the upper-right corner of the Ingresses page, click Create.
  7. In the Create dialog box, configure an Ingress that can be accessed over HTTPS and click Create.
    For more information, see Create an Ingress. In this example, set the following parameters:
    • Name: Enter a name for the Ingress.
    • Domain: Enter the domain name that is specified in the preceding step. This domain name must be the same as the domain name that is specified in the SSL certificate.
    • Service: Select the Service that is associated with the Tomcat application. The port number is 8080.
    • EnableTLS: After you select EnableTLS, select the created Secret.
    You can also create an Ingress by using a YAML file. The following YAML template is an example:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tomcat-https
    spec:
      tls:
      - hosts:
        - foo.bar.com
        secretName: secret-https   # The Secret created in Step 1
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /
            pathType: Prefix       # Required in networking.k8s.io/v1
            backend:
              service:             # v1 uses service.name and service.port instead of serviceName and servicePort
                name: tomcat-svc
                port:
                  number: 8080
  8. Return to the Ingresses page and check the newly created Ingress. The endpoint and domain name of the Ingress also appear on the page. In this example, the domain name is foo.bar.com. You can also view these details on the details page of the Ingress.
    Note In this example, foo.bar.com is used as a test domain name. You must add the following mapping to the hosts file of the client machine:
    47.110.119.203  foo.bar.com                   # The IP address is the endpoint of the Ingress.
  9. Enter https://foo.bar.com in the address bar of your browser to access the Tomcat application.
    Note A TLS certificate is created and configured for the Ingress. Therefore, you must access the domain name over HTTPS. In this example, foo.bar.com is resolved on a local DNS server. You must use a domain name that has an Internet Content Provider (ICP) number.
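Before the certificate is uploaded to SLB (previous section) or stored in the Secret of Step 1 (this section), it is worth confirming that tls.key belongs to tls.crt, that the certificate covers the host name the Ingress serves, and that it is not about to expire; once the listener is up, the same script can confirm that port 443 presents the certificate you configured rather than a stale one. The following POSIX shell script is an added example and not part of the ACK documentation; it assumes OpenSSL 1.1.1 or later and kubectl are installed, and all file names, host names and the Secret name are parameters.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): pre-flight checks for the
# tls.crt / tls.key pair before it is uploaded to SLB or stored in a TLS Secret.
# Assumes OpenSSL 1.1.1+ and, for the last function, kubectl. File names, the
# host name and the Secret name are parameters, not values from the page.

# Returns 0 if the private key in $2 belongs to the certificate in $1 (RSA or
# EC): both are reduced to the same SubjectPublicKeyInfo PEM and compared.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if $2 is a DNS entry in the SAN extension of $1. Falls back to the
# subject CN, which is all the openssl command in the prerequisites sets;
# browsers ignore the CN once a SAN extension is present.
check_cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qFx "DNS:$2" && return 0
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject= *//' | tr ',' '\n' | grep -qFx "CN=$2"
}

# Returns 0 if $1 stays valid for at least one more day.
check_cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# Returns 0 if the certificate served on $2:$3 for SNI name $4 is exactly $1,
# so a stale certificate on the SLB listener or Ingress is noticed.
check_served_cert_matches() {
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
    got=$(openssl s_client -connect "$2:$3" -servername "$4" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage: create_tls_secret_if_valid tls.crt tls.key foo.bar.com secret-https
# Same "kubectl create secret tls" as Step 1, but gated on the checks above.
create_tls_secret_if_valid() {
    check_key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    check_cert_covers_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
    check_cert_not_expiring "$1"     || { echo "certificate expires within a day" >&2; return 1; }
    kubectl create secret tls "$4" --key "$2" --cert "$1"
}
```

After the SLB listener or Ingress is reachable, `check_served_cert_matches tls.crt <endpoint-ip> 443 foo.bar.com` compares the SHA-256 fingerprint presented on the wire with the local file.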