Configure an HTTPS certificate
By configuring an HTTPS certificate, you can enable Transport Layer Security (TLS)/Secure Sockets Layer (SSL) encryption for services deployed on an MSE Ingress gateway. This is a crucial step to secure data for modern web applications and API services. An HTTPS certificate ensures that data transmitted between clients and the gateway is encrypted, preventing unauthorized parties from stealing or tampering with sensitive information. It also provides a strong defense against a man-in-the-middle attack.
Prerequisites
-
You have a trusted digital certificate. You can obtain one in the following ways:
-
Purchase a certificate from Alibaba Cloud Certificate Management Service. For more information, see Purchase an SSL certificate.
-
Use a certificate purchased from another Certificate Authority (CA).
-
Generate a self-signed certificate locally.
-
Configuration methods
An MSE Ingress gateway supports two methods for configuring an HTTPS certificate: using a Kubernetes Secret or using the MSE console.
|
Item |
Kubernetes Secret |
MSE console |
|
Use cases |
|
|
|
Priority |
Low |
High |
|
Cross-namespace |
Not supported. |
Supported. |
|
Certificate update |
Replace the content of the Kubernetes Secret. |
Replace the certificate on the MSE console or deploy a new certificate on the Certificate Management Service console. |
Install the MSE Ingress controller
Prerequisites
The MSE Ingress Controller can be installed in ACK managed clusters, ACK Serverless clusters, and ACS clusters.
-
Authorize the MSE Ingress Controller by clicking this authorization link for ACK managed clusters or ACK Serverless clusters, or this authorization link for ACS clusters.
-
You have created a node pool.
-
You have created a container cluster of version 1.18 or later. For more information, see Create an ACK managed cluster, Create an ACK Serverless cluster, or Create an ACS cluster.
NoteIf your cluster version is earlier than 1.18, upgrade your cluster. For more information, see Manually upgrade a cluster.
Procedure
-
Log on to the Container Service for Kubernetes (ACK) console. In the left-side navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left-side navigation pane, click Add-ons.
-
On the Component management page, enter
msein the search box. On the MSE Ingress Controller card, click Install. -
In the Install Component MSE Ingress Controller dialog box, configure the parameters and click OK.
NoteYou can choose to Create a new MSE cloud-native gateway instance or Use Existing.
If a prerequisite check fails during installation, you can grant permissions to the MSE Ingress Controller.
-
After the component is successfully installed, an MseIngressConfig resource named
mse-ingress-premium-{clusterid}and a gateway instance namedmse-ingress-premium-{clusterid}are created by default.Navigate to Workloads > Custom resources and select the Resource object browser tab. In the API group, search for
mse. In the Actions column for MseIngressConfig, click Edit YAML to check the status of theMseIngressConfigresource. Wait 3 to 5 minutes and ensure thephaseis Listening. This indicates that the cloud-native gateway is created, running, and automatically listening for Ingress resources withIngressClassset tomse. If you cannot see thestatusof the MSE instance in the YAML editor, verify that a node pool has been correctly created for the cluster.The MseIngressConfig status changes in the following order: Pending > Running > Listening.
-
Pending: The cloud-native gateway is being created. This takes about 3 minutes.
-
Running: The cloud-native gateway is created and running.
-
Listening: The cloud-native gateway is running and listening for Ingress resources in the cluster.
-
Failed: The cloud-native gateway is in an invalid state. Check the Message in the Status field for more details.
Important-
When you create a new gateway instance, installing the MSE Ingress Controller creates an MseIngressConfig resource by default. The lifecycle of this resource is bound to the MSE cloud-native gateway instance. Only delete the MseIngressConfig resource if you also intend to delete the corresponding gateway instance.
-
If an IngressClass resource named mse already exists in the cluster before you install the MSE Ingress Controller, the installation process will not automatically create an MseIngressConfig resource or an MSE cloud-native gateway instance.
-
Deploy the backend service
-
Log on to the Container Service for Kubernetes (ACK) console. In the left-side navigation pane, click Clusters.
-
On the Clusters page, click the name of your target cluster. In the left-side navigation pane, choose .
-
On the Deployments page, click Create from YAML. Use the following YAML to deploy a httpbin Deployment and a httpbin Service.
apiVersion: apps/v1 kind: Deployment metadata: name: httpbin namespace: default spec: replicas: 1 selector: matchLabels: app: httpbin template: metadata: labels: app: httpbin version: v1 spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/mse-ingress/go-httpbin args: - "--version=v1" imagePullPolicy: Always name: httpbin --- apiVersion: v1 kind: Service metadata: name: httpbin namespace: default spec: ports: - port: 8080 protocol: TCP selector: app: httpbin
Configure the HTTPS certificate
Kubernetes Secret
You can configure an HTTPS certificate for a domain by referencing a Kubernetes Secret using native Ingress semantics.
-
Prepare a domain certificate. This example uses a self-signed certificate.
NoteFor production environments, you must use a real private key and certificate for your business. You can download the key and certificate for your domain from the Certificate Management Service console.
-
Run the following command to generate a certificate file tls.crt and a private key file tls.key.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com" -
Create a Secret to store the TLS certificate.
-
Log on to the Container Service for Kubernetes (ACK) console. In the left-side navigation pane, click Clusters.
-
On the Clusters page, click the name of your target cluster. In the left-side navigation pane, choose .
-
Click Create. In the Create panel, set Name to tls-test, select Type as TLS Certificate, copy the created tls.crt and tls.key content into the corresponding input boxes, and then click Create.
-
-
-
Create an MSE Ingress and configure the HTTPS certificate for the domain
foo.bar.com.-
In the left-side navigation pane, choose Network > Ingresses.
-
On the Ingresses page, click Create Ingress. In the Create Ingress dialog box, configure the route.
Parameter
Description
Example
Gateway type
Select MSE Ingress. For a comparison of different gateway types, see Comparison of Nginx Ingress, ALB Ingress, APIG Ingress, and MSE Ingress.
MSE Ingress
Name
Enter a custom name for the Ingress.
test
IngressClass
Select the relevant resource class.
mse
Rule
Click + Add Rule to add routing rules.
-
Domain name: A custom domain name.
-
Path mapping: Configure the following parameters.
-
Path: The URL path for accessing the service.
-
Match rule:
-
Prefix (prefix-based match): Matches the prefix of the request URL path.
-
Exact (exact match): Exactly matches the request URL path.
-
Default (implementation-specific): The behavior is determined by the specific logic of the Ingress controller.
For more information, see Advanced features of ALB Ingresses.
-
-
Service: The target Kubernetes Service.
-
Port: The port to expose for the service.
-
-
Ingress supports multiple paths under the same domain name. Click + Add Path to add more paths.
-
Domain name: foo.bar.com
-
Path mapping:
-
Path: /
-
Match rule: Prefix (prefix-based match)
-
Service: httpbin
-
Port: 8080
-
TLS configuration
Enable TLS to configure a secure routing service.
-
Domain name: A custom domain name.
-
Secret: Select the appropriate Secret.
Note
Leaving this empty enables certificate auto-discovery.
To create a new Secret:
-
To the right of the Secret field, click Create.
-
In the Create Secret dialog box, specify a Name, Cert, and Key for the Secret, and then click OK.
-
From the Secret drop-down list, select the Secret you created.
-
Click + Add TLS Configuration to configure multiple TLS settings.
-
Domain name: foo.bar.com
-
Secret: tls-test
-
-
Keep the default values for other settings and click OK on the Create Ingress page.
-
-
Test the HTTPS traffic. Run the following command, replacing
x.x.x.xwith your actual gateway IP address. You can find the gateway IP address on the Ingresses list page.NoteThis example uses a self-signed certificate and a domain that is not registered with a DNS provider. Therefore, you must use the
--resolveflag to manually resolve the domain name to the gateway IP address and the-kflag to skip certificate validation.curl -v -k https://foo.bar.com/version --resolve "foo.bar.com:443:x.x.x.x"The expected output is as follows:
* Connected to foo.bar.com (X.X.X.X) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=foo.bar.com; O=foo.bar.com * start date: Jan 17 06:47:23 2024 GMT * expire date: Jan 16 06:47:23 2025 GMT * issuer: CN=foo.bar.com; O=foo.bar.com * SSL certificate verify result: self signed certificate (18), continuing anyway. > GET /version HTTP/1.1 > Host: foo.bar.com > User-Agent: curl/7.64.1 > Accept: */* > < HTTP/1.1 200 OK < date: Wed, 17 Jan 2024 07:49:39 GMT < content-length: 53 < content-type: text/plain; charset=utf-8 < req-cost-time: 3 < req-arrive-time: 1705477779046 < resp-start-time: 1705477779049 < x-envoy-upstream-service-time: 2 < server: istio-envoy < version: v1 hostname: httpbin-xxxxxx
MSE console
You can configure a certificate for a domain directly on the MSE console. This method does not require you to reference a Kubernetes Secret in the Ingress object; you only need to configure the routing rules.
For the same domain name, the MSE console method takes precedence over the Kubernetes Secret method. If you configure certificates for the same domain in both the MSE console and on a Kubernetes Ingress resource, the certificate from the console is used.
-
Prepare a domain certificate and upload it to the Alibaba Cloud Certificate Management Service. For more information, see Upload, sync, and share SSL certificates. If your certificate is already hosted in Certificate Management Service, you can skip this step.
-
Create a domain and configure its certificate.
-
Log on to the MSE Gateway Management console and select a region in the top navigation bar.
-
In the left-side navigation pane, choose Cloud-native Gateway > Gateways, and click the ID of the target gateway instance.
-
In the left-side navigation pane, click Routes, and then select the Domain tab.
-
Click Add domain name. Add a Domain name, set the Protocol to HTTPS, and select the corresponding certificate.
-
-
Create a service.
-
On the Route Management page of the MSE instance, select the Service tab and click Create service.
-
Set Service Sources to Container service, select the appropriate Namespaces, check the
httpbinservice you created earlier in the Service list, and click OK.
-
-
Create a route.
-
On the Route Management page of the MSE instance, select the Route tab and click Create route.
-
For Domain name, select the domain you added in Step 2. For Backend service, select the service you created in Step 3, and then click Save and publish.
-
-
Test the HTTPS traffic. Run the following command, replacing
x.x.x.xwith your actual gateway IP address. You can find the gateway IP address on the .NoteIf you are using a self-signed certificate and the domain is not registered with a DNS provider, you must use the
--resolveflag to manually resolve the domain name to the gateway IP address and the-kflag to skip certificate validation.Replace
<Your-DomainName>with your actual domain name.curl -v -k https://<Your-DomainName>/version --resolve "<Your-DomainName>:443:x.x.x.x"The expected output is as follows:
* Connected to ********** (X.X.X.X) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=*********; O=********** * start date: Jan 17 06:47:23 2024 GMT * expire date: Jan 16 06:47:23 2025 GMT * issuer: CN=**********; O=********** * SSL certificate verify result: self signed certificate (18), continuing anyway. > GET /version HTTP/1.1 > Host: ********** > User-Agent: curl/7.64.1 > Accept: */* > < HTTP/1.1 200 OK < date: Wed, 17 Jan 2024 08:16:27 GMT < content-length: 46 < content-type: text/plain; charset=utf-8 < req-cost-time: 5 < req-arrive-time: 1705479387567 < resp-start-time: 1705479387573 < x-envoy-upstream-service-time: 4 < server: istio-envoy < version: v1 hostname: httpbin-xxxxxx