Alibaba Cloud Service Mesh FAQ (5): ASM Gateway Supports Creating HTTPS Listeners on the SLB Side
By Xining Wang
ASM gateways support HTTPS and can load certificates dynamically, which improves gateway security. Besides binding certificates on the ASM gateway itself, you can manage certificates on the SLB side.
This article describes how to bind a certificate to the ASM gateway service on the SLB side and create an HTTPS listener there.
Create a certificate in the Alibaba Cloud console and record its cert-id. Then use the following annotations to create an HTTPS-type SLB.
Description: with this configuration, TLS terminates at the SLB. HTTPS requests are decrypted at the SLB layer and then forwarded to backend pods as plain HTTP requests.
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
  name: sample
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: sample
  type: LoadBalancer
Specific Reference Document: https://www.alibabacloud.com/help/en/container-service-for-kubernetes/latest/use-annotations-to-configure-load-balancing-1
In this example, a certificate and private key are generated for aliyun.com.
If you already have a certificate and private key for aliyun.com, name the key aliyun.com.key and the certificate aliyun.com.crt. If not, generate them with OpenSSL by performing the following steps.
1. Run the following command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
2. Run the following command to generate a certificate and private key for the aliyun.com server:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
3. Create a certificate in the SLB console:
To configure an HTTPS listener, you can either use a certificate from the SSL Certificates Service directly, or upload the required server certificate and the CA certificate issued by a third party to the traditional SLB.
Specific Reference Document: https://www.alibabacloud.com/help/en/server-load-balancer/latest/use-a-certificate-from-alibaba-cloud-ssl-certificates-service
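The two OpenSSL steps above, as an added example (a shell script written for this page, not code from the original article or from ASM). It produces the same private root CA and aliyun.com server certificate, but also adds a subjectAltName to the server certificate and verifies the resulting chain before anything is uploaded to the SLB console. It assumes openssl 1.1.1 or later is on PATH; the domain aliyun.com and the organisation names are the article's sample values, and the output directory argument is an assumption of this script.

```shell
#!/usr/bin/env sh
# Added example: private CA + server certificate for the SLB HTTPS listener,
# with a chain check. Assumes openssl >= 1.1.1 on PATH. Domain and names are
# the article's sample values; the output directory is this script's own choice.
set -eu

DOMAIN="aliyun.com"

# Step 1 (as in the article): self-signed root CA key and certificate in $1.
gen_root_ca() {
    dir="$1"
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/O=myexample Inc./CN=${DOMAIN}" \
        -keyout "${dir}/aliyun.root.key" -out "${dir}/aliyun.root.crt" 2>/dev/null
}

# Step 2 (as in the article): server key + CSR, signed by the root CA.
# The extfile adds a SAN: current browsers and curl ignore the CN for
# hostname matching, so a CN-only certificate fails verification even
# though it chains correctly.
gen_server_cert() {
    dir="$1"
    printf 'subjectAltName=DNS:%s\n' "${DOMAIN}" > "${dir}/san.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "${dir}/aliyun.com.key" \
        -subj "/CN=${DOMAIN}/O=myexample organization" \
        -out "${dir}/aliyun.com.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -CA "${dir}/aliyun.root.crt" -CAkey "${dir}/aliyun.root.key" -CAcreateserial \
        -extfile "${dir}/san.ext" \
        -in "${dir}/aliyun.com.csr" -out "${dir}/aliyun.com.crt" 2>/dev/null
}

# Pre-upload check, done the way a client would: the server certificate must
# chain to the root and must carry the expected DNS SAN. Returns non-zero
# otherwise.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "${dir}/aliyun.root.crt" "${dir}/aliyun.com.crt" >/dev/null \
        && openssl x509 -in "${dir}/aliyun.com.crt" -noout -text \
           | grep -q "DNS:${DOMAIN}"
}

# Usage: sh gen-cert.sh <output-dir>
main() {
    out="$1"
    mkdir -p "$out"
    gen_root_ca "$out"
    gen_server_cert "$out"
    verify_chain "$out"
    echo "OK: ${out}/aliyun.com.crt chains to ${out}/aliyun.root.crt with SAN DNS:${DOMAIN}"
}

if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Upload aliyun.com.crt and aliyun.com.key from the output directory in step 3. The root certificate the script writes is also what a test client should trust: pass it to curl with `--cacert aliyun.root.crt` (together with `--resolve aliyun.com:443:<gateway IP>` so the request carries the certificate's host name) and the later request validates the chain instead of skipping verification with `-k`.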
ASM allows you to customize the ingress gateway service. You can configure specific function parameters in YAML.
Specific Reference Document:
In the following configuration, an HTTPS SLB is created through serviceAnnotations. HTTPS requests on port 443 are decrypted at the SLB layer and then sent as HTTP requests to port 80 of the backend Pod.
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  ....
  ports:
  - name: http-0
    port: 80
    protocol: HTTP
    targetPort: 80
  - name: https-1
    port: 443
    protocol: HTTPS
    targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer
Log on to the ASM console and select the target service mesh instance. Click ASM Gateways in the left-side navigation pane and view the gateway information on the right side of the page.
Run the following command to access the httpbin service over HTTPS (the -k flag skips certificate verification, which is acceptable only for this functional test):
curl -k https://{replace with real ingress gateway IP address}:443/headers
{
  "headers": {
    "Accept": "*/*",
    "Host": "xxxx",
    "Remoteip": "xxxx",
    "User-Agent": "curl/7.79.1",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "xxxx",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=9dd4266bc514d03aae50e174ace52eff7e577d79a14795b532be876139e8922f;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}