You must configure Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates to ensure encrypted connections between the listener and the client when you add an HTTPS listener. This topic describes how to use an Application Load Balancer (ALB) Ingress to configure certificates.
Comparison of certificate configuration methods
ALB Ingresses support three ways to configure certificates: automatic certificate discovery, certificates specified in AlbConfigs, and certificates stored as Kubernetes Secrets. The following table compares the three configuration methods.
Item | Use automatic certificate discovery | Specify certificates in AlbConfigs | Manage certificates as Kubernetes Secrets |
Certificate storage location | Uploaded to Certificate Management Service. | Uploaded to Certificate Management Service. | Stored as Secrets in the cluster. |
Certificate discovery method | ALB instances automatically discover certificates based on the domain name. | ALB instances discover certificates based on the certificate ID generated by Certificate Management Service. | ALB instances discover certificates by specifying the Secret in the cluster. |
Scenarios | This feature is suitable for certificates that are purchased in or uploaded to the Certificate Management Service console. | This feature is suitable for certificates that are purchased in or uploaded to the Certificate Management Service console. | This feature is suitable for certificates managed in the cluster, for example, when you use management tools such as cert-manager. |
Use certificates across namespaces | Supported | Supported | Not supported. Restricted to the namespace of the Secret. |
How to renew certificates | You must upload a new certificate or renew a certificate in the Certificate Management Service console. Then, you need to manually modify Ingress configurations. | You must upload a new certificate or renew a certificate in the Certificate Management Service console. Then, you need to manually modify Ingress configurations. | You must update the Secret that is associated with the Ingress. |
An ALB instance supports a maximum of 25 additional certificates. The number of certificates managed by an ALB instance typically equals the total number of certificates that are added to all listeners of the ALB instance, which includes certificates associated with ALB Ingresses. For more information about how to calculate the ALB quotas, see Methods to calculate ALB quotas.
Compatibility of certificates configured by using different methods
The following table describes the compatibility of different certificate configuration methods.
How certificates are configured | Description |
A certificate is configured by using automatic certificate discovery and a certificate is configured by using a Kubernetes Secret. | |
A certificate is configured by using automatic certificate discovery and a certificate is specified in an AlbConfig. Both certificates are associated with the same listener. | The listener uses only the certificate specified in the AlbConfig. |
A certificate is configured by using a Kubernetes Secret and a certificate is specified in an AlbConfig. | Both certificates are used. |
Prerequisites
An AlbConfig is created with an HTTPS listener configured in it. For more information, see Get started with ALB Ingresses.
A kubectl client is connected to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
A trusted certificate is obtained. You can obtain one by using one of the following methods:
Purchase a certificate in the Certificate Management Service console. For more information, see Purchase SSL certificates.
Purchase a certificate that is issued by another certificate authority (CA).
(Optional) Create a self-signed certificate by following the steps in Step 1: Create a self-signed certificate.
(Optional) Step 1: Create a self-signed certificate
You can run the following OpenSSL commands to create a self-signed certificate:
Because a self-signed certificate is not issued by a trusted certificate authority, browsers and clients do not trust it by default and typically show a security warning when users access the service. The self-signed certificate generated in this topic is for reference only and must not be used in a production environment.
openssl genrsa -out albtop-key.pem 4096
openssl req -subj "/CN=demo.alb.ingress.top" -sha256 -new -key albtop-key.pem -out albtop.csr # demo.alb.ingress.top can be replaced with your domain name
echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf # demo.alb.ingress.top can be replaced with your domain name
openssl x509 -req -days 3650 -sha256 -in albtop.csr -signkey albtop-key.pem -out albtop-cert.pem -extfile extfile.cnf
The demo.alb.ingress.top in the commands is the domain name associated with the self-signed certificate. Replace it with your domain name.
Step 2: Create required resources
ALB Ingresses require Deployments, Services, IngressClasses, and Ingresses to work as expected. Create these four resources using the following YAML template.
Create a file named https-quickstart.yaml, copy the following content to the file, and save it.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: https-ingressclass
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb # Change to the name of the AlbConfig resource
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
spec:
  ingressClassName: https-ingressclass
  rules:
  - host: demo.alb.ingress.top # Replace demo.alb.ingress.top with the domain name associated with the certificate
    http:
      paths:
      - backend:
          service:
            name: https-svc
            port:
              number: 443
        path: /
        pathType: Prefix
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: https-deploy
  template:
    metadata:
      labels:
        app: https-deploy
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs-sample/old-nginx:latest
        imagePullPolicy: IfNotPresent
        name: https-deploy
        ports:
        - containerPort: 80
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: https-svc
spec:
  ports:
  - name: port1
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: https-deploy
  sessionAffinity: None
  type: ClusterIP
(Optional) If both HTTP and HTTPS listeners are configured in the AlbConfig, add the annotations field to the Ingress to ensure that the Ingress is associated with both listeners. The following code shows the configurations:
Run the following command to create the resources:
kubectl apply -f https-quickstart.yaml
Step 3: Configure certificates
Use automatic certificate discovery
After you upload the certificate to the Certificate Management Service console, specify the domain name associated with the certificate in the tls field of the Ingress. The ALB Ingress then automatically discovers and uses the uploaded certificate.
Upload the self-signed certificate to the Certificate Management Service console. For more information, see Upload and share SSL certificates.
Modify Ingress configurations.
Run the following command to edit the Ingress:
kubectl edit ingress https-ingress
Add the tls field and fill in the domain name associated with the certificate:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
  namespace: default
spec:
  ingressClassName: https-ingressclass # The IngressClass created in Step 2
  rules:
  - host: demo.alb.ingress.top
    http:
      #...
  tls:
  - hosts:
    - demo.alb.ingress.top # Must be consistent with the domain name in the "rules: host" field and the domain name associated with the certificate
Manage certificates as Kubernetes Secrets
You can store the certificate as a Secret in the cluster and use it in the Ingress.
Run the following commands to encode the certificate and private key using Base64. Encode the files directly and strip line breaks; an unquoted command substitution such as echo -n `cat file` would join the PEM lines with spaces and corrupt the encoded value:
base64 < albtop-key.pem | tr -d '\n' # Replace albtop-key.pem with the private key file
base64 < albtop-cert.pem | tr -d '\n' # Replace albtop-cert.pem with the certificate file
Create a Secret.
Create a file named https-secret.yaml and copy the following content to the file:
apiVersion: v1
kind: Secret
metadata:
  name: https-secret
type: kubernetes.io/tls
data:
  tls.key: {base64 albtop-key.pem} # Base64-encoded albtop-key.pem (the private key)
  tls.crt: {base64 albtop-cert.pem} # Base64-encoded albtop-cert.pem (the certificate)
Run the following command to create a Secret:
kubectl apply -f https-secret.yaml
Modify the Ingress configuration.
Run the following command to edit the Ingress:
kubectl edit ingress https-ingress
Add the tls field, and fill in the domain name associated with the certificate and the name of the Secret:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
  namespace: default
spec:
  ingressClassName: https-ingressclass # The IngressClass created in Step 2
  rules:
  - host: demo.alb.ingress.top
    http:
      #...
  tls:
  - hosts:
    - demo.alb.ingress.top # Must be consistent with the domain name in the "rules: host" field and the domain name associated with the certificate
    secretName: https-secret # Must be in the same namespace as the Ingress
Specify certificates in AlbConfigs
After you upload the certificate to the Certificate Management Service console, fill in the certificate ID in the CertificateId field of the listener in the AlbConfig to associate the uploaded certificate with the listener.
If a listener is configured with a certificate, it no longer uses the automatic certificate discovery feature.
Upload the self-signed certificate to the Certificate Management Service console. For more information, see Upload and Share SSL Certificates.
Obtain the certificate ID.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, click the Manage Uploaded Certificates tab. Find the certificate that you want to view and choose in the Actions column. In the Certificate Details panel, you can view the CertIdentifier.
Specify the certificate in an AlbConfig.
Run the following command to modify the AlbConfig:
kubectl edit albconfig alb # Replace alb with the name of your AlbConfig.
Add the certificates field to the listener, and fill in the CertIdentifier obtained in the previous step:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    certificates:
    - CertificateId: 756****-cn-hangzhou # CertIdentifier of the certificate
      IsDefault: true # Whether it is the default certificate
  - port: #...
    protocol: #...
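The sections on Kubernetes Secrets and on AlbConfigs above state several consistency rules: the hosts in the tls field must match the rules host and the certificate's domain, a Secret can only be referenced from the Ingress's own namespace, a kubernetes.io/tls Secret must carry correctly Base64-encoded PEM in tls.crt and tls.key, and a listener that lists certificates in the AlbConfig no longer uses automatic discovery. The following Python script is an added example, not code from this page or from the ALB Ingress controller, that checks those rules over manifests represented as plain dicts before they are applied. The manifests, the PEM bodies and the placeholder certificate ID are constructed samples, and the check for the joined-line encoding mistake assumes the PEM was produced by echoing the file contents through an unquoted command substitution.

```python
"""Consistency checks for ALB Ingress certificate configuration (added example).

Rules encoded, as stated on the page: tls.hosts must match rules.host, a Secret
is usable only from its own namespace, a kubernetes.io/tls Secret must hold
base64-encoded PEM in tls.crt/tls.key, and a listener with certificates in the
AlbConfig stops using automatic discovery. All manifests are constructed.
"""
import base64
import binascii

# Constructed PEM stand-ins (not real key material).
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n"
SAMPLE_CRT_PEM = "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUXyz\n-----END CERTIFICATE-----\n"


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def secret_manifest(name, key_pem, crt_pem, namespace="default"):
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.key": b64(key_pem), "tls.crt": b64(crt_pem)}}


GOOD_SECRET = secret_manifest("https-secret", SAMPLE_KEY_PEM, SAMPLE_CRT_PEM)
# What an unquoted `echo -n $(cat file) | base64` produces: the shell joins the
# PEM lines with spaces before encoding, so the decoded value is one long line.
JOINED_SECRET = secret_manifest("https-secret-joined",
                                " ".join(SAMPLE_KEY_PEM.split()),
                                " ".join(SAMPLE_CRT_PEM.split()))

GOOD_INGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
                "metadata": {"name": "https-ingress", "namespace": "default"},
                "spec": {"ingressClassName": "https-ingressclass",
                         "rules": [{"host": "demo.alb.ingress.top"}],  # paths omitted
                         "tls": [{"hosts": ["demo.alb.ingress.top"],
                                  "secretName": "https-secret"}]}}

ALBCONFIG = {"spec": {"listeners": [
    {"port": 443, "protocol": "HTTPS",
     "certificates": [{"CertificateId": "<cert-identifier-placeholder>", "IsDefault": True}]},
    {"port": 80, "protocol": "HTTP"}]}}


def check_tls_secret(secret: dict) -> list:
    """Return a list of problems with a kubernetes.io/tls Secret (empty if it is usable)."""
    problems = []
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"{name}: type must be kubernetes.io/tls")
    data = secret.get("data", {})
    for key, header in (("tls.crt", "CERTIFICATE-----"), ("tls.key", "PRIVATE KEY-----")):
        if key not in data:
            problems.append(f"{name}: data.{key} is missing")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{name}: data.{key} is not valid base64")
            continue
        first_line = pem.splitlines()[0] if pem else ""
        if not (first_line.startswith("-----BEGIN ") and header in first_line):
            problems.append(f"{name}: data.{key} does not decode to a PEM {header.rstrip('-')} block")
        elif "\n" not in pem.strip():
            problems.append(f"{name}: data.{key} PEM lines were joined into one line; "
                            "base64-encode the file itself, not an echo of its contents")
    return problems


def check_ingress_tls(ingress: dict, secrets: list, discoverable_domains: set) -> list:
    """Check each spec.tls entry. `secrets` are the Secrets in the cluster;
    `discoverable_domains` are the domains of certificates uploaded to Certificate
    Management Service, used when an entry has no secretName (automatic discovery)."""
    problems = []
    ns = ingress.get("metadata", {}).get("namespace", "default")
    spec = ingress.get("spec", {})
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    index = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s for s in secrets}
    for entry in spec.get("tls", []):
        hosts = entry.get("hosts", [])
        problems += [f"tls host {h} has no matching rules.host" for h in hosts if h not in rule_hosts]
        secret_name = entry.get("secretName")
        if secret_name:
            secret = index.get((ns, secret_name))  # exact-namespace lookup only
            if secret is None:
                problems.append(f"Secret {ns}/{secret_name} not found in the Ingress namespace "
                                "(Secrets cannot be used across namespaces)")
            else:
                problems += check_tls_secret(secret)
        else:
            problems += [f"no uploaded certificate for {h}; automatic discovery will fail"
                         for h in hosts if h not in discoverable_domains]
    return problems


def listener_uses_discovery(albconfig: dict, port: int) -> bool:
    """A listener that lists certificates in the AlbConfig stops using automatic discovery."""
    for listener in albconfig.get("spec", {}).get("listeners", []):
        if listener.get("port") == port:
            return not listener.get("certificates")
    raise ValueError(f"no listener on port {port}")


if __name__ == "__main__":
    print(check_ingress_tls(GOOD_INGRESS, [GOOD_SECRET], set()))  # []
    print(check_tls_secret(JOINED_SECRET))  # two "PEM lines were joined" problems
    print(listener_uses_discovery(ALBCONFIG, 443))  # False
```

Domain matching here is exact; wildcard certificates are not modelled. Running the checks against the Secret built with the joined PEM reproduces the symptom of encoding with an unquoted echo, which is why the page's encoding step should read the files directly.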
Step 4: Verify the result
You can access a service over HTTPS to check whether the certificate is configured.
Run the following command to view Ingress information.
kubectl get ingress
Expected output:
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
Copy the values under HOSTS and ADDRESS for later use.
Run the following command to access the backend service over HTTPS through the ALB Ingress. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the previous step. The -k option skips certificate verification, which is necessary because the certificate is self-signed; note also that curl sends the ALB address, not demo.alb.ingress.top, as the TLS server name (SNI), so the listener presents its default certificate.
curl -H "Host: demo.alb.ingress.top" -k https://alb-********.alb.aliyuncs.com
If the following output is returned, the certificate is configured:
old
References
For more information about how to enable client access using HTTP/3, see Configure a QUIC listener by using an AlbConfig.
For more information about how to configure mutual authentication on an HTTPS listener, see Use HTTPS mutual authentication to enhance service security.