All Products
Search
Document Center

Container Service for Kubernetes:Configure HTTPS certificates for encrypted communication

Last Updated:Jul 19, 2024

You must configure Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates to ensure encrypted connections between the listener and the client when you add an HTTPS listener. This topic describes how to use an Application Load Balancer (ALB) Ingress to configure certificates.

Comparison of certificate configuration methods

ALB Ingresses allow you to configure automatic certificate discovery, certificates stored as Secrets, and specify certificates in AlbConfigs. The following table compares the three configuration methods.

Item

Use automatic certificate discovery

Specify certificates in AlbConfigs

Manage certificates as Kubernetes Secrets

Certificate storage location

Uploaded to Certificate Management Service.

Stored as Secrets in the cluster.

Certificate discovery method

ALB instances automatically discover certificates based on the domain name.

ALB instances discover certificates based on the certificate ID generated by Certificate Management Service.

ALB instances discover certificates by specifying the Secret in the cluster.

Scenarios

This feature is suitable for certificates that are purchased in or uploaded to the Certificate Management Service console.

This feature is suitable for certificates managed in the cluster, for example, when you use management tools such as cert-manager.

Use certificates across namespaces

Supported

Not supported. Restricted to the namespace of the Secret.

How to renew certificates

You must upload a new certificate or renew a certificate in the Certificate Management Service console. Then, you need to manually modify Ingress configurations.

You must update the Secret that is associated with the Ingress.

Important

An ALB instance supports a maximum of 25 additional certificates. The number of certificates managed by an ALB instance typically equals the total number of certificates that are added to all listeners of the ALB instance, which includes certificates associated with ALB Ingresses. For more information about how to calculate the ALB quotas, see Methods to calculate ALB quotas.

Compatibility of certificates configured by using different methods

The following table describes the compatibility of different certificate configuration methods.

How certificates are configured

Description

A certificate is configured by using automatic certificate discovery and a certificate is configured by using a Kubernetes Secret.

  • If both certificates are associated with the same domain name, the certificate that is configured by using a Secret is preferably used.

  • If the certificates are associated with different domain names, the ALB Ingress controller uses the respective certificate for each domain name.

A certificate is configured by using automatic certificate discovery and a certificate is specified in an AlbConfig. Both certificates are associated with the same listener.

The listener uses only the certificate specified in the AlbConfig.

A certificate is configured by using a Kubernetes Secret and a certificate is specified in an AlbConfig.

Both certificates are used.

Prerequisites

(Optional) Step 1: Create a self-signed certificate

You can run the following OpenSSL commands to create a self-signed certificate:

Important

The lack of reliable CA authentication causes self-signed certificates not trusted in browsers and clients by default, often leading to security warnings for users during access. The self-signed certificates generated in this topic are for reference only and should not be used in the production environment.

openssl genrsa -out albtop-key.pem 4096
openssl req -subj "/CN=demo.alb.ingress.top" -sha256  -new -key albtop-key.pem -out albtop.csr  # demo.alb.ingress.top can be replaced with your domain name
echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf  # demo.alb.ingress.top can be replaced with your domain name
openssl x509 -req -days 3650 -sha256 -in albtop.csr -signkey albtop-key.pem -out albtop-cert.pem -extfile extfile.cnf
Note

The demo.alb.ingress.top in the command is the domain name associated with the created self-signed certificate. Replace it with your domain name.

Step 2: Create required resources

ALB Ingresses require Deployments, Services, IngressClasses, and Ingresses to work as expected. Create these four resources using the following YAML template.

  1. Create a file named https-quickstart.yaml, copy the following content to the file, and save it.

    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: https-ingressclass
    spec:
      controller: ingress.k8s.alibabacloud/alb
      parameters:
        apiGroup: alibabacloud.com
        kind: AlbConfig
        name: alb # Change to the name of the AlbConfig resource
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: https-ingress
    spec:
      ingressClassName: https-ingressclass
      rules:
      - host: demo.alb.ingress.top # Replace demo.alb.ingress.top with the domain name associated with the certificate
        http:
          paths:
          - backend:
              service:
                name: https-svc
                port:
                  number: 443
            path: /
            pathType: Prefix
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: https-deploy
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: https-deploy
      template:
        metadata:
          labels:
            app: https-deploy
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/acs-sample/old-nginx:latest
              imagePullPolicy: IfNotPresent
              name: https-deploy
              ports:
                - containerPort: 80
                  protocol: TCP
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: https-svc
    spec:
      ports:
        - name: port1
          port: 443
          protocol: TCP
          targetPort: 80
      selector:
        app: https-deploy
      sessionAffinity: None
      type: ClusterIP
  2. (Optional) If both HTTP and HTTPS listeners are configured in the AlbConfig, add the annotations field to the Ingress to ensure that the Ingress is associated with multiple listeners. The following code shows the configurations:

    Add annotations when you use multiple listeners

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: https-ingress
      annotations:
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]' # Add annotations when you use multiple listeners for ALB Ingress to work properly 
    spec:
      #...
  3. Run the following command to create resources:

    kubectl apply -f https-quickstart.yaml

Step 3: Configure certificates

Use automatic certificate discovery

After you upload the certificate to the Certificate Management Service console, fill in the domain name associated with the certificate in the tls field in the Ingress to enable the ALB Ingress to automatically discover and use the uploaded certificate.

  1. Upload the self-signed certificate to the Certificate Management Service console. For more information, see Upload and share SSL certificates.

  2. Modify Ingress configurations.

    1. Run the following command to edit the Ingress:

      kubectl edit ingress https-ingress
    2. Add the tls field and fill in the domain name associated with the certificate.

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: https-ingress
        namespace: default
      spec:
        ingressClassName: alb
        rules:
        - host: demo.alb.ingress.top
          http:
            #...
        tls:
        - hosts:
          - demo.alb.ingress.top # Must be consistent with the domain name in the "rules: host" field and the domain name associated with the certificate

Manage certificates as Kubernetes Secrets

You can store the certificate as a Secret in the cluster and use it in the Ingress.

  1. Run the following command to encode the certificate and private key using Base64:

    echo -n `cat albtop-key.pem` | base64 # Replace albtop-key.pem with the private key file
    echo -n `cat albtop-cert.pem` | base64 # Replace albtop-cert.pem with the certificate file
  2. Create a Secret.

    1. Create a file named https-secret.yaml and copy the following content to the file:

      apiVersion: v1
      kind: Secret
      metadata:
        name: https-secret
      type: kubernetes.io/tls
      data:
        tls.key: |
          {base64 albtop-key.pem} # Base64 encoded albtop-cert.pem.
        tls.crt: |
          {base64 albtop-cert.pem}  # Base64 encoded albtop-key.pem.
    2. Run the following command to create a Secret:

      kubectl apply -f https-secret.yaml
  3. Modify the Ingress configuration.

    1. Run the following command to edit the Ingress:

      kubectl edit ingress https-ingress
    2. Add the tls field, fill in the domain name associated with the certificate and the name of the Secret.

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: https-ingress
        namespace: default
      spec:
        ingressClassName: alb
        rules:
        - host: demo.alb.ingress.top
          http:
            #...
        tls:
        - hosts:
          - demo.alb.ingress.top # Must be consistent with the domain name in the "rules: host" field and the domain name associated with the certificate
          secretName: https-secret

Specify certificates in AlbConfigs

After you upload the certificate to the Certificate Management Service console, fill in the certificate ID in the CertificateId field of the listener in AlbConfig to associate the uploaded certificate with the listener.

Note

If a listener is configured with a certificate, it no longer uses the automatic certificate discovery feature.

  1. Upload the self-signed certificate to the Certificate Management Service console. For more information, see Upload and Share SSL Certificates.

  2. Obtain the certificate ID.

    1. Log on to the Certificate Management Service console.

    2. In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.

    3. On the SSL Certificate Management page, click the Manage Uploaded Certificates tab. Find the certificate that you want to view and choose 图标 > Details in the Actions column.

      In the Certificate Details panel, you can view the CertIdentifier.

  3. Specify the certificate in an AlbConfig.

    1. Run the following command to modify the AlbConfig:

      kubectl edit albconfig alb # Replace alb with the name of your AlbConfig.
    2. Add the certificates field in the listener, and fill in the CertIdentifier obtained in the previous step.

      apiVersion: alibabacloud.com/v1
      kind: AlbConfig
      metadata:
        name: alb
      spec:
        config: #...
        listeners:
          - port: 443
            protocol: HTTPS
            certificates:
            - CertificateId: 756****-cn-hangzhou # CertIdentifier of the certificate
              IsDefault: true # Whether it is the default certificate
          - port: #...
            protocol: #...

Step 4: Verify the result

You can access a service over HTTPS to check whether the certificate is configured.

  1. Run the following command to view Ingress information.

    kubectl get ingress

    Expected output:

    NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
    https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

    Copy the values under HOSTS and ADDRESS for later use.

  2. Run the following command to access the backend service using HTTPS through the ALB Ingress. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the previous step.

    curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com

    If the following output is returned, the certificate is configured:

    old

References