All Products
Search
Document Center

Container Service for Kubernetes:Use an ALB Ingress to configure certificates for an HTTPS listener

Last Updated:Aug 02, 2023

When an HTTPS listener forwards HTTPS requests, the listener needs to create a TLS connection by using a certificate. Application Load Balancer (ALB) Ingresses support automatic certificate discovery, certificates stored as Secrets, and HTTPS listener certificate configuration by using an AlbConfig. This topic describes how to use an ALB Ingress to configure certificates for an HTTPS listener.

Table of contents

Prerequisites

Certificate configuration method comparison

Compatibility of certificates configured by using different methods

Configure automatic certificate discovery

Manage certificates by using Kubernetes Secrets

Specify certificates in AlbConfigs

Prerequisites

  • ALB Ingress controller 2.5.0 or later is installed. For more information, see Manage components.

  • A trusted certificate is obtained. You can obtain a trusted certificate by using one of the following methods:

    • Purchase a certificate in the Certificate Management Service console. For more information, see Purchase an SSL certificate.

    • Purchase a certificate that is issued by another certificate authority (CA) or create a self-signed certificate.

    • Create a certificate that is stored as a Kubernetes Secret.

Certificate configuration method comparison

ALB Ingresses allow you to configure automatic certificate discovery, manage certificates as Kubernetes Secrets, and specify certificates in AlbConfigs. The following table compares the preceding methods.

Note

ALB Ingresses do not affect persistent connections.

Item

Use automatic certificate discovery

Manage certificates as Kubernetes Secrets

Specify certificates in AlbConfigs

Scenarios

This feature is suitable for certificates that are purchased in the Certificate Management Service console or certificates that are uploaded to the Certificate Management Service console.

This feature is suitable for certificates managed in the cluster. For example, if you use cert-manager to manage certificates, the certificates for ALB instances are automatically updated together with the corresponding Secrets.

To use this feature, you must upload the certificate that you want to use to the Certificate Management Service console. This feature is suitable for scenarios where the certificate that you want to use shares the same domain name with other certificates.

Automatically renew certificates for relevant ALB instances

Not supported. You must manually renew certificates for ALB instances.

Supported

Not supported. You must manually renew certificates for ALB instances.

Priority

Low

Medium

High

Use certificates across namespaces

Supported

Not supported. A certificate stored as a Secret can be used only within the namespace of the Secret.

Supported. AlbConfigs are cluster-scoped resources and take effect within all namespaces in a cluster.

How to renew certificates

You must upload a new certificate to the Certificate Management Service console or renew the original certificate in the Certificate Management Service console. Then, you need to manually modify Ingress configurations, such as the Ingress name and annotations, so that the new certificate can be automatically discovered.

You must update the Secret that is associated with the Ingress.

You must upload a new certificate to the Certificate Management Service console or renew the original certificate in the Certificate Management Service console. Then, you need to manually update the AlbConfig to specify the new certificate ID.

References

Configure automatic certificate discovery

Manage certificates by using Kubernetes Secrets

Specify certificates in AlbConfigs

Compatibility of certificates configured by using different methods

The following table describes the compatibility of different certificate configuration methods.

How certificates are configured

Description

A certificate is configured by using automatic certificate discovery and a certificate is configured by using a Kubernetes Secret.

  • If both certificates are associated with the same domain name, the certificate that is configured by using a Secret is preferably used.

  • If the certificates are associated with different domain names, the ALB Ingress controller use the certificates for the corresponding domain names.

A certificate is configured by using automatic certificate discovery and a certificate is specified in an AlbConfig. Both certificates are associated with the same listener.

  • The listener uses only the certificate specified in the AlbConfig.

  • If no certificate is specified in the AlbConfig, the listener uses the certificate configured by using automatic certificate discovery.

A certificate is configured by using a Kubernetes Secret and a certificate is specified in an AlbConfig.

Both certificates are used.

Configure automatic certificate discovery

This section describes how to configure automatic certificate discovery for self-signed certificates.

Note

An ALB instance supports a maximum of 25 additional certificates, including certificates that share the same domain name.

  1. Run the following OpenSSL commands to create a self-signed certificate:

    openssl genrsa -out albtop-key.pem 4096
    openssl req -subj "/CN=demo.alb.ingress.top" -sha256  -new -key albtop-key.pem -out albtop.csr
    echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in albtop.csr -signkey albtop-key.pem -out albtop-cert.pem -extfile extfile.cnf
  2. Upload the self-signed certificate to the Certificate Management Service console. For more information, see Upload and share SSL certificates.

  3. Create an Ingress, a Service, and an application.

    1. Create a file named demo.yaml and copy the following content to the file.

      Add the following setting to the YAML template of the Ingress to specify the domain name in the created certificate:

      tls:
        - hosts:
          - demo.alb.ingress.top

      Show sample code

      apiVersion: v1
      kind: Service
      metadata:
        name: demo-service-https
        namespace: default
      spec:
        ports:
          - name: port1
            port: 443
            protocol: TCP
            targetPort: 8080
        selector:
          app: demo-cafe
        sessionAffinity: None
        type: ClusterIP
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: demo-cafe
        namespace: default
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: demo-cafe
        template:
          metadata:
            labels:
              app: demo-cafe
          spec:
            containers:
              - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
                imagePullPolicy: IfNotPresent
                name: demo-cafe
                ports:
                  - containerPort: 8080
                    protocol: TCP
      ---
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: demo-https
        namespace: default
      spec:
        ingressClassName: alb
        rules:
        - host: demo.alb.ingress.top
          http:
            paths:
            - backend:
                service:
                  name: demo-service-https
                  port:
                    number: 443
              path: /
              pathType: Prefix
        tls:
        - hosts:
          - demo.alb.ingress.top
    2. Run the following command to create an Ingress, a Service, and an application:

      kubectl apply -f demo.yaml
  4. Run the following command to check whether the certificate is configured:

    curl https://demo.alb.ingress.top/tea

    Expected output:

    {"hello":"tee"}

    If the preceding output is returned, the certificate is configured.

Manage certificates by using Kubernetes Secrets

This section describes how to manage a self-signed certificate by using a Kubernetes Secret.

Note

You can store a certificate in multiple Secrets. You can associate multiple certificates with an ALB instance. However, an ALB instance supports a maximum of 25 additional certificates.

  1. Run the following OpenSSL commands to create a self-signed certificate:

    openssl genrsa -out albtop-key.pem 4096
    openssl req -subj "/CN=demo.alb.ingress.top" -sha256  -new -key albtop-key.pem -out albtop.csr
    echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in albtop.csr -signkey albtop-key.pem -out albtop-cert.pem -extfile extfile.cnf
  2. Encode the content in the albtop-key.pem and albtop-cert.pem files that are generated in Step 1 by using Base64.

    echo -n <albtop-key.pem> | base64
    echo -n <albtop-cert.pem> | base64
  3. Create a Secret.

    1. Create a file named secret.yaml and copy the following content to the file:

      apiVersion: v1
      kind: Secret
      metadata:
        name: secret-tls
      type: kubernetes.io/tls
      data:
        # the data is abbreviated in this example
        tls.crt: |
          {base64 albtop-cert.pem} # Base64-encoded content of the albtop-cert.pem file. 
        tls.key: |
          {base64 albtop-key.pem}  # Base64-encoded content of the albtop-key.pem file.

    2. Run the following command to create a Secret:

      kubectl apply -f secret.yaml
  4. Create an Ingress, a Service, and an application.

    1. Create a file named demo.yaml and copy the following content to the file.

      Add the following setting to the YAML template of the Ingress to specify the domain name in the created certificate:

      tls:
        - hosts:
          - demo.alb.ingress.top
          secretName: secret-tls

      Show sample code

      apiVersion: v1
      kind: Service
      metadata:
        name: demo-service-https
        namespace: default
      spec:
        ports:
          - name: port1
            port: 443
            protocol: TCP
            targetPort: 8080
        selector:
          app: demo-cafe
        sessionAffinity: None
        type: ClusterIP
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: demo-cafe
        namespace: default
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: demo-cafe
        template:
          metadata:
            labels:
              app: demo-cafe
          spec:
            containers:
              - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
                imagePullPolicy: IfNotPresent
                name: demo-cafe
                ports:
                  - containerPort: 8080
                    protocol: TCP
      ---
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: demo-https
        namespace: default
      spec:
        ingressClassName: alb
        rules:
        - host: demo.alb.ingress.top
          http:
            paths:
            - backend:
                service:
                  name: demo-service-https
                  port:
                    number: 443
              path: /
              pathType: Prefix
        tls:
        - hosts:
          - demo.alb.ingress.top
          secretName: secret-tls
    2. Run the following command to create an Ingress, a Service, and an application:

      kubectl apply -f demo.yaml
  5. Run the following command to check whether the certificate is configured:

    curl https://demo.alb.ingress.top/tea

    Expected output:

    {"hello":"tee"}

    If the preceding output is returned, the certificate is configured.

Specify certificates in AlbConfigs

This section describes how to specify a self-signed certificate in an AlbConfig.

Note

If a listener is configured with a certificate ID, the domain names associated with the listener no longer use certificates stored as Secrets or the automatic certificate discovery feature.

  1. Run the following OpenSSL commands to create a self-signed certificate:

    openssl genrsa -out albtop-key.pem 4096
    openssl req -subj "/CN=demo.alb.ingress.top" -sha256  -new -key albtop-key.pem -out albtop.csr
    echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in albtop.csr -signkey albtop-key.pem -out albtop-cert.pem -extfile extfile.cnf
  2. Upload the self-signed certificate to the Certificate Management Service console. For more information, see Upload and share SSL certificates.

  3. Obtain the certificate ID.

    1. Log on to the Certificate Management Service console.

    2. In the left-side navigation pane, click SSL Certificates.

    3. On the SSL Certificates page, click the Manage Uploaded Certificates tab. Find the certificate that you want to view and choose 图标 > Details in the Actions column.

      In the Certificate Details panel, you can view the certificate ID.

  4. Specify the certificate in an AlbConfig.

    Create an AlbConfig and specify the certificate

    1. Create a file named albconfig.yaml and copy the following content to the file:

      apiVersion: alibabacloud.com/v1
      kind: AlbConfig
      metadata:
        name: alb-demo
      spec:
        config:
          #...
        listeners:
        - caEnabled: false
          certificates:
          - CertificateId: 756****-cn-hangzhou # Set the value to the certificate ID that you obtained.
            IsDefault: true
          port: 443
          protocol: HTTPS
        #...

      Parameter

      Description

      CertificateId

      The certificate ID. In this example, 756****-cn-hangzhou is specified. Specify the value of CertificateId based on the following description:

      • If the certificate is created in a region in China, set the value to 756****-cn-hangzhou. -cn-hangzhou is fixed content. You need to only replace 756****.

      • If the certificate is created in a region outside China, set the value to 756****-ap-southeast-1. -ap-southeast-1 is fixed content. You need to only replace 756****.

      IsDefault

      Specifies whether to set the certificate as the default certificate. In this example, true is specified. The certificate is set as the default certificate.

      protocol

      The protocol used by listeners. In this example, HTTPS is specified. The HTTPS protocol is used by listeners.

    2. Run the following command to create an AlbConfig:

      kubectl apply -f albconfig.yaml

    Specify the certificate in an existing AlbConfig

    You can run the kubectl edit command to perform an incremental update on an existing AlbConfig.

    1. Run the following command to query the AlbConfig that you want to use:

      kubectl -n kube-system get AlbConfig

      Expected output:

      NAME AGE
      alb-demo 87m
    2. Run the following command to update the AlbConfig:

      kubectl -n kube-system edit AlbConfig alb-demo
        #...
        spec:
          config:
            #...
          listeners:
          - caEnabled: false
            certificates:
            - CertificateId: 756****-cn-hangzhou # Set the value to the certificate ID that you obtained.
              IsDefault: true
            port: 443
            protocol: HTTPS
            #...

    For more information about how to update an AlbConfig, see Update an AlbConfig.

  5. Create an Ingress, a Service, and an application.

    1. Create a file named demo.yaml and copy the following content to the file.

      Note

      In this example, the tls parameter is used only as the identifier for associating with listening port 443. The parameter is not used to configure automatic certificate discovery.

      Show sample code

      apiVersion: v1
      kind: Service
      metadata:
        name: demo-service-https
        namespace: default
      spec:
        ports:
          - name: port1
            port: 443
            protocol: TCP
            targetPort: 8080
        selector:
          app: demo-cafe
        sessionAffinity: None
        type: ClusterIP
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: demo-cafe
        namespace: default
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: demo-cafe
        template:
          metadata:
            labels:
              app: demo-cafe
          spec:
            containers:
              - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
                imagePullPolicy: IfNotPresent
                name: demo-cafe
                ports:
                  - containerPort: 8080
                    protocol: TCP
      ---
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: demo-https
        namespace: default
      spec:
        ingressClassName: alb
        rules:
        - host: demo.alb.ingress.top
          http:
            paths:
            - backend:
                service:
                  name: demo-service-https
                  port:
                    number: 443
              path: /
              pathType: Prefix
        tls:
        - hosts:
          - demo.alb.ingress.top
    2. Run the following command to create an Ingress, a Service, and an application:

      kubectl apply -f demo.yaml
  6. Run the following command to check whether the certificate is configured:

    curl https://demo.alb.ingress.top/tea

    Expected output:

    {"hello":"tee"}