You can use an ingress gateway to enable HTTPS and dynamic certificate loading, which secures the traffic between clients and the gateway. You can create an HTTPS listener by binding a certificate to the Classic Load Balancer (CLB) instance of an ingress gateway. The CLB instance decrypts HTTPS requests into HTTP requests and forwards the HTTP requests to the ingress gateway pod. This topic describes how to create an HTTPS listener by binding a certificate to the CLB instance of an ingress gateway.
Prerequisites
Step 1: Prepare the certificate that you want to bind to the CLB instance
A certificate and a private key are created
If you already have a certificate and a private key that are available for aliyun.com, you need to name the private key aliyun.com.key and the certificate aliyun.com.crt.
No certificate and private key are created
If you have not created a certificate and a private key, you can use openssl to generate a certificate and a private key for aliyun.com by following these steps.
Run the following command to create a root certificate and a private key.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Create an SSL certificate.
In the Server Load Balancer CLB console, select from the left-side navigation pane.
On the Certificate Management page, click Create Certificate.
In the Create Certificate panel, select Alibaba Cloud Issued Certificate, and click Create SSL Certificate at the bottom of the certificate list.
In the Digital Certificate Management Service page, select Certificate Management > SSL Certificate Management from the left-side navigation pane.
Click Upload Certificate on the Upload Certificate tab, enter Certificate Name as aliyun.com, and upload the generated root certificate and private key to the Certificate File and Certificate Private Key fields. Click OK and ignore the certificate chain prompt.
Create a certificate in the Server Load Balancer CLB console. For more information, see Select Alibaba Cloud Issued Certificate.
Step 2: Create an HTTPS listener
ASM allows you to create custom ingress gateways. You can configure parameters in the YAML file. For more information, see Use KubeAPI to manage ingress gateways.
Add the following content to the ingressgateway.yaml file.
spec:
  ....
  ports:
    - name: http-0
      port: 80
      protocol: HTTP
      targetPort: 80
    - name: https-1
      port: 443
      protocol: HTTPS
      targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer
Create a CLB instance by using serviceAnnotations. The CLB instance decrypts HTTPS requests that are received on port 443 into HTTP requests and forwards the HTTP requests to port 80 of the ingress gateway pod. The ${YOUR_CERT_ID} in the YAML file is obtained from Step 1.
Run the following command to deploy the ingress gateway.
kubectl apply -f ingressgateway.yaml
Step 3: Check whether the HTTPS listener takes effect
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, check the Endpoint of the target gateway.
The Endpoint is the IP address of the target gateway.
Run the following command to access the productpage service over HTTPS.
Use the ${IP address of the ingress gateway} that you obtained in the previous step.
curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:${IP address of the ingress gateway} https://a.aliyun.com/productpage -I
Sample output:
HTTP/2 200
date: Fri, 13 Jan 2023 07:11:45 GMT
content-type: text/html; charset=utf-8
content-length: 5294
vary: Accept-Encoding
x-envoy-upstream-service-time: 23
Encrypted traffic is decrypted into plaintext when it passes through the CLB instance, and then goes into the cluster. This result indicates that the HTTPS listener takes effect.
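The curl command above uses -k, which disables certificate verification, so a 200 response proves only that the listener answers on port 443, not that the CLB is serving the certificate uploaded in Step 1. The following script is an added example, not part of the ASM documentation: it compares the SHA-256 fingerprint of the local certificate file with the one the listener presents, and then repeats the request with --cacert instead of -k. It assumes openssl and curl are installed, and that the host name you pass is one the certificate actually covers (the self-signed certificate from Step 1 is issued for CN aliyun.com, while the page's curl command addresses a.aliyun.com; with verification enabled that difference matters). The function names and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ASM documentation): verify that the CLB HTTPS
# listener serves the certificate uploaded in Step 1, instead of relying on
# `curl -k`, which skips certificate verification entirely.
# Assumptions: openssl and curl are installed; HOST, IP and CERT are the
# values from the page (the gateway Endpoint and the aliyun.root.crt file).

# SHA-256 fingerprint of a PEM certificate file, printed as "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate presented on $2:443 for SNI $1.
served_fingerprint() {
    openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when both fingerprints are non-empty and equal (case-insensitive).
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# End-to-end check: certificate match first, then an HTTPS request that
# verifies the chain against the local certificate rather than disabling
# verification. Prints the HTTP status code on success.
check_listener() {
    host=$1; ip=$2; cert=$3
    expected=$(cert_fingerprint "$cert")
    actual=$(served_fingerprint "$host" "$ip")
    if ! fingerprints_match "$expected" "$actual"; then
        echo "certificate mismatch: expected $expected, got ${actual:-none}" >&2
        return 1
    fi
    # --cacert trusts only the uploaded self-signed certificate; --resolve pins
    # the host name to the gateway IP so SNI and Host header stay consistent.
    curl -sS --cacert "$cert" --resolve "$host:443:$ip" \
        "https://$host/productpage" -o /dev/null -w '%{http_code}\n'
}

# Usage (hypothetical file name): sh check_listener.sh <host> <gateway IP> <cert.crt>
if [ "$#" -eq 3 ]; then
    check_listener "$@"
fi
```

If the fingerprints differ, the listener is bound to some other certificate (for example an older upload with the same name), which the -k variant would never reveal. Note that the check only covers the client-to-CLB hop; traffic from the CLB to port 80 of the gateway pod is still plaintext HTTP inside the cluster network, as the page states.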