
Alibaba Cloud Service Mesh:Use an ASM gateway to access a Knative Service over HTTPS

Last Updated:Feb 29, 2024

A Service Mesh (ASM) gateway supports HTTPS and allows you to dynamically load certificates. When you need to securely access and manage microservices that are built by using Knative, you can use an ASM gateway to allow access to a Knative Service only over HTTPS. In addition, you can configure encrypted transmission for service endpoints to protect communications between the services, improving the security and reliability of the overall architecture.

Prerequisites

Create a certificate and a private key

Before you use the domain name aliyun.com, you need to apply for an Internet Content Provider (ICP) filing for the domain name. In this example, the domain name aliyun.com is used to generate a certificate and a private key. Save the certificate and the private key as a secret.

Note

If you have an available certificate and private key for the domain name aliyun.com, rename the certificate to aliyun.com.crt and the private key to aliyun.com.key.

If you do not have a certificate and a private key available for the domain name aliyun.com, you can use OpenSSL and perform the following steps to generate a certificate and a private key.

  1. Run the following command to create a root certificate and a private key:

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
  2. Run the following commands to generate a certificate and a private key for the server of aliyun.com:

    openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
    openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt

After the certificate and private key are generated, use the kubeconfig file of the cluster to which the ingress gateway pod belongs and run the following command to create a secret that contains the certificate and private key in the istio-system namespace. Note the secret name; it is referenced when you enable HTTPS in the next section.

kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt

Enable HTTPS

  1. Save the following content as the default.yaml file:

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: ASMKnativeConfig
    metadata:
      name: default
    spec:
      enabled: true
      useExisting: true
      tag: 1.4.0
      domainConfig:
        domainName: aliyun.com # Replace aliyun.com with the domain name you used. 
        credentialName: myexample-credential # Replace myexample-credential with your secret name.

  2. Use kubectl to connect to Service Mesh and run the following command:

    kubectl apply -f default.yaml

Access the Knative Service over HTTPS

  1. Add an entry for the domain name that you want to visit to the hosts file.

    The following sample line shows the entry to add to the hosts file.

    Note

    Replace xx.xx.xxx.xx with the address of the ingress gateway that you actually access. For more information about how to obtain the gateway address, see Step 3: Query the gateway address in Use Knative on ASM to deploy a serverless application.

    xx.xx.xxx.xx helloworld-go.default.aliyun.com
  2. Access the Knative Service over HTTPS.

    • Access the Knative Service by running the following command

      Run the following command to access the Knative Service over HTTPS:

      curl -k --cert aliyun.com.crt --key aliyun.com.key https://helloworld-go.default.aliyun.com
      
      # Expected output:
      Hello Knative!
    • Access the Knative Service by visiting the following website

      Enter https://helloworld-go.default.aliyun.com in the browser to directly access the Knative Service.

      Note

      When you access the Knative Service by using a browser, the browser may warn that the site is not secure. This happens because the certificate is self-signed rather than issued by a trusted CA, and the warning is expected in this example.
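The following script is an added example and is not part of the Alibaba Cloud page or the ASM product. It reproduces the OpenSSL steps from the Prerequisites section in a scratch directory and then runs the checks a practitioner wants before loading the pair into the istio-system secret: that the server certificate chains to the root, that the private key really belongs to the certificate, and that the certificate is valid for the Knative host name that the access step uses. It differs from the page's commands in one respect: it adds a subjectAltName (the apex domain plus a wildcard for *.default.<domain>), because browsers and curl match names against the SAN, not the CN. It also builds the verified form of the curl command from the access step: `curl -k` in that step disables certificate validation, so it proves the gateway is reachable but not that it presents the expected certificate; `--cacert` with the root certificate and `--resolve` in place of a hosts-file edit give the same access with validation on. Assumptions: openssl is on PATH, the DOMAIN and WORKDIR variables are overridable placeholders, and 203.0.113.10 in the usage comment is a constructed gateway address.

```shell
#!/bin/sh
# Added example, not code from the ASM documentation. Requires openssl on PATH.
set -eu

DOMAIN="${DOMAIN:-aliyun.com}"      # the page's placeholder domain
WORKDIR="${WORKDIR:-$(mktemp -d)}"  # scratch directory for key material (assumption)
ROOT_CRT="$WORKDIR/$DOMAIN.root.crt"
ROOT_KEY="$WORKDIR/$DOMAIN.root.key"
SRV_CRT="$WORKDIR/$DOMAIN.crt"
SRV_KEY="$WORKDIR/$DOMAIN.key"

# Steps 1 and 2 of the page: a root CA, then a CSR signed by that CA.
# Difference from the page: a subjectAltName is added so that the exact
# Knative host name (helloworld-go.default.<domain>) can be validated.
gen_certs() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=myexample Inc./CN=$DOMAIN" \
    -keyout "$ROOT_KEY" -out "$ROOT_CRT" 2>/dev/null
  openssl req -out "$WORKDIR/$DOMAIN.csr" -newkey rsa:2048 -nodes \
    -keyout "$SRV_KEY" -subj "/CN=$DOMAIN/O=myexample organization" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:*.default.%s\n' "$DOMAIN" "$DOMAIN" \
    > "$WORKDIR/san.ext"
  openssl x509 -req -days 365 -CA "$ROOT_CRT" -CAkey "$ROOT_KEY" -set_serial 0 \
    -in "$WORKDIR/$DOMAIN.csr" -extfile "$WORKDIR/san.ext" -out "$SRV_CRT" 2>/dev/null
}

# Check 1: the server certificate chains to the root CA. This is what a client
# verifies when it is given the root via --cacert instead of being run with -k.
verify_chain() {
  openssl verify -CAfile "$ROOT_CRT" "$SRV_CRT" >/dev/null 2>&1
}

# Check 2: the certificate is valid for a given host name (SAN match, wildcards
# included). Usage: covers_host helloworld-go.default.aliyun.com
covers_host() {
  openssl verify -CAfile "$ROOT_CRT" -verify_hostname "$1" "$SRV_CRT" >/dev/null 2>&1
}

# Check 3: the private key belongs to the certificate. Compare the SHA-256 of the
# public key embedded in each; a mismatched pair breaks every TLS handshake.
# Usage: key_matches_cert CERT KEY
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Verified access command for the page's last step, as an alternative to
# "curl -k" plus a hosts-file edit: --resolve pins the host name to the gateway
# address and --cacert lets curl validate the chain against the root.
# Usage: curl_verified_cmd helloworld-go.default.aliyun.com 203.0.113.10
curl_verified_cmd() {
  printf 'curl --cacert %s --resolve %s:443:%s https://%s\n' "$ROOT_CRT" "$1" "$2" "$1"
}

gen_certs
if verify_chain && key_matches_cert "$SRV_CRT" "$SRV_KEY" \
   && covers_host "helloworld-go.default.$DOMAIN"; then
  echo "certificate pair in $WORKDIR is consistent"
  echo "load it with: kubectl create -n istio-system secret tls myexample-credential --key=$SRV_KEY --cert=$SRV_CRT"
else
  echo "certificate pair in $WORKDIR failed a check" >&2
  exit 1
fi
```

Only the server pair goes into the gateway secret; the root certificate is what clients need in order to trust it, so it is the file to hand to curl's `--cacert` or to import into a browser's trust store when you want the warning from the browser step to go away instead of being clicked through.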

Related operations

  • Knative on ASM allows you to perform a canary release based on traffic splitting for a Knative Service. When you create a Knative Service, Knative automatically creates the first Revision for the Service. Whenever the configuration of the Knative Service changes, Knative creates a new Revision and modifies the percentage of traffic that is distributed to different Revisions to implement a canary release. For more information, see Perform a canary release based on traffic splitting for a Knative Service by using Knative on ASM.

  • Knative Serving adds the Queue Proxy container to each pod. The Queue Proxy container sends the concurrency metrics of the application containers to Knative Pod Autoscaler (KPA). After KPA receives the metrics, KPA automatically adjusts the number of pods provisioned for a Deployment based on the number of concurrent requests and related autoscaling algorithms. For more information, see Enable autoscaling of pods based on the number of requests.