Alibaba Cloud Service Mesh - ASM Gateway Supports Creating HTTPS Listeners on the SLB Side
ASM gateway service to bind certificates on the SLB side and create an HTTPS listener
ASM gateways provide support for HTTPS security, dynamically loading certificates to enhance the security of ASM gateways. Along with binding certificates on the ASM gateway, you can now manage certificates on the SLB side. This guide will walk you through the process of using the ASM gateway service to bind certificates on the SLB side and create an HTTPS listener.
Prerequisites
An ASM instance is created. See Create an ASM Instance for more details.
An ACK cluster is created. See Create a Managed Kubernetes Cluster for more details.
A cluster is added to the ASM instance. See Add a Cluster to the ASM Instance for more details.
Background: How to Create an HTTPS Listener for a Kubernetes Service
To create an HTTPS-type SLB, start by creating a certificate in the Alibaba Cloud console and record the cert-id. Then, apply the following annotation:
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
  name: sample
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: sample
  type: LoadBalancer
Step 1: Prepare the Certificates Required by SLB
In this example, a certificate and private key are generated for aliyun.com. If you already have these for aliyun.com, name the key aliyun.com.key and the certificate aliyun.com.crt. If not, you can generate them using OpenSSL by following these steps:
Create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Generate a certificate and private key for the aliyun.com server:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
Create a certificate in the SLB console:
To configure an HTTPS listener, you can use the certificate in the SSL Certificates Service directly or upload the required server certificate and CA certificate issued by a third party to the traditional SLB.
Step 2: Create an HTTPS Listener
ASM allows you to customize ingress gateway services. You can configure specific function parameters in YAML.
[Read More](https://www.alibabacloud.com/help/en/alibaba-cloud-service-mesh/latest/define-a-custom-ingress-gateway-service)
In the following configuration, an HTTPS SLB is created through serviceAnnotations. HTTPS requests on port 443 are decrypted at the SLB layer and then forwarded to port 80 of the backend Pod as plain HTTP requests.
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  ....
  ports:
  - name: http-0
    port: 80
    protocol: HTTP
    targetPort: 80
  - name: https-1
    port: 443
    protocol: HTTPS
    targetPort: 80
  ....
  serviceAnnotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: 'https:443'
  ....
  serviceType: LoadBalancer
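As an added example (not the page's or ASM's own code), the following Python check takes the parsed IstioGateway spec above and flags the misconfigurations that would silently leave the SLB listener without working TLS: a missing or still-placeholder cert-id, a protocol-port entry for a port the gateway does not declare, or no https entry at all. It assumes the protocol-port annotation is a comma-separated list of protocol:port pairs, of which the page shows a single one.

```python
# Added example (not from the page): lint an ASM IstioGateway's SLB annotations
# before applying it, so the SLB-side HTTPS listener really gets a certificate
# and only references ports the gateway Service declares.
PROTO_PORT = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port"
CERT_ID = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id"


def parse_protocol_ports(value):
    """'https:443,http:80' -> [('https', 443), ('http', 80)].
    Assumption: comma-separated protocol:port pairs (the page shows one pair)."""
    pairs = []
    for item in value.split(","):
        proto, sep, port = item.strip().partition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed protocol-port entry: {item!r}")
        pairs.append((proto.lower(), int(port)))
    return pairs


def check_gateway(gw):
    """Return findings as a list of strings; an empty list means the listener config is consistent."""
    spec = gw["spec"]
    ann = spec.get("serviceAnnotations", {})
    declared = {p["port"] for p in spec.get("ports", [])}
    findings = []
    if spec.get("serviceType") != "LoadBalancer":
        findings.append("serviceType is not LoadBalancer; SLB annotations have no effect")
    if PROTO_PORT not in ann:
        return findings + ["protocol-port annotation missing; SLB listeners stay plain TCP"]
    pairs = parse_protocol_ports(ann[PROTO_PORT])
    cert = ann.get(CERT_ID, "")
    for proto, port in pairs:
        if port not in declared:
            findings.append(f"{proto}:{port} is not a declared gateway port")
        # An unexpanded ${...} placeholder is the classic copy-paste mistake.
        if proto == "https" and (not cert or "${" in cert):
            findings.append(f"https:{port} has no usable cert-id (empty or placeholder)")
    if all(proto != "https" for proto, _ in pairs):
        findings.append("no https listener; clients reach the SLB in plaintext")
    return findings


# Constructed sample mirroring the page's IstioGateway, cert-id placeholder left in.
SAMPLE_GATEWAY = {"spec": {
    "ports": [{"name": "http-0", "port": 80, "protocol": "HTTP", "targetPort": 80},
              {"name": "https-1", "port": 443, "protocol": "HTTPS", "targetPort": 80}],
    "serviceAnnotations": {CERT_ID: "${YOUR_CERT_ID}", PROTO_PORT: "https:443"},
    "serviceType": "LoadBalancer",
}}
```

Run `check_gateway` against your own manifest after substituting the real cert-id; the sample as written reports exactly one finding, the unexpanded placeholder.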
Execution Result
Log on to the ASM console. Select the target service mesh instance in the console. Click ASM Gateways on the left-side navigation pane. View the information on the right side of the page.
Run the following command to access the httpbin service over HTTPS (the -k flag skips certificate verification, since the certificate generated in Step 1 is self-signed and not trusted by curl):
curl -k https://{replace with real ingress gateway IP address}:443/headers
You'll receive a response similar to this:
{
  "headers": {
    "Accept": "*/*",
    "Host": "xxxx",
    "Remoteip": "xxxx",
    "User-Agent": "curl/7.79.1",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "xxxx",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=9dd4266bc514d03aae50e174ace52eff7e577d79a14795b532be876139e8922f;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
Congrats! You've successfully created an HTTPS listener on the SLB side.