Enable Secure HTTPS Access in Kubernetes


Container Service for Kubernetes (ACK) clusters support multiple ways to access your applications, such as <SLB-Instance-IP>:<Port>, <NodeIP>:<NodePort>, or a domain name. By default, application traffic entering an ACK cluster is plain HTTP. To secure your applications with HTTPS, you combine features of ACK and Server Load Balancer (SLB). This topic shows how to configure a certificate in ACK so that your applications can be accessed over HTTPS.

Prerequisites

  • Create an ACK managed cluster.

  • Create a server certificate for the cluster, which includes a public key certificate and a private key.

    • Run the following command to create a self-signed server certificate.

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

      Output:

      Generating a 2048 bit RSA private key
      .......+++
      .......+++
      writing new private key to 'tls.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CN
      State or Province Name (full name) []:zhejiang
      Locality Name (eg, city) []:hangzhou
      Organization Name (eg, company) []:alibaba
      Organizational Unit Name (eg, section) []:test
      Common Name (eg, fully qualified host name) []:foo.bar.com # Note: Enter the domain name under which the application will be served.
      Email Address []:te**@alibaba.com

      The generated certificate and private key are saved as tls.crt and tls.key in the current directory. Note that the interactive prompt only sets the Common Name. Current browsers match the server name against the subjectAltName extension and ignore the CN, so a certificate created this way still produces a name-mismatch warning; add -addext "subjectAltName=DNS:foo.bar.com" to the command if you want the browser check to pass (OpenSSL 1.1.1 or later).

    • Alternatively, you can purchase a certificate issued by Alibaba Cloud. For more information, see Create a certificate.
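The following script is an added example, not part of the ACK documentation: it creates the self-signed certificate from the prerequisite non-interactively, with the hostname in both the CN and a subjectAltName, and sanity-checks the pair before you upload it to SLB or load it into a Secret. It assumes OpenSSL 1.1.1 or later (for -addext); the hostname foo.bar.com and the 365-day validity come from the page, the output directory and function names are ours.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): self-signed certificate with
# a subjectAltName, plus checks on the result. Assumes openssl >= 1.1.1.
set -eu

# Generate a 2048-bit RSA key and a self-signed certificate for HOST into DIR.
# Browsers match the server name against subjectAltName only and ignore the
# CN, so the interactive "Common Name" prompt alone is not enough.
make_selfsigned_cert() {
    host=$1; dir=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/C=CN/ST=zhejiang/L=hangzhou/O=alibaba/OU=test/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    # The private key is the secret; nobody else on the box needs to read it.
    chmod 600 "$dir/tls.key"
}

# Return 0 when KEY_FILE is the private key matching CERT_FILE: compare the
# SHA-256 of the DER-encoded public key taken from each side. A mismatched
# pair is a common cause of certificate upload failures.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when the certificate stays valid for at least SECONDS more.
cert_not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage: sh make-cert.sh foo.bar.com ./certs
if [ "$#" -ge 2 ]; then
    make_selfsigned_cert "$1" "$2"
    cert_key_match "$2/tls.crt" "$2/tls.key"
    echo "certificate for: $(cert_dns_names "$2/tls.crt" | tr '\n' ' ')"
    cert_not_expiring_within "$2/tls.crt" 86400 && echo "valid for more than a day"
fi
```

Run it as `sh make-cert.sh foo.bar.com ./certs`; the resulting `certs/tls.crt` and `certs/tls.key` are what you upload in the SLB console or pass to `kubectl create secret tls`. The key is written unencrypted (-nodes) because both SLB and the Kubernetes TLS Secret expect a plain PEM key.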

Background information

You can configure a certificate in one of two ways, depending on how your application is accessed:

  • Configure the certificate on the front-end SLB instance.

  • Configure the certificate in an Ingress.

Configure an HTTPS certificate on an SLB

This method has the following characteristics:

  • Pros: The certificate is configured on the SLB instance, which is the entry point for external traffic, so the application pods need no certificate. TLS is terminated on the SLB; traffic between the SLB and the nodes, and within the cluster, stays plain HTTP.

  • Cons: Each Service of type LoadBalancer gets its own SLB instance, so you must maintain a separate domain-name-to-IP mapping and certificate binding for every application exposed this way.

  • Use cases: Your application is exposed by using a Service of type LoadBalancer instead of an Ingress.

Preparations:

You have an NGINX application deployed in the ACK cluster. The application is exposed by a Service of type LoadBalancer. For more information, see Create a stateless Deployment.

Procedure:

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Network > Services.

  3. Select the namespace and the Service. On the Services page, find the External IP of the Service. You can access the application at <SLB IP>:<Port>.

    After you access the application, the NGINX welcome page appears with the title Welcome to nginx!, indicating that the application is running correctly.

  4. Log on to the SLB console.

  5. Configure an SSL certificate.

    • If you created the server certificate by using the command line, upload the public key and private key that you created as a non-Alibaba Cloud certificate. For more information, see Create a certificate.

    • If you purchased a certificate issued by Alibaba Cloud, skip this step. For more information, see Create a certificate.

    From the certificate list, find and copy the ID of your certificate.

  6. Return to the Services page in the ACK console. Find the Service that you created and click Update in the Actions column.

  7. In the Update Service dialog box, add the following two annotations in the Annotation section.

    Do not reuse the SLB instance of the cluster API server. Otherwise, the cluster may become inaccessible.

    • Annotation 1

      Parameter: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port

      Value: https:443

    • Annotation 2

      Parameter: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id

      Value: ${YOUR_CERT_ID}

    Note

    Replace ${YOUR_CERT_ID} with the certificate ID that you obtained in Step 5.

    You can also add the annotations by using a YAML file. The following code provides a full example:

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
      name: nginx
      namespace: default
    spec:
      ports:
      - name: https
        port: 443
        protocol: TCP
        targetPort: 80
      - name: http
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer

    Note

    The targetPort for the HTTPS port 443 must be set to the HTTP port 80: the SLB terminates TLS on its 443 listener and forwards plain HTTP to the container, which only listens on port 80. The http port 80 entry in the Service keeps a plaintext HTTP listener open on the SLB; remove it from the Service if the application should be reachable over HTTPS only.

  8. Access the NGINX application over HTTPS. In your browser's address bar, enter https://<slb-instance-ip>. With the self-signed certificate from the prerequisites the browser shows a warning, because the issuer is not trusted and the certificate was issued for foo.bar.com rather than for the IP address; you can proceed past it for this test. With a certificate issued for your domain name, access the SLB through that domain name instead.

    The NGINX welcome page appears with the title Welcome to nginx!. This indicates that the NGINX application is running and the HTTPS configuration is working.

Configure a certificate in an Ingress

This method has the following characteristics:

  • Pros: You do not need to modify the SLB configuration. Each application can manage its own certificate through an Ingress without affecting other applications.

  • Use cases: Each application requires a separate certificate for access, or some applications in the cluster require certificate-based access.

Preparations:

You have a Tomcat application deployed in the Kubernetes cluster. The application is backed by a Service of type ClusterIP. This example uses an Ingress to provide external HTTPS access. For more information, see Create a stateless Deployment.

Procedure:

  1. Run the following command to create a Secret from the certificate prepared in the prerequisites.

    Note

    The command itself takes no domain name: the name that matters is the one inside the certificate (CN and subjectAltName). It must match the host you configure in the Ingress; otherwise clients report a certificate error when they access the application over HTTPS.

    kubectl create secret tls secret-https --key tls.key --cert tls.crt

  2. Log on to the ACK console. In the left navigation pane, click Clusters.

  3. On the Clusters page, click the name of your cluster. In the left navigation pane, click Network > Ingresses.

  4. On the Ingresses page, click Create Ingress.

  5. In the Create Ingress dialog box, configure the Ingress for HTTPS access, and then click OK.

    For more information about Ingress configurations, see Create an Ingress. This example uses the following settings.

    • Name: Enter a name for the Ingress.

    • Domain Name: Enter the domain name from your SSL certificate.

    • Service: Select the Service that corresponds to the Tomcat application. Set the port to 8080.

    • TLS Settings: Enable TLS and select the Secrets you created.

    You can also create the Ingress from a YAML file. The following code provides an example.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
       name: tomcat-https
    spec:
      tls:
      - hosts:
        - foo.bar.com
        secretName: secret-https
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-svc
                port:
                  number: 8080
  6. Return to the Ingresses list and find the Ingress you created. Note the endpoint and the domain name, which is foo.bar.com in this example. These details are also available on the Ingress details page.

    Note

    In this example, foo.bar.com is used as the test domain name. You need to create a record in the hosts file.

    47.110.119.203  foo.bar.com                   # The IP address is the endpoint of the Ingress.

    In the Ingresses list, you will see the tomcat-https entry. The IP address in the Endpoint column is the external endpoint of the Ingress.

  7. In your browser, go to https://foo.bar.com.

    Note

    Use HTTPS to access the domain name, because the Ingress serves it with the TLS certificate from the Secret. This example uses foo.bar.com and resolves it locally through the hosts file. In a production environment, use a publicly registered domain name with a DNS record that points to the Ingress endpoint rather than resolving an example domain locally.

    When you visit https://foo.bar.com in a browser, the default welcome page for Apache Tomcat/8.5.34 is displayed, indicating that the Tomcat service is deployed correctly and is accessible through the Ingress.
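Both Step 8 of the SLB procedure and Step 7 of the Ingress procedure confirm the setup by loading the page in a browser, which with a self-signed certificate shows a warning either way. The following script is an added example, not part of the ACK documentation: it connects to the endpoint with the server name the browser would send, compares the served certificate's SHA-256 fingerprint with the local tls.crt, and checks that the host name is in the served certificate's subjectAltName. It assumes OpenSSL 1.1.1 or later (for -ext); the IP address, port, host name, certificate path and function names are ours.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): verify what an SLB or
# Ingress endpoint actually serves on 443. Assumes openssl >= 1.1.1.
set -eu

# SHA-256 fingerprint of the first PEM certificate read from stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Leaf certificate (PEM) served by IP:PORT for server name HOST. The SNI
# value matters: an Ingress picks the certificate by the name the client
# asks for, so test with the real host name, not the IP.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Return 0 when IP:PORT serves exactly the certificate in CERT_FILE for HOST
# and that certificate names HOST (or a matching wildcard) in subjectAltName.
verify_https_endpoint() {
    ip=$1; port=$2; host=$3; cert_file=$4
    if ! served=$(served_cert "$ip" "$port" "$host") || [ -z "$served" ]; then
        echo "FAIL: no TLS handshake with $ip:$port"; return 1
    fi
    expected=$(pem_fingerprint < "$cert_file")
    actual=$(printf '%s\n' "$served" | pem_fingerprint)
    if [ "$expected" != "$actual" ]; then
        echo "FAIL: served $actual, expected $expected"; return 1
    fi
    # Accept the exact name or a wildcard for its parent domain
    # (*.bar.com covers foo.bar.com).
    if ! printf '%s\n' "$served" | openssl x509 -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p' \
        | grep -qxF -e "$host" -e "*.${host#*.}"; then
        echo "FAIL: $host is not in the served certificate's subjectAltName"
        return 1
    fi
    echo "OK: $ip:$port serves $cert_file for $host ($actual)"
}

# Usage: sh verify-https.sh <endpoint-ip> 443 foo.bar.com ./tls.crt
if [ "$#" -ge 4 ]; then
    verify_https_endpoint "$1" "$2" "$3" "$4"
fi
```

For the SLB method, pass the External IP of the Service; for the Ingress method, pass the Ingress endpoint. A fingerprint mismatch usually means the SLB listener still has a different certificate bound, or the Ingress fell back to the controller's default certificate because the Secret name or host did not match.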