Secure HTTPS access in ACK clusters

更新时间:
复制 MD 格式

Applications in ACK clusters can be exposed in several ways, such as by using an <SLB-Instance-IP>:<Port> address, a <NodeIP>:<NodePort> address, or a domain name. By default, ACK clusters do not support HTTPS access. ACK and Alibaba Cloud Server Load Balancer (SLB) provide a way to enable secure HTTPS access for your applications. This topic demonstrates how to configure certificates in an ACK cluster.

Prerequisites

  • An ACK managed cluster is created.

  • You have a server certificate for the cluster that includes a public key and a private key.

    • To quickly create a server certificate, run the following command.

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

      Output:

      Generating a 2048 bit RSA private key
      .......+++
      .......+++
      writing new private key to 'tls.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CN
      State or Province Name (full name) []:zhejiang
      Locality Name (eg, city) []:hangzhou
      Organization Name (eg, company) []:alibaba
      Organizational Unit Name (eg, section) []:test
      Common Name (eg, fully qualified host name) []:foo.bar.com # Note: You must configure a valid domain name.
      Email Address []:te**@alibaba.com

      The certificate file tls.crt and the private key file tls.key are saved in the current directory.

    • Alternatively, you can purchase a certificate from Alibaba Cloud. For more information, see Create a certificate.

Background

You can configure certificates in one of the following two ways, based on the access method:

  • Configure the certificate on the frontend SLB instance.

  • Configure the certificate in an Ingress.

Configure an HTTPS certificate on an SLB instance

This method has the following characteristics:

  • Pros: The certificate is configured on the SLB instance, which acts as the entry point for external traffic. Communication within the cluster continues over HTTP.

  • Cons: You must maintain a large number of mappings between domain names and IP addresses.

  • Use cases: This method is suitable when your application is exposed by a Service of type LoadBalancer instead of an Ingress.

Preparations:

You have an NGINX application deployed in the ACK cluster, which is exposed by a Service of type LoadBalancer. For more information, see Create a stateless workload (Deployment).

Procedure:

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Network > Services.

  3. Select the namespace and the Service. In the list of Services, find the External IP. You can access the application by using an address in the format of <SLB IP>:<Port>.

    After accessing the IP address, the Welcome to NGINX! page appears, indicating that the NGINX application is accessible.

  4. Log on to the SLB console.

  5. Configure an SSL certificate.

    • If you created the server certificate by using the openssl command, you must upload the public key and private key as a certificate not issued by Alibaba Cloud. For more information, see Create a certificate.

    • If you purchased a certificate from Alibaba Cloud, skip this step. For more information about how to create a certificate issued by Alibaba Cloud, see Create a certificate.

    In the certificate list, find and record the ID of the target certificate.

  6. Return to the Services page in the ACK console. Find the Service and click Update in the Actions column.

  7. In the Update Service dialog box, add the following two annotations.

    Important: Do not reuse the SLB instance that is associated with the cluster's API server. Otherwise, cluster access will become unavailable.

    Annotation

    Parameter

    Value

    Annotation 1

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port

    https:443

    Annotation 2

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id

    ${YOUR_CERT_ID}

    Note

    Replace ${YOUR_CERT_ID} with the certificate ID from Step 5.

    You can also add the annotations by using a YAML file. The following code provides an example:

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
      name: nginx
      namespace: default
    spec:
      ports:
      - name: https
        port: 443
        protocol: TCP
        targetPort: 80
      - name: http
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
    Note

    The targetPort for HTTPS port 443 must be set to the HTTP port, 80.

  8. Access the NGINX application over HTTPS. In the address bar of your browser, enter https://<slb-instance-ip>.

    The browser displays the default Welcome to NGINX! page, indicating that the NGINX application is accessible at the SLB instance's IP address.

Configure a certificate in an Ingress

This method has the following characteristics:

  • Pros: You do not need to modify the SLB configuration. You can use an Ingress to manage the certificate for each application independently.

  • Use cases: This method is suitable when each application requires a separate certificate or when applications in the cluster require certificate-based access.

Preparations:

You have a Tomcat application deployed in the Kubernetes cluster. The application's Service is of type ClusterIP. In this example, you use an Ingress to expose the application over HTTPS. For more information, see Create a stateless workload (Deployment).

Procedure:

  1. Run the following command to create a Secret from the prepared certificate.

    Note

    Make sure that you use a valid domain name. Otherwise, you may fail to access the application over HTTPS.

    kubectl create secret tls secret-https --key tls.key --cert tls.crt      
  2. Log on to the ACK console. In the left navigation pane, click Clusters.

  3. On the Clusters page, click the name of your cluster. In the left navigation pane, click Network > Ingresses.

  4. On the Ingresses page, click Create Ingress.

  5. In the Create Ingress dialog box, configure an Ingress for HTTPS access and click OK.

    For more information about how to configure an Ingress, see Create an Ingress. In this example, the following parameters are configured.

    • Name: Enter a name for the Ingress.

    • Domain Name: Enter the valid domain name that you configured. This must be the same as the domain name in your SSL certificate.

    • Service: Select the Service that corresponds to the Tomcat application. Set the port to 8080.

    • TLS Settings: Enable TLS and select the Secrets that you created.

    You can also create an Ingress by using a YAML file. The following code provides an example:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
       name: tomcat-https
    spec:
      tls:
      - hosts:
        - foo.bar.com
        secretName: secret-https
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-svc
                port:
                  number: 8080
  6. Return to the Ingress list to find the endpoint for the Ingress that you created. In this example, the endpoint corresponds to the domain name foo.bar.com.

    Note

    This example uses foo.bar.com as a test domain name. You must add a record to your local hosts file.

    47.110.119.203  foo.bar.com                   # The IP address is the endpoint of the Ingress.

    On the Ingresses page of the ACK console, you can find the IP address in the Endpoint column for the Ingress named tomcat-https.

  7. In the address bar of your browser, enter https://foo.bar.com.

    Note

    Because a TLS certificate is used, you must access the domain name over HTTPS. This example uses foo.bar.com for local resolution. In a production environment, you must use a domain name that has an ICP filing.

    When you access foo.bar.com in your browser, the default Apache Tomcat/8.5.34 welcome page is displayed. This indicates that the Ingress correctly routes traffic to the backend Tomcat Service. The Not Secure warning in the address bar indicates that the certificate is not trusted by the browser, or the connection is still over HTTP.