Applications in ACK clusters can be exposed in several ways, such as by using an <SLB-Instance-IP>:<Port> address, a <NodeIP>:<NodePort> address, or a domain name. By default, ACK clusters do not support HTTPS access. ACK and Alibaba Cloud Server Load Balancer (SLB) provide a way to enable secure HTTPS access for your applications. This topic demonstrates how to configure certificates in an ACK cluster.
Prerequisites
An ACK managed cluster is created.
You have a server certificate for the cluster that includes a public key and a private key.
To quickly create a server certificate, run the following command.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crtOutput:
Generating a 2048 bit RSA private key .......+++ .......+++ writing new private key to 'tls.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:CN State or Province Name (full name) []:zhejiang Locality Name (eg, city) []:hangzhou Organization Name (eg, company) []:alibaba Organizational Unit Name (eg, section) []:test Common Name (eg, fully qualified host name) []:foo.bar.com # Note: You must configure a valid domain name. Email Address []:te**@alibaba.comThe certificate file tls.crt and the private key file tls.key are saved in the current directory.
Alternatively, you can purchase a certificate from Alibaba Cloud. For more information, see Create a certificate.
Background
You can configure certificates in one of the following two ways, based on the access method:
Configure the certificate on the frontend SLB instance.
Configure the certificate in an Ingress.
Configure an HTTPS certificate on an SLB instance
This method has the following characteristics:
Pros: The certificate is configured on the SLB instance, which acts as the entry point for external traffic. Communication within the cluster continues over HTTP.
Cons: You must maintain a large number of mappings between domain names and IP addresses.
Use cases: This method is suitable when your application is exposed by a Service of type LoadBalancer instead of an Ingress.
Preparations:
You have an NGINX application deployed in the ACK cluster, which is exposed by a Service of type LoadBalancer. For more information, see Create a stateless workload (Deployment).
Procedure:
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click .
Select the namespace and the Service. In the list of Services, find the External IP. You can access the application by using an address in the format of
<SLB IP>:<Port>.After accessing the IP address, the Welcome to NGINX! page appears, indicating that the NGINX application is accessible.
Log on to the SLB console.
Configure an SSL certificate.
If you created the server certificate by using the
opensslcommand, you must upload the public key and private key as a certificate not issued by Alibaba Cloud. For more information, see Create a certificate.If you purchased a certificate from Alibaba Cloud, skip this step. For more information about how to create a certificate issued by Alibaba Cloud, see Create a certificate.
In the certificate list, find and record the ID of the target certificate.
Return to the Services page in the ACK console. Find the Service and click Update in the Actions column.
In the Update Service dialog box, add the following two annotations.
Important: Do not reuse the SLB instance that is associated with the cluster's API server. Otherwise, cluster access will become unavailable.
Annotation
Parameter
Value
Annotation 1
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port
https:443
Annotation 2
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id
${YOUR_CERT_ID}
NoteReplace ${YOUR_CERT_ID} with the certificate ID from Step 5.
You can also add the annotations by using a YAML file. The following code provides an example:
apiVersion: v1 kind: Service metadata: annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443" service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}" name: nginx namespace: default spec: ports: - name: https port: 443 protocol: TCP targetPort: 80 - name: http port: 80 protocol: TCP targetPort: 80 selector: run: nginx type: LoadBalancerNoteThe targetPort for HTTPS port 443 must be set to the HTTP port, 80.
Access the NGINX application over HTTPS. In the address bar of your browser, enter
https://<slb-instance-ip>.The browser displays the default Welcome to NGINX! page, indicating that the NGINX application is accessible at the SLB instance's IP address.
Configure a certificate in an Ingress
This method has the following characteristics:
Pros: You do not need to modify the SLB configuration. You can use an Ingress to manage the certificate for each application independently.
Use cases: This method is suitable when each application requires a separate certificate or when applications in the cluster require certificate-based access.
Preparations:
You have a Tomcat application deployed in the Kubernetes cluster. The application's Service is of type ClusterIP. In this example, you use an Ingress to expose the application over HTTPS. For more information, see Create a stateless workload (Deployment).
Procedure:
Run the following command to create a Secret from the prepared certificate.
NoteMake sure that you use a valid domain name. Otherwise, you may fail to access the application over HTTPS.
kubectl create secret tls secret-https --key tls.key --cert tls.crtLog on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click .
On the Ingresses page, click Create Ingress.
In the Create Ingress dialog box, configure an Ingress for HTTPS access and click OK.
For more information about how to configure an Ingress, see Create an Ingress. In this example, the following parameters are configured.
Name: Enter a name for the Ingress.
Domain Name: Enter the valid domain name that you configured. This must be the same as the domain name in your SSL certificate.
Service: Select the Service that corresponds to the Tomcat application. Set the port to 8080.
TLS Settings: Enable TLS and select the Secrets that you created.
You can also create an Ingress by using a YAML file. The following code provides an example:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: tomcat-https spec: tls: - hosts: - foo.bar.com secretName: secret-https rules: - host: foo.bar.com http: paths: - path: / pathType: Prefix backend: service: name: tomcat-svc port: number: 8080Return to the Ingress list to find the endpoint for the Ingress that you created. In this example, the endpoint corresponds to the domain name
foo.bar.com.NoteThis example uses
foo.bar.comas a test domain name. You must add a record to your local hosts file.47.110.119.203 foo.bar.com # The IP address is the endpoint of the Ingress.On the Ingresses page of the ACK console, you can find the IP address in the Endpoint column for the Ingress named tomcat-https.
In the address bar of your browser, enter
https://foo.bar.com.NoteBecause a TLS certificate is used, you must access the domain name over HTTPS. This example uses
foo.bar.comfor local resolution. In a production environment, you must use a domain name that has an ICP filing.When you access foo.bar.com in your browser, the default Apache Tomcat/8.5.34 welcome page is displayed. This indicates that the Ingress correctly routes traffic to the backend Tomcat Service. The Not Secure warning in the address bar indicates that the certificate is not trusted by the browser, or the connection is still over HTTP.