TLS encryption is one of the basic requirements of a secure system.
While this automatic certificate management in
The following will walk you through the process of enabling TLS with a self-signed certificate created with the `openssl` utility.
Note these instructions also work if you would like to provide your own certificate to
This guide requires that you have the following installed:
Install $productName$ in Kubernetes.
We first need to create a `Listener` to tell Emissary which port will accept HTTPS traffic:
```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: emissary-ingress-listener-8443
spec:
  port: 8443
  protocol: HTTPS
  securityModel: XFP
  hostBinding:
    namespace:
      from: ALL
```
OpenSSL is a tool that allows us to create self-signed certificates for opening a TLS-encrypted connection. The `openssl` command below will create a certificate and private key pair.
- Create a private key and certificate:

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj '/CN=ambassador-cert' -nodes
```

The above command creates a certificate and private key with the common name `ambassador-cert`. Because the subject is passed with `-subj`, openssl does not prompt for any other fields, and since this certificate is self-signed and only used for testing no other information is needed. Note that `-nodes` leaves the private key unencrypted on disk, that the certificate carries only a Common Name and no Subject Alternative Name, and that it is valid for 30 days, the `openssl req -x509` default when `-days` is not given.
- Verify the `key.pem` and `cert.pem` files were created:

```bash
ls *.pem
```

```
cert.pem key.pem
```
- Use `kubectl` to create a TLS Secret holding the PEM files we created above:

```bash
kubectl create secret tls tls-cert --cert=cert.pem --key=key.pem
```
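The steps above typed out as a script, as an added example that is not part of the $productName$ documentation or code base. It does the same work offline: generates a self-signed test certificate (this time with a Subject Alternative Name, which is what TLS clients match the hostname against), checks that the private key really belongs to the certificate, checks the SAN and the validity period, and renders the `kubernetes.io/tls` Secret that `kubectl create secret tls tls-cert ...` would create. The hostname `ambassador.test`, the 365-day validity and the working directory are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the $productName$ documentation or code base.
# Reproduces the openssl/kubectl steps of the guide offline: generate a
# self-signed test certificate that also carries a DNS SAN, confirm the key
# and certificate belong together, and render the TLS Secret manifest.
# Assumptions: hostname 'ambassador.test', Secret name 'tls-cert' and a
# 365-day validity are illustrative choices, not values from the guide.
set -eu

# make_test_cert DIR HOSTNAME DAYS
#   Writes DIR/key.pem and DIR/cert.pem. A small config file is used instead
#   of a bare '-subj /CN=...' so the certificate also gets a subjectAltName.
#   '-nodes' leaves the key unencrypted; acceptable only for a test key.
make_test_cert() {
  local dir=$1 host=$2 days=$3
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -config "$dir/openssl.cnf" 2>/dev/null
}

# key_matches_cert KEY CERT
#   Both commands print the SubjectPublicKeyInfo as PEM, so the key belongs
#   to the certificate exactly when the two outputs are identical. Catching a
#   mismatch here is cheaper than debugging a failed TLS handshake later.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# cert_has_san CERT HOSTNAME: succeeds if CERT lists HOSTNAME as a DNS SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeeds if CERT will not expire within DAYS.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# tls_secret_manifest NAME KEY CERT
#   Renders the Secret that `kubectl create secret tls NAME --cert=CERT
#   --key=KEY` would create. The key is only base64-encoded, not encrypted:
#   treat the output as a secret and do not commit it to a repository.
tls_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$1" "$(base64 < "$3" | tr -d '\n')" "$(base64 < "$2" | tr -d '\n')"
}

# Stand-alone run: everything is written to a temporary directory.
main() {
  local dir
  dir=$(mktemp -d)
  make_test_cert "$dir" ambassador.test 365
  key_matches_cert "$dir/key.pem" "$dir/cert.pem"
  cert_has_san "$dir/cert.pem" ambassador.test
  cert_valid_for_days "$dir/cert.pem" 300
  tls_secret_manifest tls-cert "$dir/key.pem" "$dir/cert.pem" > "$dir/tls-cert-secret.yaml"
  echo "certificate, key and Secret manifest written to $dir"
}

main "$@"
```

Because the certificate now names the host in a SAN, the later `curl -k` can be replaced with real verification against the generated certificate, for example `curl --cacert cert.pem --resolve 'ambassador.test:443:<load balancer IP>' https://ambassador.test/backend/`, which checks both the chain and the hostname instead of turning verification off.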
Now that we have stored our certificate and private key in a Kubernetes Secret named `tls-cert`, we need to tell $productName$ to use it. A `Host` resource tells $productName$ how to handle TLS for the hostnames it matches. Create the following `Host` to have $productName$ use the Secret we created above for terminating TLS on all domains. Note that `hostname: "*"` matches every hostname, which is convenient for a test setup; in production, scope each `Host` to the names the certificate actually covers.
```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: wildcard-host
spec:
  hostname: "*"
  acmeProvider:
    authority: none
  tlsSecret:
    name: tls-cert
  selector:
    matchLabels:
      hostname: wildcard-host
```
Note: If you are running multiple instances of $productName$, set the `ambassador_id` property in the `spec` so the `Host` is picked up by the intended instance, e.g.:
```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: wildcard-host
spec:
  ambassador_id: [ "my_id" ]
  ...
```
Apply the `Host` configured above with `kubectl`:

```bash
kubectl apply -f wildcard-host.yaml
```
$productName$ is now configured to listen for HTTPS traffic on port 8443 and terminate TLS using the self-signed certificate we created.
We can now send encrypted traffic over HTTPS.
First, make sure the $productName$ Service is listening on port 443 and forwarding to port 8443. Verify this with `kubectl`:
```bash
kubectl get service ambassador -o yaml
```

```yaml
apiVersion: v1
kind: Service
...
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
...
```
If the output of the `kubectl` command is not similar to the example above, edit the Service so that the `https` port 443 targets port 8443.
After verifying the Service, send a request to the backend over HTTPS with curl:

```bash
curl -Lk https://{{AMBASSADOR_IP}}/backend/
```

```json
{
  "server": "trim-kumquat-fccjxh8x",
  "quote": "Abstraction is ever present.",
  "time": "2019-07-24T16:36:56.7983516Z"
}
```
Note: Since we are using a self-signed certificate, you must pass the `-k` flag to curl. This disables certificate verification entirely, both the trust-chain check and the hostname check, so curl would accept any certificate the server presented; use it only against test deployments.
This guide walked you through how to enable basic TLS termination in $productName$. While a self-signed certificate is a simple and quick way to get started, it is not trusted by clients, so production deployments should use certificates issued by a trusted CA. Jetstack's cert-manager provides a simple way to manage certificates from Let's Encrypt. See our documentation for more information on how to use cert-manager with $productName$.