DocsEdge Stack
3.10
Configuring Ambassador Edge Stack Communications
Configuring Ambassador Edge Stack Communications
For Ambassador Edge Stack to do its job of managing network communications for your services, it first needs to know how its own communications should be set up. This is handled by a combination of resources: the Listener, the Host, and the TLSContext.
- Listener: defines where, and how, Ambassador Edge Stack should listen for requests from the network.
- Host: defines which hostnames Ambassador Edge Stack should care about, and how to handle different kinds of requests for those hosts.- Hosts can be associated with one or more- Listeners.
- TLSContext: defines whether, and how, Ambassador Edge Stack will manage TLS certificates and options.- TLSContexts can be associated with one or more- Hosts.
Once the basic communications setup is in place, Ambassador Edge Stack Mappings and TCPMappings can be associated with Hosts to actually do routing.
A Note on TLS
TLS can appear intractable if you haven't set up certificates correctly. If you're having trouble with TLS, always check the logs of your Ambassador Edge Stack Pods and look for certificate errors.
Examples / Cookbook
Basic HTTP and HTTPS
A useful configuration is to support either HTTP or HTTPS, in this case on either port 8080 or port 8443. This
tends to make it as easy as possible to communicate with the services behind the Ambassador Edge Stack instance. It uses
two Listeners and at least one Host.
Listeners:
- Both - Listeners use- protocol: HTTPSto allow Envoy to inspect incoming connections, determine whether or not TLS is in play, and set- X-Forwarded-Protoappropriately. The- securityModelthen specifies that- X-Forwarded-Protowill determine whether requests will be considered secure or insecure.
- The - hostBindingshown here will allow any- Hostin the same namespace as the- Listeners to be associated with both- Listeners; in turn, that will allow access to that- Host's- Mappings from either port. For greater control, use a- selectorinstead.
- Note that the - Listeners do not specify anything about TLS certificates. The- Hosthandles that; see below.
Host
This example will assume that we expect to be reachable as foo.example.com, and that the foo.example.com
certificate is stored in the Kubernetes Secret named foo-secret:
- The tlsSecretspecifies the certificate in use for TLS termination.
- The requestPolicyspecifies routing HTTPS and redirecting HTTP to HTTPS.
- Since the Hostdoes not specify aselector, onlyMappings with ahostnamethat matchesfoo.example.comwill be associated with thisHost.
- Note well that simply defining a TLSContextis not sufficient to terminate TLS: you must define either aHostor anIngress.
- Note that if no Hostis present, but a TLS secret namedfallback-secretis available, the system will currently define aHostusingfallback-secret. This behavior is subject to change.
HTTP-Only
Another straightforward configuration is to support only HTTP, in this case on port 8080. This uses a single
Listener and a single Host:
- Here, we listen only on port 8080, and only for HTTP. HTTPS will be rejected.
- Since requests are only allowed using HTTP, we declare all requests INSECUREby definition.
- The Hostspecifies routing HTTP, rather than redirecting it.
TLS using ACME (Ambassador Edge Stack only)
This scenario uses ACME to get certificates for foo.example.com and bar.example.com. HTTPS traffic to either
host is routed; HTTP traffic to foo.example.com will be redirected to HTTPS, but HTTP traffic to bar.example.com
will be rejected outright.
Since this example uses ACME, it is only supported in Ambassador Edge Stack.
For demonstration purposes, we show this example listening for HTTPS on port 9999, using X-Forwarded-Proto.
(Mappings are not shown.)
- Our Listeners will accept HTTPS and HTTP on port 9999, and the protocol used will dictate whether the requests are secure (HTTPS) or insecure (HTTP).
- foo-hostdefaults to ACME with Let's Encrypt, since- acmeProvider.authorityis not provided.
- foo-hostdefaults to redirecting insecure requests, since the default for- requestPolicy.insecure.actionis- Redirect.
- bar-hostuses Let's Encrypt as well, but it will reject insecure requests.
If you use ACME for multiple Hosts, add a wildcard Host too. This is required to manage a known issue. This issue will be resolved in a future Ambassador Edge Stack release.
Multiple TLS Certificates
This scenario uses TLS without ACME. Each of our two Hosts uses a distinct TLS certificate. HTTPS
traffic to eitherfoo.example.com or bar.example.com is routed, but this time foo.example.com will redirect
HTTP requests, while bar.example.com will route them.
Since this example does not use ACME, it is supported in Ambassador Edge Stack as well as Ambassador Edge Stack.
For demonstration purposes, we show this example listening for HTTPS on port 4848, using X-Forwarded-Proto.
- foo-hostand- bar-hostsimply reference the- tlsSecretto use for termination.- If the secret involved contains a wildcard cert, or a cert with multiple SAN, both Hosts could reference the sametlsSecret.
 
- If the secret involved contains a wildcard cert, or a cert with multiple SAN, both 
- foo-hostrelies on the default insecure routing action of- Redirect.
- bar-hostmust explicitly specify routing HTTP.
Using a TLSContext
If you need to share other TLS settings between two Hosts, you can reference a TLSContext as well as
the tlsSecret. This is the same as the previous example, but we use a TLSContext to set ALPN information,
and we assume that the Secret contains a wildcard cert.
- Note that specifying the tlsSecretis still necessary, even whentlsContextis specified.
ACME With a TLSContext (Ambassador Edge Stack Only)
In Ambassador Edge Stack, you can use a TLSContext with ACME as well. This example is the same as "TLS using ACME",
but we use a TLSContext to set ALPN information. Again, ACME is only supported in Ambassador Edge Stack.
- Note that we don't provide the Secret: the ACME client will create it for us.
Using an L7 Load Balancer to Terminate TLS
In this scenario, a layer 7 load balancer ahead of Ambassador Edge Stack will terminate TLS, so Ambassador Edge Stack will always see HTTP with a known good X-Forwarded-Protocol. We'll use that to route HTTPS and redirect HTTP.
- We set l7Depthto 1 to indicate that there's a single trusted L7 load balancer ahead of us.
- We specifically set this Listener to HTTP-only, but we stick with port 8443 just because we expect people setting up TLS at all to expect to use port 8443. (There's nothing special about the port number, pick whatever you like.)
- Our Hostdoes not specify atlsSecret, so Ambassador Edge Stack will not try to terminate TLS.
- Since the Listenerstill pays attention toX-Forwarded-Proto, both secure and insecure requests are possible, and we use theHostto route HTTPS and redirect HTTP.
Using a Split L4 Load Balancer to Terminate TLS
Here, we assume that Ambassador Edge Stack is behind a load balancer setup that handles TLS at layer 4:
- Incoming cleartext traffic is forwarded to Ambassador Edge Stack on port 8080.
- Incoming TLS traffic is terminated at the load balancer, then forwarded to Ambassador Edge Stack as cleartext on port 8443.
- This might involve multiple L4 load balancers, but the actual number doesn't matter.
- The actual port numbers we use don't matter either, as long as Ambassador Edge Stack and the load balancer(s) agree on which port is for which traffic.
We're going to route HTTPS for both foo.example.com and bar.example.com, redirect HTTP for foo.example.com, and reject HTTP for bar.example.com.
- Since L4 load balancers cannot set X-Forwarded-Protocol, we don't use it at all here: instead, we dictate that 8080 and 8443 both speak cleartext HTTP, but everything arriving at port 8080 is insecure and everything at port 8443 is secure.
Listening on Multiple Ports
There's no reason you need to use ports 8080 and 8443, or that you're limited to two ports. Here we'll use ports 9001 and 9002 for HTTP, and port 4001 for HTTPS. We'll route traffic irrespective of protocol.
- We can use X-Forwarded-Protofor all ourListeners: the HTTP-onlyListeners will set it correctly.
- Each Listenercan specify only one port, but there's no hardcoded limit on the number ofListeners you can have.
Using Labels to Associate Hosts and Listeners
In the examples above, the Listeners all associate with any Host in their namespace. In this
example, we will use Kubernetes labels to control the association instead.
Here, we'll listen for HTTP to foo.example.com on port 8888, and for either HTTP or HTTPS to bar.example.com on
port 9999 (where we'll redirect HTTP to HTTPS). Traffic to baz.example.com will work on both ports, and we'll route
HTTP for it rather than redirecting.
- Note the labelson eachHost, which thehostBindingon theListenercan reference.- Note also that only label selectors are supported at the moment.
 
Wildcard Hosts and Mappings
In a Mapping, the host is now treated as a glob rather than an exact match, with the goal of vastly reducing the need for host_regex. (The hostname in a Host has always been treated as a glob).
- Note that only prefix and suffix matches are supported, so *.example.comandfoo.*are both fine, butfoo.*.comwill not work -- you'll need to usehost_regexif you really need that. (This is an Envoy limitation.)
In this example, we'll accept both HTTP and HTTPS, but:
- Cleartext traffic to any host in lowsec.example.comwill be routed.
- Cleartext traffic to any host in normal.example.comwill be redirected.
- Any other cleartext traffic will be rejected.
- We'll listen for HTTP or HTTPS on port 8443.
- The three Hosts apply different insecure routing actions depending on the hostname.
- You could also do this with host_regex, but usinghostwith globs will give better performance.- Being able to not associate a given Mappingwith a givenHostwhen theMapping'shostdoesn't match helps a lot when you have manyHosts.
- Reliably determining if a regex (for the Mapping) matches a glob (for theHost) isn't really possible, so we can't prunehost_regexMappings at all.
 
- Being able to not associate a given 
ON THIS PAGE