TLS encryption is one of the basic requirements of a secure system. Ambassador Edge Stack automatically enables TLS termination/HTTPS, making TLS encryption easy and centralizing TLS termination for all of your services in Kubernetes.
While this automatic certificate management in Ambassador Edge Stack helps simplify TLS configuration in your cluster, the open-source Emissary-ingress still requires that you provide your own certificate to enable TLS.
The following will walk you through the process of enabling TLS with a self-signed certificate created with the
Note: these instructions also work if you would like to provide your own certificate to Ambassador Edge Stack.
This guide requires you have the following installed:
We first need to create a listener to tell Emissary which port will be using the HTTPS protocol.
OpenSSL is a tool that allows us to create self-signed certificates for opening a TLS-encrypted connection. The openssl command below will create a certificate and private key pair that Ambassador Edge Stack can use for TLS.
Create a private key and certificate.
The above command will create a certificate and private key with the common name ambassador. Since this certificate is self-signed and only used for testing, the other information requested can be left blank.
cert.pem files were created
Ambassador Edge Stack dynamically loads TLS certificates by reading them from Kubernetes secrets. Use kubectl to create a tls secret to hold the pem files we created above.
Now that we have stored our certificate and private key in a Kubernetes secret tls-cert, we need to tell Ambassador Edge Stack to use this certificate for terminating TLS on a domain. A Host is used to tell Ambassador Edge Stack which certificate to use for TLS termination on a domain.
Create the following Host to have Ambassador Edge Stack use the Secret we created above for terminating TLS on all domains.
Note: If running multiple instances of Ambassador Edge Stack in one cluster, remember to include the ambassador_id property in the Host configured above with
Ambassador Edge Stack is now configured to listen for TLS traffic on port 8443 and terminate TLS using the self-signed certificate we created.
We can now send encrypted traffic over HTTPS.
First, make sure the Ambassador Edge Stack service is listening on port 443 and forwarding to port 8443. Verify this with kubectl.
If the output of the kubectl command is not similar to the example above, edit the Ambassador Edge Stack service to add the
After verifying Ambassador Edge Stack is listening on port 443, send a request to your backend service with curl:
Note: Since we are using a self-signed certificate, you must set the flag in curl to disable hostname validation.
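The whole procedure above (listener, self-signed certificate, TLS secret, Host, service check, curl test) as one script. This is an added example, not code from the Ambassador or Emissary documentation. It assumes the namespace and service name `ambassador`, the Listener and Host object names, the `/backend/` path, and the `AMBASSADOR_IP` variable, none of which the page states; the secret name `tls-cert` and common name `ambassador` are the page's own. It also adds two checks a practitioner wants before anything reaches the cluster: that the key and certificate actually belong together, and that the service maps 443 to 8443.

```shell
#!/bin/sh
# Added end-to-end example (not code from the Ambassador/Emissary docs).
# Assumed, not stated on the page: the namespace/service name "ambassador",
# the Listener and Host object names, BACKEND_PATH, and AMBASSADOR_IP.
AMBASSADOR_NS="${AMBASSADOR_NS:-ambassador}"
AMBASSADOR_SVC="${AMBASSADOR_SVC:-ambassador}"
SECRET_NAME="${SECRET_NAME:-tls-cert}"   # secret name used on the page
CERT_CN="${CERT_CN:-ambassador}"         # common name used on the page
BACKEND_PATH="${BACKEND_PATH:-/backend/}" # hypothetical backend route

# Listener: declares that port 8443 speaks HTTPS. securityModel XFP means a
# request counts as secure based on its X-Forwarded-Proto header.
listener_manifest() {
  cat <<EOF
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: ambassador-https-listener   # hypothetical name
  namespace: $AMBASSADOR_NS
spec:
  port: 8443
  protocol: HTTPS
  securityModel: XFP
  hostBinding:
    namespace:
      from: ALL
EOF
}

# Host: binds the TLS secret to every hostname ("*"); acmeProvider.authority
# is "none" because the certificate is self-signed, not ACME-issued.
# Pass an ambassador_id when several Ambassador instances share one cluster.
host_manifest() {
  ambassador_id="${1:-}"
  cat <<EOF
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: wildcard-host               # hypothetical name
  namespace: $AMBASSADOR_NS
spec:
  hostname: "*"
  acmeProvider:
    authority: none
  tlsSecret:
    name: $SECRET_NAME
EOF
  [ -z "$ambassador_id" ] || printf '  ambassador_id: ["%s"]\n' "$ambassador_id"
}

# Self-signed certificate and unencrypted private key (RSA 4096, 365 days).
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
    -keyout key.pem -out cert.pem -subj "/CN=$CERT_CN"
}

# Catch a key/cert mismatch before it reaches the cluster: the public key in
# the certificate must equal the public key derived from the private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Expect the service to map 443 -> 8443. Reads one "port:targetPort" per line,
# e.g. from:
#   kubectl get svc "$AMBASSADOR_SVC" -n "$AMBASSADOR_NS" \
#     -o jsonpath='{range .spec.ports[*]}{.port}:{.targetPort}{"\n"}{end}'
has_https_mapping() {
  grep -qx '443:8443'
}

# Touch a real cluster only when explicitly asked and the address is known;
# otherwise just print the manifests for review.
if [ "${RUN_AGAINST_CLUSTER:-0}" = 1 ] && [ -n "${AMBASSADOR_IP:-}" ]; then
  make_self_signed_cert
  cert_matches_key cert.pem key.pem || { echo "cert.pem and key.pem do not match" >&2; exit 1; }
  kubectl create secret tls "$SECRET_NAME" -n "$AMBASSADOR_NS" --cert=cert.pem --key=key.pem
  listener_manifest | kubectl apply -f -
  host_manifest "${AMBASSADOR_ID:-}" | kubectl apply -f -
  kubectl get svc "$AMBASSADOR_SVC" -n "$AMBASSADOR_NS" \
    -o jsonpath='{range .spec.ports[*]}{.port}:{.targetPort}{"\n"}{end}' \
    | has_https_mapping || echo "service does not map 443 -> 8443" >&2
  # -k skips certificate verification: acceptable only for this self-signed test.
  curl -Lk "https://$AMBASSADOR_IP$BACKEND_PATH"
else
  listener_manifest
  echo ---
  host_manifest
fi
```

Run it with `RUN_AGAINST_CLUSTER=1 AMBASSADOR_IP=<your ingress address> sh tls-setup.sh` once kubectl points at the right cluster; without those variables it only prints the two manifests. The cert/key pairing check is the one that saves the most time in practice: a mismatched pair is accepted by `kubectl create secret tls` but fails later inside the proxy.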
This guide walked you through how to enable basic TLS termination in Ambassador Edge Stack using a self-signed certificate for simplicity.
While a self-signed certificate is a simple and quick way to get Ambassador Edge Stack to terminate TLS, it should not be used by production systems. In order to serve HTTPS traffic without clients being shown a security warning, you will need to get a certificate from an official Certificate Authority like Let's Encrypt.
cert-manager provides a simple way to manage certificates from Let's Encrypt. See our documentation for more information on how to use cert-manager with Ambassador Edge Stack.
Ambassador Edge Stack exposes configuration for many more advanced options around TLS termination, origination, client certificate validation, and SNI support. See the full TLS reference for more information.