Sometimes you may want traffic from Ambassador Edge Stack to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Ambassador Edge Stack can be configured to originate TLS connections to your upstream services.
Telling Ambassador Edge Stack to talk to your services over HTTPS is easily configured in the `Mapping` definition by setting `https://` in the `service` field:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: basic-tls
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
```
If your upstream services require more than basic HTTPS support (for example, providing a client certificate or setting the minimum supported TLS version), you must create a `TLSContext` for Ambassador Edge Stack to use when originating TLS. For example:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: tls-context
spec:
  secret: self-signed-cert
  min_tls_version: v1.3
  sni: some-sni-hostname
```
Configure Ambassador Edge Stack to use this `TLSContext` for connections to upstream services by setting the `tls` attribute of a `Mapping`:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: mapping-with-tls-context
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
  tls: tls-context
```
The `example-service` service must now support TLS v1.3 for Ambassador Edge Stack to connect.
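
To check a cluster's configuration against the settings described above, the following added example (not part of the Ambassador Edge Stack documentation or code) audits `Mapping` and `TLSContext` objects exported as JSON, such as the `items` list from `kubectl get -o json`. The function name, the `v1.2` policy floor, the single-namespace lookup and the three problem resources in the sample are assumptions made for the example.

```python
TLS_VERSIONS = ["v1.0", "v1.1", "v1.2", "v1.3"]  # min_tls_version values, oldest first


def audit_upstream_tls(items, floor="v1.2"):
    """Return sorted (mapping_name, finding) tuples for upstream TLS gaps.

    Assumptions of this example: all objects share one namespace, and `floor`
    is a policy choice of the auditor, not an Ambassador default.
    """
    acceptable = TLS_VERSIONS[TLS_VERSIONS.index(floor):]
    contexts = {i["metadata"]["name"]: i.get("spec", {})
                for i in items if i.get("kind") == "TLSContext"}
    findings = []
    for item in items:
        if item.get("kind") != "Mapping":
            continue
        name, spec = item["metadata"]["name"], item.get("spec", {})
        tls = spec.get("tls")
        # Treated here as originating TLS: an https:// service URL or a set `tls`.
        if not str(spec.get("service", "")).startswith("https://") and not tls:
            findings.append((name, "upstream connection is plaintext"))
        if isinstance(tls, str):
            ctx = contexts.get(tls)
            if ctx is None:
                findings.append((name, f"TLSContext {tls!r} not found"))
            elif ctx.get("min_tls_version") not in acceptable:
                findings.append((name, f"TLSContext {tls!r} sets no min_tls_version >= {floor}"))
    return sorted(findings)


def _obj(kind, name, **spec):
    """Build a minimal resource dict (helper for the constructed sample)."""
    return {"kind": kind, "metadata": {"name": name}, "spec": spec}


# Constructed sample: the page's resources plus three hypothetical problem cases.
SAMPLE = [
    _obj("TLSContext", "tls-context", secret="self-signed-cert",
         min_tls_version="v1.3", sni="some-sni-hostname"),
    _obj("TLSContext", "legacy-context", secret="self-signed-cert"),
    _obj("Mapping", "basic-tls", prefix="/", service="https://example-service"),
    _obj("Mapping", "mapping-with-tls-context", prefix="/",
         service="https://example-service", tls="tls-context"),
    _obj("Mapping", "plain", prefix="/plain/", service="http://example-service"),
    _obj("Mapping", "legacy", prefix="/legacy/",
         service="https://example-service", tls="legacy-context"),
    _obj("Mapping", "dangling", prefix="/d/",
         service="https://example-service", tls="missing-context"),
]

if __name__ == "__main__":
    for name, finding in audit_upstream_tls(SAMPLE):
        print(f"{name}: {finding}")
```

The two Mappings taken from this page produce no findings; only the constructed `plain`, `legacy` and `dangling` Mappings are reported.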