
TLS origination

Sometimes you may want traffic from Emissary-ingress to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Emissary-ingress can be configured to originate TLS connections to your upstream services.

Basic configuration

Telling Emissary-ingress to talk to your services over HTTPS is configured in the Mapping definition by prefixing the service field with https://:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: basic-tls
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
```

Advanced configuration using a TLSContext

If your upstream services require more than basic HTTPS support (for example, presenting a client certificate or enforcing a minimum TLS version), you must create a TLSContext for Emissary-ingress to use when originating TLS. For example:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: tls-context
spec:
  secret: self-signed-cert
  min_tls_version: v1.3
  sni: some-sni-hostname
```

Configure Emissary-ingress to use this TLSContext for connections to upstream services by setting the tls attribute of a Mapping:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: mapping-with-tls-context
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
  tls: tls-context
```

Because the TLSContext sets min_tls_version to v1.3, the example-service service must now support TLS 1.3 for Emissary-ingress to connect.
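The following added example (not Emissary-ingress's own code, which applies these settings through Envoy) models what the basic and TLSContext configurations above mean for the upstream connection. The manifests are constructed Python dicts mirroring the page's YAML; `origination_for` resolves a Mapping's `tls` reference to its TLSContext, `lint` flags the gaps a reviewer would want to see (an unresolved TLSContext, a plaintext upstream, a minimum version below TLS 1.2), and `ssl_context_for` translates the TLSContext into the equivalent client-side `ssl.SSLContext`. `probe_upstream` is a hypothetical check that uses that context against a reachable upstream to confirm it really negotiates TLS 1.3; it needs network access and is not exercised offline.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Constructed manifests mirroring the page's YAML examples (dicts so this
# runs without a YAML library).
MANIFESTS: List[dict] = [
    {"apiVersion": "getambassador.io/v3alpha1", "kind": "Mapping",
     "metadata": {"name": "basic-tls"},
     "spec": {"hostname": "*", "prefix": "/", "service": "https://example-service"}},
    {"apiVersion": "getambassador.io/v3alpha1", "kind": "TLSContext",
     "metadata": {"name": "tls-context"},
     "spec": {"secret": "self-signed-cert", "min_tls_version": "v1.3",
              "sni": "some-sni-hostname"}},
    {"apiVersion": "getambassador.io/v3alpha1", "kind": "Mapping",
     "metadata": {"name": "mapping-with-tls-context"},
     "spec": {"hostname": "*", "prefix": "/", "service": "https://example-service",
              "tls": "tls-context"}},
]

# TLSContext min_tls_version values mapped onto the ssl module's enum.
TLS_VERSIONS = {
    "v1.0": ssl.TLSVersion.TLSv1,
    "v1.1": ssl.TLSVersion.TLSv1_1,
    "v1.2": ssl.TLSVersion.TLSv1_2,
    "v1.3": ssl.TLSVersion.TLSv1_3,
}


def index_tls_contexts(manifests: List[dict]) -> Dict[str, dict]:
    """Map TLSContext name -> spec so Mapping.tls references can be resolved."""
    return {m["metadata"]["name"]: m["spec"] for m in manifests if m["kind"] == "TLSContext"}


def origination_for(mapping: dict, contexts: Dict[str, dict]) -> Optional[dict]:
    """Describe the upstream TLS connection a Mapping originates, or None when the
    service is plain HTTP and no TLSContext is attached."""
    spec = mapping["spec"]
    service = spec["service"]
    scheme, host = service.split("://", 1) if "://" in service else ("http", service)
    ctx_name = spec.get("tls")
    if ctx_name is None and scheme != "https":
        return None
    ctx: dict = {}
    if ctx_name is not None:
        if ctx_name not in contexts:
            raise ValueError(f"references unknown TLSContext {ctx_name!r}")
        ctx = contexts[ctx_name]
    return {
        "mapping": mapping["metadata"]["name"],
        "upstream": host,
        "tls_context": ctx_name,
        "min_tls_version": ctx.get("min_tls_version"),
        "sni": ctx.get("sni"),
        "client_cert_secret": ctx.get("secret"),  # Kubernetes Secret holding the client cert
    }


def lint(manifests: List[dict]) -> List[str]:
    """Return one finding per Mapping whose upstream TLS posture deserves a look."""
    findings = []
    contexts = index_tls_contexts(manifests)
    for m in (m for m in manifests if m["kind"] == "Mapping"):
        name = m["metadata"]["name"]
        try:
            o = origination_for(m, contexts)
        except ValueError as err:
            findings.append(f"{name}: {err}")
            continue
        if o is None:
            findings.append(f"{name}: plaintext upstream, no TLS originated")
        elif o["tls_context"] is None:
            findings.append(f"{name}: basic HTTPS origination, no TLSContext "
                            "(no client certificate, no explicit minimum version)")
        elif o["min_tls_version"] is not None and o["min_tls_version"] not in TLS_VERSIONS:
            findings.append(f"{name}: unknown min_tls_version {o['min_tls_version']!r}")
        elif o["min_tls_version"] in ("v1.0", "v1.1"):
            findings.append(f"{name}: min_tls_version {o['min_tls_version']} is below TLS 1.2")
    return findings


def ssl_context_for(origination: dict) -> ssl.SSLContext:
    """Client-side SSLContext carrying the same constraints as the TLSContext."""
    ctx = ssl.create_default_context()  # verifies the upstream's certificate chain
    if origination["min_tls_version"] is not None:
        ctx.minimum_version = TLS_VERSIONS[origination["min_tls_version"]]
    # A client certificate from the named Secret would be attached here with
    # ctx.load_cert_chain(certfile, keyfile) once extracted from the cluster.
    return ctx


def probe_upstream(origination: dict, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical check: connect with the TLSContext's constraints and return the
    negotiated protocol (e.g. 'TLSv1.3'). Requires a reachable upstream."""
    ctx = ssl_context_for(origination)
    sni = origination["sni"] or origination["upstream"]
    with socket.create_connection((origination["upstream"], port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.version()


if __name__ == "__main__":
    for line in lint(MANIFESTS):
        print(line)
```

Running the lint over the page's three manifests reports only the basic-tls Mapping, which originates HTTPS with no TLSContext; mapping-with-tls-context resolves to tls-context with TLS 1.3 as the floor, which is exactly the constraint `probe_upstream` would check against the real example-service.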