Sometimes you may want traffic from Emissary-ingress to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Emissary-ingress can be configured to originate TLS connections to your upstream services.
Telling Emissary-ingress to talk to your services over HTTPS is easily configured in the Mapping definition by setting https:// in the service field:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: basic-tls
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
```
If your upstream services require more than basic HTTPS support (for example, providing a client certificate or setting the minimum supported TLS version), you must create a TLSContext for Emissary-ingress to use when originating TLS. For example:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: tls-context
spec:
  secret: self-signed-cert
  min_tls_version: v1.3
  sni: some-sni-hostname
```
Configure Emissary-ingress to use this TLSContext for connections to upstream services by setting the tls attribute of a Mapping:

```yaml
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: mapping-with-tls-context
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
  tls: tls-context
```
The example-service service must now support TLS v1.3 for Emissary-ingress to connect.
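A Mapping whose tls attribute names a TLSContext that does not exist, or a Mapping that never asks for HTTPS at all, is easy to miss in review. The following lint is an added example, not part of Emissary-ingress: it takes manifests already loaded as Python dicts and reports Mappings that reach the upstream in cleartext, reference an undefined TLSContext, or use a context whose min_tls_version is below a floor. The `v1.2` floor, the name-only context lookup (namespaces ignored) and the `plain-http`, `typo`, `legacy` and `legacy-context` manifests are assumptions constructed for illustration.

```python
# Added example: lint Emissary-ingress manifests for TLS-origination mistakes.
TLS_ORDER = ["v1.0", "v1.1", "v1.2", "v1.3"]
POLICY_FLOOR = "v1.2"  # assumption: a local policy choice, not an Emissary default


def lint_origination(manifests, floor=POLICY_FLOOR):
    """Return a sorted list of (mapping_name, finding) tuples."""
    # Assumption: contexts are matched by name only; namespaces are ignored.
    contexts = {m["metadata"]["name"]: m.get("spec", {})
                for m in manifests if m.get("kind") == "TLSContext"}
    findings = []
    for m in manifests:
        if m.get("kind") != "Mapping":
            continue
        name, spec = m["metadata"]["name"], m.get("spec", {})
        service, tls = str(spec.get("service", "")), spec.get("tls")
        if not service.startswith("https://") and not tls:
            findings.append((name, "cleartext to upstream"))
        elif not tls or tls is True:
            continue  # basic HTTPS: no TLSContext, so nothing further to check
        elif tls not in contexts:
            findings.append((name, f"unknown TLSContext '{tls}'"))
        else:
            min_v = contexts[tls].get("min_tls_version")
            if min_v not in TLS_ORDER:
                findings.append((name, f"TLSContext '{tls}' sets no min_tls_version"))
            elif TLS_ORDER.index(min_v) < TLS_ORDER.index(floor):
                findings.append((name, f"min_tls_version {min_v} below {floor}"))
    return sorted(findings)


def _m(kind, name, **spec):
    """Build a manifest dict shaped like a parsed YAML document."""
    return {"apiVersion": "getambassador.io/v3alpha1", "kind": kind,
            "metadata": {"name": name}, "spec": spec}


# The first, third and fourth entries mirror the page; the rest are constructed.
SAMPLE = [
    _m("TLSContext", "tls-context", secret="self-signed-cert",
       min_tls_version="v1.3", sni="some-sni-hostname"),
    _m("TLSContext", "legacy-context", min_tls_version="v1.0"),
    _m("Mapping", "basic-tls", service="https://example-service"),
    _m("Mapping", "mapping-with-tls-context",
       service="https://example-service", tls="tls-context"),
    _m("Mapping", "plain-http", service="http://example-service"),
    _m("Mapping", "typo", service="https://example-service", tls="tls-contxt"),
    _m("Mapping", "legacy", service="https://example-service", tls="legacy-context"),
]

if __name__ == "__main__":
    for mapping, finding in lint_origination(SAMPLE):
        print(f"{mapping}: {finding}")
```

The two Mappings taken from this page produce no findings; only the constructed ones are reported.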