Ambassador can be configured to use a CA certificate you provide to validate the certificates sent by your clients. This enables client-side mTLS, where both Ambassador and the client present a certificate and validate the other side's.
To configure client certificate validation, create a secret holding your clients' CA certificate and set `ca_secret` to the name of that secret.

Create a secret to hold the client CA certificate (the PEM file must be stored under the key `tls.crt`):

```shell
kubectl create secret generic client-cacert --from-file=tls.crt=$CACERT_PATH
```

Configure Ambassador to use this certificate for client certificate validation:

```yaml
---
apiVersion: ambassador/v1
kind: TLSContext
name: tls
hosts: ["*"]
secret: ambassador-cert
ca_secret: client-cacert
```
Note: client certificate validation requires Ambassador to be configured to terminate TLS as well, by providing a `secret` with the TLS certificate used for termination.

Ambassador will now validate any certificate that a client presents against the CA in `client-cacert`.
By default, Ambassador still allows requests through that do not present a client certificate, so validation alone does not restrict access: a client that simply omits its certificate is admitted. To tell Ambassador to reject requests that fail to provide a certificate, set `cert_required: true` in the `TLSContext`:

```yaml
---
apiVersion: ambassador/v1
kind: TLSContext
name: tls
hosts: ["*"]
secret: ambassador-cert
ca_secret: client-cacert
cert_required: true
```
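As an added example (not from the Ambassador documentation or project), the script below builds a throwaway client CA with the openssl CLI, issues one client certificate from it and one from an unrelated CA, and checks each the way Ambassador will once `ca_secret` is set: a certificate either chains to the CA in `client-cacert` or it is rejected. It also covers the secret-creation step above, but only prints the `kubectl` command, so it runs without a cluster. The CA names, the client names alice and mallory, and the `WORKDIR` scratch directory are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: exercise the validation Ambassador performs against ca_secret
# using a locally generated client CA. Needs only the openssl CLI.
set -eu

WORKDIR="$(mktemp -d)"   # assumed scratch location for keys and certs

# Create a self-signed client CA in $1 with CN $2; its ca.crt is what goes into ca_secret.
make_client_ca() {
  local dir="$1" cn="$2"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 30 \
    -subj "/CN=$cn" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a client certificate named $2, signed by the CA living in $1.
issue_client_cert() {
  local dir="$1" name="$2"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
    -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$dir/$name.crt" 2>/dev/null
}

# Validate client cert $2 against CA file $1, the check Ambassador applies with
# ca_secret configured. Prints "ok" when the chain verifies, "rejected" otherwise.
verify_client_cert() {
  local ca="$1" cert="$2"
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# The kubectl command from the page, pointed at the generated CA; printed, not run.
print_secret_command() {
  echo "kubectl create secret generic client-cacert --from-file=tls.crt=$1"
}

# Trusted client CA and a client issued from it.
make_client_ca "$WORKDIR/trusted" "example-client-ca"
issue_client_cert "$WORKDIR/trusted" alice

# An unrelated CA and a client issued from it; Ambassador must not accept this one.
make_client_ca "$WORKDIR/rogue" "rogue-ca"
issue_client_cert "$WORKDIR/rogue" mallory

echo "alice   -> $(verify_client_cert "$WORKDIR/trusted/ca.crt" "$WORKDIR/trusted/alice.crt")"
echo "mallory -> $(verify_client_cert "$WORKDIR/trusted/ca.crt" "$WORKDIR/rogue/mallory.crt")"
print_secret_command "$WORKDIR/trusted/ca.crt"
```

To check the deployed gateway rather than the files, run the printed `kubectl` command, apply the `TLSContext`, and call Ambassador with `curl --cert alice.crt --key alice.key https://<host>/`: alice's certificate is accepted, mallory's is rejected in both modes, and a request with no `--cert`/`--key` at all goes through only while `cert_required` is left unset.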