I need to apply a certificate in the solution after the solution has been deployed. As Ambassador listens for changes to the TLS secret, I took this approach. After my application has been deployed, my Ambassador uses a default self-signed certificate. I updated that certificate with this command:
kubectl create secret tls ambassador-tls-secret \
--cert=/root/tls.crt --key=/root/tls.key --dry-run -o yaml |
kubectl apply -f -
My secret has now been updated, but my Ambassador still doesn't listen to the new secret. Is there something wrong with the way I have updated my secret?
You can configure Ambassador to terminate TLS with either a TLSContext or tls Module resource. To get either to simply terminate TLS using the secret you created, you can configure them like so.
tls Module:
---
apiVersion: ambassador/v1
kind: Module
name: tls
config:
server:
enabled: true
secret: ambassador-tls-secret
TLSContext:
---
apiVersion: ambassador/v1
kind: TLSContext
name: ambassador
secret: ambassador-tls-secret
hosts: ["*"]
After configuring either of these, Ambassador should notice the ambassador-tls-secret you created and use the certificates for TLS termination.
You can verify Ambassador has been configured correctly by checking the envoy.json configuration file in the Ambassador container:
kubectl exec -it {AMBASSADOR_POD_NAME} -- cat envoy/envoy.json
If Ambassador has been correctly configured, you should see an Envoy tls_context configured and the listener named ambassador-listener-8443, like below (excerpt):
      "tls_context": {
        "common_tls_context": {
          "tls_certificates": [
            {
              "certificate_chain": {
                "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.crt"
              },
              "private_key": {
                "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.key"
              }
            }
          ]
        }
      },
      "use_proxy_proto": false
    }
  ],
  "name": "ambassador-listener-8443"
If you do not, then Ambassador has rejected your config for some reason. Check the logs of the Ambassador container, ensure you have only a tls Module or TLSContext configured, check to see if service_port has been configured in an ambassador Module, and ensure you have the correct ambassador_id.