Update tls secret for Ambassador

6/20/2019

I need to apply a certificate in the solution after the solution has been deployed. As Ambassador listens for changes in the TLS secret, I took this approach. After my application has been deployed, my Ambassador uses a default self-signed certificate. I updated that certificate with this command:

kubectl create secret tls ambassador-tls-secret \
     --cert=/root/tls.crt --key=/root/tls.key  --dry-run -o yaml | 
  kubectl apply -f -

My secret has now been updated, but my Ambassador still doesn't listen to the new secret. Is there something wrong with the way I have updated my secret?

-- Avinash Kumar
ambassador
kubectl
kubernetes

1 Answer

6/20/2019

You can configure Ambassador to terminate TLS with either a TLSContext or a tls Module resource. To get either to simply terminate TLS using the secret you created, you can configure them like this:

tls Module:

---
apiVersion: ambassador/v1
kind: Module
name: tls
config:
  server:
    enabled: true
    secret: ambassador-tls-secret

TLSContext:

---
apiVersion: ambassador/v1
kind: TLSContext
name: ambassador
secret: ambassador-tls-secret
hosts: ["*"]

After configuring either of these, Ambassador should notice the ambassador-tls-secret you created and use the certificates for TLS termination.

You can verify Ambassador has been configured correctly by checking the envoy.json configuration file in the Ambassador container:

kubectl exec -it {AMBASSADOR_POD_NAME} -- cat envoy/envoy.json

If Ambassador has been correctly configured, you should see an Envoy tls_context configured and the listener named ambassador-listener-8443 like below:

                        "tls_context": {
                            "common_tls_context": {
                                "tls_certificates": [
                                    {
                                        "certificate_chain": {
                                            "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.crt"
                                        },
                                        "private_key": {
                                            "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.key"
                                        }
                                    }
                                ]
                            }
                        },
                        "use_proxy_proto": false
                    }
                ],
                "name": "ambassador-listener-8443"

If you do not, then Ambassador has rejected your config for some reason. Check the logs of the Ambassador container, ensure you have only a tls Module or TLSContext configured, check to see if service_port has been configured in an ambassador Module, and ensure you have the correct ambassador_id.

-- Noah Krause
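As an added check, not code from the answer or from the Ambassador project: this script walks the envoy.json that `kubectl exec ... cat envoy/envoy.json` prints and reports the certificate and key files wired into the tls_context under ambassador-listener-8443, so an empty result means Ambassador rejected the config instead of picking up the secret. The embedded sample is constructed to mirror the excerpt in the answer, and the fingerprint file name is a placeholder; the walker handles any nesting depth rather than only the quoted shape.

```python
import json
import sys

# Constructed sample shaped like the envoy.json excerpt quoted in the answer;
# the certificate file name is a placeholder, not a real fingerprint.
CERT_DIR = "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/"
SAMPLE_ENVOY_JSON = json.dumps({
    "listeners": [{
        "filter_chains": [{
            "filters": [{"name": "envoy.http_connection_manager"}],
            "tls_context": {"common_tls_context": {"tls_certificates": [{
                "certificate_chain": {"filename": CERT_DIR + "PLACEHOLDER_FINGERPRINT.crt"},
                "private_key": {"filename": CERT_DIR + "PLACEHOLDER_FINGERPRINT.key"},
            }]}},
            "use_proxy_proto": False,
        }],
        "name": "ambassador-listener-8443",
    }]
})

def _walk(node):
    """Yield every dict reachable from node, depth first, whatever the nesting."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def tls_certs_for_listener(envoy_json, listener_name="ambassador-listener-8443"):
    """Return [(cert_path, key_path), ...] from tls_context blocks under the named
    listener; [] means Ambassador is not terminating TLS there (config rejected)."""
    pairs = []
    for listener in _walk(json.loads(envoy_json)):
        if listener.get("name") != listener_name or "filter_chains" not in listener:
            continue
        for block in _walk(listener["filter_chains"]):
            common = block.get("tls_context", {}).get("common_tls_context", {})
            for tc in common.get("tls_certificates", []):
                cert = tc.get("certificate_chain", {}).get("filename")
                key = tc.get("private_key", {}).get("filename")
                if cert and key:
                    pairs.append((cert, key))
    return pairs

if __name__ == "__main__":  # usage: kubectl exec <pod> -- cat envoy/envoy.json | python3 check_tls.py
    found = tls_certs_for_listener(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENVOY_JSON)
    print(found)
    sys.exit(0 if found else "no tls_context under ambassador-listener-8443: check the Ambassador logs")
```

Run without piped input it checks the constructed sample; with real output piped in, a non-zero exit status is the signal to go look at the Ambassador container logs.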
Source: StackOverflow