K
Q

Update tls secret for Ambassador

6/20/2019

I need to apply certificate in the solution after the solution has been deployed.As ambassador listen to the change in tls secret I took this approach.After my application has been deployed my ambassador uses a default self signed certificate.I updated that certificate with this command

kubectl create secret tls ambassador-tls-secret \
     --cert=/root/tls.crt --key=/root/tls.key  --dry-run -o yaml | 
  kubectl apply -f -

My secret has now been updated but my Ambassador still doesnt listen to the new secret. Is there something wrong with the way I have updated my secret ?

-- Avinash Kumar
ambassador
kubectl
kubernetes

Similar Questions

How to use environment variable in kubernetes container command?
Ingress doesn't redirect to my service after AppID on IKS
How to detect which pod makes network request in k8s?
Write to Secret file in pod

1 Answer

6/20/2019

You can configure Ambassador to terminate TLS with either a TLSContext or tls Module resource. To get either to simply terminate TLS using the secret you created, you can configure them like

tls Module:

---
apiVersion: ambassador/v1
kind: Module
name: tls
config:
  server:
    enabled: true
    secret: ambassador-tls-secret

TLSContext:

---
apiVersion: ambassador/v1
kind: TLSContext
name: ambassador
secret: ambassador-tls-secret
hosts: ["*"]

After configuring either of these, Ambassador should notice the ambassador-tls-secret you created and use the certificates for tls termination.

You can verify Ambassador has been configured correctly by checking the envoy.json configuration file in the Ambassador container

kubectl exec -it {AMBASSADOR_POD_NAME} -- cat envoy/envoy.json

If Ambassador has been correctly configured, you should see an Envoy tls_context configured and the listener named ambassador-listener-8443 like below:

                        "tls_context": {
                            "common_tls_context": {
                                "tls_certificates": [
                                    {
                                        "certificate_chain": {
                                            "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.crt"
                                        },
                                        "private_key": {
                                            "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.key"
                                        }
                                    }
                                ]
                            }
                        },
                        "use_proxy_proto": false
                    }
                ],
                "name": "ambassador-listener-8443"

If you do not, then Ambassador has rejected your config for some reason. Check the logs of the Ambassador container, ensure you have only a tls Module or TLSContext configured, check to see if service_port has been configured in an ambassador Module, and ensure you have the correct ambassador_id.

-- Noah Krause
Source: StackOverflow