
Update tls secret for Ambassador


You can configure Ambassador to terminate TLS with either a TLSContext or a tls Module resource. To have either one simply terminate TLS using the secret you created, configure it as follows:

tls Module:

---
apiVersion: ambassador/v1
kind: Module
name: tls
config:
  server:
    enabled: true
    secret: ambassador-tls-secret

TLSContext:

---
apiVersion: ambassador/v1
kind: TLSContext
name: ambassador
secret: ambassador-tls-secret
hosts: ["*"]

After configuring either of these, Ambassador should notice the ambassador-tls-secret you created and use its certificates for TLS termination.

You can verify that Ambassador has been configured correctly by checking the envoy.json configuration file in the Ambassador container:

kubectl exec -it {AMBASSADOR_POD_NAME} -- cat envoy/envoy.json

If Ambassador has been correctly configured, you should see an Envoy tls_context configured and the listener named ambassador-listener-8443 like below:

                        "tls_context": {
                            "common_tls_context": {
                                "tls_certificates": [
                                    {
                                        "certificate_chain": {
                                            "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.crt"
                                        },
                                        "private_key": {
                                            "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.key"
                                        }
                                    }
                                ]
                            }
                        },
                        "use_proxy_proto": false
                    }
                ],
                "name": "ambassador-listener-8443"

If you do not, then Ambassador has rejected your config for some reason. Check the logs of the Ambassador container, ensure you have only a tls Module or a TLSContext configured (not both), check whether service_port has been set in an ambassador Module, and ensure you have the correct ambassador_id.
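Reading the envoy.json fragment by eye is error-prone, so here is an added example (not from the Ambassador docs or project) that automates the check described above: it loads the envoy.json text you pulled out with kubectl exec, locates the listener named ambassador-listener-8443, and reports whether a tls_context with both a certificate chain and a private key file is attached to it. If the listener is missing it says so, which is the "Ambassador has rejected your config" case from the troubleshooting paragraph. The embedded sample envoy.json is constructed to mirror the fragment on the page; the listener layout and the EXAMPLE.crt/EXAMPLE.key filenames are assumptions, not values taken from a real pod.

```python
"""Check that envoy.json shows TLS termination on the 8443 listener.

Added example, not Ambassador's own tooling. Feed it the output of
    kubectl exec -it {AMBASSADOR_POD_NAME} -- cat envoy/envoy.json
saved to a file, or run it with no arguments to exercise the sample below.
"""
import json
import sys

LISTENER_NAME = "ambassador-listener-8443"  # listener name from the page

# Constructed sample: a minimal envoy.json with one TLS-terminating listener.
# The filenames are placeholders, not the hashes from a real snapshot directory.
SAMPLE_ENVOY_JSON = json.dumps({
    "listeners": [
        {
            "name": LISTENER_NAME,
            "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8443}},
            "filter_chains": [
                {
                    "filters": [],
                    "tls_context": {
                        "common_tls_context": {
                            "tls_certificates": [
                                {
                                    "certificate_chain": {"filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/EXAMPLE.crt"},
                                    "private_key": {"filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/EXAMPLE.key"},
                                }
                            ]
                        }
                    },
                    "use_proxy_proto": False,
                }
            ],
        }
    ]
})


def _walk(node):
    """Yield every dict nested anywhere inside node, depth-first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_listener(config, name=LISTENER_NAME):
    """Return the listener dict with the given name, or None if absent."""
    for d in _walk(config):
        if d.get("name") == name and ("filter_chains" in d or "address" in d):
            return d
    return None


def tls_certificates(listener):
    """Return (chain_file, key_file) pairs from every tls_context under the listener."""
    pairs = []
    for d in _walk(listener):
        ctx = d.get("tls_context")
        if not isinstance(ctx, dict):
            continue
        common = ctx.get("common_tls_context", {})
        for cert in common.get("tls_certificates", []):
            chain = cert.get("certificate_chain", {}).get("filename")
            key = cert.get("private_key", {}).get("filename")
            pairs.append((chain, key))
    return pairs


def check_tls_termination(envoy_json_text, name=LISTENER_NAME):
    """Describe whether TLS termination is configured on the named listener.

    'ok' is True only if the listener exists and every tls_certificates entry
    names both a certificate chain file and a private key file.
    """
    config = json.loads(envoy_json_text)
    listener = find_listener(config, name)
    if listener is None:
        return {"ok": False, "reason": f"listener {name!r} not found", "certs": []}
    certs = tls_certificates(listener)
    if not certs:
        return {"ok": False, "reason": "listener has no tls_context", "certs": []}
    if any(not (chain and key) for chain, key in certs):
        return {"ok": False, "reason": "tls_certificates entry missing chain or key", "certs": certs}
    return {"ok": True, "reason": "TLS termination configured", "certs": certs}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENVOY_JSON
    result = check_tls_termination(text)
    print(result["reason"])
    for chain, key in result["certs"]:
        print(f"  chain: {chain}\n  key:   {key}")
    sys.exit(0 if result["ok"] else 1)
```

Run it as `python check_tls.py envoy.json` after saving the kubectl exec output; a non-zero exit means the listener or its tls_context is missing, which is your cue to go through the log and Module/TLSContext checks above. The walker deliberately searches the whole listener subtree rather than hard-coding the filter_chains path, so it tolerates minor layout differences between Ambassador versions.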