Update the TLS secret for Ambassador
You can configure Ambassador to terminate TLS with either a TLSContext or a tls Module resource. To have either of them simply terminate TLS using the secret you created, configure them as follows.

tls Module:

```yaml
---
apiVersion: ambassador/v1
kind: Module
name: tls
config:
  server:
    enabled: true
    secret: ambassador-tls-secret
```

TLSContext:

```yaml
---
apiVersion: ambassador/v1
kind: TLSContext
name: ambassador
secret: ambassador-tls-secret
hosts: ["*"]
```

Note that `hosts: ["*"]` makes this certificate the one served for any SNI hostname; if you run more than one TLSContext, narrow the list to the names the certificate actually covers.
After you apply either of these, Ambassador should notice the ambassador-tls-secret you created and use its certificate and key for TLS termination.
You can verify that Ambassador has been configured correctly by checking the envoy.json configuration file in the Ambassador container:

```shell
kubectl exec -it {AMBASSADOR_POD_NAME} -- cat envoy/envoy.json
```
If Ambassador has been configured correctly, you should see an Envoy tls_context on the listener named ambassador-listener-8443, as in this excerpt (the cert and key filenames are derived from the secret, so yours will differ):

```json
"tls_context": {
  "common_tls_context": {
    "tls_certificates": [
      {
        "certificate_chain": {
          "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.crt"
        },
        "private_key": {
          "filename": "/ambassador/snapshots/default/secrets-decoded/ambassador-certs/66877DCC8C7B7AF190D3510AE5B4BFC71FADB308.key"
        }
      }
    ]
  }
},
"use_proxy_proto": false
}
],
"name": "ambassador-listener-8443"
```
If you do not see it, Ambassador has rejected your config for some reason. Check the logs of the Ambassador container, make sure you have configured only one of the two (a tls Module or a TLSContext, not both), check whether service_port has been set in the ambassador Module, and make sure the resources carry the correct ambassador_id.