TLS Termination and Enabling HTTPS
TLS encryption is one of the basic requirements of having a secure system. Ambassador Edge Stack automatically enables TLS termination/HTTPs , making TLS encryption easy and centralizing TLS termination for all of your services in Kubernetes.
While this automatic certificate management in Ambassador Edge Stack helps simply TLS configuration in your cluster, the Open-Source Emissary still requires you provide your own certificate to enable TLS.
The following will walk you through the process of enabling TLS with a
self-signed certificate created with the openssl
utility.
Note these instructions also work if you would like to provide your own certificate to Ambassador Edge Stack.
Prerequisites
This guide requires you have the following installed:
Install Emissary
Install Emissary in Kubernetes.
Create a self-signed certificate
OpenSSL is a tool that allows us to create self-signed certificates for opening
a TLS encrypted connection. The openssl
command below will create a
create a certificate and private key pair that Emissary can use for TLS
termination.
-
Create a private key and certificate.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj '/CN=ambassador-cert' -nodes
The above command will create a certificate and private key with the common name
ambassador
. Since this certificate is self-signed and only used for testing, the other information requested can be left blank. -
Verify the
key.pem
andcert.pem
files were createdls *.pem cert.pem key.pem
Store the certificate and key in a Kubernetes Secret
Emissary dynamically loads TLS certificates by reading them from
Kubernetes secrets. Use kubectl
to create a tls
secret to hold the pem
files we created above.
kubectl create secret tls tls-cert --cert=cert.pem --key=key.pem
Tell Emissary to use this secret for TLS termination
Now that we have stored our certificate and private key in a Kubernetes secret
named tls-cert
, we need to tell Emissary to use this certificate
for terminating TLS on a domain. A Host
is used to tell Emissary which
certificate to use for TLS termination on a domain.
Create the following Host
to have Emissary use the Secret
we created
above for terminating TLS on all domains.
---
apiVersion: getambassador.io/v2
kind: Host
metadata:
name: wildcard-host
spec:
hostname: "*"
acmeProvider:
authority: none
tlsSecret:
name: tls-cert
selector:
matchLabels:
hostname: wildcard-host
Note: If running multiple instances of Emissary in one cluster remember to include ambassador_id property in the spec, must be an array of id(s).
Apply the Host
configured above with kubectl
:
kubectl apply -f wildcard-host.yaml
Emissary is now configured to listen for TLS traffic on port 8443
and
terminate TLS using the self-signed certificate we created.
Send a request Over HTTPS
We can now send encrypted traffic over HTTPS.
First, make sure the Emissary service is listening on 443
and forwarding
to port 8443
. Verify this with kubectl
:
kubectl get service ambassador -o yaml
apiVersion: v1
kind: Service
...
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8443
...
If the output to the kubectl
command is not similar to the example above,
edit the Emissary service to add the https
port.
After verifying Emissary is listening on port 443, send a request to your backend service with curl:
curl -Lk https://{{AMBASSADOR_IP}}/backend/
{
"server": "trim-kumquat-fccjxh8x",
"quote": "Abstraction is ever present.",
"time": "2019-07-24T16:36:56.7983516Z"
}
Note: Since we are using a self-signed certificate, you must set the -k
flag in curl to disable hostname validation.
Next steps
This guide walked you through how to enable basic TLS termination in Emissary using a self-signed certificate for simplicity.
Get a valid certificate from a certificate authority
While a self-signed certificate is a simple and quick way to get Emissary to terminate TLS, it should not be used by production systems. In order to serve HTTPS traffic without being returned a security warning, you will need to get a certificate from an official Certificate Authority like Let’s Encrypt.
With Emissary, this can be simply done by requesting a certificate using the built in ACME support
For the Open-Source API Gateway, Jetstack’s cert-manager
provides a simple
way to manage certificates from Let’s Encrypt. See our documentation for more
information on how to use cert-manager
with Emissary
.
Enable advanced TLS options
Emissary exposes configuration for many more advanced options around TLS termination, origination, client certificate validation, and SNI support. See the full TLS reference for more information.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.