TLS Origination

Sometimes you may want traffic from Emissary to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Emissary can be configured to originate TLS connections to your upstream services.

Basic configuration

Telling Emissary to talk to your services over HTTPS is easily configured in the Mapping definition by setting https:// in the service field.

---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: basic-tls
spec:
  hostname: "*"
  prefix: /
  service: https://example-service

Advanced configuration using a TLSContext

If your upstream services require more than basic HTTPS support (for example, providing a client certificate or setting the minimum TLS version support) you must create a TLSContext for Emissary to use when originating TLS. For example:

---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: tls-context
spec:
  secret: self-signed-cert
  min_tls_version: v1.3
  sni: some-sni-hostname

Configure Emissary to use this TLSContext for connections to upstream services by setting the tls attribute of a Mapping:

---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: mapping-with-tls-context
spec:
  hostname: "*"
  prefix: /
  service: https://example-service
  tls: tls-context

The example-service service must now support TLS v1.3 for Emissary to connect.