Ambassador: SSL TLS Termination does not work

Created on 17 Feb 2019  路  6Comments  路  Source: datawire/ambassador

Describe the bug

The tls termination does not work. Using curl or opening the browser only returns a "Connection refused".

To Reproduce
Use any version above: 0.40.2.
0.40.2 is the last version which works for me.
Tested versions:
0.50.0
0.50.2
0.50.0-rc1
0.50.0-rc2 (as suggested here: https://github.com/datawire/ambassador/issues/1070)

Expected behavior
TLS termination should work.

Versions (please complete the following information):
Running kubernetes on 1.11.6-gke.2 in google cloud.

Additional context
Cert is successfully loaded, (debug) logs doesn't show any helpful information.

Most helpful comment

@MeanderingCode thanks for flagging the doc issue; I just pushed an update to the TLS docs.

All 6 comments

I suspect the issue is your configuration (which isn't shared here). We've had many users who have successfully used TLS in 0.50.x.

@richarddli It's almost the basic one.
Here you go:

apiVersion: v1
kind: Service
metadata:
  labels:
    service: ambassador-admin
  name: ambassador-admin
  namespace: development
spec:
  type: NodePort
  ports:
  - name: ambassador-admin
    port: 8877
    targetPort: 8877
  selector:
    service: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ambassador
  namespace: development
rules:
- apiGroups: [""]
  resources:
  - services
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
  - configmaps
  verbs: ["create", "update", "patch", "get", "list", "watch"]
- apiGroups: [""]
  resources:
  - secrets
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ambassador
  namespace: development
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ambassador
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ambassador
subjects:
- kind: ServiceAccount
  name: ambassador
  namespace: development
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: ambassador
  namespace: development
spec:
  replicas: 1
  template:
    metadata:
      namespace: development
      annotations:
        sidecar.istio.io/inject: "false"
        "consul.hashicorp.com/connect-inject": "false"
      labels:
        service: ambassador
    spec:
      serviceAccountName: ambassador
      containers:
      - name: ambassador
        image: quay.io/datawire/ambassador:0.50.1
        resources:
          limits:
            cpu: 1
            memory: 400Mi
          requests:
            cpu: 200m
            memory: 100Mi
        env:
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8877
        livenessProbe:
          httpGet:
            path: /ambassador/v0/check_alive
            port: 8877
          initialDelaySeconds: 30
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /ambassador/v0/check_ready
            port: 8877
          initialDelaySeconds: 30
          periodSeconds: 3
      - name: statsd-sink
        image: datawire/prom-statsd-exporter:0.6.0
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    service: ambassador
  name: ambassador
  namespace: development
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Module
      name: tls
      config:
        server:
          enabled: True
          redirect_cleartext_from: 80
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: https
  selector:
    service: ambassador

@psychonetic well of course it doesn't work - you haven't told ambassador what secret to use!

The annotations for your LoadBalancer Service needs a secret key:

      apiVersion: ambassador/v0
      kind: Module
      name: tls
      config:
        server:
          enabled: True
          secret: MY_TLS_SECRET_NAME
          redirect_cleartext_from: 80

fwiw, tls works fine for me in a number of clusters!

@erulabs As mentioned in the documentation there is no need to specify the secret:
https://www.getambassador.io/user-guide/tls-termination/#tls-termination

I am using the default ambassador secret. I can also see that the secret is successfully loaded. But I already mentioned that above.

@psychonetic The changelog release notes for the 0.50 branch state that you need to explicitly specify the secret in an annotation, as mentioned above.

https://github.com/datawire/ambassador/blob/master/CHANGELOG.md

This is a documentation discrepancy that should be addressed.

@MeanderingCode thanks for flagging the doc issue; I just pushed an update to the TLS docs.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ppeble picture ppeble  路  3Comments

klarose picture klarose  路  5Comments

kfkawalec picture kfkawalec  路  6Comments

caiobegotti picture caiobegotti  路  4Comments

vishal-yadav picture vishal-yadav  路  4Comments