Describe the bug
The tls termination does not work. Using curl or opening the browser only returns a "Connection refused".
To Reproduce
Use any version above: 0.40.2.
0.40.2 is the last version which works for me.
Tested versions:
0.50.0
0.50.2
0.50.0-rc1
0.50.0-rc2 (as suggested here: https://github.com/datawire/ambassador/issues/1070)
Expected behavior
TLS termination should work.
Versions (please complete the following information):
Running kubernetes on 1.11.6-gke.2 in google cloud.
Additional context
Cert is successfully loaded, (debug) logs doesn't show any helpful information.
I suspect the issue is your configuration (which isn't shared here). We've had many users who have successfully used TLS in 0.50.x.
@richarddli It's almost the basic one.
Here you go:
apiVersion: v1
kind: Service
metadata:
labels:
service: ambassador-admin
name: ambassador-admin
namespace: development
spec:
type: NodePort
ports:
- name: ambassador-admin
port: 8877
targetPort: 8877
selector:
service: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: ambassador
namespace: development
rules:
- apiGroups: [""]
resources:
- services
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["create", "update", "patch", "get", "list", "watch"]
- apiGroups: [""]
resources:
- secrets
verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ambassador
namespace: development
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: ambassador
namespace: development
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ambassador
subjects:
- kind: ServiceAccount
name: ambassador
namespace: development
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ambassador
namespace: development
spec:
replicas: 1
template:
metadata:
namespace: development
annotations:
sidecar.istio.io/inject: "false"
"consul.hashicorp.com/connect-inject": "false"
labels:
service: ambassador
spec:
serviceAccountName: ambassador
containers:
- name: ambassador
image: quay.io/datawire/ambassador:0.50.1
resources:
limits:
cpu: 1
memory: 400Mi
requests:
cpu: 200m
memory: 100Mi
env:
- name: AMBASSADOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: admin
containerPort: 8877
livenessProbe:
httpGet:
path: /ambassador/v0/check_alive
port: 8877
initialDelaySeconds: 30
periodSeconds: 3
readinessProbe:
httpGet:
path: /ambassador/v0/check_ready
port: 8877
initialDelaySeconds: 30
periodSeconds: 3
- name: statsd-sink
image: datawire/prom-statsd-exporter:0.6.0
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
service: ambassador
name: ambassador
namespace: development
annotations:
getambassador.io/config: |
---
apiVersion: ambassador/v0
kind: Module
name: tls
config:
server:
enabled: True
redirect_cleartext_from: 80
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: https
selector:
service: ambassador
@psychonetic well of course it doesn't work - you haven't told ambassador what secret to use!
The annotations for your LoadBalancer Service needs a secret key:
apiVersion: ambassador/v0
kind: Module
name: tls
config:
server:
enabled: True
secret: MY_TLS_SECRET_NAME
redirect_cleartext_from: 80
fwiw, tls works fine for me in a number of clusters!
@erulabs As mentioned in the documentation there is no need to specify the secret:
https://www.getambassador.io/user-guide/tls-termination/#tls-termination
I am using the default ambassador secret. I can also see that the secret is successfully loaded. But I already mentioned that above.
@psychonetic The changelog release notes for the 0.50 branch state that you need to explicitly specify the secret in an annotation, as mentioned above.
https://github.com/datawire/ambassador/blob/master/CHANGELOG.md
This is a documentation discrepancy that should be addressed.
@MeanderingCode thanks for flagging the doc issue; I just pushed an update to the TLS docs.
Most helpful comment
@MeanderingCode thanks for flagging the doc issue; I just pushed an update to the TLS docs.