TLS origination

Sometimes you may want traffic from Emissary-ingress to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Emissary-ingress can be configured to originate TLS connections to your upstream services.

Basic configuration

Telling Emissary-ingress to talk to your services over HTTPS is easily configured in the Mapping definition by setting https:// in the service field.

Advanced configuration using a `TLSContext`

If your upstream services require more than basic HTTPS support (for example, providing a client certificate or setting the minimum TLS version support) you must create a TLSContext for Emissary-ingress to use when originating TLS. For example:

The Kubernetes Secret named by secret must contain a valid TLS certificate. If the environment variable AMBASSADOR_FORCE_SECRET_VALIDATION is set and the Secret contains an invalid certificate, Emissary-ingress will reject the TLSContext and prevent its use; see Certificates and Secrets in the TLS overview.

Configure Emissary-ingress to use this TLSContext for connections to upstream services by setting the tls attribute of a Mapping:

The example-service service must now support TLS v1.3 for Emissary-ingress to connect.

A TLSContext requires a certificate be provided, even in cases where the upstream service does not require it (for origination) and the TLSContext is not being used to terminate TLS. In this case, simply generate and provide a self-signed certificate.

ON THIS PAGE

Basic configuration
Advanced configuration using a TLSContext

.css-1e2dcm1{z-index:1500;pointer-events:none;}.css-okvapm{z-index:1500;pointer-events:none;}TLS origination

.css-1e2dcm1{z-index:1500;pointer-events:none;}.css-okvapm{z-index:1500;pointer-events:none;}Basic configuration

.css-1e2dcm1{z-index:1500;pointer-events:none;}.css-okvapm{z-index:1500;pointer-events:none;}Advanced configuration using a TLSContext

TLS origination

Basic configuration

Advanced configuration using a `TLSContext`