Does Ambassador directly support mTLS?
This is NOT a bug, but a simple question. I am not yet sure if Ambassador supports mTLS or not.
According to the documentation,
To configure mTLS between Ambassador Edge Stack and your upstream services, you need to create a TLSContext with certificates that are signed by the Certificate Authority (CA) of your upstream service.
With this statement, it looks like it does. All I have to do is to create an Ambassador object. But then it jumps to Istio mTLS and Consul mTLS. So, does it take advantage of another technology's mTLS, or does it provide this feature itself?
If it doesn’t, I find it not very practical to install Istio (which is quite resource consuming. well, not the latest versions, but still…), for this one feature when Istio itself provides most of the features Ambassador offers.
Also, this statement confuses me:
Istio creates and stores its TLS certificates in a form that Ambassador Edge Stack is currently unable to automatically read.
It makes me believe that Ambassador actually delegates the mTLS part to Istio and doesn't have this feature itself. Otherwise, why not just create your own secret with your own certs and mount it into the Ambassador container?
Issue created 4 years ago; 6 comments (5 by maintainers).
Top GitHub Comments
Also of note: I recently had a PR land that will hopefully be released in the next version. When you mount the secrets as the docs specify, rotated certs are not picked up by Ambassador, requiring a restart of the Ambassador pods. My PR changed it to read directly from k8s, hopefully alleviating this: https://github.com/datawire/ambassador/pull/2277
The new format will be:
No more mounting!
We run with strict mTLS in our cluster without issues, but it does require the TLSContext. I will be submitting a PR to update the docs sometime soon once this new functionality lands.
Thanks!
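As an added illustration of the TLSContext the comments above refer to (this is not configuration from the issue or from the Ambassador project): a client certificate signed by the upstream service's CA stored as a Kubernetes TLS Secret, a TLSContext that points at it, and a Mapping that names the context so Ambassador originates mTLS to the upstream. Field names follow the getambassador.io/v2 CRDs as I know them; every name, the namespace, the upstream address and the certificate contents are placeholders.

```yaml
# Added example, not from the issue or the Ambassador project.
# 1. The client certificate Ambassador presents to the upstream, as a
#    standard TLS Secret. Because Ambassador reads the Secret through the
#    Kubernetes API (no volume mount), rotating this Secret is picked up
#    without restarting the Ambassador pods.
apiVersion: v1
kind: Secret
metadata:
  name: upstream-client-cert          # placeholder name
  namespace: ambassador               # placeholder namespace
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_CLIENT_CERT_SIGNED_BY_UPSTREAM_CA>   # placeholder
  tls.key: <BASE64_CLIENT_PRIVATE_KEY>                  # placeholder
---
# 2. A TLSContext that carries that certificate. No `hosts` are listed,
#    so this context is not used to terminate TLS on the listener; it only
#    supplies the client identity for upstream connections.
apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: upstream-mtls                 # placeholder name
  namespace: ambassador
spec:
  secret: upstream-client-cert        # the Secret above
---
# 3. The Mapping opts in to the context. The https:// scheme makes
#    Ambassador originate TLS to the upstream, and `tls:` selects which
#    client certificate it presents during the handshake.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: backend                       # placeholder name
  namespace: ambassador
spec:
  prefix: /backend/
  service: https://backend.default.svc.cluster.local:8443   # placeholder upstream
  tls: upstream-mtls
```

To confirm the handshake is really mutual, have the upstream reject connections that present no client certificate; a request through `/backend/` should succeed while a direct `curl` without a cert is refused.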