Helm Chart : setting tls module on helm installation breaks ambassador
Describe the bug
After creating a certificate secret with cert-manager and trying to get https working, ambassador gets stuck with the next error:
```
[000074][warning][config]
[bazel-out/k8-dbg/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70]
gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected:
Error adding/updating listener redirect_listener: cannot bind '0.0.0.0:80': Permission denied
```
To Reproduce
Steps to reproduce the behavior:
- Create a challenge successfully with cert-manager:
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: ambassador-certs
  namespace: dev
spec:
  secretName: ambassador-certs
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: dev.api.example.com
  dnsNames:
  - dev.api.example.com
  acme:
    config:
    - dns01:
        provider: route53
      domains:
      - dev.api.example.com
```
- Add tls module config on “service.annotations.getambassador.io/config”, by adding this after ambassador module config:
```yaml
---
apiVersion: ambassador/v1
kind: Module
name: tls
ambassador_id: ambassador-id
config:
  server:
    enabled: True
    redirect_cleartext_from: 80
    secret: ambassador-certs
```
- Get error printed in infinite loop.
Expected behavior
I expect ambassador to work with https.
Versions (please complete the following information):
- Ambassador: 0.52.0
- Helm Chart: 2.0.1
- Kubernetes environment: cluster over aws
- Version : v1.11.7
Additional context
If I remove the ambassador_id on the config annotation, ambassador starts properly (and works with http), because it ignores the configuration of the tls module.
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (4 by maintainers)
You are trying to use port 80, the helm chart is not running as root.. so it can't bind to port 80 unless...
Thanks! now it works.
For future use this is the setting:
Try the other way around? i.e. `service_port: 8443` and `redirect_cleartext_from: 8080`. Personally don’t use ambassador with tls termination so not fully sure. But in 1 you are correct that it can’t be the same port, as that would (I assume) cause ambassador to try to bind twice to that port. By default it looks like ambassador will use service_port 80 and then when tls termination is enabled it will set its service_port to 443.
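A pre-deploy check for the failure in this thread, as an added example that is not part of the issue or of Ambassador: it scans a `getambassador.io/config` annotation for listener ports that a non-root Envoy cannot bind (below 1024 on a default Linux kernel) or that collide. The function names and the regex-based parsing are assumptions of this example, only explicitly set ports are checked (defaults are not modelled), and both sample annotations are constructed from the configuration and the reply above.

```python
import re

# Linux default: ports below this need root or CAP_NET_BIND_SERVICE to bind.
UNPRIVILEGED_PORT_START = 1024
PORT_KEY = re.compile(r"(?m)^\s*(service_port|redirect_cleartext_from):\s*(\d+)\s*$")

def listener_ports(annotation):
    """Map (module name, key) -> port for each listener port set explicitly."""
    ports = {}
    for doc in re.split(r"(?m)^---\s*$", annotation):  # one YAML document per Module
        name = re.search(r"(?m)^name:\s*(\S+)", doc)
        for key, port in PORT_KEY.findall(doc):
            ports[(name.group(1) if name else "?", key)] = int(port)
    return ports

def check(annotation, can_bind_low_ports=False):
    """Return the port settings that would keep Envoy from binding its listeners."""
    ports = listener_ports(annotation)
    problems = [f"{module}.{key}={port}: privileged port, bind will be denied"
                for (module, key), port in sorted(ports.items())
                if port < UNPRIVILEGED_PORT_START and not can_bind_low_ports]
    if len(set(ports.values())) < len(ports):  # same port twice: second bind fails
        problems.append("two listeners share one port")
    return problems

# Constructed input: the tls Module exactly as posted in the report.
REPORTED = """\
---
apiVersion: ambassador/v1
kind: Module
name: tls
ambassador_id: ambassador-id
config:
  server:
    enabled: True
    redirect_cleartext_from: 80
    secret: ambassador-certs
"""

# Constructed input: the ports suggested in the reply (service_port 8443, redirect 8080).
SUGGESTED = """\
---
apiVersion: ambassador/v1
kind: Module
name: ambassador
ambassador_id: ambassador-id
config:
  service_port: 8443
""" + REPORTED.replace("redirect_cleartext_from: 80", "redirect_cleartext_from: 8080")
```

`check(REPORTED)` returns the single `tls.redirect_cleartext_from=80` finding, and `check(SUGGESTED)` returns an empty list.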