
Helm Chart : setting tls module on helm installation breaks ambassador


Describe the bug

After creating a certificate secret with cert-manager and trying to get https working, ambassador gets stuck with the next error:

[000074][warning][config]
 [bazel-out/k8-dbg/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70]
 gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected:
 Error adding/updating listener redirect_listener: cannot bind '0.0.0.0:80': Permission denied

To Reproduce

Steps to reproduce the behavior:

  1. Create a challenge successfully with cert-manager:
      apiVersion: certmanager.k8s.io/v1alpha1
      kind: Certificate
      metadata:
        name: ambassador-certs
        namespace: dev
      spec:
        secretName: ambassador-certs
        issuerRef:
          name: letsencrypt-production
          kind: ClusterIssuer
        commonName: dev.api.example.com
        dnsNames:
        - dev.api.example.com
        acme:
          config:
          - dns01:
              provider: route53
            domains:
            - dev.api.example.com

  2. Add tls module config on “service.annotations.getambassador.io/config”, by adding this after ambassador module config:
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: tls
      ambassador_id: ambassador-id
      config:
        server:
          enabled: True
          redirect_cleartext_from: 80
          secret: ambassador-certs

  3. Get error printed in infinite loop.

Expected behavior

I expect ambassador to work with https.

Versions (please complete the following information):

  • Ambassador: 0.52.0
  • Helm Chart: 2.0.1
  • Kubernetes environment: cluster over aws
    • Version : v1.11.7

Additional context

If I remove the ambassador_id on the config annotation ambassador starts properly (and works with http), because it ignores the configuration of the tls module.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

2 reactions
hugocarrasco commented, Mar 28, 2019

Thanks! Now it works.

For future use this is the setting:

      ---
      apiVersion: ambassador/v1
      kind: Module
      name: ambassador
      ambassador_id: ambassador-development
      config:
        service_port: 8443
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: tls
      ambassador_id: ambassador-development
      config:
        server:
          enabled: True
          redirect_cleartext_from: 8080
          secret: ambassador-certs

0 reactions
Flydiverny commented, Mar 28, 2019

Try the other way around? i.e. service_port: 8443 and redirect_cleartext_from: 8080. Personally don’t use ambassador with tls termination so not fully sure. But in 1 you are correct that it can’t be the same port, as that would (I assume) cause ambassador to try to bind twice to that port.

By default it looks like ambassador will use service_port 80 and then when tls termination is enabled it will set its service_port to 443.
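
The port problem discussed in this thread can be caught before deployment. The following is an added example, not code from the issue or from the Ambassador project: a small linter over already-parsed Module configs that flags ports a non-root container cannot bind and a redirect port that collides with the service port. The function name, the dict input shape, the fallback `ambassador_id` key, and the 80/443 defaults (taken from the comment above) are assumptions, as is the premise that the pod runs without root or CAP_NET_BIND_SERVICE, which is consistent with the "Permission denied" in the log.

```python
# Added example: lint parsed Ambassador v1 Module configs for port settings
# that a non-root container cannot bind. Defaults are assumptions (see lead-in).
PRIVILEGED_BELOW = 1024  # Linux: binding below this needs root or CAP_NET_BIND_SERVICE


def lint_modules(modules, can_bind_privileged=False):
    """Return a sorted list of (ambassador_id, message) findings."""
    by_id = {}
    for m in modules:
        # Group per ambassador_id; "default" is an assumed key for modules without one.
        by_id.setdefault(m.get("ambassador_id", "default"), {})[m["name"]] = m.get("config") or {}
    findings = []
    for amb_id, mods in by_id.items():
        server = mods.get("tls", {}).get("server", {})
        tls_on = bool(server.get("enabled"))
        # Assumed defaults, per the thread: 80 without TLS, 443 with TLS termination.
        service_port = mods.get("ambassador", {}).get("service_port", 443 if tls_on else 80)
        ports = {"service_port": service_port}
        redirect = server.get("redirect_cleartext_from") if tls_on else None
        if redirect is not None:
            ports["redirect_cleartext_from"] = redirect
            if redirect == service_port:
                findings.append((amb_id, f"redirect_cleartext_from and service_port both use {redirect}"))
        if not can_bind_privileged:
            for key, port in ports.items():
                if port < PRIVILEGED_BELOW:
                    findings.append((amb_id, f"{key}={port} is a privileged port"))
    return sorted(findings)


# Constructed input mirroring the two configurations quoted in the thread.
BROKEN = [
    {"name": "tls", "ambassador_id": "ambassador-id",
     "config": {"server": {"enabled": True, "redirect_cleartext_from": 80,
                           "secret": "ambassador-certs"}}},
]
FIXED = [
    {"name": "ambassador", "ambassador_id": "ambassador-development",
     "config": {"service_port": 8443}},
    {"name": "tls", "ambassador_id": "ambassador-development",
     "config": {"server": {"enabled": True, "redirect_cleartext_from": 8080,
                           "secret": "ambassador-certs"}}},
]

if __name__ == "__main__":
    for label, mods in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_modules(mods) or "no findings")
```

With unprivileged container ports such as 8443 and 8080, the Kubernetes Service can still expose 443 and 80 externally by mapping them to those target ports.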
