github.com/sl1pm4t/consul@v1.4.5-0.20190325224627-74c31c540f9c/website/source/docs/platform/k8s/ambassador.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "Ambassador Integration - Kubernetes" 4 sidebar_current: "docs-platform-k8s-ambassador" 5 description: |- 6 Ambassador is a Kubernetes-native API gateway and ingress controller that 7 integrates well with Consul Connect. 8 --- 9 10 # Ambassador Integration with Consul Connect 11 12 In addition to enabling Kubernetes services to discover and securely connect to each other, 13 Connect also can help route traffic into a Kubernetes cluster from outside, when paired with 14 an [ingress controller] like DataWire's Ambassador. 15 16 [Ambassador] is a popular Kubernetes-native service that acts as an ingress controller 17 or API gateway. It supports an optional integration with Consul that allows it to 18 route incoming traffic to the [proxies] for your Connect-enabled services. 19 20 This means you can have **end-to-end encryption** from the browser, to Ambassador, 21 to your Kubernetes services. 22 23 24 ## Installation 25 26 Before you start, [install Consul] and [enable Connect] on the agents inside the cluster. Decide 27 whether you will enable [service sync] or manually register your services with 28 Consul. 29 30 Once you have tested and verified that everything is working, you can proceed with 31 the Ambassador installation. Full instructions are available on the [Ambassador 32 site][install], but a summary of the steps is as follows: 33 34 If you are deploying to GKE, create a `RoleBinding` to grant you cluster admin 35 rights: 36 37 ```bash 38 kubectl create clusterrolebinding my-cluster-admin-binding \ 39 --clusterrole=cluster-admin \ 40 --user=$(gcloud info --format="value(config.account)") 41 ``` 42 43 Install Ambassador and a `LoadBalancer` service for it: 44 45 ```bash 46 kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-rbac.yaml 47 kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-service.yaml 48 ``` 49 50 Install the Ambassador Consul Connector: 51 52 ```bash 53 kubectl apply -f https://getambassador.io/yaml/ambassador/pro/ambassador-consul-connector.yaml 54 ``` 55 56 Add `TLSContext` and `Mapping` annotations to your existing services, directing 57 HTTPS traffic to port 20000, which is opened by the Connect proxy. Here is an 58 example of doing this for the `static-server` example used in the documentation 59 for the [Connect sidecar]: 60 61 ```yaml 62 apiVersion: v1 63 kind: Service 64 metadata: 65 name: static-service 66 annotations: 67 getambassador.io/config: | 68 --- 69 apiVersion: ambassador/v1 70 kind: TLSContext 71 name: ambassador-consul 72 hosts: [] 73 secret: ambassador-consul-connect 74 --- 75 apiVersion: ambassador/v1 76 kind: Mapping 77 name: static-service_mapping 78 prefix: /echo/ 79 tls: ambassador-consul 80 service: https://static-server:443 81 spec: 82 type: NodePort 83 selector: 84 app: http-echo 85 ports: 86 - port: 443 87 name: https-echo 88 targetPort: 20000 89 ``` 90 91 Once Ambassador finishes deploying, you should have a new `LoadBalancer` service 92 with a public-facing IP address. Connecting to the HTTP port on this address 93 should display the output from the static service. 94 95 ```bash 96 kubectl describe service ambassador 97 98 ``` 99 100 101 ## Enabling end-to-end TLS 102 103 The Ambassador service definition provided in their documentation currently does not 104 serve pages over HTTPS. To enable HTTPS for full end-to-end encryption, follow 105 these steps. 106 107 First, upload your public SSL certificate and private key as a Kubernetes secret. 108 109 ```bash 110 kubectl create secret tls ambassador-certs --cert=fullchain.pem --key=privkey.pem 111 ``` 112 113 Download a copy of the [ambassador-service.yaml] file from Ambassador. Replace 114 the `metadata` section with one that includes an Ambassador TLS configuration block, 115 using the secret name you created in the previous step. Then add an entry for port 443 116 to the `LoadBalancer` spec. Here is a complete example: 117 118 ```yaml 119 apiVersion: v1 120 kind: Service 121 metadata: 122 name: ambassador 123 annotations: 124 getambassador.io/config: | 125 --- 126 apiVersion: ambassador/v1 127 kind: Module 128 name: tls 129 config: 130 server: 131 enabled: True 132 secret: ambassador-certs 133 spec: 134 type: LoadBalancer 135 externalTrafficPolicy: Local 136 ports: 137 - port: 80 138 targetPort: http 139 protocol: TCP 140 name: http 141 - port: 443 142 targetPort: https 143 protocol: TCP 144 name: https 145 selector: 146 service: ambassador 147 ``` 148 149 Update the service definition by applying it with `kubectl`: 150 151 ```bash 152 kubectl apply -f ambassador-service.yaml 153 ``` 154 155 You should now be able to test the SSL connection from your browser. 156 157 158 ## Troubleshooting 159 160 When Ambassador is unable to establish an authenticated connection to the Connect proxy servers, browser connections will display this message: 161 162 upstream connect error or disconnect/reset before headers 163 164 This error can have a number of different causes. Here are some things to check and troubleshooting steps you can take. 165 166 ### Check intentions between Ambassador and your upstream service 167 168 If you followed the above installation guide, Consul should have registered a service called "ambassador". Make sure you create an intention to allow it to connect to your own services. 169 170 To check whether Ambassador is allowed to connect, use the [`intention check`][intention-check] subcommand. 171 172 $ consul intention check ambassador http-echo 173 Allowed 174 175 ### Confirm upstream proxy sidecar is running 176 177 First, find the name of the pod that contains your service. 178 179 $ kubectl get pods -l app=http-echo,role=server 180 NAME READY STATUS RESTARTS AGE 181 http-echo-7fb79566d6-jmccp 2/2 Running 0 1d 182 183 Then describe the pod to make sure that the sidecar is present and running. 184 185 $ kubectl describe pod http-echo-7fb79566d6-jmccp 186 [...] 187 Containers: 188 consul-connect-envoy-sidecar: 189 [...] 190 State: Running 191 Ready: True 192 193 ### Start up a downstream proxy and try connecting to it 194 195 Log into one of your Consul server pods (or any pod that has a Consul binary in it). 196 197 $ kubectl exec -ti consul-server-0 -- /bin/sh 198 199 Once inside the pod, try starting a test proxy. Use the name of your service in place of `http-echo`. 200 201 # consul connect proxy -service=ambassador -upstream http-echo:1234 202 ==> Consul Connect proxy starting... 203 Configuration mode: Flags 204 Service: http-echo-client 205 Upstream: http-echo => :1234 206 Public listener: Disabled 207 208 If the proxy starts successfully, try connecting to it. Verify the output is as you expect. 209 210 # curl localhost:1234 211 "hello world" 212 213 Don't forget to kill the test proxy when you're done. 214 215 # kill %1 216 ==> Consul Connect proxy shutdown 217 218 # exit 219 220 ### Check Ambassador Connect sidecar logs 221 222 Find the name of the Connect Integration pod and make sure it is running. 223 224 $ kubectl get pods -l app=ambassador-pro,component=consul-connect 225 NAME READY STATUS RESTARTS AGE 226 ambassador-pro-consul-connect-integration-f88fcb99f-hxk75 1/1 Running 0 1d 227 228 Dump the logs from the integration pod. If the service is running correctly, there won't be much in there. 229 230 $ kubectl logs ambassador-pro-consul-connect-integration-f88fcb99f-hxk75 231 232 time="2019-03-13T19:42:12Z" level=info msg="Starting Consul Connect Integration" consul_host=10.142.0.21 consul_port=8500 version=0.2.3 233 2019/03/13 19:42:12 Watching CA leaf for ambassador 234 time="2019-03-13T19:42:12Z" level=debug msg="Computed kubectl command and arguments" args="[kubectl apply -f -]" 235 time="2019-03-13T19:42:14Z" level=info msg="Updating TLS certificate secret" namespace= secret=ambassador-consul-connect 236 237 ### Check Ambassador logs 238 239 Make sure the Ambassador pod itself is running. 240 241 $ kubectl get pods -l service=ambassador 242 NAME READY STATUS RESTARTS AGE 243 ambassador-655875b5d9-vpc2v 2/2 Running 0 1d 244 245 Finally, check the logs for the main Ambassador pod. 246 247 $ kubectl logs ambassador-655875b5d9-vpc2v 248 249 ### Check Ambassador admin interface 250 251 Forward the admin port from the Ambassador pod to your local machine. 252 253 $ kubectl port-forward pods/ambassador-655875b5d9-vpc2v 8877:8877 254 255 You should then be able to open http://localhost:8877/ambassador/v0/diag/ in your browser and view Ambassador's routing table. The table lists each URL mapping that has been set up. Service names will appear in green if Ambassador believes they are healthy, and red otherwise. 256 257 From this interface, you can also enable debug logging via the yellow "Set Debug On" button, which might give you a better idea of what's happening when requests fail. 258 259 ### Getting support 260 261 If you have tried the above troubleshooting steps and are still stuck, DataWire provides support for Ambassador via the popular Slack chat app. You can [request access] and then join the `#ambassador` room to get help. 262 263 264 [ambassador]: https://www.getambassador.io/ 265 [ingress controller]: https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d 266 [proxies]: https://www.consul.io/docs/connect/proxies.html 267 [service sync]: https://www.consul.io/docs/platform/k8s/service-sync.html 268 [connect sidecar]: https://www.consul.io/docs/platform/k8s/connect.html 269 [install]: https://www.getambassador.io/user-guide/consul-connect-ambassador/ 270 [ambassador-service.yaml]: https://getambassador.io/yaml/ambassador/ambassador-service.yaml 271 [request access]: https://d6e.co/slack 272 [intention-check]: https://www.consul.io/docs/commands/intention/check.html 273 [install consul]: https://www.consul.io/docs/install/index.html 274 [enable connect]: https://www.consul.io/docs/connect/index.html#getting-started-with-connect 275