TUTORIAL

Deploying the Ambassador Edge Stack as an Ingress Controller for Kubernetes with TLS

Get traffic into your Kubernetes cluster in less than 5 minutes

We’ve written before about how to route external traffic to your Kubernetes cluster. In that article, we defined the three main strategies: using a Kubernetes service of type NodePort, using a Kubernetes service of type LoadBalancer, or using a Kubernetes Ingress resource.

The Ambassador Edge Stack is powered by Envoy Proxy and configured declaratively through Kubernetes CRDs. The Ambassador Edge Stack also has integrated Automated Certificate Management Environment (ACME) support, enabling automatic HTTPS for everyone.

In this tutorial, we’ll show how to use the Ambassador Edge Stack as an ingress controller for Kubernetes and automatically expose your application over TLS.

Ambassador Edge Stack as an Ingress Controller

1. Install the Ambassador Edge Stack as your ingress controller.

kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml && \
kubectl wait --for condition=established --timeout=90s crd -lproduct=aes && \
kubectl apply -f https://www.getambassador.io/yaml/aes.yaml && \
kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes

2. We’re now going to deploy a simple service, the quote service, in Kubernetes. Save the YAML below into a file called quote.yaml.

---
apiVersion: v1
kind: Service
metadata:
  name: quote
  namespace: ambassador
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: quote
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quote
  namespace: ambassador
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quote
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: quote
    spec:
      containers:
      - name: backend
        image: quay.io/datawire/quote:0.2.7
        ports:
        - name: http
          containerPort: 8080

3. Deploy the quote service on the cluster:

kubectl apply -f quote.yaml

4. Now, create an Ingress resource that tells Ambassador (and our external users) how to access the quote service. Save the YAML below into a file called quote-ingress.yaml.

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: ambassador
  name: quote-ingress
  namespace: ambassador
spec:
  rules:
  - http:
      paths:
      - path: /quote/
        backend:
          serviceName: quote
          servicePort: 80

5. Apply the ingress resource to your cluster:

kubectl apply -f quote-ingress.yaml

6. Get the IP address of your cluster:

kubectl get -n ambassador service ambassador -o 'go-template={{range .status.loadBalancer.ingress}}{{print .ip "\n"}}{{end}}'

7. One of the features of the Ambassador Edge Stack is that it configures TLS by default. So, send a curl request over HTTPS to your installation, using the IP address from the previous step.

Don’t forget the -k option: the Ambassador Edge Stack automatically installs a self-signed certificate, so curl has to be told to accept a certificate it cannot verify.

Congratulations! You’ve installed the Ambassador Edge Stack and have a full-fledged ingress controller.
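Step 1 applies manifests straight from a URL, so whatever that URL serves at that moment, CRDs included, is created in the cluster. The script below is an added example, not part of the original tutorial or the Ambassador project: it downloads a manifest, checks it against a SHA-256 digest recorded when the file was reviewed, lists the cluster-wide objects it defines, and applies the verified local copy. The function names and the digest placeholder are assumptions, and it expects sha256sum, awk, curl and kubectl to be installed.

```shell
# Added example: pin and inventory a remote manifest before applying it.
# Function names are illustrative, not part of kubectl or Ambassador.

# Succeed only if the file's SHA-256 equals the digest recorded at review time.
verify_pin() {
  [ "$(sha256sum "$1" | awk '{print $1}')" = "$2" ]
}

# Print "Kind/name" for each document in a multi-document YAML manifest.
# Reads top-level `kind:` and the `name:` directly under top-level `metadata:`.
manifest_inventory() {
  awk '
    function flush() { if (kind != "") print kind "/" name; kind = name = ""; in_meta = 0 }
    /^---/       { flush(); next }
    /^kind:/     { kind = $2; in_meta = 0; next }
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }
    in_meta && name == "" && /^  name:/ { name = $2 }
    END          { flush() }
  ' "$1"
}

# Show only the objects that change cluster-wide state, for a closer read.
cluster_scoped() {
  manifest_inventory "$1" | grep -E \
    '^(CustomResourceDefinition|ClusterRole|ClusterRoleBinding|Namespace|(Mutating|Validating)WebhookConfiguration)/' \
    || true
}

# Download URL ($1), stop on a digest mismatch with $2, print the cluster-wide
# objects, then apply the local copy that was just verified (not the URL).
apply_pinned() (
  file=${1##*/}
  curl -fsSL "$1" -o "$file" || exit 1
  verify_pin "$file" "$2" || { echo "digest mismatch: $1" >&2; exit 1; }
  cluster_scoped "$file"
  kubectl apply -f "$file"
)

# Usage (the digest is a placeholder; record your own after reviewing the file):
#   apply_pinned https://www.getambassador.io/yaml/aes-crds.yaml <reviewed-sha256>
```

The downloaded file stays in the working directory, so it can be committed alongside its digest as the record of what was applied.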

Edge Policy Console

You can access the Ambassador Edge Stack Edge Policy Console UI to configure additional aspects of Ambassador. For example, the UI lets you automatically obtain a certificate of your own from Let’s Encrypt.

In your browser, enter the same IP address as above and follow the instructions to access the UI. Again, you’ll need to make sure your browser accepts the self-signed certificate until you configure your own certificate.

Questions?

If you have questions about this tutorial or the Ambassador Edge Stack in general, please join our Slack channel, or contact us.

If you’re just getting started with Kubernetes, you can learn more about best practices we recommend here.

If this tutorial addressed a need of yours, we’d love to hear about it. Drop us a line in the comments below, or @getambassadorio on Twitter.