Ambassador integrates automatic HTTPS for Kubernetes ingress
Today, virtually all major websites enable HTTPS by default. HTTPS provides a crucial layer of privacy and security protection for end users by. Moreover, lack of HTTPS impacts your digital marketing. Google penalizes websites that do not support HTTPS, and browsers such as Chrome will also label websites that don’t support HTTPS as insecure.

HTTPS configuration is painful
Unfortunately, enabling HTTPS on Kubernetes is fairly technical and complicated. To enable HTTPS, a protocol called Transport Layer Security (TLS) is used (for a quick overview of TLS, check out this post). With Ambassador, one of the most common friction points is configuring TLS in a production-ready scenario. In theory, configuring TLS requires three steps:
- Obtaining a certificate from a Certificate Authority.
- Installing the certificate in the Kubernetes cluster.
- Configuring an Ambassador TLSContext to point to the certificate.

In practice, each of these steps requires some user education and manual toil. And, since certificates periodically expire, these steps need to be repeated — but not so frequently that the steps can be memorized!
Automatic, production-ready HTTPS for everyone
We’re excited to announce today that we’ve integrated Automated Certificate Management Environment (ACME) support directly into Ambassador, enabling automatic HTTPS for everyone. With automatic HTTPS, Ambassador will:
- Obtain a certificate from any ACME provider such as Let’s Encrypt
- Configure TLS to use the certificate
- Renew the certificate automatically prior to expiration

If you’re deploying your application on Kubernetes, Ambassador is the simplest way for you to expose your application over TLS.
Under the Hood
How does this work? We’ve added a new resource, the Host resource. Here’s an example Host resource:
apiVersion: getambassador.io/v2
kind: Host
metadata:
  creationTimestamp: null
  labels:
    created-by: aes-firstboot-web-ui
  name: localhost
  namespace: default
spec:
  acmeProvider:
    authority: https://acme-v02.api.letsencrypt.org/directory
    email: datawire@example.org
    privateKeySecret:
      name: httpv02.api.letsencrypt.org
  hostname: example.org
  selector:
    matchLabels:
      hostname: localhost
  tlsSecret:
    name: https-v02.api.letsencrypt.org
status:
  tlsCertificateSource: ACME
As shown above, the Host resource has a hostname which maps to the domain for the certificate and an acmeProvider which maps to a particular ACME provider.
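A review check for Host resources like the one above, added here as an example; it is not code from the original post or from Ambassador. It assumes each Host has been parsed into a dict (for instance from JSON output of kubectl); `audit_host`, the finding names and the second sample are hypothetical, and the checks are this example's choices, not Ambassador's own validation rules.

```python
import json
from urllib.parse import urlparse

RESERVED = ("example.org", "example.com", "example.net")  # RFC 2606 documentation domains
LE_STAGING = "acme-staging-v02.api.letsencrypt.org"  # issues test certs browsers do not trust

def _reserved(name):
    return any(name == d or name.endswith("." + d) for d in RESERVED)

def audit_host(host):
    """Return a list of findings for one Host object (a parsed dict)."""
    findings = []
    spec = host.get("spec", {})
    acme = spec.get("acmeProvider", {})
    hostname = spec.get("hostname", "")
    authority = urlparse(acme.get("authority", ""))
    email = acme.get("email", "")
    if authority.scheme != "https" or not authority.hostname:
        findings.append("authority-not-https")       # ACME directories are served over HTTPS
    elif authority.hostname == LE_STAGING:
        findings.append("authority-is-staging")      # fine for testing, not for production
    if "." not in hostname:
        findings.append("hostname-not-fqdn")         # e.g. "localhost"
    elif _reserved(hostname):
        findings.append("hostname-reserved-domain")  # placeholder left in the manifest
    if "@" not in email or _reserved(email.rsplit("@", 1)[-1]):
        findings.append("email-placeholder")
    if host.get("status", {}).get("tlsCertificateSource") != "ACME":
        findings.append("certificate-not-from-acme") # status does not report an ACME cert
    return findings

# Constructed samples: the first mirrors the Host on this page, the second is a
# hypothetical Host pointed at the staging directory with no status reported yet.
SAMPLES = json.loads("""[
 {"metadata": {"name": "localhost"},
  "spec": {"hostname": "example.org",
           "acmeProvider": {"authority": "https://acme-v02.api.letsencrypt.org/directory",
                            "email": "datawire@example.org"}},
  "status": {"tlsCertificateSource": "ACME"}},
 {"metadata": {"name": "shop"},
  "spec": {"hostname": "shop.internal-corp.test",
           "acmeProvider": {"authority": "https://acme-staging-v02.api.letsencrypt.org/directory",
                            "email": "ops@internal-corp.test"}},
  "status": {}}
]""")

if __name__ == "__main__":
    for h in SAMPLES:
        print(h["metadata"]["name"], audit_host(h))
```

Run against the page's sample, the check flags the documentation-domain hostname and contact address, which is the reminder to replace both before applying the manifest to a real cluster.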
Get in touch
You can Contact Us here or at @ambassadorlabs on Twitter