Emissary-ingress 2.2.2: How to enable HTTPS on a Kubernetes cluster using emissary-ingress [ambassador] version 2.2.2?


I am trying to enable HTTPS using the following documentation [Emissary-ingress 2.2.2]: https://www.getambassador.io/docs/emissary/latest/howtos/tls-termination/

I followed these steps to enable https:

i) Create a self-signed certificate

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj '/CN=ambassador-cert' -nodes

ii) Store the certificate and key in a Kubernetes Secret

kubectl create secret tls tls-cert --cert=cert.pem --key=key.pem -n test-namespace

iii) Tell Emissary-ingress to use this secret for TLS termination

apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: wildcard-host
spec:
  hostname: "*"
  acmeProvider:
    authority: none
  tlsSecret:
    name: tls-cert
  selector:
    matchLabels:
      hostname: wildcard-host

iv) Applied this manifest

kubectl apply -f wildcard-host.yaml -n test-namespace

I verified that the Emissary-ingress service is listening on 443 and forwarding to port 8443.

I have also mapped the node service with it.

apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: node-service-mapping
  namespace: test-namespace
spec:
  hostname: "*"
  prefix: /node-service  
  service: node-service

But when I send a request to the backend service with curl

curl -Lk https://{{AMBASSADOR_IP}}/node-service

I am getting the following error [attached screenshot]:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number


Just for information: I am using the following Kubernetes cluster version

kubectl version --short

Client Version: v1.19.0

Server Version: v1.21.7

Appropriate Listener definitions for both http and https:

apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: http-listener
spec:
  port: 8080
  protocol: HTTPS # NOT A TYPO
  securityModel: XFP
  hostBinding:
    namespace:
      from: SELF  
---
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: https-listener
spec:
  port: 8443
  protocol: HTTPS
  securityModel: XFP
  hostBinding:
    namespace:
      from: SELF 

I followed this document for adding listeners: https://www.getambassador.io/docs/emissary/latest/howtos/configure-communications/#listeners

I also tried to use the original certificate, but that didn't work either.

What am I doing wrong here? Why am I getting this error and not able to hit HTTPS? How can I resolve it? How should I debug the issue here? I tried to find several solutions for this error on the Stack Overflow website and other sites, but was not able to get a proper solution for it till now. This link is also related to my question: How can I use Ambassador Emissary-ingress for TLS? But I didn't find an answer there.

Would appreciate it if anyone could provide a solution for this. Thanks in advance!

stanssh

I've been struggling with exactly the same problem for a few evenings. I had been following the official docs, but got stuck with the "wrong version number" error when trying to access the k8s dashboard over HTTPS with curl.

What solved the problem for me was explicitly setting the TLS certificate for a Host. The "wildcard" Host block described in the docs, alone, doesn't seem to work, so, apart from setting a wildcard Host, I've also set another one, specific to the k8s dashboard endpoint:

---
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: "kubernetes-dashboard-dns"
  # namespace: "kubernetes-dashboard"
  annotations:
    external-dns.ambassador-service: emissary-ingress.emissary
spec:
  hostname: "dashboard.mydomain.tld"
  tlsSecret:
    name: tls-cert
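The "wrong version number" error in the question means that the first five bytes that came back after curl's ClientHello were not a TLS record header (content type 0x14 to 0x17 followed by version 0x03xx); "HTTP/1.1 400 Bad Request" decodes as content type 'H' with version 'TT', which is exactly what OpenSSL reports. The script below is an added example for the question's "how should I debug this?" and for the answer's explicit-hostname Host; it is not code from the original question, the answer, or the Emissary-ingress project. It lets OpenSSL build a real ClientHello in memory, sends it to a host:port with or without SNI, classifies the reply as a TLS handshake, a TLS alert, plaintext HTTP, or nothing, and then feeds the reply back to OpenSSL to reproduce the same error name curl prints. Probing once without SNI (what `curl https://<ip>/` does) and once with a Host's hostname as SNI shows whether the listener terminates TLS at all and whether it treats names differently. The server started by `start_fake_plaintext_server()` is a constructed stand-in for a listener that answers a ClientHello with plain HTTP, so the script runs offline; the SNI value "dashboard.mydomain.tld" is taken from the answer and is only an illustration.

```python
"""Probe what a TCP port actually speaks after a TLS ClientHello.

Added example (not from the Emissary-ingress docs or the original post).
"""
import socket
import ssl
import sys
import threading

TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}


def make_client_hello(server_name=None):
    """Have OpenSSL write a real ClientHello into a memory BIO (no socket yet).

    server_name=None omits the SNI extension, which is what curl does when it
    is given a bare IP address.  Returns (ssl_object, incoming_bio, hello_bytes).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we only want to watch the handshake start
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # ClientHello is written; server turn now
    return sslobj, incoming, outgoing.read()


def classify_reply(reply: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if not reply:
        return "no data"                  # closed without a reply, or timed out
    if len(reply) >= 2 and reply[0] in TLS_CONTENT_TYPES and reply[1] == 0x03:
        return "tls " + TLS_CONTENT_TYPES[reply[0]]
    if reply.startswith(b"HTTP/"):
        return "plaintext http"           # the listener never spoke TLS
    return "not tls"


def openssl_verdict(sslobj, incoming, reply: bytes):
    """Feed the reply to OpenSSL; None if it would continue, else its error name."""
    incoming.write(reply)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        return None                       # valid ServerHello, handshake continues
    except ssl.SSLError as exc:
        return exc.reason or str(exc)     # e.g. 'WRONG_VERSION_NUMBER', like curl
    return None


def probe(host, port, server_name=None, timeout=3.0):
    """Send one ClientHello (with or without SNI) and report what came back."""
    sslobj, incoming, hello = make_client_hello(server_name)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return {
        "sni": server_name,
        "verdict": classify_reply(reply),
        "openssl_error": openssl_verdict(sslobj, incoming, reply) if reply else None,
        "first_bytes": reply[:16],
    }


def start_fake_plaintext_server():
    """Constructed stand-in for a listener that speaks plain HTTP on the port
    curl was told was HTTPS: it swallows the ClientHello and answers 400.
    Returns the ephemeral port it listens on (127.0.0.1 only)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n"
                             b"content-length: 0\r\nconnection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:                # probe_tls.py <host> <port> [sni]
        sni = sys.argv[3] if len(sys.argv) > 3 else None
        print(probe(sys.argv[1], int(sys.argv[2]), sni))
    else:                                 # offline demo against the fake listener
        demo_port = start_fake_plaintext_server()
        print(probe("127.0.0.1", demo_port))
        print(probe("127.0.0.1", demo_port, server_name="dashboard.mydomain.tld"))
```

Run it as `python probe_tls.py <ambassador-ip> 443` and again with the Host's hostname as a third argument. A verdict of `plaintext http` with `WRONG_VERSION_NUMBER` is the question's failure mode: whatever port 443 forwards to is not terminating TLS. `tls alert` means the listener does speak TLS but refused this particular handshake, and the alert description says why; `no data` means the connection was closed without any reply, which is what Envoy does when no filter chain matches the connection; `tls handshake` means termination works for that SNI (or for no SNI), so a remaining problem is at the HTTP layer rather than in the Host or certificate.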