Ambassador Edge Stack to Consul Connect
“Everything Changes and Nothing Stands Still” — Heraclitus
At the end of 2019 I was wrapping up our new ingress to our microservices. We had Ambassador API Gateway Pro accepting inbound connections and then forwarding them off to the Consul Connect based service mesh. Purchasing had taken a couple months to purchase the Ambassador Pro product and I had finally got the installation keys. I was ready to put a big red done stamp on the project.
Then came the news, that Ambassador Pro wasn’t really a thing anymore, and our license keys would be valid on the brand new Ambassador Edge Stack. Ambassador Edge Stack is mostly a rebranding of Ambassador Pro, and most of the secuirty features of Pro now appear in the Community Edition.
As I started again, I document in his walk though, how to create an Ambassador Edge Stack on Kubernetes and connect it to the Consul Connect Service Mesh. This article builds on the Kubernetes and Consul Connect infrastructure created in another article. Goto the article and create a Consul Cluster on Kubernetes with Consul-Helm. You don’t need to install them sample applications, just create a consul cluster and log into the management console.
Now that we have similar Consul installations thanks to consul-helm, we will add Ambassador Edge Stack.
Installation of Ambassador Edge Stack largely follows the installation instructions on the getambassador.io web page. I differ from those instructions in:
- I installed consul with consul-helm and consul resource naming is different, many things are named “consul-consul-*” instead of just “consul-*”
- I enabled ACLs on my Consul Cluster
- I only show how to do the full mTLS connection, I don’t bother showing the non-TLS method.
The base helm chart does a pretty good job of installing Ambassador Edge Stack (AES), so install it that way. When installing there will be a repeated warning about a hook, this is known and not a problem.
helm repo add datawire https://www.getambassador.io && \
kubectl create namespace ambassador && \
helm install ambassador --namespace ambassador datawire/ambassadorFirst Time Login and Licensing
You have now installed the software, but there is bit of work to do to Log in and get it licensed. But don’t worry most things you need to explore and use Ambassador Edge Stack (AES) is available in the community edition.
To log into your installation. kubectl -n ambassador get svc ambassador, once that initializes and you have an IP address, you can use your browser to go to http://{ambassador service ip}/edge_stack_admin/#dashboard.
When you browse that URL, it will first land you on a page that warns you the next page will have an untrusted certificate. Accept and go to the next page.
This brings you to the next page. At the bottom it tells you how to install edgectl on your machine. The edgectl login establishes a secure connection to the Ambassador console. Install edgectl and bring up the Amabassador UI by running edgectl login --namespace=ambassador {ambassador public ip}.
On this Dashboard page is a place to give your email and get a license. You don’t need it to get a license for this walk-though.
Connecting Ambassador Edge Stack to Consul Connect
In the yaml file for Cluster Role For Administrator, you need to edit the last line of the file, and it probably needs to be “consul-consul-boostrap-acl-token” if you installed with consul helm. Do helm list for a definitive name of your helm release of Consul.
I have added CONSUL_HTTP_TOKEN to enable this container to talk to consul, it needs this due to Consul ACLs being enabled. I would imagine that you can tweak any of the consul communication environment variables in this manner.
You need to patch the Helm Release name in this file before applying the file that tells ambassador to talk to consul to resolve service names. This file again needs to be checked for the appropriate name of your consul-helm release.
Creating Hello World
We can now create our demo service, which is a hello-world website (you’d probably normally install a rest service). The installation YAML files differs from the Ambassador Docs due to ACLs. When creating a service when ACLs are enabled a few things must be done for Consul to accept the service.
- You must create a service account
- You must run the pod as the service account
- The first container in the pod must be named the same as the service account.
This yaml file is ready to go, and needs no edits.
Create a mapping that maps a URL to a Consul Connect based service. In this case we have Ambassador talk directly to the SideCar and not to the main service name. The Documentation for the Mapping CRD. This file is ready to go and needs no edits.
One final step with ACL enabled Consul. We need to allow Ambassador to talk to the HelloWorld container. In the consul UI, navigate to Intentions->Create and enter, the below.
Gotchas:
- The ambassador name must be typed out, ambassador isn’t registering with consul so it doesn’t appear as a service.
- The ambassador name must be lower case.
- The UI has a default of “Deny” make sure to tick Allow.
It may be less error prone to open a shell to a consul agent and use the cli, this also would allow automated Intention Creation.
Now navigate to https://<ambassador ip addr/helloworld/ and you should see:
Configure Certificate for Ambassador IP address
So having done all that work to ensure mTLS throughout the service layer, you kinda get an empty feeling about that “Not Secure” https warning in the browser address bar. Let’s fix that.
To make things look profession, configure a DNS entry for the IP address anyway that is easy for you. Not necessary, but makes things look better.
You will be using the UI in the Ambassador console to configure a connection to LetsEncrypt.com. It’s pretty simple and the Ambassador documentation is spot on. Skip down to “Config TLS Termination” and follow the steps there.
Wrapping Up
In this walkthrough we covered setting up the new Ambassador Edge Stack with Helm. This was complicated by having ACLs enabled on our Consul server, and the naming produced by the consul-helm chart. We took a simple hello world service, that knows nothing of Certificates, Service Mesh and Load Balancers and wrapped a secure transport layer around it.