Manual Installation Guide
In this guide, we'll walk you through installing, configuring, and customizing the Ambassador Edge Stack in your Kubernetes cluster.
The manual install process does require more user configuration than the quick start method, but it does allow you to control the aspects of your base Edge Stack installation.
Before You Begin
The Ambassador Edge Stack is designed to run in Kubernetes for production. The most essential requirements are:
- Kubernetes 1.11 or later
- The
kubectl
command-line tool
Install the Ambassador Edge Stack
The Ambassador Edge Stack is typically deployed to Kubernetes from the command line. If you don't have Kubernetes, you should use our Docker image to deploy the Ambassador Edge Stack locally.
In your terminal, run the following command:
kubectl apply -f https://www.getambassador.io/yaml/aes-crds.yaml && \kubectl wait --for condition=established --timeout=90s crd -lproduct=aes && \kubectl apply -f https://www.getambassador.io/yaml/aes.yaml && \kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aesDetermine the IP address or hostname of your cluster by running the following command:
kubectl get -n ambassador service ambassador -o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}"Your load balancer may take several minutes to provision your IP address. Repeat the provided command until you get an IP address.
Note: If you are a Minikube user, Minikube does not natively support load balancers. Instead, use
minikube service list
. You should see something similar to the following:(⎈ |minikube:ambassador)$ minikube service list|-------------|------------------|--------------------------------|| NAMESPACE | NAME | URL ||-------------|------------------|--------------------------------|| ambassador | ambassador | http://192.168.64.2:31230 || | | http://192.168.64.2:31042 || ambassador | ambassador-admin | No node port || ambassador | ambassador-redis | No node port || default | kubernetes | No node port || kube-system | kube-dns | No node port ||-------------|------------------|--------------------------------|Use any of the URLs listed next to
ambassador
to access the Ambassador Edge Stack.Navigate to
http://<your-IP-address>
and click through the certificate warning for access to the Edge Policy Console interface. The certificate warning appears because, by default, the Ambassador Edge Stack uses a self-signed certificate for HTTPS.- Chrome users should click Advanced > Proceed to website.
- Safari users should click Show details > visit the website and provide your password.
To login to the Edge Policy Console, download and install
edgectl
, the command line tool Edge Control, by following the provided instructions on the page. The Console lists the correct command to run and provides download links for theedgectl
binary.The Edge Policy Console must authenticate your session using a Kubernetes Secret in your cluster. Edge Control accesses that secret using
kubectl
, then sends a URL to your browser that contains the corresponding session key. This extra step ensures that access to the Edge Policy Console is just as secure as access to your Kubernetes cluster.For more information, see Edge Control.
To access the Edge Policy Console going forward, you can access it using one of the following options:
edgectl login -n <namespace> <AES_host>
orhttps://{{AES_URL}}/edge_stack/admin
Configure TLS Termination and Automatic HTTPS
The Ambassador Edge Stack enables TLS termination by default using a self-signed certificate. See the Host CRD for more information about disabling TLS. If you have the ability to update your DNS, Ambassador can automatically configure a valid TLS certificate for you, eliminating the TLS warning. If you do not have the ability to update your DNS, skip to the next section, "Create a Mapping."
Update your DNS so that your domain points to the IP address for your cluster.
In the Edge Policy Console, create a
Host
resource:- On the "Hosts" tab, click the Add button on the right.
- Enter your hostname (domain) in the hostname field.
- Check the "Use ACME to manage TLS" box.
- Review the Terms of Service and check the box that you agree to the Terms of Service.
- Enter the email address to be associated with your TLS certificate.
- Click the Save button.
You'll see the newly created
Host
resource appear in the UI with a status of "Pending." This will change to "Ready" once the certificate is fully provisioned. If you receive an error that your hostname does not qualify for ACME management, you can still configure TLS manually or by reviewing configuration in the Host CRD.Once the Host is ready, navigate to
https://<hostname>
in your browser. Note that the certificate warning has gone away. Additionally, the Ambassador Edge Stack automatically will redirect HTTP connections to HTTPS.
Create a Mapping
In a typical configuration workflow, Custom Resource Definitions (CRDs) are used to define the intended behavior of Ambassador Edge Stack. In this example, we'll deploy a sample service and create a Mapping
resource. Mappings allow you to associate parts of your domain with different URLs, IP addresses, or prefixes.
We'll start by deploying the
quote
service. Save the below configuration into a file namedquote.yaml
. This is a basic configuration that tells Kubernetes to deploy thequote
container and create a Kubernetesservice
that points to thequote
container.---apiVersion: v1kind: Servicemetadata:name: quotenamespace: ambassadorspec:ports:- name: httpport: 80targetPort: 8080selector:app: quote---apiVersion: apps/v1kind: Deploymentmetadata:name: quotenamespace: ambassadorspec:replicas: 1selector:matchLabels:app: quotestrategy:type: RollingUpdatetemplate:metadata:labels:app: quotespec:containers:- name: backendimage: quay.io/datawire/quote:0.2.7ports:- name: httpcontainerPort: 8080Deploy the
quote
service to the cluster by typing the commandkubectl apply -f quote.yaml
.Now, create a
Mapping
configuration that tells Ambassador to route all traffic from/backend/
to thequote
service. Copy the YAML and save it to a file calledquote-backend.yaml
.---apiVersion: getambassador.io/v2kind: Mappingmetadata:name: quote-backendnamespace: ambassadorspec:prefix: /backend/service: quoteApply the configuration to the cluster by typing the command
kubectl apply -f quote-backend.yaml
.Test the configuration by typing
curl -Lk https://<hostname>/backend/
orcurl -Lk https://<IP address>/backend/
. You should see something similar to the following:(⎈ |rdl-1:default)$ curl -Lk https://aes.ri.k36.net/backend/{"server": "idle-cranberry-8tbb6iks","quote": "Non-locality is the driver of truth. By summoning, we vibrate.","time": "2019-12-11T20:10:16.525471212Z"}
A Single Source of Configuration
In the Ambassador Edge Stack, Kubernetes serves as the single source of
configuration. Changes made on the command line (via kubectl
) are reflected in
the UI, and vice versa. This enables a consistent configuration workflow.
You can see this in action by navigating to the Mappings tab, or
the Hosts tab. You'll see an entry for the quote-backend
Mapping that was
just created on the command line.
To see your mappings via the command line, run
kubectl get mappings
If you configured TLS, you can type
kubectl get hosts
to see theHost
resource that was created:(⎈ |rdl-1:default)$ kubectl get hostsNAME HOSTNAME STATE PHASE COMPLETED PHASE PENDING AGEaes.ri.k36.net aes.ri.k36.net Ready 158m
Developer Onboarding
The Quote service we just deployed publishes its API as a Swagger document. This API is automatically detected by the Ambassador Edge Stack and published.
In the Edge Policy Console, navigate to the APIs tab. You'll see the documentation there for internal use.
Navigate to
https://<hostname>/docs/
orhttps://<IP address>/docs/
to see the externally visible Developer Portal (make sure you include the trailing/
). This is a fully customizable portal that you can share with third parties who need information about your APIs.
What’s Next?
The Ambassador Edge Stack has a comprehensive range of features to support the requirements of any edge microservice.
Questions?
We’re here to help. If you have questions, join our Slack or contact us.