TLS origination
Sometimes you may want traffic from Emissary-ingress to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Emissary-ingress can be configured to originate TLS connections to your upstream services.
Basic configuration
Telling Emissary-ingress to talk to your services over HTTPS is easily configured in the Mapping definition by setting https:// in the service field.
Advanced configuration using a TLSContext
If your upstream services require more than basic HTTPS support (e.g. minimum TLS version support or SNI support) you can create a TLSContext for Emissary-ingress to use when originating TLS.
Configure Emissary-ingress to use this TLSContext for connections to upstream services by setting the tls attribute of a Mapping.
The example-service service must now support TLS v1.3 for Emissary-ingress to connect.
Note: A TLSContext requires a certificate be provided even if not using it to terminate TLS. For origination purposes, this certificate can simply be self-signed unless mTLS is required.
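The advanced configuration described above, written out as an added example (not the project's own manifest). It assumes the getambassador.io/v2 API version used by the 1.x release line; every name other than example-service (the TLSContext name, the Secret name, the prefix and the SNI hostname) is a placeholder.

```yaml
# Added example: TLS origination to example-service with a minimum TLS
# version and SNI. Names other than example-service are placeholders.
---
apiVersion: getambassador.io/v2      # assumed API version for the 1.x line
kind: TLSContext
metadata:
  name: upstream-tls                 # placeholder name, referenced by the Mapping below
spec:
  # A certificate Secret is required even though this context is only used
  # for origination; it may be self-signed unless the upstream requires mTLS.
  secret: upstream-tls-cert          # placeholder Secret name
  # Emissary-ingress will refuse to negotiate anything below TLS v1.3
  # with the upstream service.
  min_tls_version: v1.3
  # Hostname sent in the TLS ClientHello so the upstream can select
  # the matching certificate.
  sni: example-service.example.com   # placeholder hostname
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: example-service-mapping      # placeholder name
spec:
  prefix: /example/                  # placeholder route prefix
  service: example-service
  # Originate TLS to the upstream using the TLSContext defined above.
  tls: upstream-tls
```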