DocsEmissary-ingress2.4The Host CRD
The Host CRD
The custom Host
resource defines how Emissary-ingress will be
visible to the outside world. It collects all the following information in a
single configuration resource:
- The hostname by which Emissary-ingress will be reachable
- How Emissary-ingress should handle TLS certificates
- How Emissary-ingress should handle secure and insecure requests
- Which
Mappings
should be associated with thisHost
A minimal Host
resource, assuming no TLS configuration, would be:
This Host
tells Emissary-ingress to expect to be reached at host.example.com
,
with no TLS termination, and only associating with Mapping
s that also set a
hostname
that matches host.example.com
.
Remember that a Listener
will also be required for this example to
be functional. Many examples of setting up Host
and Listener
are available
in the Configuring Emissary-ingress Communications
document.
Setting the hostname
The hostname
element tells Emissary-ingress which hostnames to expect. hostname
is a DNS glob,
so all of the following are valid:
host.example.com
*.example.com
host.example.*
The following are not valid:
host.*.com
-- Envoy supports only prefix and suffix globs*host.example.com
-- the wildcard must be its own element in the DNS name
In all cases, the hostname
is used to match the :authority
header for HTTP routing.
When TLS termination is active, the hostname
is also used for SNI matching.
Controlling Association with Mapping
s
A Mapping
will not be associated with a Host
unless at least one of the following is true:
- The
Mapping
specifies ahostname
attribute that matches theHost
in question. - The
Host
specifies amappingSelector
that matches theMapping
's Kuberneteslabel
s.
If neither of the above is true, the Mapping
will not be associated with the Host
in
question. This is intended to help manage memory consumption with large numbers of Host
s and large
numbers of Mapping
s.
If the Host
specifies mappingSelector
and the Mapping
specifies hostname
, both must match
for the association to happen.
The selector
is a Kubernetes label selector, but in 2.0, only matchLabels
is supported, for example:
The above Host
will associate with these Mapping
s:
It will not associate with any of these:
Future versions of Emissary-ingress will support matchExpressions
as well.
Secure and insecure requests
A secure request arrives via HTTPS; an insecure request does not. By default, secure requests will be routed and insecure requests will be redirected (using an HTTP 301 response) to HTTPS. The behavior of insecure requests can be overridden using the requestPolicy
element of a Host
:
The insecure-action
can be one of:
Redirect
(the default): redirect to HTTPSRoute
: go ahead and route as normal; this will allow handling HTTP requests normallyReject
: reject the request with a 400 response
Some special cases to be aware of here:
- Case matters in the actions: you must use e.g.
Reject
, notreject
. - The
X-Forwarded-Proto
header is honored when determining whether a request is secure or insecure. For more information, see "Load Balancers, theHost
Resource, andX-Forwarded-Proto
" below. - ACME challenges with prefix
/.well-known/acme-challenge/
are always forced to be considered insecure, since they are not supposed to arrive over HTTPS. - Ambassador Edge Stack provides native handling of ACME challenges. If you are using this support, Ambassador Edge Stack will automatically arrange for insecure ACME challenges to be handled correctly. If you are handling ACME yourself - as you must when running Emissary-ingress - you will need to supply appropriate
Host
resources and Mappings to correctly direct ACME challenges to your ACME challenge handler.
TLS settings
The Host
is responsible for high-level TLS configuration in Emissary-ingress. There are
several settings covering TLS:
tlsSecret
enables TLS termination
tlsSecret
specifies a Kubernetes Secret
is required for any TLS termination to occur. No matter what other TLS
configuration is present, TLS termination will not occur if tlsSecret
is not specified.
The following Host
will configure Emissary-ingress to read a Secret
named
tls-cert
for a certificate to use when terminating TLS.
tlsContext
links to a TLSContext
for additional configuration
tlsContext
specifies a TLSContext
to use for additional TLS information. Note that you must still
define tlsSecret
for TLS termination to happen. It is an error to supply both tlsContext
and tls
.
See the TLS discussion for more details.
tls
allows manually providing additional configuration
tls
allows specifying most of the things a TLSContext
can, inline in the Host
. Note that you must still
define tlsSecret
for TLS termination to happen. It is an error to supply both tlsContext
and tls
.
See the TLS discussion for more details.
Load balancers, the Host
resource, and X-Forwarded-Proto
In a typical installation, Emissary-ingress runs behind a load balancer. The configuration of the load balancer can affect how Emissary-ingress sees requests arriving from the outside world, which can in turn can affect whether Emissary-ingress considers the request secure or insecure. As such:
- We recommend layer 4 load balancers unless your workload includes long-lived connections with multiple requests arriving over the same connection. For example, a workload with many requests carried over a small number of long-lived gRPC connections.
- Emissary-ingress fully supports TLS termination at the load balancer with a single exception, listed below.
- If you are using a layer 7 load balancer, it is critical that the system be configured correctly:
- The load balancer must correctly handle
X-Forwarded-For
andX-Forwarded-Proto
. - The
l7Depth
element in theListener
CRD must be set to the number of layer 7 load balancers the request passes through to reach Emissary-ingress (in the typical case, where the client speaks to the load balancer, which then speaks to Emissary-ingress, you would setl7Depth
to 1). Ifl7Depth
remains at its default of 0, the system might route correctly, but upstream services will see the load balancer's IP address instead of the actual client's IP address.
- The load balancer must correctly handle
It's important to realize that Envoy manages the X-Forwarded-Proto
header such that it always reflects the most trustworthy information Envoy has about whether the request arrived encrypted or unencrypted. If no X-Forwarded-Proto
is received from downstream, or if it is considered untrustworthy, Envoy will supply an X-Forwarded-Proto
that reflects the protocol used for the connection to Envoy itself. The l7Depth
element is also used when determining trust for X-Forwarded-For
, and it is therefore important to set it correctly. Its default of 0 should always be correct when Emissary-ingress is behind only layer 4 load balancers; it should need to be changed only when layer 7 load balancers are involved.
CRD specification
The Host
CRD is formally described by its protobuf specification. Developers who need access to the specification can find it here.