TLS origination

Sometimes you may want traffic from Emissary-ingress to your services to be encrypted. For the cases where terminating TLS at the ingress is not enough, Emissary-ingress can be configured to originate TLS connections to your upstream services.

Basic configuration

Telling Emissary-ingress to talk to your services over HTTPS is easily configured in the Mapping definition by setting https:// in the service field.

Advanced configuration using a TLSContext

If your upstream services require more than basic HTTPS support (for example, providing a client certificate or setting the minimum TLS version support) you must create a TLSContext for Emissary-ingress to use when originating TLS. For example:

Configure Emissary-ingress to use this TLSContext for connections to upstream services by setting the tls attribute of a Mapping:

The example-service service must now support TLS v1.3 for Emissary-ingress to connect.