The Ambassador Edge Stack is a self-service, comprehensive edge stack that is Kubernetes-native and built on Envoy Proxy.
$ helm repo add datawire https://getambassador.io
$ helm install ambassador datawire/ambassador
This chart bootstraps an Ambassador deployment on a Kubernetes cluster using the Helm package manager.
- Kubernetes 1.11+
helm repo add datawire https://getambassador.io
To install the chart with the release name my-release
:
$ kubectl create namespace ambassador
$ helm install my-release datawire/ambassador -n ambassador
The command deploys Ambassador Edge Stack in the ambassador namespace on the Kubernetes cluster in the default configuration.
It is recommended to use the ambassador namespace for easy upgrades.
The configuration section lists the parameters that can be configured during installation.
This chart defaults to installing The Ambassador Edge Stack with all of its configuration objects.
- A Redis instance
AuthService
resource for enabling authenticationRateLimitService
resource for enabling rate limitingMapping
s for internal request routing
If installing alongside another deployment of Ambassador, some of these resources can cause configuration errors since only one AuthService
or RateLimitService
can be configured at a time.
If you already have one of these resources configured in your cluster, please see the configuration section below for information on how to disable them in the chart.
This chart can still be used to install Ambassador OSS.
To install OSS, change the image
to use the OSS image and set enableAES: false
to skip the install of any AES resources.
To uninstall/delete the my-release
deployment:
$ helm uninstall my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
Notable chart changes are listed in the CHANGELOG
The following tables lists the configurable parameters of the Ambassador chart and their default values.
Parameter | Description | Default |
---|---|---|
nameOverride |
Override the generated chart name. Defaults to .Chart.Name. | |
fullnameOverride |
Override the generated release name. Defaults to .Release.Name. | |
adminService.create |
If true , create a service for Ambassador's admin UI |
true |
adminService.nodePort |
If explicit NodePort for admin service is required | true |
adminService.type |
Ambassador's admin service type to be used | ClusterIP |
adminService.annotations |
Annotations to apply to Ambassador admin service | {} |
adminService.loadBalancerIP |
IP address to assign (if cloud provider supports it) | "" |
adminService.loadBalancerSourceRanges |
Passed to cloud provider load balancer if created (e.g: AWS ELB) | None |
ambassadorConfig |
Config thats mounted to /ambassador/ambassador-config |
"" |
crds.enabled |
If true , enables CRD resources for the installation. |
true |
crds.create |
If true , Creates CRD resources |
true |
crds.keep |
If true , if the ambassador CRDs should be kept when the chart is deleted |
true |
daemonSet |
If true , Create a DaemonSet. By default Deployment controller will be created |
false |
hostNetwork |
If true , uses the host network, useful for on-premise setups |
false |
dnsPolicy |
Dns policy, when hostNetwork set to ClusterFirstWithHostNet | ClusterFirst |
env |
Any additional environment variables for ambassador pods | {} |
envRaw |
Additional environment variables in raw YAML format | {} |
image.pullPolicy |
Ambassador image pull policy | IfNotPresent |
image.repository |
Ambassador image | docker.io/datawire/aes |
image.tag |
Ambassador image tag | 1.7.0 |
imagePullSecrets |
Image pull secrets | [] |
namespace.name |
Set the AMBASSADOR_NAMESPACE environment variable |
metadata.namespace |
scope.singleNamespace |
Set the AMBASSADOR_SINGLE_NAMESPACE environment variable and create namespaced RBAC if rbac.enabled: true |
false |
podAnnotations |
Additional annotations for ambassador pods | {} |
deploymentAnnotations |
Additional annotations for ambassador DaemonSet/Deployment | {} |
podLabels |
Additional labels for ambassador pods | |
deploymentLabels |
Additional labels for ambassador DaemonSet/Deployment | |
affinity |
Affinity for ambassador pods | {} |
nodeSelector |
NodeSelector for ambassador pods | {} |
priorityClassName |
The name of the priorityClass for the ambassador DaemonSet/Deployment | "" |
rbac.create |
If true , create and use RBAC resources |
true |
rbac.podSecurityPolicies |
pod security polices to bind to | |
rbac.nameOverride |
Overrides the default name of the RBAC resources | `` |
replicaCount |
Number of Ambassador replicas | 3 |
resources |
CPU/memory resource requests/limits | { "limits":{"cpu":"1000m","memory":"600Mi"},"requests":{"cpu":"200m","memory":"300Mi"}} |
securityContext |
Set security context for pod | { "runAsUser": "8888" } |
security.podSecurityContext |
Set the security context for the Ambassador pod | { "runAsUser": "8888" } |
security.containerSecurityContext |
Set the security context for the Ambassador container | { "allowPrivilegeEscalation": false } |
security.podSecurityPolicy |
Create a PodSecurityPolicy to be used for the pod. | {} |
restartPolicy |
Set the restartPolicy for pods |
`` |
initContainers |
Containers used to initialize context for pods | [] |
sidecarContainers |
Containers that share the pod context | [] |
livenessProbe.initialDelaySeconds |
Initial delay (s) for Ambassador pod's liveness probe | 30 |
livenessProbe.periodSeconds |
Probe period (s) for Ambassador pod's liveness probe | 3 |
livenessProbe.failureThreshold |
Failure threshold for Ambassador pod's liveness probe | 3 |
readinessProbe.initialDelaySeconds |
Initial delay (s) for Ambassador pod's readiness probe | 30 |
readinessProbe.periodSeconds |
Probe period (s) for Ambassador pod's readiness probe | 3 |
readinessProbe.failureThreshold |
Failure threshold for Ambassador pod's readiness probe | 3 |
service.annotations |
Annotations to apply to Ambassador service | "" |
service.externalTrafficPolicy |
Sets the external traffic policy for the service | "" |
service.ports |
List of ports Ambassador is listening on | [{"name": "http","port": 80,"targetPort": 8080},{"name": "https","port": 443,"targetPort": 8443}] |
service.loadBalancerIP |
IP address to assign (if cloud provider supports it) | "" |
service.loadBalancerSourceRanges |
Passed to cloud provider load balancer if created (e.g: AWS ELB) | None |
service.type |
Service type to be used | LoadBalancer |
service.externalIPs |
External IPs to route to the ambassador service | [] |
serviceAccount.create |
If true , create a new service account |
true |
serviceAccount.name |
Service account to be used | ambassador |
volumeMounts |
Volume mounts for the ambassador service | [] |
volumes |
Volumes for the ambassador service | [] |
enableAES |
Create the AES configuration objects | true |
createDevPortalMappings |
Expose the dev portal on /docs/ and /documentation/ |
true |
licenseKey.value |
Ambassador Edge Stack license. Empty will install in evaluation mode. | `` |
licenseKey.createSecret |
Set to false if installing mutltiple Ambassdor Edge Stacks in a namespace. |
true |
licenseKey.secretName |
Name of the secret to store Ambassador license key in. | `` |
licenseKey.annotations |
Annotations to attach to the license-key-secret. | {} |
redisURL |
URL of redis instance not created by the release | "" |
redisEnv |
(DEPRECATED: Use envRaw ) Set env vars that control how Ambassador interacts with redis. |
"" |
redis.create |
Create a basic redis instance with default configurations | true |
redis.annotations |
Annotations for the redis service and deployment | "" |
redis.resources |
Resource requests for the redis instance | "" |
redis.nodeSelector |
NodeSelector for redis pods | {} |
authService.create |
Create the AuthService CRD for Ambassador Edge Stack |
true |
authService.optional_configurations |
Config options for the AuthService CRD |
"" |
rateLimit.create |
Create the RateLimit CRD for Ambassador Edge Stack |
true |
registry.create |
Create the Project registry. |
false |
autoscaling.enabled |
If true, creates Horizontal Pod Autoscaler | false |
autoscaling.minReplicas |
If autoscaling enabled, this field sets minimum replica count | 2 |
autoscaling.maxReplicas |
If autoscaling enabled, this field sets maximum replica count | 5 |
autoscaling.metrics |
If autoscaling enabled, configure hpa metrics | |
podDisruptionBudget |
Pod disruption budget rules | {} |
prometheusExporter.enabled |
DEPRECATED: Prometheus exporter side-car enabled | false |
prometheusExporter.pullPolicy |
DEPRECATED: Image pull policy | IfNotPresent |
prometheusExporter.repository |
DEPRECATED: Prometheus exporter image | prom/statsd-exporter |
prometheusExporter.tag |
DEPRECATED: Prometheus exporter image | v0.8.1 |
prometheusExporter.resources |
DEPRECATED: CPU/memory resource requests/limits | {} |
metrics.serviceMonitor.enabled |
Create ServiceMonitor object (adminService.create should be to true ) |
false |
metrics.serviceMonitor.interval |
Interval at which metrics should be scraped | 30s |
metrics.serviceMonitor.scrapeTimeout |
Timeout after which the scrape is ended | 30s |
metrics.serviceMonitor.selector |
Label Selector for Prometheus to find ServiceMonitors | { prometheus: kube-prometheus } |
servicePreview.enabled |
If true, install Service Preview components: traffic-manager & traffic-agent (enableAES needs to also be to true ) |
false |
servicePreview.trafficManager.image.repository |
Ambassador Traffic-manager image | Same value as image.repository |
servicePreview.trafficManager.image.tag |
Ambassador Traffic-manager image tag | Same value as image.tag |
servicePreview.trafficManager.serviceAccountName |
Traffic-manager Service Account to be used | traffic-manager |
servicePreview.trafficAgent.image.repository |
Ambassador Traffic-agent image | Same value as image.repository |
servicePreview.trafficAgent.image.tag |
Ambassador Traffic-agent image tag | Same value as image.tag |
servicePreview.trafficAgent.injector.enabled |
If true, install the ambassador-injector | true |
servicePreview.trafficAgent.injector.crtPEM |
TLS certificate for the Common Name of ..svc | Auto-generated, valid for 365 days |
servicePreview.trafficAgent.injector.keyPEM |
TLS private key for the Common Name of ..svc | Auto-generated, valid for 365 days |
servicePreview.trafficAgent.port |
Traffic-agent listening port number when injected with ambassador-injector | 9900 |
servicePreview.trafficAgent.serviceAccountName |
Label Selector for Prometheus to find ServiceMonitors | traffic-agent |
servicePreview.trafficAgent.singleNamespace |
If true , installs the traffic-agent ServiceAccount and Role in the current installation namespace; Otherwise uses a global ClusterRole applied to every ServiceAccount |
true |
NOTE: Make sure the configured service.http.targetPort
and service.https.targetPort
ports match your Ambassador Module's service_port
and redirect_cleartext_from
configurations.
The Ambassador Edge Stack provides a comprehensive, self-service edge stack in the Kubernetes cluster with a decentralized deployment model and a declarative paradigm.
By default, this chart will install the latest image of The Ambassador Edge Stack which will replace your existing deployment of Ambassador with no changes to functionality.
This helm chart includes the creation of the core CRDs Ambassador uses for configuration.
The crds
flags (Helm 2 only) let you configure how a release manages crds.
crds.create
Can only be set on your first/master Ambassador release.crds.enabled
Should be set on all releases using Ambassador CRDscrds.keep
Configures if the CRDs are deleted when the master release is purged. This value is only checked for the master release and can be set to any value on secondary releases.
Ambassador takes security very seriously. For this reason, the YAML installation will default with a couple of basic security policies in place.
The security
field of the values.yaml
file configures these default policies and replaces the securityContext
field used earlier.
The defaults will configure the pod to run as a non-root user and prohibit privilege escalation and outline a PodSecurityPolicy
to ensure these conditions are met.
security:
# Security Context for all containers in the pod.
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core
podSecurityContext:
runAsUser: 8888
# Security Context for the Ambassador container specifically
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core
containerSecurityContext:
allowPrivilegeEscalation: false
# A basic PodSecurityPolicy to ensure Ambassador is running with appropriate security permissions
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
#
# A set of reasonable defaults is outlined below. This is not created by default as it should only
# be created by a one Release. If you want to use the PodSecurityPolicy in the chart, create it in
# the "master" Release and then leave it unset in all others. Set the `rbac.podSecurityPolicies`
# in all non-"master" Releases.
podSecurityPolicy: {}
# # Add AppArmor and Seccomp annotations
# # https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
# annotations:
# spec:
# seLinux:
# rule: RunAsAny
# supplementalGroups:
# rule: 'MustRunAs'
# ranges:
# # Forbid adding the root group.
# - min: 1
# max: 65535
# fsGroup:
# rule: 'MustRunAs'
# ranges:
# # Forbid adding the root group.
# - min: 1
# max: 65535
# privileged: false
# allowPrivilegeEscalation: false
# runAsUser:
# rule: MustRunAsNonRoot
Ambassador is configured using Kubernetes Custom Resource Definitions (CRDs). If you are unable to use CRDs, Ambassador can also be configured using annotations on services. The service.annotations
section of the values file contains commented out examples of Ambassador Module and a global TLSContext configurations which are typically created in the Ambassador service.
If you intend to use service.annotations
, remember to include the getambassador.io/config
annotation key as above.
Using the Prometheus Exporter has been deprecated and is no longer recommended. You can now use metrics.serviceMonitor.enabled
to create a ServiceMonitor
from the chart if the Prometheus Operator has been installed on your cluster.
Please see Ambassador's monitoring with Prometheus docs for more information on using the /metrics
endpoint for metrics collection.
Specify each parameter using the --set key=value[,key=value]
argument to helm install
. For example,
$ helm install --wait my-release \
--set adminService.type=NodePort \
datawire/ambassador
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
$ helm install --wait my-release -f values.yaml datawire/ambassador
Introduces Ambassador Edge Stack being installed by default.
Ambassador Pro support has been removed in 6.0.0. Please upgrade to the Ambassador Edge Stack.
Note If upgrading an existing helm 2 installation no action is needed, previously installed CRDs will not be modified.
- Helm 3 support for CRDs was added. Specifically, the CRD templates were moved to non-templated files in the
/crds
directory, and to keep Helm 2 support they are globbed from there by/templates/crds.yaml
. However, because Helm 3 CRDs are not templated, the labels for new installations have necessarily changed
The 4.0.0 chart contains a number of changes to the way Ambassador Pro is installed.
- Introduces the performance tuned and certified build of open source Ambassador, Ambassador core
- The license key is now stored and read from a Kubernetes secret by default
- Added
.Values.pro.licenseKey.secret.enabled
.Values.pro.licenseKey.secret.create
fields to allow multiple releases in the same namespace to use the same license key secret. - Introduces the ability to configure resource limits for both Ambassador Pro and it's redis instance
- Introduces the ability to configure additional
AuthService
options (see AuthService documentation) - The ambassador-pro-auth
AuthService
and ambassador-pro-ratelimitRateLimitService
and now created as CRDs when.Values.crds.enabled: true
- Fixed misnamed selector for redis instance that failed in an edge case
- Exposes annotations for redis deployment and service
The value of .Values.pro.image.tag
has been shortened to assume amb-sidecar
(and amb-core
for Ambassador core)
values.yaml
<3.0.0>
image:
repository: quay.io/datawire/ambassador_pro
- tag: amb-sidecar-0.6.0
<4.0.0+>
image:
repository: quay.io/datawire/ambassador_pro
+ tag: 0.7.0
Method for creating a Kubernetes secret to hold the license key has been changed
values.yaml
<3.0.0>
- secret: false
<4.0.0>
+ secret:
+ enabled: true
+ create: true
The way ports are assigned has been changed for a more dynamic method.
Now, instead of setting the port assignments for only the http and https, any port can be open on the load balancer using a list like you would in a standard Kubernetes YAML manifest.
pre-3.0.0
service:
http:
enabled: true
port: 80
targetPort: 8080
https:
enabled: true
port: 443
targetPort: 8443
3.0.0
service:
ports:
- name: http
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
This change has also replaced the .additionalTCPPorts
configuration. Additional TCP ports can be created the same as the http and https ports above.
The below Ambassador Module
annotation is no longer being applied by default.
getambassador.io/config: |
---
apiVersion: ambassador/v1
kind: Module
name: ambassador
config:
service_port: 8080
This was causing confusion with the service_port
being hard-coded when enabling TLS termination in Ambassador.
Ambassador has been listening on port 8080 for HTTP and 8443 for HTTPS by default since version 0.60.0
(chart version 2.2.0).
A ClusterRole
and ClusterRoleBinding
named {{release name}}-crd
will be created to watch for the Ambassador Custom Resource Definitions. This will be created regardless of the value of scope.singleNamespace
since CRDs are created the cluster scope.
rbac.namespaced
has been removed. For namespaced RBAC, set scope.singleNamespace: true
and rbac.enabled: true
.
crds.enabled
will indicate that you are using CRDs and will create the rbac resources regardless of the value of crds.create
. This allows for multiple deployments to use the CRDs.
ambassador.id has been removed in favor of setting it via an environment variable in env
. AMBASSADOR_ID
defaults to default
if not set in the environment. This is mainly used for running multiple Ambassadors in the same cluster.
Parameter | Env variables |
---|---|
ambassador.id |
AMBASSADOR_ID |
Chart now runs ambassador as non-root by default, so you might need to update your ambassador module config to match this.
Timings values have been removed in favor of setting the env variables using `env´
Parameter | Env variables |
---|---|
timing.restart |
AMBASSADOR_RESTART_TIME |
timing.drain |
AMBASSADOR_DRAIN_TIME |
timing.shutdown |
AMBASSADOR_SHUTDOWN_TIME |
Parameter | Env variables |
---|---|
namespace.single |
AMBASSADOR_SINGLE_NAMESPACE |
Service ports values have changed names and target ports have new defaults.
Previous parameter | New parameter | New default value |
---|---|---|
service.enableHttp |
service.http.enabled |
|
service.httpPort |
service.http.port |
|
service.httpNodePort |
service.http.nodePort |
|
service.targetPorts.http |
service.http.targetPort |
8080 |
service.enableHttps |
service.https.enabled |
|
service.httpsPort |
service.https.port |
|
service.httpsNodePort |
service.https.nodePort |
|
service.targetPorts.https |
service.https.targetPort |
8443 |
Pre version 0.50.0
ambassador was using socat and required a sidecar to export statsd metrics. In 0.50.0
ambassador no longer uses socat and doesn't need a sidecar anymore to export its statsd metrics. Statsd metrics are disabled by default and can be enabled by setting environment STATSD_ENABLED
, this will (in 0.50) send metrics to a service named statsd-sink
, if you want to send it to another service or namespace it can be changed by setting STATSD_HOST
If you are using prometheus the chart allows you to enable a sidecar which can export to prometheus see the prometheusExporter
values.