Download a copy of the [ambassador-service.yaml] file from Ambassador. Replace
the `metadata` section with one that includes an Ambassador TLS configuration block,
using the secret name you created in the previous step. Then add an entry for port 443
to the `LoadBalancer` spec. Here is a complete example:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ambassador
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: tls
      config:
        server:
          enabled: True
          secret: ambassador-certs
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
  - port: 80
    targetPort: http
    protocol: TCP
    name: http
  - port: 443
    targetPort: https
    protocol: TCP
    name: https
  selector:
    service: ambassador
```
Update the service definition by applying it with `kubectl`:
```bash
kubectl apply -f ambassador-service.yaml
```
You should now be able to test the SSL connection from your browser.
## Troubleshooting
When Ambassador is unable to establish an authenticated connection to the Connect proxy servers, browser connections will display this message:
```text
upstream connect error or disconnect/reset before headers
```
This error can have a number of different causes. Here are some things to check and troubleshooting steps you can take.
### Check intentions between Ambassador and your upstream service
If you followed the above installation guide, Consul should have registered a service called "ambassador". Make sure you create an intention to allow it to connect to your own services.
To check whether Ambassador is allowed to connect, use the [`intention check`][intention-check] subcommand.
```text
$ consul intention check ambassador http-echo
Allowed
```
### Confirm upstream proxy sidecar is running
First, find the name of the pod that contains your service.
```text
$ kubectl get pods -l app=http-echo,role=server
NAME                         READY   STATUS    RESTARTS   AGE
http-echo-7fb79566d6-jmccp   2/2     Running   0          1d
```
Then describe the pod to make sure that the sidecar is present and running.
```text
$ kubectl describe pod http-echo-7fb79566d6-jmccp
[...]
Containers:
  consul-connect-envoy-sidecar:
    [...]
    State:          Running
    Ready:          True
```
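
The intention check and the sidecar check above can be scripted so they run the same way every time the `upstream connect error` appears. This is an added example, not part of the original guide or of Consul or Ambassador; the function names are hypothetical, and it assumes `consul` and `kubectl` are on the PATH and already configured for the cluster being debugged.

```bash
# Added example. Assumes consul and kubectl are installed and configured.

# Sidecar container name as shown in the `kubectl describe pod` output above.
SIDECAR="consul-connect-envoy-sidecar"
# One line per pod: "<pod> <container>=<ready>,<container>=<ready>,"
JSONPATH='{range .items[*]}{.metadata.name}{" "}{range .status.containerStatuses[*]}{.name}={.ready}{","}{end}{"\n"}{end}'

# True only if Consul prints "Allowed" for source -> destination.
intention_allowed() {
  [ "$(consul intention check "$1" "$2" 2>/dev/null)" = "Allowed" ]
}

# Prints every pod matching the label selector whose Connect sidecar is
# missing or not ready, or a marker line if the selector matched nothing.
pods_missing_sidecar() {
  kubectl get pods -l "$1" -o jsonpath="$JSONPATH" |
    awk -v want="$SIDECAR=true," '
      NF  { seen = 1; if (index("," $2, "," want) == 0) print $1 }
      END { if (!seen) print "<no pods matched selector>" }'
}

# usage: triage_upstream <source-service> <destination-service> <label-selector>
# Returns 0 if both checks pass, 1 if the intention denies the connection,
# 2 if a sidecar is missing or not ready or no pods matched.
triage_upstream() {
  if ! intention_allowed "$1" "$2"; then
    echo "intention check: $1 -> $2 is not allowed"
    return 1
  fi
  bad=$(pods_missing_sidecar "$3")
  if [ -n "$bad" ]; then
    echo "sidecar check failed for: $bad"
    return 2
  fi
  echo "intention and sidecar checks passed for $1 -> $2"
}

# Example: triage_upstream ambassador http-echo app=http-echo,role=server
```

A return code of 1 points at the intention, and 2 points at the pod, so the remaining steps in this section are only needed when the function returns 0 and requests still fail.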
### Start up a downstream proxy and try connecting to it
Log into one of your Consul server pods (or any pod that has a Consul binary in it).
```text
$ kubectl exec -ti consul-server-0 -- /bin/sh
```
Once inside the pod, try starting a test proxy. Use the name of your service in place of `http-echo`.
```text
# consul connect proxy -service=ambassador -upstream http-echo:1234
==> Consul Connect proxy starting...
    Configuration mode: Flags
               Service: http-echo-client
              Upstream: http-echo => :1234
       Public listener: Disabled
```
If the proxy starts successfully, try connecting to it. Verify the output is as you expect.
```text
# curl localhost:1234
"hello world"
```
Don't forget to kill the test proxy when you're done.
```text
# kill %1
==> Consul Connect proxy shutdown
# exit
```
### Check Ambassador Connect sidecar logs
Find the name of the Connect Integration pod and make sure it is running.
```text
$ kubectl get pods -l app=ambassador-pro,component=consul-connect
```
You should then be able to open http://localhost:8877/ambassador/v0/diag/ in your browser and view Ambassador's routing table. The table lists each URL mapping that has been set up. Service names will appear in green if Ambassador believes they are healthy, and red otherwise.
From this interface, you can also enable debug logging via the yellow "Set Debug On" button, which might give you a better idea of what's happening when requests fail.
### Getting support
If you have tried the above troubleshooting steps and are still stuck, Datawire provides support for Ambassador via the popular Slack chat app. You can [request access] and then join the `#ambassador` room to get help.