YAML
To migrate from Emissary 1.X to Emissary 2.X, see the Emissary migration matrix. This guide will not work for that, due to changes to the configuration resources used for Emissary 2.X.
In this guide, we’ll walk you through installing Emissary in your Kubernetes cluster.
The manual install process does not allow for as much control over configuration as the Helm install method, so if you need more control over your Emissary installation, it is recommended that you use helm.
Before you begin
Emissary is designed to run in Kubernetes for production. The most essential requirements are:
- Kubernetes 1.11 or later
- The
kubectlcommand-line tool
Install with YAML
Emissary is typically deployed to Kubernetes from the command line. If you don’t have Kubernetes, you should use our Docker image to deploy Emissary locally.
In your terminal, run the following command:
kubectl create namespace $productNamespace$ || true kubectl apply -f https://app.getambassador.io/yaml/emissary/$version$/emissary-crds.yaml && \ kubectl apply -f https://app.getambassador.io/yaml/emissary/$version$/emissary-emissaryns.yaml && \ kubectl -n $productNamespace$ wait --for condition=available --timeout=90s deploy $productDeploymentName$Emissary $version$ includes a Deployment in the $productNamespace$ namespace called emissary-apiext. This is the APIserver extension that supports converting Emissary CRDs betweengetambassador.io/v2andgetambassador.io/v3alpha1. This Deployment needs to be running at all times.If the emissary-apiextDeployment's Pods all stop running, you will not be able to usegetambassador.io/v3alpha1CRDs until restarting theemissary-apiextDeployment.There is a known issue with the emissary-apiextservice that impacts all Emissary 2.x and 3.x users. Specifically, the TLS certificate used by apiext expires one year after creation and does not auto-renew. All users who are running Emissary/Ambassador Edge Stack 2.x or 3.x with the apiext service should proactively renew their certificate as soon as practical by runningkubectl delete --all secrets --namespace=emissary-systemto delete the existing certificate, and then restart theemissary-apiextdeployment withkubectl rollout restart deploy/emissary-apiext -n emissary-system. This will create a new certificate with a one year expiration. We will issue a software patch to address this issue well before the one year expiration. Note that certificate renewal will not cause any downtime.Determine the IP address or hostname of your cluster by running the following command:
kubectl get -n $productNamespace$ service $productDeploymentName$ -o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}"Your load balancer may take several minutes to provision your IP address. Repeat the provided command until you get an IP address.
Next Steps
Emissary shold now be successfully installed and running, but in order to get started deploying Services and test routing to them you need to configure a few more resources.
- The
ListenerResource is required to configure which ports the Emissary pods listen on so that they can begin responding to requests. - The
MappingResouce is used to configure routing requests to services in your cluster. - The
HostResource configures TLS termination for enablin HTTPS communication. - Explore how Emissary configures communication with clients
- The
Listener, deploying a simple service to test with, and setting up a Mapping to route requests from Emissary to the demo service.Upgrading an existing installation
See the migration matrix for instructions about upgrading Emissary.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.