c60a6ea was definitely over-zealous. At a minimum, the 2 reference/pro/* pages need to come back.

https://www.getambassador.io/docs/argo/latest/howtos/configure-argo-rollouts/

I’m not really sure if it’s useful to even mention ArgoCD or use it in this context. I know from personal experience that folks around me end up shortening all the Argo stuff to just Argo and I have to ask them ArgoRollouts or ArgoCD? - And they don’t realize those are totally different things.

Additionally, I didn’t follow this guide because it misses a bunch of seemingly very important information that this guide nails: https://argoproj.github.io/argo-rollouts/features/traffic-management/ambassador/

Finally, the ambassador guide for argo-rollouts sends you through Ambassador Cloud to complete the setup, which again, I thought wasn’t very useful from a “bare minimum” standpoint.

docs/telepresence-oss & docs/telepresence have Edit this page on GitHub button broken.

docs/telepresence-oss on the latest version leads to gh:telepresence-oss/2.18
docs/telepresence on the latest version leads to gh:telepresence/2.19

All versions starting from including 2.17 & up are absent in github:datawire/ambassador-docs

ps. there is an inconsistency in links to telepresence documentation.

telepresence.io Docs menu section leads to getambassador.io/docs/telepresence-oss note the -oss part.
While getambassador.io/docs Telepresence menu section leads to getambassador.io/docs/telepresence with no -oss part.

Ambassador can automatically create a ServiceMonitor which would really simply the story around configuring prometheus with the helm chart

Please create dedicated CRD API documentation pages such as what has been done here:

• https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io%2fv1
• https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/

I've seen this statement several times when I was attempting to get acquainted, and each time I saw this again, the diagnostic service can help you here., I was like, "Again?" When was I taught anything about this service?

Literally, you start here:
https://www.getambassador.io/docs/edge-stack/latest/tutorials/getting-started/

Then "What's Next?"

https://www.getambassador.io/docs/edge-stack/latest/topics/using/intro-mappings/

Doing a search for Diagnostics was less than useful too. 😞

https://www.getambassador.io/docs/edge-stack/latest/topics/running/diagnostics/#diagnostics
First sentence is:

If you're experiencing issues with Ambassador Edge Stack, log in to your Edge Policy Console...

Oh, well, I'm not using the service yet... so maybe this isn't the page.

Then I go here: https://www.getambassador.io/docs/edge-stack/latest/topics/running/debugging/ and see:

If you’re experiencing issues with the Ambassador Edge Stack and cannot diagnose the issue through the /ambassador/v0/diag/ diagnostics endpoint, this document covers various approaches and advanced use cases for debugging Ambassador Edge Stack issues.

This doesn't explain where this endpoint is located, or how to access it. Searching the page of /v0 has 1 entry, which is this sentence, which doesn't actually tell me anything.

Closest thing to useful was this:
https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador/#observability

This page actually caused more confusion than anything:
https://www.getambassador.io/docs/edge-stack/latest/topics/install/docker/#2-productnames-diagnostics

I see several references to http://localhost:8080/qotm/ and http://localhost:8080/ambassador/v0/diag/

And if you look at the files that you asked to deploy (https://app.getambassador.io/yaml/edge-stack/2.1.2/aes.yaml) I see no reference to this path.

I never got this working properly at first because I just kept getting 301 redirects. After deploying the Host that allows insecure traffic, that's when I was able to visit that URL. See #503

Anyways... circles.. Sorry this was long, but I wanted to accurately try to reproduce what I ended up going through as I ran into several different, related, interconnected issues, documentation failures, and some other things (#502, emissary-ingress/emissary#4071, and emissary-ingress/emissary#4072)

Hindsight is 2020, if I port-forwarded directly to the admin port on the pod, I would have been able to see this, even while I was having the 301 redirect issue, and the TLS issues.

https://www.getambassador.io/reference/configuration/ has clickable resource types, but https://www.getambassador.io/reference/core/crds/ does not. (Please add them to the Core CRDs page rather than removing them from the configuration page. 😉)

I'm trying to configure tracing via Zipkin, and all the traces have their "ServiceName" set to ambassador-<k8s namespace>. I'd want to set it to a custom value, but I've been unable to find a way in the official docs.

I installed ambassador via Helm and followed the Istio HowTo.

Helm Chart version: ambassador-6.7.13
Isitio version: 1.10.3

I followed the instructions here: https://www.getambassador.io/docs/edge-stack/latest/howtos/istio/#integrating-productname-with-istio-15-and-above

The ambassador deployment YAML that includes the istio envoy proxy that is used on that page doesn't work with the deployment that is installed in the Helm Chart.

The first error prevents that the deployment is applied at all: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"service":"ambassador"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

The deployment from the Helm Chart has different selectors:

spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: ambassador
      app.kubernetes.io/name: ambassador

After changing the selectors, the YAML can be applied, and after a restart the ambassador pod boots and is healthy, but it doesn't work. I'm not sure what is going on, but I think the problem is in the istio-envoy container.

I managed to create a working version of the deployment by basically comparing the deployment from the Helm Chart and the one from the HowTo:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambassador
  namespace: ambassador
  labels:
    app.kubernetes.io/instance: ambassador
    app.kubernetes.io/name: ambassador
    app.kubernetes.io/part-of: ambassador
    product: aes
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: ambassador
      app.kubernetes.io/name: ambassador
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8877"
        prometheus.io/scheme: "http"
        prometheus.io/path: "/metrics"
      labels:
        app.kubernetes.io/instance: ambassador
        app.kubernetes.io/name: ambassador
        product: aes
    spec:
      volumes:
        - name: istio-certs
          emptyDir:
            medium: Memory
        - name: istiod-ca-cert
          configMap:
            defaultMode: 420
            name: istio-ca-root-cert
        - emptyDir:
            medium: Memory
          name: istio-envoy
        - name: istio-token
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  audience: istio-ca
                  expirationSeconds: 43200
                  path: istio-token
        - downwardAPI:
            defaultMode: 420
            items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.labels
                path: labels
          name: ambassador-pod-info
        - name: ambassador-edge-stack-secrets
          secret:
            secretName: ambassador-edge-stack
            defaultMode: 420
      containers:
      - name: ambassador
        image: docker.io/datawire/aes:1.13.10
        imagePullPolicy: IfNotPresent
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        env:
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: REDIS_URL
          value: ambassador-redis:6379
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        - name: AMBASSADOR_ISTIO_SECRET_DIR
          value: "/etc/istio-certs"
        - name: AMBASSADOR_ENVOY_BASE_ID
          value: "1"
        livenessProbe:
          httpGet:
            path: /ambassador/v0/check_alive
            port: admin
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 1
          periodSeconds: 3
          successThreshold: 1
          failureThreshold: 3
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        - containerPort: 8443
          name: https
          protocol: TCP
        - containerPort: 8877
          name: admin
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /ambassador/v0/check_ready
            port: admin
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 1
          periodSeconds: 3
          successThreshold: 1
          failureThreshold: 3
        resources:
          limits:
            cpu: '1'
            memory: 600Mi
          requests:
            cpu: 200m
            memory: 300Mi
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /tmp/ambassador-pod-info
          name: ambassador-pod-info
        - mountPath: /.config/ambassador
          name: ambassador-edge-stack-secrets
          readOnly: true
        - mountPath: /etc/istio-certs/
          name: istio-certs
      - name: istio-proxy
        # Use the same version as your Istio installation
        image: istio/proxyv2:1.10.3
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-proxy-ambassador
        - --discoveryAddress
        - istio-pilot.istio-system.svc:15012
        - --connectTimeout
        - 10s
        - --statusPort
        - "15020"
        - --trust-domain=cluster.local
        - --controlPlaneBootstrap=false
        env:
        - name: OUTPUT_CERTS
          value: "/etc/istio-certs"
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        imagePullPolicy: IfNotPresent
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15020
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio-certs/
          name: istio-certs
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        securityContext:
          runAsUser: 0
      restartPolicy: Always
      securityContext:
        runAsUser: 8888
      serviceAccountName: ambassador
      terminationGracePeriodSeconds: 0
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

I changed lots of things and I'm not sure what change made it work, but my version is basically a copy of the one from the Helm Chart, with the exception that I added the prometheus.io annotations which allows the prometheus operator to configure prometheus without having to change the ConfigMap manually how it is described later in the HowTo.

Since I don't really know what I'm doing, I didn't create a PR here (also for some reason I cannot find the istio HowTo page in this repository). But maybe my deployment YAML helps someone to update that HowTo.

If not then this is just a "bug" report, that the Istio HowTo doesn't work.

Hi,

I suggest adding a reference in the "gRPC and Ambassador" to
https://github.com/datawire/ambassador/blob/master/docs/reference/core/ambassador.md#grpc-web-enable_grpc_web.

Could have saved me several hours trying to understand why grpc-web is not working in Ambassador.

Thanks.

Was following the instructions and this error occurs. Retried several times, in case it can be fixed by retrying, but error still occurs

$ helm install ambassador --namespace ambassador datawire/ambassador
Error: INSTALLATION FAILED: failed to install CRD crds/filter.yaml: resource mapping not found for name: "filters.getambassador.io" namespace: "" from "": no matches for kind "CustomResourceDefinition" in
 version "apiextensions.k8s.io/v1beta1"
ensure CRDs are installed first

tls attribute should be set after service attribute in the mapping configuration of the service in the Istio mTLS guide and TLS documentation for Istio and Consul

The table header on the big table in reference/core/crds.md isn't marked as being a header, so it looks like it's just another row of data.

LogService was added in 0.86.1. However, other than a single line mentioning that it exists, there are no docs for it.

In deploying emissary-ingress with multiple deployments it was unclear from the documentation that the ambassador_id parameter needed to be specified on Listener/Host custom resources.

Could we have the Listener and Host resource documentation updated to show that ambassador_id is an option available on these resources? https://www.getambassador.io/docs/emissary/latest/topics/running/listener https://www.getambassador.io/docs/emissary/latest/topics/running/host-crd

In 425570157c14b1fb7da4a970aa06d39c0b781117 we removed references to using Helm to install Ambassador. However, it also over-zealously removed docs on using Prometheus-as-installed-by-Helm from user-guide/monitoring.md. Those docs continue to be useful.

While reading the docs regarding the API change for Emissary-Ingress auth service I found a typo pictured below.

Also would like to know if in the same paragraph this section Emissary-ingress 3.Y. should actually be Emissary-ingress 3.x.

Will submit an MR to fix the default typo.

For AWS users, it seems that using an AWS NLB is a good move in order to reduce latency when exposing a Kubernetes Cluster to outside traffic. With that said, I think the "GettingStarted" page could actually reduce the number of different things that are needed by requesting that the user not try to access the "quote" service from a loadbalancer at first, but instead, just kubectl port-forward to the edge-stack service.

Unfortunately, I found that when I attempted to do that, I ran into 2 issues. 1 of which was that the Getting Started guide doesn't have you deploy a Host object at all. And that ends up resulting in automatic https and a 301 redirect which I found somewhat surprising and hard to figure out what was going on and why.

Here's the getting started page I'm referring to:
https://www.getambassador.io/docs/edge-stack/latest/tutorials/getting-started/

This page, which seems to be specific to AWS contained what appears to be invaluable data in regards to how to
https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador-with-aws/#l4-load-balancer-default-elb-or-nlb

specifically how to essentially disable Ambassador's automatic TLS functionality via:

apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: ambassador
spec:
  hostname: "*"
  selector:
    matchLabels:
      hostname: wildcard
  acmeProvider:
    authority: none
  requestPolicy:
    insecure:
      action: Route

This was really really helpful once I pulled some of my hair out trying to find it (again), since I looked all over these places:
https://www.getambassador.io/docs/edge-stack/latest/topics/running/listener/

this page does tell me a bit about this behavior I was seeing (the 301), but it wasn't clear where what requestPolicy was, or where I should be setting this configuration.
https://www.getambassador.io/docs/edge-stack/latest/topics/running/host-crd/#secure-and-insecure-requests

Finally, when request to run this command:

curl -Lki https://$LB_ENDPOINT/backend/

I was unsure why -L, --location Follow redirects was included, and it was clear that SSL was broken since it also required -k, --insecure Allow insecure server connections when using SSL in the command.

So, why not just skip the "automatic TLS and such" until a second page?

Additionally, there are multiple other pages that claim that Host is required for traffic routing to work, yet it's not part of the Getting Started at all.

The AuthService page (reference/auth-service.md) should be edited to clarify that OSS users should use an AuthService, but that AES users are discouraged from using an AuthService, and should use Filters instead.

• The big downside of an AuthService is there can only be one for all of Ambassador. An "External" Filter (non-OSS) is a drop-in replacement for an AuthService, and there can be many of them, orchestrated by a FilterPolicy.
• AES itself wants to be the AuthService. Using your own AuthService means deleting the ambassador-edge-stack-auth AuthService that is part of aes.yaml, which will disable a substantial portion of the non-OSS functionality, including the ACME client.
• Perhaps some of the information in the AuthService page should be copied/moved to the docs about External Filters.

Just wanted to drop another learning gotcha that I ran into - GettingStarted refers to a service called qotm, yet the repo matching that service (below) appears to be dead.

Filed an issue asking for redirection to datawire/quote as well as archiving the dead repo:

datawire/qotm#13

I also didn’t notice until later that the docker image, is actually datawire/quote of which, there is a repo for that, so I have another issue here asking for releases, tags, and better documentation, including of that on DockerHub.

datawire/quote#8

This is just a general request to update documentation on the website, as well as in Github and Dockerhub for consistency.

Thank you!

In c5e93fd and a697e58, @scoyle391 wrote

gRPC-Web is a binary HTTP/2-based protocol that extends the benefits of gRPC to the browser; gRPC-Web wraps around gRPC for clients that cannot speak raw HTTP/2

Which is a little confused (which is on me, she sent me what she wrote before adding it, and I just didn't reply :/)

In truth:

• gRPC (not "-Web") is a binary HTTP/2-based protocol
• That is problematic for some programs, as some programs (such as JavaScript running in the browser) cannot speak raw HTTP/2
• gRPC-Web is a JSON (instead of binary) HTTP-based (any version, instead of just HTTP/2) protocol that wraps around plain gRPC, to help alleviate that problem (at the cost of performance).

The AES install instructions tell users to go to https://{{AES_URL}}/ to access the admin page. However, this does not work if you have a Mapping with prefix: /.

Therefore, I propose we edit the upgrade doc to just tell users to go to https://{{AES_URL}}/edge_stack/admin so there is no confusion

Automatic HTTPS is a cool feature. However, for users who are currently running Ambassador to only listen for cleartext (ex: terminating tls at LB), the AES will appear broken since you now have to opt-out of TLS termination.

We need to call this out as much as we can so people are aware of what they must do to get AES working. If it appears broken, people will not upgrade. A good place to do this is in the upgrade docs but I believe it should be done as much as we can

Based on the report in emissary-ingress/emissary#4155 the API version v3alpha1 only accepts an object. string and bool are not accepted anymore and should be removed from the documentation and the examples.

The RateLimitService should be rewritten to clarify that it should only be used by open source Ambassador.

AES ships with a RateLimitService and configuring another one is not supported.

This PR addresses actual typos, such as misspelled words, missing words, incorrect word usage, etc.

The EPC is not supported in the docker quickstart. This should be made clear so people do not think it does not work.

Also add an example of how to access the diagnostics page with authentication

curl http://localhost:8080/ambassador/v0/diag/ -u admin:admin

Why?
Documentation PRs are an easy entrypoint for community contributions. However, members don't have the ability to tag reviewers, nor do they know who the best person to tag is. PRs might stay open and go stale as a result.

What?
Per a quick Slack thread with @kflynn, a CODEOWNERS configuration is an easy solution.