Deploying Ambassador Edge Stack with Kubermatic KubeOne

Ambassador Edge Stack is an open-source, Kubernetes-native API Gateway that delivers Edge-as-a-Service to application developers. Built on the powerful Envoy Proxy, it routes and secures traffic to your cluster. Ambassador Edge Stack makes it easy to secure your microservices with a comprehensive set of security functionality, including automatic TLS, authentication, rate limiting, WAF integration, and fine-grained access control. This allows teams to reduce the number of components they need to install and manage, thereby minimizing operational intervention and allowing developer self-service.   

On top of that, Edge Stack is quite easy to deploy. In this blog post, we are going to show you step by step how you can use Kubermatic KubeOne to deploy Edge Stack on AWS. The prerequisite for this is that you already have a running KubeOne Kubernetes cluster. In case you do not have one yet, read this blog post by Richard Li on how to easily set up your highly-available Kubernetes cluster on AWS to get you started. 

A Closer Look at Ambassador Edge Stack

Ambassador Edge Stack is a proven Kubernetes-native API gateway built on Envoy Proxy.E dge Stack can function as a full-fledged Kubernetes ingress controller. It also supports a broad range of functionality not supported in the ingress specification, including traffic management controls such as load balancing and circuit breaking, authentication, and observability.

Edge Stack can be installed using Helm or YAML. For more advanced configuration options such as TLS termination and Single Sign-On integration with Keycloak, the K8s Initializer will automatically generate the necessary configuration.

Ambassador Edge Stack can be deployed in any cloud provider, or on-premise. In this blog post, we’ll take AWS as an example . For more detailed information, see the Edge Stack documentation on deploying with specific AWS Load Balancers:


In this example we will be using Helm 3 to deploy the Edge Stack.

Add the Repo:

helm repo add datawire

Create Namespace and Install:

kubectl create namespace ambassador && \

helm install ambassador --namespace ambassador datawire/ambassador && \

kubectl -n ambassador wait --for condition=available --timeout=90s deploy -lproduct=aes

Congratulations! You have successfully installed The Ambassador Edge Stack!

Routing Traffic from the Edge

Edge Stack empowers developers and devops teams with self-service functionality for managing changes to routing. This includes a declarative policy engine and CRD configurations.

Like any other Kubernetes object, Custom Resource Definitions (CRDs) are used to declaratively define Edge Stack’s desired state. 

The workflow you are going to build uses a simple demo app and the Mapping CRD, which is the core resource that you will use with Edge Stack. It lets you route requests by host and URL path from the edge of your cluster to Kubernetes services.

 Now let’s deploy and expose a sample service.

  1. First, apply the YAML for the “Quote of the Moment" service

kubectl apply -f

The Service and Deployment are created in the Ambassador namespace. You can use <kubectl get services,deployments quote –namespace ambassador> to see their status.

  1. Copy the configuration below and save it to a file called quote-backend.yaml so that you can create a Mapping on your cluster. 

This Mapping tells Edge Stack to route all traffic inbound to the /backend/ path to the quote Service.

kind: Mapping
 name: quote-backend
 namespace: ambassador
 prefix: /backend/
 service: quote
  1. Apply the configuration to the cluster:

kubectl apply -f quote-backend.yaml

With our Mapping created, now we need to access it!

  1. Store the Edge Stack load balancer IP address to a local environment variable. You will use this variable to test accessing your service.

export AMBASSADOR_LB_ENDPOINT=$(kubectl -n ambassador get svc ambassador \

-o "go-template={{range .status.loadBalancer.ingress}}{{or .ip .hostname}}{{end}}")

  1. Test the configuration by accessing the service through the Ambassador load balancer:

curl -Lk https://$AMBASSADOR_LB_ENDPOINT/backend/

$ curl -Lk https://$AMBASSADOR_LB_ENDPOINT/backend/ 


   "server": "idle-cranberry-8tbb6iks",

   "quote": "Non-locality is the driver of truth. By summoning, we vibrate.",

   "time": "2021-02-26T15:55:06.884798988Z"

Victory! You have created your first Edge Stack Mapping, routing a request from your cluster’s edge to a service!

Connect your Cluster to Ambassador Cloud

The Service Catalog is a web-based interface that lists all of your cluster’s services. You can view, add, and update metadata associated with each service, such as the owner, version control repository, and associated Slack channel.

  1. Log in to Ambassador Cloud with your GitHub account
  2. At the top, hover over All Clusters then click Add a Cluster
  3. Follow the prompts to name the cluster and click Generate a Cloud Token.
  4. Follow the prompts to install the cloud token into your cluster
  5. When the token installation completes, refresh the Service Catalog page

Fantastic! You can now see all your services in your Ambassador Cloud account! Metadata on your services about the owner, repo location, etc. can also be shown in Service Catalog via Kubernetes annotations. Continue in the Service Catalog docs to set annotations on your Services.

Learn More

Sebastian Scheele

Sebastian Scheele

Co-founder and CEO