4

I have a functional Ingress running with TLS set up and working correctly. I can access http://whoami.domain.com and https://whoami.domain.com, and the correct certificate is used on the https domain.

I'm running on Google, and I know that Google's Ingress controller does not allow setting force ssl to assure that the traffic goes over https. I know I can disable http with kubernetes.io/ingress.allow-http: "false" but we do not want the friction for the user to know that they need to use https://

My thought of how to solve this would be to have a "redirect" backend that I define as default backend for all port=80 requests, that just 301 to https... However, I cannot find a way to define ingress rules that respect the incoming port.

This is my current thought of how to do it, but of course it does not function :)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
spec:
  tls:
  - hosts:
    - whoami.domain.com
    secretName: tls-whoami
  rules:
  - host: whoami.domain.com
    port: 443  # my wish :)
    http:
      paths:
      - backend:
          serviceName: whoami-service
          servicePort: 80
  - host: whoami.domain.com
    port: 80  # my wish :)
    http:
      paths:
      - backend:
          serviceName: http-redirect-service
          servicePort: 80

I have been trying to find WHAT rule keys one can supply, but cannot find any list, just examples where they are all about host and path.

pjotr_dolphin

1 Answer

1

It is currently not possible to set up redirection from http:// to https:// in Google Cloud Load Balancers. Therefore you cannot do this in GKE Ingress. https://issuetracker.google.com/35904733

I personally recommend running a simple service like an nginx container that just rewrites the http:// requests to https:// and putting it behind the port 80 version of your app.

EDIT: I'm not sure how to achieve this. You may need two separate Ingress objects with the same hostname, but one with tls: and one without. BUT I'm still not sure if it will work, because the Ingress controller can create multiple forwarding-rules and likely you won't be able to achieve this.

The best solution here might be just using a TCP/IP Load Balancer (Service type:LoadBalancer) listening on both :80 and :443 and terminating TLS yourself.

Check out this question, it's very similar to yours: Implementing workaround for missing http->https redirection in ingress-gce with GLBC

ahmet alp balkan
  • I am aware of that, therefore my question :) If you see my example, that is exactly what I want to do. But I have not found a way to do that. One cannot define the port in the Ingress. So I do not think your answer is correct. – pjotr_dolphin Apr 18 '18 at 20:13
  • Sorry! My bad. I think you may need two ingress objects here. One with TLS, one without. They both specify the same static IP, and the hostname. Can you give this a try? – ahmet alp balkan Apr 19 '18 at 03:23
  • On second thought, I don't think that will work either. Edited my response. – ahmet alp balkan Apr 19 '18 at 03:27
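
The small redirect service the answer recommends, sketched as an added example (not code from the original answer or from any project). It assumes the load balancer sets X-Forwarded-Proto on proxied requests and that health checks reach the pod without that header; `decide`, `forceHTTPS` and `allowedHosts` are hypothetical names.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Hostname from the question; pinning it stops a forged Host header causing an open redirect.
var allowedHosts = map[string]bool{"whoami.domain.com": true}

// decide returns the status to send and, for a redirect, its Location (0 = pass to the app).
func decide(proto, host, uri string) (int, string) {
	if proto != "http" {
		// "https", or no header: assumed health check, which must see the app's 200.
		return 0, ""
	}
	host = strings.ToLower(host)
	if i := strings.LastIndexByte(host, ':'); i >= 0 {
		host = host[:i] // drop an explicit port such as :80
	}
	if !allowedHosts[host] {
		return http.StatusBadRequest, ""
	}
	return http.StatusMovedPermanently, "https://" + host + uri
}

// forceHTTPS wraps the application handler (assumes the pod is only reachable via the LB).
func forceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		proto := r.Header.Get("X-Forwarded-Proto")
		switch status, loc := decide(proto, r.Host, r.URL.RequestURI()); status {
		case http.StatusMovedPermanently:
			http.Redirect(w, r, loc, status) // path and query are preserved
		case http.StatusBadRequest:
			http.Error(w, "unknown host", status)
		default:
			if proto == "https" { // ask browsers to skip the HTTP hop next time
				w.Header().Set("Strict-Transport-Security", "max-age=31536000")
			}
			next.ServeHTTP(w, r)
		}
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("whoami\n")) })
	log.Fatal(http.ListenAndServe(":80", forceHTTPS(app)))
}
```

Because the decision is made from the forwarded header rather than the listening port, the same backend can serve both the port 80 and port 443 sides of the Ingress.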