I have a functional Ingress running with TLS set up and working correctly. I can access http://whoami.domain.com and https://whoami.domain.com, and the correct certificate is used on the https domain.
I'm running on Google, and I know that Google's Ingress controller does not allow setting force ssl to assure that the traffic goes over https. I know I can disable http with kubernetes.io/ingress.allow-http: "false" but we do not want the friction for the user to know that they need to use https://.
My thought of how to solve this would be to have a "redirect" backend that I define as default backend for all port=80 requests, that just 301 to https... However, I cannot find a way to define ingress rules that respects the incoming port.
This is my current thought of how to do it, but of course it does not function :)
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
spec:
  tls:
  - hosts:
    - whoami.domain.com
    secretName: tls-whoami
  rules:
  - host: whoami.domain.com
    port: 443 # my wish :)
    http:
      paths:
      - backend:
          serviceName: whoami-service
          servicePort: 80
  - host: whoami.domain.com
    port: 80 # my wish :)
    http:
      paths:
      - backend:
          serviceName: http-redirect-service
          servicePort: 80
```
I have been trying to find WHAT rule keys one can supply, but cannot find any list, just examples where they are all about host and path.
It is currently not possible to set up redirection from http:// to https:// in Google Cloud Load Balancers. Therefore you cannot do this in GKE Ingress. https://issuetracker.google.com/35904733
I personally recommend running a simple service like an nginx container that just rewrites the http:// requests to https:// and putting it behind the port 80 version of your app.
EDIT: I'm not sure how to achieve this. You may need two separate Ingress objects with the same hostname, but one with tls: and one without. BUT I'm still not sure if it will work, because the Ingress controller can create multiple forwarding-rules and likely you won't be able to achieve this.
The best solution here might be just using a TCP/IP Load Balancer (Service type:LoadBalancer) listening on both :80 and :443 and terminating TLS yourself.
Check out this question, it's very similar to yours: Implementing workaround for missing http->https redirection in ingress-gce with GLBC
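A sketch of the redirect-only nginx container suggested in the answer above, added here as an example and not taken from the original post. It assumes the load balancer health check is pointed at /healthz (a hypothetical path, for instance set through the pod's readinessProbe) and reuses the hostname from the question.

```nginx
# nginx.conf for a redirect-only container (the question's "http-redirect-service").
# Constructed example: the /healthz path is an assumption, the hostname is the
# one used in the question.
events {}

http {
    server {
        listen 80 default_server;

        # Health checks must receive a 200. If they got the 301 below, the
        # load balancer would mark the backend unhealthy and stop routing to it.
        location = /healthz {
            access_log off;
            default_type text/plain;
            return 200 "ok\n";
        }

        location / {
            # Redirect to a fixed hostname instead of $host, so a forged
            # Host header cannot steer the redirect to another site.
            return 301 https://whoami.domain.com$request_uri;
        }
    }
}
```

The redirect only covers the first plain-HTTP request; the TLS-terminating side still needs to be the one serving the application.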