Allow single ingress to run HTTP without forcing SSL using Traefik Ingress Controller

9/21/2018

I have Traefik set as my Ingress controller via the helm chart on version 1.5.4. I have LetsEncrypt enabled and SSL set to Enforced so all of my exposed services are forcing SSL as desired.

I have recently run into a situation where I need to not force SSL on a single ingress. I have tried every annotation I could find but the most I can get to happen is a redirect loop (http -> https -> http) leading me to believe that SSL is still enforced.

Has anyone managed to get this running via annotations? Here are the annotations for 1.5. Thanks!

My currently deployed Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  creationTimestamp: 2018-09-18T05:52:41Z
  generation: 1
  labels:
    app: prerender
    chart: prerender-0.4.0
    heritage: Tiller
    release: prerender
  name: prerender-prerender
  namespace: production-prerender-io
  resourceVersion: "41421557"
  selfLink: /apis/extensions/v1beta1/namespaces/production-prerender-io/ingresses/prerender-prerender
  uid: 0e8a1286-bb07-11e8-9938-06e82a01885c
spec:
  rules:
  - host: prerender.mydomain.com
    http:
      paths:
      - backend:
          serviceName: prerender-prerender
          servicePort: 3000
        path: /
status:
  loadBalancer: {}
-- Cameron Carranza

1 Answer

9/21/2018

This is not supported by Kubernetes on a single Ingress. In other words, once you go TLS on an Ingress you can't go back. Ingress as in this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myingress
spec:
  tls:
  - secretName: mytlssecret
  backend:
    serviceName: service1
    servicePort: 80

It would be nice to have something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myingress
spec:
  tls:
  - secretName: mytlssecret
  backend:
    serviceName: service1
    servicePort: 80
    tlsFrontend: false

Created this to see if it can happen. The workaround I guess is creating another Ingress.

Edit:

The Traefik helm chart configures Traefik specifically with Let's Encrypt, so in this case the non-TLS backend would have to be supported specifically by Traefik through a backend annotation.

-- Rico
Source: StackOverflow
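
An added example (not from the question or the answer): a small Python audit that reads `kubectl get ingress --all-namespaces -o json` output and separates hosts whose TLS is declared in `spec.tls` from hosts, like the question's Ingress, that get HTTPS only from controller-level settings. The `shop/web` item, the `web-tls` secret and the function names are constructed for illustration; a `tls` entry without `hosts` is assumed to cover every host on that Ingress.

```python
import json

def tls_covers(host, tls_entries):
    """True if any spec.tls entry covers host. An entry without 'hosts' falls
    back to the controller's wildcard host, so it is treated as covering all."""
    for entry in tls_entries:
        names = entry.get("hosts")
        if not names:
            return True
        for name in names:
            if name == host:
                return True
            # '*.example.com' covers exactly one extra leading label
            if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
                return True
    return False

def classify_ingresses(doc):
    """Map 'namespace/name host' -> 'manifest-tls' or 'controller-only'."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    report = {}
    for ing in items:
        meta, spec = ing.get("metadata", {}), ing.get("spec", {})
        # An Ingress with only a default backend has no rules: report it as '*'
        hosts = [r.get("host", "*") for r in spec.get("rules") or []] or ["*"]
        for host in hosts:
            key = "%s/%s %s" % (meta.get("namespace", "default"), meta.get("name"), host)
            covered = tls_covers(host, spec.get("tls") or [])
            report[key] = "manifest-tls" if covered else "controller-only"
    return report

# Constructed sample: the question's Ingress, the answer's Ingress, and one
# hypothetical Ingress mixing a covered and an uncovered host.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"metadata": {"namespace": "production-prerender-io", "name": "prerender-prerender"},
  "spec": {"rules": [{"host": "prerender.mydomain.com"}]}},
 {"metadata": {"name": "myingress"},
  "spec": {"tls": [{"secretName": "mytlssecret"}]}},
 {"metadata": {"namespace": "shop", "name": "web"},
  "spec": {"tls": [{"hosts": ["*.example.com"], "secretName": "web-tls"}],
           "rules": [{"host": "www.example.com"}, {"host": "example.org"}]}}]}""")

if __name__ == "__main__":
    for key, status in sorted(classify_ingresses(SAMPLE).items()):
        print(status, key)
```

Hosts reported as `controller-only` are the ones whose HTTPS behaviour changes when the controller's redirect settings change, so they are the ones to re-check after any per-Ingress exception is introduced.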