5
votes

I'm trying to set up a simple HTTP to HTTPS redirect for traffic going to a Kubernetes cluster. The SSL termination is happening on the ELB. When I try to use nginx.ingress.kubernetes.io/ssl-redirect = true, it results in an infinite redirect, which led me to set up a config map to handle this (nginx-ingress: Too many redirects when force-ssl is enabled).

Now there seems to be no redirection happening at all.

My ingress service is defined as:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...:certificate/...
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
  labels:
    k8s-addon: ingress-nginx.addons.k8s.io
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: http
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: ingress-nginx
  type: LoadBalancer

My config map is defined as:

apiVersion: v1
kind: ConfigMap
data:
  client-body-buffer-size: 32M
  hsts: "true"
  proxy-body-size: 1G
  proxy-buffering: "off"
  proxy-read-timeout: "600"
  proxy-send-timeout: "600"
  server-tokens: "false"
  ssl-redirect: "false"
  upstream-keepalive-connections: "50"
  use-proxy-protocol: "true"
  http-snippet: |
    server {
      listen 8080 proxy_protocol;
      server_tokens off;
      return 307 https://$host$request_uri;
    }
metadata:
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: ingress-nginx

And, the ingress is defined as:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gateway-ingress
  annotations:
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: Authorization, origin, accept
    nginx.ingress.kubernetes.io/cors-allow-methods: GET, OPTIONS
    nginx.ingress.kubernetes.io/cors-allow-origin: gateway.example.com.com/monitor
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: gateway.example.com
    http:
      paths:
      - backend:
          serviceName: gateway
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - gateway.example.com
1
Have you looked at this article? medium.com/store2be-tech/… - Jose
Yes. They are overriding the ingress controller config which is not ideal (in their own words). The config map should be doing the same thing according to the linked SO article. - BHarman

1 Answer

6
votes

The issue was the target port I was using on the load balancer not matching the port the redirection server was listening on:

ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http

This was just sending everything to port 80. It should have been this:

ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080

That way it matches up with the ConfigMap's:

data:
  ...
  http-snippet: |
    server {
      listen 8080 proxy_protocol;
      server_tokens off;
      return 307 https://$host$request_uri;
    }
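
Added example, not part of the original answer: a pre-deploy check that the ELB's plain-HTTP listener reaches the `http-snippet` redirect server and the TLS listener does not (which would loop). It takes the Service and ConfigMap as dicts, as parsed from `kubectl get ... -o json`; the sample objects are constructed from the manifests above, and the `named_ports` mapping (`http` resolving to container port 80) is an assumption based on the answer's description.

```python
import re

# Simple server blocks only (no nested braces), as in the http-snippet above.
SERVER_RE = re.compile(r"server\s*\{(.*?)\}", re.S)
LISTEN_RE = re.compile(r"listen\s+(?:\S+:)?(\d+)")
REDIRECT_RE = re.compile(r"return\s+30[1278]\s+https://")
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"

def redirect_ports(configmap):
    """Listen ports of http-snippet server blocks that return an HTTPS redirect."""
    snippet = configmap.get("data", {}).get("http-snippet", "")
    ports = set()
    for body in SERVER_RE.findall(snippet):
        if REDIRECT_RE.search(body):
            ports.update(int(p) for p in LISTEN_RE.findall(body))
    return ports

def check(service, configmap, named_ports):
    """Return a list of findings; an empty list means the redirect is wired up."""
    redirect = redirect_ports(configmap)
    ann = service["metadata"].get("annotations", {})
    tls = {p.strip() for p in ann.get(SSL_PORTS, "").split(",")}
    findings = []
    for p in service["spec"]["ports"]:
        target = p.get("targetPort", p["port"])
        target = named_ports.get(target, target)  # resolve a named container port
        is_tls = p["name"] in tls or str(p["port"]) in tls
        if is_tls and target in redirect:
            findings.append(f"{p['name']}: TLS listener hits redirect port {target} (loop)")
        if not is_tls and target not in redirect:
            findings.append(f"{p['name']}: plain listener hits {target}, no redirect there")
    return findings

# Constructed sample input mirroring the manifests on this page.
CONFIGMAP = {"data": {"http-snippet": "server {\n  listen 8080 proxy_protocol;\n"
                      "  server_tokens off;\n  return 307 https://$host$request_uri;\n}\n"}}

def sample_service(http_target, https_target="http"):
    return {"metadata": {"annotations": {SSL_PORTS: "https"}},
            "spec": {"ports": [
                {"name": "https", "port": 443, "targetPort": https_target},
                {"name": "http", "port": 80, "targetPort": http_target}]}}

NAMED = {"http": 80}  # assumption: the controller's "http" container port is 80

if __name__ == "__main__":
    print(check(sample_service("http"), CONFIGMAP, NAMED))  # question's Service
    print(check(sample_service(8080), CONFIGMAP, NAMED))    # answer's fix
```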