Application-gateway-kubernetes-ingress: HttpListener is created for http when http is disabled

Created on 12 Nov 2018  路  8Comments  路  Source: Azure/application-gateway-kubernetes-ingress

Currently there is always a httpListener created for both http and https even if http is disabled in the ingress

The solution i'd like is to skip the generation of the httpListener creation if http is disabled.

See also this TODO in the code https://github.com/Azure/application-gateway-kubernetes-ingress/blob/6a9ce466bd37133d569417905eca6ae912df55b5/pkg/appgw/httpListeners.go#L96

feature

Most helpful comment

I support all previous comments on this thread and would like to see this implemented ASAP.

Using the application gateway to enable the HTTPS listener and perform SSL offload to the K8S cluster is working great, but leaving the HTTP listener enabled is causing us grief with our security team. We want the ingress controller to update the gateway and set the desired state without manual updates.

An annotation would work, suggest 2 possible ones:

  1. ssl-require: if this annotation is present, would disable the HTTP listener if HTTPS is specified in the ingress
  2. ssl-redirect: if this annotation is present, would keep both the HTTP and HTTPS listeners present on the gateway, but apply a redirect rule for HTTP -> HTTPS (k8s--80-rr rule would redirect k8s--80-fl listener to k8s--443-fl listener)

All 8 comments

@wesselkranenborg make sense. Just to clarify, you want the HTTP listener to be disabled if we specify only HTTPS in the ingress right?

That is indeed what we want.

@asridharan can you indicate when the annotation support for disabling HTTP access will be available? Creating an HTTP endpoint by default really isn't ideal and means more manual work to do remember after deployment

I support all previous comments on this thread and would like to see this implemented ASAP.

Using the application gateway to enable the HTTPS listener and perform SSL offload to the K8S cluster is working great, but leaving the HTTP listener enabled is causing us grief with our security team. We want the ingress controller to update the gateway and set the desired state without manual updates.

An annotation would work, suggest 2 possible ones:

  1. ssl-require: if this annotation is present, would disable the HTTP listener if HTTPS is specified in the ingress
  2. ssl-redirect: if this annotation is present, would keep both the HTTP and HTTPS listeners present on the gateway, but apply a redirect rule for HTTP -> HTTPS (k8s--80-rr rule would redirect k8s--80-fl listener to k8s--443-fl listener)

@wesselkranenborg @robertprather have a partial fix for this problem in
https://github.com/Azure/application-gateway-kubernetes-ingress/pull/120

Its partial since even after this PR we won't have support for SSL-redirect on HTTP listeners. Will work on that after this PR. Wanted to check if it would help resolve this issue?

@wesselkranenborg @dan-jackson-github @robertprather can you try helm chart 0.3.0 which has the fix for this issue?

Thanks,
Avinash

Fixed by #120

I've tried helm chart 0.3.0 and it works as expected - no http listener created. Rob

Was this page helpful?
0 / 5 - 0 ratings