Currently there is always a httpListener created for both http and https even if http is disabled in the ingress
The solution i'd like is to skip the generation of the httpListener creation if http is disabled.
See also this TODO in the code https://github.com/Azure/application-gateway-kubernetes-ingress/blob/6a9ce466bd37133d569417905eca6ae912df55b5/pkg/appgw/httpListeners.go#L96
@wesselkranenborg make sense. Just to clarify, you want the HTTP listener to be disabled if we specify only HTTPS in the ingress right?
That is indeed what we want.
@asridharan can you indicate when the annotation support for disabling HTTP access will be available? Creating an HTTP endpoint by default really isn't ideal and means more manual work to do remember after deployment
I support all previous comments on this thread and would like to see this implemented ASAP.
Using the application gateway to enable the HTTPS listener and perform SSL offload to the K8S cluster is working great, but leaving the HTTP listener enabled is causing us grief with our security team. We want the ingress controller to update the gateway and set the desired state without manual updates.
An annotation would work, suggest 2 possible ones:
@wesselkranenborg @robertprather have a partial fix for this problem in
https://github.com/Azure/application-gateway-kubernetes-ingress/pull/120
Its partial since even after this PR we won't have support for SSL-redirect on HTTP listeners. Will work on that after this PR. Wanted to check if it would help resolve this issue?
@wesselkranenborg @dan-jackson-github @robertprather can you try helm chart 0.3.0 which has the fix for this issue?
Thanks,
Avinash
Fixed by #120
I've tried helm chart 0.3.0 and it works as expected - no http listener created. Rob
Most helpful comment
I support all previous comments on this thread and would like to see this implemented ASAP.
Using the application gateway to enable the HTTPS listener and perform SSL offload to the K8S cluster is working great, but leaving the HTTP listener enabled is causing us grief with our security team. We want the ingress controller to update the gateway and set the desired state without manual updates.
An annotation would work, suggest 2 possible ones: