Application-gateway-kubernetes-ingress: http to https redirection

Created on 27 Feb 2019  Â·  18Comments  Â·  Source: Azure/application-gateway-kubernetes-ingress

It would be great to have http to https redirection configurable via an annotation, similar to ingress.kubernetes.io/ssl-redirect in nginx ingress (https://docs.microsoft.com/en-us/azure/aks/ingress-basic#create-an-ingress-route)

Currently, even if the rule is manually created in AppGateway, it will get overwritten by the ingress.

Bug

Most helpful comment

@dan-jackson-github agreed, it is a bug in ingress controller that ends up overwriting the app gateway configuration not installed by ingress controller. We are going to work on fixing this soon. Unfortunately due to resource constraints we haven't been able to get to this sooner. Apologize for the inconvenience and thank you for your patience. I am hoping we can make some progress on this in the coming weeks.

All 18 comments

Hi @rnarayana a number of us keen to see this, its causing real headaches, as you say, whatever approach you use to put in place redirects, the ingress control plane reverts it eventually (for example, when the pod is restarted). Issue referenced here, not sure whether its planned for implementation #70

@dan-jackson-github agreed, it is a bug in ingress controller that ends up overwriting the app gateway configuration not installed by ingress controller. We are going to work on fixing this soon. Unfortunately due to resource constraints we haven't been able to get to this sooner. Apologize for the inconvenience and thank you for your patience. I am hoping we can make some progress on this in the coming weeks.

Hi @rnarayana, we have a couple of customers asking for this functionality. Is there any update on the planning of this issue?

@MarkDNL I'm also waiting for this 🤣

I would also like this, the http to https part.
I don't really mind that it overwrites other config...

I would classify it as an enhancement

@MarkDNL I'm also waiting for this 🤣

My bad, I meant to mention @asridharan :blush

@rnarayana @dan-jackson-github have a PR out:
https://github.com/Azure/application-gateway-kubernetes-ingress/pull/120
that would partially fix #70 . Would this be enough to help your use case over here.

I am calling that PR a partial fix since we still haven't introduced annotations for ssl-redirect in this PR. Should be introduced in a follow up PR, but it would disable HTTP access to any ingress which has only TLS specified in it.

@MarkDNL @rnarayana could you try helm chart release 0.3.0. #120 partially fixes this issue and is part of the latest release.

@asridharan just tried it this morning, works a treat. Looking forward to an http redirect next :). One question, if I manually create a redirect listener on HTTP in Application Gateway, will the ingress controller still remove it, the next time there is a config change on the ingress that it applies ?

@asridharan It works like a charm, thank you. I am as well looking forward to be able to redirect http to https.

@asridharan just tried it this morning, works a treat. Looking forward to an http redirect next :). One question, if I manually create a redirect listener on HTTP in Application Gateway, will the ingress controller still remove it, the next time there is a config change on the ingress that it applies ?

@dan-jackson-github unfortunately it would. Currently the ingress controller takes over all the listeners, HTTP settings, URL pathmaps in an AG and doesn't work well with another entity configuring certain portions of the AG. We need to incorporate this into the ingress controller to make it play nice with other entities.

Can anyone tell me what events trigger a rewrite by the ingress? I made the unfortunate decision to employ the ingress on a live site ( though a mostly internally used low traffic site ) that needed http->https redirection. I have been having to keep adding the listener and rule to support the redirection every so often but I want to know if I can listen for certain cluster/ingress events and know when I need to add the listener and rule again. This is obviously temporary until this support is added as annotations or I make the decision to use another ingress.

@dfcarpenter the ingress re-write would be triggered when any of the following events happen?

  • ingress update.
  • service update.
  • pod (backend update).
  • Any secret referenced by the ingress is updated.

Sorry for the pain. Working on introducing ssl-redirect. Hopefully will land it sooner rather than later.

@rnarayana @dan-jackson-github @MarkDNL @dfcarpenter release 0.5.0 is out and adds the ssl-redirect annotation fixing this issue. Please give it a try.

@asridharan just tested 0.5.0 and ssl-redirect, seems to work partially. It works for all path-based rules, but it won't be set for the default route / when I look into the configuration section, i can see, that it the 443-backend is still available for setting another rule.

@dersia Would you be able to share with me your Ingress YAML? (Please remove any sensitive information – remove domains, urls, TLS certs etc.)
Also – when you look at the kubectl logs of the Ingress controller – do you see errors? I’d love to see those as well!

Could you share the solution? I've hit the same problem.

Was this page helpful?
0 / 5 - 0 ratings