HTTP to HTTPS redirection #1075
Comments
|
I think this is a duplicated of #51 |
|
cc @spencerhance who is working on integrating this into GKE Ingress. |
|
any news on this? |
|
Yes we are currently working on this. It's currently in development so we don't have a committed timeline yet. We will update this thread as development gets closer to completion and we can provide a realistic estimate. |
rramkumar1
added
the
kind/feature
|
Can we get an approximate date for this fix into ingress-gce yaml |
|
+1 |
|
@thaniyarasu can the GKE ingress have this feature ? like annotation or something like that ? |
At the moment we have no easy way to redirect http to https on the live site. See kubernetes/ingress-gce#1075 Until this is fixed, moved HTTPS-only settings to separate settings_https file.
|
+1 |
Ideally this would be the preferred way to use this feature, via annotation. |
|
Hi All, here's a quick update on where we stand with HTTPS redirects for GKE Ingress:
|
Good to hear, thanks for sharing. |
|
Just out of curiosity (not rushing!), will it be available towards the beginning or end of Q3? |
|
#1206 Implement support for HTTPS Redirects finally!! It's coming. I'm really waiting for this features. |
|
Now that #1206 has been merged, what's the rollout process look like? |
|
Hi @icco, This should be rolling out to the GKE Rapid channel within the next two weeks. It will be at least 2-3 weeks after that before you will see it in the GKE Regular channel. I will post an update here as soon as we officially launch 🚀 . |
|
That's great news. How the redirection will be specified? In the apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: app-remote-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: app-gcp-ip
networking.gke.io/managed-certificates: app-certificate
networking.gke.io/RedirectToHttps: PERMANENT_REDIRECT
spec:
backend:
serviceName: app-server-remote
servicePort: 7777 |
|
From #1206, it's possible to determine that the configuration is very similar to SSL Policies, as it uses the same resource kind I believe it would be something like this: apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
name: test-frontend-config
spec:
redirectToHttps:
enabled: true
responseCodeName: PERMANENT_REDIRECT # possible values are: FOUND, TEMPORARY_REDIRECT, PERMANENT_REDIRECT, looks like the default is PERMANENT_REDIRECTAnd the networking.gke.io/v1beta1.FrontendConfig: test-frontend-config@spencerhance is it correct? |
|
@iagomelanias that Here's how mine looks: When I try to deploy it, it says redirectToHttps doesn't exist. |
|
@spencerhance Any relation between GKE version and GCE ingress version? I have been looking at Rapid channel release notes since it is expected to arrive soon. But, not sure which version of GCE ingress is included with it. For instance, this was released 2 days ago and I am not able to see a release note for GCE ingress there: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1189 . Or did I miss something? |
|
Indeed It's hard to match the ingress-GCE version with a GKE version. My point of reference is here : https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features |
|
Hi @tvvignesh We have still not officially released this in GKE unfortunately. This is currently available in all Ingress-GCE 1.10 versions. @iagomelanias that setup looks correct. |
|
fix plzzzzzzzz I am doing a deployment call right now and they just asked about this. |
As someone who is also still waiting for this solution, the work around I have in place today (without spinning up some insane nginx/haproxy/httpd stack inside my cluster) is to stop listening to http on my k8s cluster.
Then you are free to setup an entirely separate load balancer at google, on the same IP address that does nothing but listen on port 80 and return permanent redirect (or your preference) to port 443.
(As someone who has worked with Apache HTTPd/HAProxy/BigIP F5 LTM, this does irk me and I am looking forward to GCE supporting this directly) |
|
Ingress lifecycle is tied to the LB lifecycle. Can you create a new ingress that points to the same service as the current ingress? This will create a new LB and then you can switch over DNS. Once that's complete you can delete the original ingress and the old LB will be torn down. |
|
@spencerhance That makes sense, I can do that. Although I will have to call it <ingress-name>2 I suppose. |
|
@Cyral Yes your new Ingress will have to have a different name than the existing one, Kubernetes will not allow you to create two objects of the same Kind in the same namespace with identical names. An other Option is to run two clusters with Multi Cluster Ingress, have a single VIP attached to the DNS record your customers use and failover the clusters to do maintenance on your clusters. You can find few examples on how to do that here [1] [1]https://github.com/GoogleCloudPlatform/gke-networking-recipes/tree/master/multi-cluster-ingress |
|
MultiClusterIngress is great! However one of the drawbacks is that it doesn't support HTTPS Redirects yet. This is changing very soon though :) |
|
Yes correct. We are working on it :) @mark-church FYI |
|
Is this supported for private ingresses? I get this error: does not exist: ensureRedirectUrlMap() = error: cannot enable HTTPS Redirects with L7 ILB |
|
@red8888 The frontendConfig CRD is not supported with Internal HTTP(s) LB. Have a look at this page [1] which contains the compatibility matrix between features and the various types of loadBalancers [1]https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features |
Eagerly waiting for this feature. Is there any suggested approach documented somewhere for HTTS redirects in multi-cluster ingress? Thanks. |
|
@gaurav517 you can do the http->https redirect in your app. Or maybe run a simple proxy which will redirect http calls to the LB and proxy https directly to your app. I have never done this before so to be tested |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
@gaurav517 FrontendConfig for MCI is GA now. I just finished documenting an example here https://github.com/GoogleCloudPlatform/gke-networking-recipes/pull/68/files. Once merged (hopefully today) it will go under https://github.com/GoogleCloudPlatform/gke-networking-recipes/tree/master/ingress/multi-cluster/mci-frontend-config This recipe contains an example of HTTP to HTTPS redirect with MCI and SSL-Policies at the LB Level. Hope this helps. Let us know in the gke-network-recipes repo if you have any issues. Suggestions ;) |
|
One last update and we can probably close this one for good as it have been going on for a while ;) We are actively working on https://github.com/GoogleCloudPlatform/gke-networking-recipes. Feedback is appreciated it ;) |
|
@boredabdel this is coming just in the nick of time for a project I'm working on. Having trouble getting it to work using the provided example. Let me know if I should start a new issue, but I'll post the info here. The FrontEnd Config annotation in the Ingress YAML creates what appears in the console menu as a HTTP(S) load balancer but only has a single HTTP front-end with no certificate or SSL policy attached, despite these being annotated in the Ingress YAML. the SSL cert is stuck in provisioning as FAILED_NOT_VISIBLE. If I understand correctly from the docs here, two load balancers should be provisioned, one HTTP and one HTTPS. The HTTP should redirect to the HTTPS. Instead, one HTTP load balancer is created with the original Ingress backends. The HTTP Load Balancer reports the original HTTP backends as healthy while the Ingress reports its backend services as "Unknown". Is there something wrong with syntax or spec that is preventing the HTTPS Load Balancer from generating correctly? The HTTP LB worked fine before the frontend config was added, but I want to force HTTPS. FrontEnd Config YAML: Here are the in-console annotations for the Ingress after it has finished creating. EDIT: |
|
@Gageperrin can you please log an issue against our repo ? https://github.com/GoogleCloudPlatform/gke-networking-recipes Sorry for asking to duplicate the work but i rather keep our examples bugs in our own repo, just tag me and i will have a look right away Thanks |
|
Please also share all your YAML files (MCI, MCS, Deployment, FrontendConfig, and BackendConfig if you have one). Screenshots could help too. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
Following these two steps, worked for me, there are articles all over that have the leadup steps, the documentation here should be the latest. https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
For all those interested in the second half of the implementation, please help upvoting the Issuetracker: |
|
Apologies if this is obvious, but where can we find a list of acceptable annotations and spec for these resource kinds (ingress, multiclusteringress, for example)? The two are not directly translatable, so conversion is not straightforward. |
and others
Now that GCP Load Balancers finally have HTTP to HTTPS redirection support, can this be configured through YAML so redirection is handled by GCP and not the application?
The text was updated successfully, but these errors were encountered: