How to make changes to the default rule for a listener? #1672

Closed
C2L2C opened this issue Nov 19, 2020 · 9 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@C2L2C

C2L2C commented Nov 19, 2020

My use case is to enable SSL redirection from port 80 to 443. The problem is, even after I use the ssl-redirection annotation, it works but creates the SSL redirection rules per host on the 80 listener, which is not efficient. Another way to do this would be to add a default SSL redirection rule to the listener on port 80, but I can't seem to find it in the docs. Please help!!

@M00nF1sh
Collaborator

@C2L2C
Currently, you can only achieve it using our IngressGroup feature.
I.e., define two Ingresses, one for 80 and one for 443, and make them belong to the same group. For the Ingress with port 80, use the ssl redirect action in its Ingress.spec.backend.
Will this suit your need?

Also, I think we should consider offering an easier way to configure HTTP_HTTPS redirect, something in my mind like

alb.ingress.kubernetes.io/ssl-redirect: "443"

And the semantics of the above annotation is to redirect all HTTP ports to this 443 port.

@C2L2C
Author

C2L2C commented Nov 20, 2020

@M00nF1sh I will try the ingress group method as you said. Is there a way to change the default rule for a listener through the controller?

@Hunter-Thompson

> @C2L2C
> Currently, you can only achieve it using our IngressGroup feature.
> I.e., define two Ingresses, one for 80 and one for 443, and make them belong to the same group. For the Ingress with port 80, use the ssl redirect action in its Ingress.spec.backend.
> Will this suit your need?
>
> Also, I think we should consider offering an easier way to configure HTTP_HTTPS redirect, something in my mind like
>
> alb.ingress.kubernetes.io/ssl-redirect: "443"
>
> And the semantics of the above annotation is to redirect all HTTP ports to this 443 port.

Can confirm that it works using the group.name annotation, thanks, this freed up almost 40 rules on our ALB.

Port 80 ingress config:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "nginx-p80"
  namespace: "default"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: >
      {"type": "redirect", "redirectconfig": { "protocol": "HTTPS", "port": "443", "statuscode": "HTTP_301"}}
    alb.ingress.kubernetes.io/group.name: nginx-ingress
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
```

Port 443 ingress config:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "nginx-p443"
  namespace: "default"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: xxxxxxxxxxxxxx
    alb.ingress.kubernetes.io/group.name: nginx-ingress
spec:
  rules:
    - host: nginx.example.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: "nginx-svc"
              servicePort: 80
```

An important thing to note above is that we have the same alb.ingress.kubernetes.io/group.name: nginx-ingress annotation for both Ingresses; this makes sure that we use the same ALB.
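Added example, not part of the thread or of the controller's code: a check that no rule attached to an HTTP listener in the group serves a backend instead of redirecting to HTTPS. It assumes the extensions/v1beta1 backend shape and the annotation names shown above; the helper names and the `legacy` Ingress are constructed for illustration.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"

def lower_keys(obj):
    # The action JSON in this thread uses lowercase keys; normalise before lookup.
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    return obj

def plaintext_findings(ingresses):
    """List (group, ingress, host, path) for HTTP rules that do not redirect to HTTPS."""
    findings = []
    for ing in ingresses:
        ann = ing["metadata"].get("annotations", {})
        # Assumption: without a listen-ports annotation the listener is HTTP 80.
        ports = json.loads(ann.get(PREFIX + "listen-ports", '[{"HTTP": 80}]'))
        if not any("HTTP" in p for p in ports):
            continue  # HTTPS-only Ingress: nothing is served in clear text
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                be, action = path["backend"], {}
                if be.get("servicePort") == "use-annotation":
                    raw = ann.get(PREFIX + "actions." + be["serviceName"], "{}")
                    action = lower_keys(json.loads(raw))
                to_https = action.get("redirectconfig", {}).get("protocol") == "HTTPS"
                if action.get("type") != "redirect" or not to_https:
                    findings.append((ann.get(PREFIX + "group.name"), ing["metadata"]["name"],
                                     rule.get("host") or "*", path.get("path")))
    return findings

def ingress(name, ports, host, svc, port, extra=None):
    # Constructed sample in the extensions/v1beta1 shape used in this thread.
    ann = {PREFIX + "listen-ports": ports, PREFIX + "group.name": "nginx-ingress", **(extra or {})}
    backend = {"serviceName": svc, "servicePort": port}
    rule = {"host": host, "http": {"paths": [{"path": "/*", "backend": backend}]}}
    return {"metadata": {"name": name, "annotations": ann}, "spec": {"rules": [rule]}}

REDIRECT = ('{"type": "redirect", "redirectconfig": '
            '{"protocol": "HTTPS", "port": "443", "statuscode": "HTTP_301"}}')
SAMPLE = [
    ingress("nginx-p80", '[{"HTTP": 80}]', None, "ssl-redirect", "use-annotation",
            {PREFIX + "actions.ssl-redirect": REDIRECT}),
    ingress("nginx-p443", '[{"HTTPS":443}]', "nginx.example.com", "nginx-svc", 80),
    # Constructed offender: a group member that still serves a backend on port 80.
    ingress("legacy", '[{"HTTP": 80}, {"HTTPS": 443}]', "old.example.com", "old-svc", 80),
]

if __name__ == "__main__":
    print(plaintext_findings(SAMPLE))
```

To run it against a cluster, pass the `items` list from `kubectl get ingress -A -o json` to `plaintext_findings`.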

@kishorj
Collaborator

kishorj commented Dec 2, 2020

/kind feature
We will add an annotation to simplify this configuration.

k8s-ci-robot added the kind/feature label Dec 2, 2020

@xdays

xdays commented Dec 5, 2020

You can give this YAML a try, it works for me: #487 (comment)

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

k8s-ci-robot added the lifecycle/stale label Mar 5, 2021

@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

k8s-ci-robot added the lifecycle/rotten label and removed the lifecycle/stale label Apr 4, 2021

@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

> Rotten issues close after 30d of inactivity.
> Reopen the issue with /reopen.
> Mark the issue as fresh with /remove-lifecycle rotten.
>
> Send feedback to sig-contributor-experience at kubernetes/community.
> /close
