add https redirect to deck #6081
Conversation
|
once this looks OK I'll bump deck and then we can merge / deploy |
|
We could also muck with the ingress or something, but all we need here is to optionally dissallow non-https in deck (by always redirecting anything else), which gives some nicer guarantees hopefully and isn't much code. |
prow/cmd/deck/main.go
Outdated
| r.URL.Scheme = "https" | ||
| http.Redirect(w, r, r.URL.String(), http.StatusMovedPermanently) | ||
| } else { | ||
| mux.ServeHTTP(w, r) |
There was a problem hiding this comment.
s/mux/oldMux/
This would create an infinite recursion loop as is because this mux reference is actually captured so after line 127 mux==redirectMux 😄
There was a problem hiding this comment.
whoops, yeah originally I wasn't capturing, and then I realized I couldn't swap them, will fix.
45fde52 to
d042d11
Compare
I don't think so, there's not much useful to assert here, and it's not a critical behavior. |
|
This should be an option in Ingress and not something codified in prow. In Openshift, we use Openshift Routes (predecessor to k8s Ingress) for all external traffic to prow and the redirects happen automatically by the router. |
prow/cmd/deck/main.go
Outdated
| buildCluster = flag.String("build-cluster", "", "Path to file containing a YAML-marshalled kube.Cluster object. If empty, uses the local cluster.") | ||
| tideURL = flag.String("tide-url", "", "Path to tide. If empty, do not serve tide data.") | ||
| hookURL = flag.String("hook-url", "", "Path to hook plugin help endpoint.") | ||
| redirectToHTTPS = flag.Bool("redirect-to-https", false, "Enable http to https redirect.") |
There was a problem hiding this comment.
I prefer a config option for this, but I'm not 100% sure.
|
It *should*, but I don't want to add another server to our deployment just
for such a trivial redirect so I've essentially implemented
kubernetes/ingress-gce#51 (comment)
and placed it behind a flag.
…On Sat, Dec 23, 2017, 01:16 Michalis Kargakis ***@***.***> wrote:
This should be an option in Ingress and not something codified in prow. In
Openshift, we use Openshift Routes (predecessor to k8s Ingress) for all
external traffic to prow and the redirects happen automatically by the
router.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#6081 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA4Bq5UF3ilE_FnpHqIVAy0B-it5Rqtuks5tDMT3gaJpZM4RLg2m>
.
|
|
/hold |
|
I think it's pretty standard to use something like nginx or openshift routes or whatever your cloud supports for HTTPS redirection. On GCE it seems like nginx is the norm.
I hear you, but I actually prefer it to writing our own code. Because this is a pretty common pattern for k8s/GKE users, we should show how simple it is to do with kubernetes :) |
d042d11 to
fac9917
Compare
Writing an NGINX rule is code :-) Optionally handling GCE-Ingress / Load Balancer -> kube-proxy / iptables -> nginx -> kube-proxy -> kube-proxy (if on another node) -> deck and back again is pretty overkill just to gain a single redirect. If we were using an ingress-nginx it would be simple. Really the GCE ingress / load balancer should support this :( |
prow/cmd/deck/main.go
Outdated
| buildCluster = flag.String("build-cluster", "", "Path to file containing a YAML-marshalled kube.Cluster object. If empty, uses the local cluster.") | ||
| tideURL = flag.String("tide-url", "", "Path to tide. If empty, do not serve tide data.") | ||
| hookURL = flag.String("hook-url", "", "Path to hook plugin help endpoint.") | ||
| redirectToHTTPS = flag.Bool("redirect-to-https", false, "Enable x-forwarded-for http to https redirect.") |
There was a problem hiding this comment.
x-forwarded-for != x-forwarded-proto
fac9917 to
3f973b4
Compare
3f973b4 to
5904f77
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, cjwagner The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
This has a key (and rather stupid) mistake: it needs to redirect to the external domain, not the one in the forwarded in the request. This is an easy fix. |
/area prow
fixes #5282