Redirect HTTP to HTTPS on Kubernetes using Nginx
With HPCC TLS Implementation
This page builds on the HPCC TLS configuration that uses Jetstack cert-manager. NGINX is deployed to route traffic to the ECLWatch service, and Ingress rules are configured to redirect all HTTP traffic to HTTPS. To make sure visitors always use a secured connection, visitors whose first connection is made over HTTP are redirected. This configuration uses the permanent HTTP redirect code (HTTP status 308).
What is Ingress?
Ingress defines traffic routing rules to manage external user access to services within a Kubernetes cluster. With Ingress, you can easily set up rules for routing traffic. It does this by mapping URLs to the services.
What is NGINX?
NGINX is a free, open-source, high-performance HTTP and reverse proxy server responsible for handling the load of some of the largest sites on the Internet. NGINX is responsible for routing requests to the appropriate services within the Kubernetes cluster, by reading and processing the rules in the Ingress resource.
Before getting started, have the following prerequisites deployed and running,
Then, follow the tutorial linked here to:
- Install cert-manager custom resource definitions
- Install cert-manager helm chart
- Create a root certificate for the local cluster certificate authority
- Create a Kubernetes TLS secret
- Install HPCC with certificates enabled
After installing HPCC with certificates enabled, verify that all pods, certificate issuers, certificates, and secrets are Ready before continuing.
Using rewrite Annotations
After verifying that all pods, certificate issuers, certificates, and secrets are ready, use the rewrite annotations defined in the Ingress resource below to redirect all traffic to HTTPS. The Ingress resource tells NGINX to route requests to the ECLWatch service, which can be reached through the External IP of the Ingress-Nginx controller.
1. Create an Ingress resource file with the following annotations.
Summary of the Ingress Resource file:
Lines 5–9: Annotations
kubernetes.io/ingress.class: "nginx" tells Kubernetes that this Ingress Resource (eclwatch-ingress) will use the NGINX controller from Ingress.
ingress.kubernetes.io/force-ssl-redirect: "true" forces every incoming HTTP request to HTTPS. It is done by the Ingress-NGINX controller.
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" indicates how NGINX should communicate with the backend service. By default NGINX uses
nginx.org/ssl-services: "eclwatch" is used to enable HTTPS between NGINX and the backends. Clients can use either HTTP or HTTPS to connect to the NGINX Ingress Controller, but NGINX will always establish an HTTPS connection with a backend.
Lines 11–13: TLS
With secretName, we reference a secret resource by its name, hpcc-local-issuer-key-pair. The secret must be of the type kubernetes.io/tls and contain keys named tls.key, which were created when OpenSSL was used to generate the root certificate for the HPCC local cluster certificate authority.
2. Configure the Ingress rules
kubectl apply -f eclwatch-ingress.yaml
Validate that the annotations configured in the Ingress resource have been applied by NGINX.
3. For this example, the name of the Ingress defined previously is
kubectl describe ingress eclwatch-ingress
Name:             eclwatch-ingress
Namespace:        default
Address:          18.104.22.168
. . .
TLS:
  hpcc-local-issuer-key-pair terminates
Rules:
  Host        Path  Backends
  ----        ----  --------
  *
              /   eclwatch:8010 (10.244.0.12:8888)
Annotations:  kubernetes.io/ingress.class: nginx
              nginx.ingress.kubernetes.io/backend-protocol: HTTPS
              ingress.kubernetes.io/force-ssl-redirect: "true"
              nginx.org/ssl-services: eclwatch
. . .
After validating that the Ingress annotations were configured, test them by requesting the ECLWatch service over plain HTTP. The request is now automatically redirected to HTTPS. You can test with the
4. First, get the External IP of the Ingress-Nginx controller
kubectl get svc
The result of the command lists all services, and we are looking for the Ingress-Nginx controller External IP. It is shown below:
The External IP is 22.214.171.124, which will be used to test the Ingress rules in the next step.
5. Test the Ingress rules with the External IP, using the
curl -I http://126.96.36.199
As seen below, there is a permanent redirect to HTTPS. The location of the request is now at https://188.8.131.52
HTTP/1.1 308 Permanent Redirect
Date: Tue, 17 Aug 2021 03:17:28 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://184.108.40.206
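The steps above as one script, added here as an example and not taken from the original article: write_ingress writes a manifest consistent with the summary of the Ingress resource, and check_redirect reads curl -sI output and succeeds only for a 308 whose Location is an https:// URL. The Ingress name, annotation keys, secret name and backend eclwatch:8010 are copied from this page; apiVersion networking.k8s.io/v1, pathType: Prefix, the rule layout and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own file. apiVersion, pathType and the
# rule layout are assumptions; names and annotations are copied from the page.
write_ingress() {  # usage: write_ingress eclwatch-ingress.yaml
  cat > "$1" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: eclwatch-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.org/ssl-services: "eclwatch"
spec:
  tls:
  - secretName: hpcc-local-issuer-key-pair
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: eclwatch
            port:
              number: 8010
EOF
}

# check_redirect: reads the output of `curl -sI http://<external-ip>` on stdin.
# Returns 0 only for a 308 whose Location is an https:// URL; returns 1 for a
# different status, a missing Location, or a redirect that stays on http.
check_redirect() {
  tr -d '\r' | awk '
    NR == 1                    { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END { exit !(status == "308" && loc ~ /^https:\/\//) }'
}

# Against a live cluster (EXTERNAL_IP is a placeholder for the controller IP):
#   write_ingress eclwatch-ingress.yaml && kubectl apply -f eclwatch-ingress.yaml
#   curl -sI "http://$EXTERNAL_IP" | check_redirect && echo "redirect OK"
# Offline, with a constructed response (documentation-range IP):
#   printf 'HTTP/1.1 308 Permanent Redirect\r\nLocation: https://203.0.113.10\r\n\r\n' | check_redirect
```

A non-zero exit from check_redirect is worth treating as a deployment failure, since a 200 on port 80 or a redirect to another http:// URL means ECLWatch is still reachable without TLS.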
1. Delete the Ingress resource file
kubectl delete -f eclwatch-ingress.yaml
Uninstalling releases with Helm
2. Delete the NGINX controller, specifying a namespace if necessary
helm delete ingress-nginx
3. Delete the HPCC Helm chart and all resources associated with it
helm delete hpcc
4. Delete Cert-manager and all associated resources
helm delete cert-manager
All HTTP requests to service ECLWatch on port 8010 were permanently redirected to the HTTPS location. Now, ECLWatch is always using SSL certificates.
HPCC-Platform/README.md at master · hpcc-systems/HPCC-Platform