Redirect HTTP to HTTPS on Kubernetes using Nginx
Page Overview
This page builds on an HPCC TLS configuration that uses Jetstack cert-manager. NGINX is deployed to route traffic to the ECLWatch service, and Ingress rules are configured to redirect all HTTP traffic to HTTPS. To make sure visitors always use a secured connection, visitors whose first connection arrives over HTTP are redirected. This configuration uses the permanent HTTP redirect code (HTTP status 308).
What is Ingress?
Ingress defines traffic routing rules to manage external user access to services within a Kubernetes cluster. With Ingress, you can easily set up rules for routing traffic. It does this by mapping URLs to the services.
What is NGINX?
NGINX is a free, open-source, high-performance HTTP and reverse proxy server responsible for handling the load of some of the largest sites on the Internet. NGINX is responsible for routing requests to the appropriate services within the Kubernetes cluster, by reading and processing the rules in the Ingress resource.
Prerequisites
Before getting started, have the following prerequisites deployed and running,
Then, follow the tutorial linked here to:
- Install cert-manager custom resource definitions
- Install cert-manager helm chart
- Create a root certificate for the local cluster certificate authority
- Create a Kubernetes TLS secret
- Install HPCC with certificates enabled
After installing HPCC with certificates enabled, verify that all pods, certificate issuers, certificates, and secrets are Ready before continuing.
Using rewrite Annotations
After verifying that all pods, certificate issuers, certificates, and secrets are ready, use the rewrite annotations defined in the Ingress resource below to redirect all traffic to HTTPS. The Ingress resource tells NGINX to route requests to the ECLWatch service, which can be reached through the Ingress-Nginx controller External IP.
1. Create an Ingress resource file with the following annotations.
Summary of the Ingress Resource file:
Lines 5–9: Annotations
- kubernetes.io/ingress.class: "nginx" tells Kubernetes that this Ingress Resource (eclwatch-ingress) will use the NGINX controller from Ingress.
- ingress.kubernetes.io/force-ssl-redirect: "true" forces every incoming HTTP request to HTTPS. It is done by the Ingress-NGINX controller.
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" indicates how NGINX should communicate with the backend service. By default NGINX uses HTTP.
- nginx.org/ssl-services: "eclwatch" is used to enable HTTPS between NGINX and the backends. Clients can use either HTTP or HTTPS to connect to the NGINX Ingress Controller, but NGINX will always establish an HTTPS connection with a backend.
Lines 11–13: TLS
In the secretName, we reference a secret resource by its name, hpcc-local-issuer-key-pair. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key, which were created when OpenSSL was used to generate the root certificate for HPCC local cluster certificate authority.
2. Configure the Ingress rules
kubectl apply -f eclwatch-ingress.yaml
Validation
Validate that the annotations configured in the Ingress resource have been applied by NGINX.
3. For this example, the name of the Ingress defined previously is eclwatch-ingress
kubectl describe ingress eclwatch-ingress
Name: eclwatch-ingress
Namespace: default
Address: 20.190.200.130
. . .
TLS:
  hpcc-local-issuer-key-pair terminates
Rules:
  Host  Path  Backends
  ----  ----  --------
  *
        /   eclwatch:8010 (10.244.0.12:8888)
Annotations: kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  ingress.kubernetes.io/force-ssl-redirect: "true"
  nginx.org/ssl-services: eclwatch
. . .
Test
After validating that the Ingress annotations were configured, test them by visiting the ECLWatch service over plain HTTP. The request is now automatically redirected to HTTPS. You can test with the curl command.
4. First, get the External IP of the Ingress-Nginx controller
kubectl get svc
The result of the command lists all services, and we are looking for the Ingress-Nginx controller External IP. It is shown below:
The External IP is 20.190.200.130, which will be used to test the Ingress rules in the next step.
5. Test the Ingress rules with the External IP, using the curl command
curl -I http://20.190.200.130
As seen below, there is a permanent redirect to HTTPS. The location of the request is now at https://20.190.200.130
HTTP/1.1 308 Permanent Redirect
Date: Tue, 17 Aug 2021 03:17:28 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://20.190.200.130
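The steps above collected into one added example (not the original page's file): `write_manifest` recreates eclwatch-ingress.yaml from the `kubectl describe` output shown earlier, so its line numbers need not match the summary, and `is_permanent_https_redirect` checks `curl -sI` headers for a permanent redirect to an https Location. The `networking.k8s.io/v1` API version, `pathType: Prefix` and both function names are assumptions.

```bash
# Usage (assumes kubectl access and the controller's External IP):
#   write_manifest && kubectl apply -f eclwatch-ingress.yaml
#   curl -sI http://20.190.200.130 | is_permanent_https_redirect && echo redirected

# Writes the Ingress manifest to $1 (default: eclwatch-ingress.yaml).
write_manifest() {
  cat > "${1:-eclwatch-ingress.yaml}" <<'EOF'
apiVersion: networking.k8s.io/v1    # assumption: cluster serves the v1 Ingress API
kind: Ingress
metadata:
  name: eclwatch-ingress
  namespace: default
  annotations:
    # Keys copied exactly as the page lists them. ingress-nginx reads the
    # nginx.ingress.kubernetes.io/ prefix by default; nginx.org/ keys are
    # read by the NGINX Inc. controller.
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.org/ssl-services: "eclwatch"
spec:
  tls:
    - secretName: hpcc-local-issuer-key-pair   # must be type kubernetes.io/tls
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix                   # assumption
            backend:
              service:
                name: eclwatch
                port:
                  number: 8010
EOF
}

# Reads `curl -sI` response headers on stdin. Succeeds only when the status is
# a permanent redirect (301 or 308) and Location points at an https:// URL.
is_permanent_https_redirect() {
  awk '
    { sub(/\r$/, "") }                          # strip the CR of CRLF line ends
    NR == 1 { code = $2; next }                 # status line: HTTP/1.1 308 ...
    tolower($1) == "location:" { loc = $2 }     # header names are case-insensitive
    END { exit !(code ~ /^(301|308)$/ && loc ~ /^https:\/\//) }
  '
}
```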
Clean Up
1. Delete the Ingress resource file
kubectl delete -f eclwatch-ingress.yaml
Uninstalling releases with Helm
2. Delete the NGINX controller, specifying a namespace if necessary
helm delete ingress-nginx
3. Delete the HPCC Helm chart and all resources associated with it
helm delete hpcc
4. Delete Cert-manager and all associated resources
helm delete cert-manager
Conclusion
All HTTP requests to service ECLWatch on port 8010 were permanently redirected to the HTTPS location. Now, ECLWatch is always using SSL certificates.