Reputation: 12044
I want to expose an HTTP service running in Google Container Engine over an HTTPS-only load balancer.
How do I define in the Ingress object that I want an HTTPS-only load balancer instead of the default HTTP?
Or is there a way to permanently drop the HTTP protocol from the created load balancer? When I add the HTTPS protocol and then drop the HTTP protocol, HTTP is recreated after a few minutes by the platform.
Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress
spec:
  backend:
    serviceName: myapp-service
    servicePort: 8080
Upvotes: 7
Views: 1337
Reputation: 1919
You could also use FrontendConfig
HTTP to HTTPS redirects are configured using the redirectToHttps field in a FrontendConfig custom resource. Redirects are enabled for the entire Ingress resource so all services referenced by the Ingress will have HTTPS redirects enabled.
The following FrontendConfig manifest enables HTTP to HTTPS redirects. Set the spec.redirectToHttps.enabled field to true to enable HTTPS redirects. The spec.responseCodeName field is optional. If it's omitted a 301 Moved Permanently redirect is used.
For example:
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: your-frontend-config-name
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
MOVED_PERMANENTLY_DEFAULT is one of the available RESPONSE_CODE field values, to return a 301 redirect response code (default if responseCodeName is unspecified).
You can find more options here: HTTP to HTTPS redirects
Then you have to link your FrontendConfig to the Ingress, like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: your-ingress-name
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: your-frontend-config-name
spec:
  tls:
    ...
Upvotes: 1
Reputation: 1967
In order to have only the HTTPS service exposed, you can block traffic on port 80 as mentioned on this link:
You can block traffic on :80 through an annotation. You might want to do this if all your clients are only going to hit the loadbalancer through https and you don't want to waste the extra GCE forwarding rule, eg:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  # This assumes tls-secret exists.
  # To generate it run the make in this directory.
  - secretName: tls-secret
  backend:
    serviceName: echoheaders-https
    servicePort: 80
Upvotes: 4
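An audit check covering both answers above, as an added example that is not part of either answer: it classifies each Ingress by whether plain HTTP is blocked (the allow-http annotation), redirected (a linked FrontendConfig with redirectToHttps enabled), or still open. The function and helper names are hypothetical, the input is assumed to be a list of objects shaped like a kubectl JSON listing, and a FrontendConfig is assumed to be resolved in the Ingress's own namespace.

```python
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"
FRONTEND_CFG = "networking.gke.io/v1beta1.FrontendConfig"


def classify(items):
    """Map each Ingress (namespace/name) to https-only, http-redirects or http-open."""
    # Assumption: a FrontendConfig is resolved in the Ingress's own namespace.
    redirecting = set()  # (namespace, name) of FrontendConfigs that redirect
    for obj in items:
        if obj.get("kind") == "FrontendConfig":
            redirect = (obj.get("spec") or {}).get("redirectToHttps") or {}
            if redirect.get("enabled") is True:
                meta = obj["metadata"]
                redirecting.add((meta.get("namespace", "default"), meta["name"]))
    verdicts = {}
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        meta = obj["metadata"]
        ns = meta.get("namespace", "default")
        ann = meta.get("annotations") or {}
        # Only the literal "false" shown on the page counts as HTTP disabled.
        if ann.get(ALLOW_HTTP) == "false":
            verdict = "https-only"
        elif (ns, ann.get(FRONTEND_CFG)) in redirecting:
            verdict = "http-redirects"
        else:
            verdict = "http-open"  # missing, dangling or disabled redirect
        verdicts[f"{ns}/{meta['name']}"] = verdict
    return verdicts


def _obj(kind, ns, name, annotations=None, spec=None):
    """Build a minimal constructed object for the sample below."""
    meta = {"namespace": ns, "name": name, "annotations": annotations or {}}
    return {"kind": kind, "metadata": meta, "spec": spec or {}}


# Constructed sample objects, not taken from a real cluster.
SAMPLE = [
    _obj("FrontendConfig", "web", "redirect-on", spec={"redirectToHttps": {"enabled": True}}),
    _obj("FrontendConfig", "web", "redirect-off", spec={"redirectToHttps": {"enabled": False}}),
    _obj("Ingress", "web", "blocked", {ALLOW_HTTP: "false"}),
    _obj("Ingress", "web", "redirected", {FRONTEND_CFG: "redirect-on"}),
    _obj("Ingress", "web", "misconfigured", {FRONTEND_CFG: "redirect-off"}),
    _obj("Ingress", "other", "wrong-namespace", {FRONTEND_CFG: "redirect-on"}),
    _obj("Ingress", "web", "plain"),
]

if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLE).items()):
        print(f"{verdict:15} {name}")
```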