Http to https redirection on K8S Ingress

Hello everybody,

I need some quick advice regarding http to https redirects with Kubernetes Ingress.
My Ingress configuration is:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true" # this was used for Traefik 1.7
    ingress.kubernetes.io/ssl-redirect: "true" # this was used for Traefik 1.7
    traefik.ingress.kubernetes.io/app-root: /client
    traefik.ingress.kubernetes.io/router.tls: "true"
  creationTimestamp: "2020-11-18T12:29:45Z"
  generation: 1
  managedFields:
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:ingress.kubernetes.io/force-ssl-redirect: {}
          f:ingress.kubernetes.io/ssl-redirect: {}
          f:traefik.ingress.kubernetes.io/app-root: {}
      f:spec:
        f:rules: {}
    manager: Go-http-client
    operation: Update
    time: "2020-11-18T12:29:45Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:          
          f:traefik.ingress.kubernetes.io/router.tls: {}
    manager: kubectl
    operation: Update
    time: "2020-11-19T10:44:47Z"
  name: client
  namespace: default
  resourceVersion: "536999"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/client
  uid: 14753259-9d8f-4a04-a298-a4f6ff4391d6
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: client
          servicePort: 80
        path: /webclient
        pathType: ImplementationSpecific
      - backend:
          serviceName: client
          servicePort: 80
        path: /webgui
        pathType: ImplementationSpecific     
status:
  loadBalancer: {}

The arguments for Traefik are:


        - --api.insecure
        - --api.dashboard
        - --providers.kubernetesingress
        - --providers.kubernetescrd=true
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443
        - --log.level=debug
        - --certificatesresolvers.default.acme.email=<mailaddress>
        - --certificatesresolvers.default.acme.storage=acme.json
        - --certificatesresolvers.default.acme.tlschallenge
        - --metrics.prometheus
        - --serverstransport.insecureskipverify

I already tried to create a middleware as described in the documentation:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-redirectscheme
spec:
  redirectScheme:
    scheme: https

And added the middleware by using this annotation:

traefik.ingress.kubernetes.io/router.middlewares: default-test-redirectscheme@kubernetescrd

The dashboard shows:

But unfortunately it does not work. If I call the website by using http:// - it stays on http instead of redirecting to https.

Traefik Version is 2.3.2

Does anybody have an idea?

Thx!


I solved it using the ingress-route:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingress-tls
  namespace: mynamespace
spec:
  entryPoints:
    - yyyy # https endpoint
  routes:
  - match: Host(`myhost.io`)
    kind: Rule
    scheme: https
    passHostHeader: true
    services:
      - name: myservice
        namespace: mynamespace
        scheme: https # you need this
        port: xxx # https port
  # an IngressRoute takes a single tls object, not a list
  tls:
    secretName: tls-xxx-management.cluster

Hello,

You can use an ingress listening for https with TLS termination and the entrypoint default configuration.

It could be something like:

# Traefik service
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik-lb

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-lb
  template:
    metadata:
      labels:
        app: traefik-lb
    spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
          image: traefik:v2.3
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
            - --entrypoints.websecure.address=:443
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  selector:
    app: traefik-lb
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      name: web
    - protocol: TCP
      port: 443
      targetPort: 443
      name: websecure
  type: LoadBalancer
---
# ingress
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: whoami-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"

spec:
  rules:
    - host: whoami
      http:
        paths:
          - backend:
              serviceName: whoami
              servicePort: 80
  tls:
    - secretName: mysecret

Let me know if it helps. 🙂

I already tested this approach, but if a user types http:// in the browser url it results in an error. I want to make sure that the user is redirected to https:// by default.

The configuration I provided allows redirection. If you have an error, you have another issue 🙂

That's true, but by using this setting:

This is a global configuration which redirects all http calls to https.

I want it configured by Ingress. For example:

Ingress A uses redirection, Ingress B accepts http.

Indeed, if you don't want global redirection, you can use the kubernetescrd provider (by adding the --providers.kubernetescrd option to Traefik) and apply something like:

# HTTPS ingress
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: whoami-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"

spec:
  rules:
    - host: whoami
      http:
        paths:
          - backend:
              serviceName: whoami
              servicePort: 80
  tls:
    - secretName: mysecret

---
# Redirect middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect

spec:
  redirectScheme:
    scheme: https
    permanent: true

---
# http ingress for http->https redirection
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: whoami-redirect
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd
    traefik.ingress.kubernetes.io/router.entrypoints: web

spec:
  rules:
    - host: whoami
      http:
        paths:
          - backend:
              serviceName: whoami
              servicePort: 80

With the kubernetescrd provider, the trap is to not use the <namespace>-<name>@kubernetescrd form in the middleware reference, as mentioned in the documentation.

Alternatively, if you don't want to use the kubernetescrd provider, you can use a file configuration in a config map mounted in a container volume and activate the Traefik file provider.


Hey and thx for fast reply!

This is exactly what I did (at least I think that I did this) 🧐

Can you cross-check this:

Could you share your Traefik logs?
I made a quick sandbox repo with my tests and both global and full ingress redirect configurations work.

Good morning,

the logs are pretty huge - where do you want them?

At least, I need the beginning of the log, so we can check the configuration loaded.
If you can activate the API, can you share the /api/rawdata?

Did you check my test repo?

Yes - I get these messages:

Starting stack

Created a new certificate valid for the following names 📜
 - "whoami"

The certificate is at "./whoami.pem" and the key at "./whoami-key.pem" ✅

It will expire on 2 March 2023 🗓

/home/admin/ingress-redirect-master
 ERROR: Exception loading options: no element found line: 1 column: 0
 WARNING: Resetting options data to version 4
 0x55c7bc8deea0Error connecting to DBus session bus: /usr/bin/dbus-launch terminated abnormally without any error message
 ERROR: no element found line: 1 column: 0
 ERROR: no element found line: 1 column: 0
 ERROR: no element found line: 1 column: 0
 ERROR: no element found line: 1 column: 0
 ERROR: no element found line: 1 column: 0
 ERROR: no element found line: 1 column: 0

Have you got k3d installed?
Can you test the script command by command?

k3d is installed.

Here is the output for the create cluster command:

k3d cluster create mycluster --api-port 6550 -p 80:80@loadbalancer -p 8080:8080@loadbalancer -p 443:443@loadbalancer --k3s-server-arg '--no-deploy=traefik' -i rancher/k3s:v1.18.6-k3s1
 ERROR: Exception loading options: no element found line: 1 column: 0
 WARNING: Resetting options data to version 4

Could you check the k3d version with the following command: k3d version?

Sorry, my fault. Now it works and my implementation works as well.

The solution was that you configured two ingresses:

  • The first with http and https which redirects
  • The second with https enabled

I only had one ingress - I think this was my mistake.

Thx for your help!
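
The layout this thread ends on (a TLS Ingress plus a separate plain-HTTP Ingress carrying the redirect middleware, referenced as `<namespace>-<name>@kubernetescrd`) can be checked offline before applying it. This is an added example, not code from the thread or from Traefik: `audit_redirects`, `ingress` and the sample dicts are hypothetical, the plain-HTTP entry point is assumed to be named `web`, and it relies on Traefik routers with `router.tls: "true"` handling HTTPS requests only.

```python
# Added example. Manifests are constructed Python dicts mirroring this thread, not cluster output.
A = "traefik.ingress.kubernetes.io/router."

def ingress(name, host, **ann):
    """Hypothetical helper: a minimal Ingress carrying Traefik router annotations."""
    return {"kind": "Ingress",
            "metadata": {"name": name, "namespace": "default",
                         "annotations": {A + k: v for k, v in ann.items()}},
            "spec": {"rules": [{"host": host}]}}

REDIRECT = {"kind": "Middleware", "metadata": {"name": "redirect", "namespace": "default"},
            "spec": {"redirectScheme": {"scheme": "https", "permanent": True}}}
REF = "default-redirect@kubernetescrd"
# One TLS Ingress carrying the middleware, as first attempted in the thread.
SINGLE = [REDIRECT, ingress("client", "whoami", tls="true", middlewares=REF)]
# The working layout: a TLS Ingress on websecure plus a plain Ingress on web that redirects.
PAIR = [REDIRECT,
        ingress("whoami-ingress", "whoami", entrypoints="websecure", tls="true"),
        ingress("whoami-redirect", "whoami", entrypoints="web", middlewares=REF)]

def audit_redirects(manifests, web="web"):
    """List TLS hosts whose plain-HTTP requests are not redirected to HTTPS."""
    # An Ingress annotation must name a CRD middleware as <namespace>-<name>@kubernetescrd.
    # Assumption: a Middleware without an explicit namespace lives in "default".
    known = {f'{m["metadata"].get("namespace", "default")}-{m["metadata"]["name"]}@kubernetescrd'
             for m in manifests
             if m["kind"] == "Middleware"
             and m["spec"].get("redirectScheme", {}).get("scheme") == "https"}
    tls_hosts, redirected, findings = set(), set(), []
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        ann = ing["metadata"].get("annotations", {})
        split = lambda key: {v.strip() for v in ann.get(A + key, "").split(",") if v.strip()}
        hosts = {r.get("host", "*") for r in ing["spec"].get("rules", [])}
        eps, refs = split("entrypoints"), split("middlewares")
        if ann.get(A + "tls") == "true":
            tls_hosts |= hosts          # a TLS router never sees plain-HTTP requests
        elif not eps or web in eps:     # no entrypoints annotation means all entry points
            for ref in sorted(refs - known):
                findings.append(f'{ing["metadata"]["name"]}: {ref!r} matches no '
                                "https redirectScheme Middleware")
            if refs & known:
                redirected |= hosts
    findings += [f"{h}: HTTPS only, http:// is not redirected"
                 for h in sorted(tls_hosts - redirected)]
    return findings

if __name__ == "__main__":
    for label, objs in (("single", SINGLE), ("pair", PAIR)):
        print(label, audit_redirects(objs) or "ok")
```

An Ingress that is meant to stay on plain HTTP is never reported, so the per-Ingress choice asked for in the thread is preserved.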

I'm glad to see you found the solution. 🙂
Could you mark your previous post as a solution?

Thanks
