Can I have both http and https in Ingress configuration? - kubernetes

I have ingress yaml like below which makes ingress to proxy HTTPS to HTTP connection. I'm confused how can I make this same ingress to process also HTTP to HTTP connection. Meaning I want it to use the same rule for both incoming HTTP or HTTPS. Removing tls portion makes it work with HTTP but adding it stops HTTP and makes it HTTPS only. Is it limitation of Kubernetes which prevents both HTTP and HTTPS routing in the same ingress controller?
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
spec:
tls:
- hosts:
- "*.mydomain.com"
secretName: aks-ingress-tls
rules:
- host: "*.mydomain.net"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: frontend-service
port:
number: 80

You should redirect the HTTP request to your HTTPS listener. The requests hitting your Azure LB 80/443 listeners will be handled in the same way.
Due to Azure App gateway limitation, you cannot use a wildcard host in your ingress rules and you have to use workarounds.
See: https://azure.github.io/application-gateway-kubernetes-ingress/annotations/#ssl-redirect
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- "*.mydomain.com"
secretName: aks-ingress-tls
rules:
- host: "www.mydomain.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: frontend-service
port:
number: 80

Related

How to ByPass Traffic directly to Backend from K8S NGINX Ingress Controller

OAUTH2 is used for authentication and the OAUTH2 proxy is deployed in Kubernetes. When a request is received by the NGINX Ingress controller, it always routes the traffic to OAUTH proxy. The requirement is when the request contains a specific header (For example: abc) then those requests should be routed directly to the backend. Those shouldn't be routed to OAUTH proxy. Can this be done using some sort of an annotation in NGINX Ingress controller? Can we by pass those traffic going to OAUTH2?
You may want to have a look at https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#canary
Let's say you have a normal Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-backend
spec:
ingressClassName: nginx
rules:
- host: XXX
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend
port:
number: 80
Set the header name and value for your desired backend on a second Ingress, with canary enabled.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-backend-header
annotations:
nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-by-header: sample-header
nginx.ingress.kubernetes.io/canary-by-header-value: abc
spec:
ingressClassName: nginx
rules:
- host: XXX
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend-with-header
port:
number: 80
Now, every request with sample-header: abc routes to the second ingress/service. Any other value, e. g. sample-header: test, will route to the first ingress/service.

K8S traffic to one service via two separate ingress (http + https)

So I have a bunch of services running in a cluster, all exposed via HTTP only ingress object, example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: some-ingress
spec:
ingressClassName: nginx
rules:
- http:
paths:
- backend:
service:
name: some-svc
port:
number: 80
path: /some-svc(/|$)(.*)
pathType: Prefix
They are accessed by http://<CLUSTER_EXTERNAL_IP>/some-svc, and it works ofc.
Now I want to create an additional ingress object for every service which will force SSL connections and allow the use of a domain instead of an IP address.
The problem is that the newer SSL ingresses always return 404 while testing the connection.
The manifests are as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "some-ingress-ssl"
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/app-root: "/some-svc"
spec:
tls:
- hosts:
- foobar.com
secretName: foobar-tls
rules:
- host: foobar.com
http:
paths:
- path: /some-svc(/|$)(.*)
pathType: Prefix
backend:
service:
name: some-svc
port:
number: 80
tests (foobar.com point to CLUSTER_EXTERNAL_IP):
> curl -I http://<CLUSTER_EXTERNAL_IP>/some-svc
HTTP/1.1 200 OK
> curl -I https://foobar.com/some-svc
HTTP/2 404
Is it possible to have both ingresses simultaneously? (one enforcing SSL, the other not)
If so what am I doing wrong here?
Figured out I was missing this annotation:
nginx.ingress.kubernetes.io/rewrite-target: /$2
in SSL ingress...
works like a charm now, maybe someone will find this usefull

Kubernetes Ingress www.example.com gives 404 while https://example.com works

Does anyone know what could be the problem that i'm getting a 404 when trying to access the website via www.example.com while https://example.com works without any issues.
Here is the example of my ingress:
# Ingress
apiVersion: networking.k8s.io/v1
# make a new cert
kind: Ingress
metadata:
name: ${APP_NAME}
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
spec:
defaultBackend:
service:
name: ${APP_NAME}
port:
number: 80
tls:
- secretName: ${APP_NAME}
hosts:
- ${URL}
- www.${URL}
Also I tried to run
kubectl describe ingress
it returns:
host: example.com
Is there an issue with the configuration or why does the www. not redirect properly?
You don't specify the hosts. They need to be specified in spec.rules, for example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: name-virtual-host-ingress-no-third-host
spec:
rules:
- host: first.bar.com
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: service1
port:
number: 80
- host: second.bar.com
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: service2
port:
number: 80
Note: Keep in mind that TLS will not work on the default rule because the certificates would have to be issued for all the possible sub-domains. Therefore, hosts in the tls section need to explicitly match the host in the rules section.
Source

Combining routes of frontend and backend

I have a React front-end and Flask API as back-end.
I wish to have both front-end and back-end routes accessible at same address. E.g frontend at myapp.web.com and backend at myapp.web.com/api.
It will have different deployments for them. I want to know how to do this.
Yes, you can have the same domain that can point to multiple services based on the path.
Normally this can help you to resolve the CORS issue.
API
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
name: backend-ingress
namespace: backend-api
spec:
rules:
- host: myapp.web.com
http:
paths:
- backend:
service:
name: backend-service-name
port:
number: 80
path: /api
pathType: Prefix
tls:
- hosts:
- myapp.web.com
secretName: my-secret-tls
Frontend ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
name: frontend-service
namespace: frontend-service
spec:
rules:
- host: myapp.web.com
http:
paths:
- backend:
service:
name: frontend-service-name
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- myapp.web.com
secretName: my-secret-tls
so in this case, all the requests that start with /api will route to the backend app and rest of the requests will route to frontend.

How to disable tls for specific traefik ingress in kubernetes?

I am using traefik ingress controller in Kubernetes. It is configured to redirect all request to https and terminate tls connection before passing the request to backend service.
Is it possible to only enable http for one particular ingress config but https for other ingresses ? Any example would be helpful.
I only want to enable http(no https) for this ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-ingress
spec:
rules:
- host: testdomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-service
port:
number: 8080
You can create the one ingress with the config like
apiVersion: networking.k8s.io/v1
kind: Ingress
annotation:
kubernetes.io/ingress.class: "traefik"
ingress.kubernetes.io/force-ssl-redirect: "false"
ingress.kubernetes.io/ssl-redirect: "false"
traefik.ingress.kubernetes.io/frontend-entry-points: http
metadata:
name: test-ingress
spec:
rules:
- host: testdomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-service
port:
number: 8080
you can get more idea about the annotation from here : https://doc.traefik.io/traefik/v1.6/configuration/backends/kubernetes/