Kubernetes 入口：SSL（HTTP -> HTTPS）重定向不起作用（Nginx Docker）

Question

I am using Kubernetes within Google Cloud Kubernetes Engine and have setup the following: - Nginx docker image (nginx:latest), which is hosting a web application - Kubernetes Deployment (yaml file) - Kubernetes Service (yaml file) - Kubernetes Secret with existing key and certificates (Wildcard PositiveSSL) - Kubernetes Ingress

Currently I have both HTTP and HTTPS working. However, I want to redirect any and all HTTP calls to HTTPS automatically, but don't seem to get it to be working.

I have tried many variations of the conf and script files below, and it doesn't seem to be able to redirect HTTP to HTTPS.

Any idea what I might be doing wrong here?

Please see below for my conf, yaml and docker files.

Nginx Conf:

server {
  listen 80;
  charset utf-8;
  root /usr/share/nginx/html;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect  http:// https://;
    proxy_pass              http://portal.domain.com;
    proxy_http_version 1.1;
    proxy_request_buffering off;
  }
}

server {
  listen 443 ssl;

  charset utf-8;
  root /usr/share/nginx/html;

  ssl_certificate       /etc/nginx/ssl/domain_com_full.crt;
  ssl_certificate_key   /etc/nginx/ssl/domain_com.key;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect  http:// https://;
    proxy_pass              http://portal.domain.com;
    proxy_http_version 1.1;
    proxy_request_buffering off;
  }
}

Docker file:

FROM nginx:latest
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY domain_com_full.crt /etc/nginx/ssl/domain_com_full.crt
COPY domain_com.key /etc/nginx/ssl/domain_com.key
COPY dist /usr/share/nginx/html
EXPOSE 443 80

Deployment YAML (I use a script to fill in the revision part of the image):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: domain-frontend-prd
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
        maxSurge: 1
        maxUnavailable: 0
  selector:
    matchLabels:
      run: domain-frontend-prd
  template:
    metadata:
      labels:
        run: domain-frontend-prd
    spec:
      containers:
      - name: domain-frontend-image
        image: eu.gcr.io/domain-service/domain-frontend-image:{{REVISION_ID}}
        ports:
        - containerPort: 80
        - containerPort: 443
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
          successThreshold: 1

Service YAML:

apiVersion: v1
kind: Service
metadata:
  name: domain-frontend-service-prd
spec:
  type: NodePort
  selector:
    run: domain-frontend-prd
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
    name: https-port
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http-port

Ingress YAML (The Secret is working, as the HTTPS call also works + static IP is also there and working):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: domain-frontend-ingress-prd
  annotations:
    kubernetes.io/ingress.global-static-ip-name: kubernetes-ingress
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - portal.domain.com
    secretName: domain-tls
  backend:
    serviceName: domain-frontend-service-prd
    servicePort: 80
  rules:
  - host: portal.domain.com
    http:
      paths:
        - path: /
          backend:
            serviceName: domain-frontend-service-prd
            servicePort: 80

Answer 1

Through extensive search I have found out that apparently the standard Ingress controller in Google Cloud Kubernetes engine, does not support redirect to HTTPS.

In order to be able to resend traffic to HTTPS (from HTTP), you need to install the NGINX Ingress controller according to this tutorial/documentation:

https://cloud.google.com/community/tutorials/nginx-ingress-gke

This has resolved my issue.

Answer 2

As of GKE version 1.18.10-gke.600, you can use FrontendConfig to create HTTP -> HTTPS redirection in Google Kubernetes Engine Ingress Controller .

HTTP to HTTPS redirects are configured using the redirectToHttps field in a FrontendConfig custom resource. Redirects are enabled for the entire Ingress resource so all services referenced by the Ingress will have HTTPS redirects enabled.

The following FrontendConfig manifest enables HTTP to HTTPS redirects. Set the spec.redirectToHttps.enabled field to true to enable HTTPS redirects. The spec.responseCodeName field is optional. If it's omitted a 301 Moved Permanently redirect is used.

For example:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: your-frontend-config-name
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT

MOVED_PERMANENTLY_DEFAULT is on of the available RESPONSE_CODE field value, to return a 301 redirect response code (default if responseCodeName is unspecified).

You can find more options here: HTTP to HTTPS redirects

Then, you have to link your FrontendConfig to your Ingress , like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: your-ingress-name
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: your-frontend-config-name
spec:
  tls:
    ...