14

I am trying to route all HTTP traffic to HTTPS. I have a ALB ingress resource and following the guide here https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/#how-it-works but its not working. When i try to access http://www.myhost.in it stays with http but does not redirect to https

below is my ingress resource file

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: eks-learning-ingress
  namespace: production
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: arn878ef678df
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
  labels:
    app: eks-learning-ingress
spec:
  rules:
  - host: www.myhost.in
    http:
      paths:
        - path: /*
          backend:
            serviceName: eks-learning-service
            servicePort: 80

Any help in this would be really great, Thanks.

opensource-developer
  • 2,826
  • 4
  • 38
  • 88

4 Answers4

22

AWS ALB Ingress controller now has added a new annotation for a easy redirection of HTTP requests to HTTPS. Available in apiVersion: networking.k8s.io/v1

This new annotation called as ssl-redirect is available in ALB Controller v2.4

So your problem can be fixed just with the following 2 annotations.

alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect: '443'

No need to mention any ingress rules.

Complete example-

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: myapp
  labels:
    name: myapp
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: my-alb-group  #Use this to share ALB among multiple ingresses. #CostEffective
    alb.ingress.kubernetes.io/load-balancer-name: my-alb  # give ALB a meaningfull name otherwise a random name is assigned by AWS.
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-west-1:XXXX:certificate/YYYY" # Get it by $ aws acm list-certificates 
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
  ingressClassName: alb
  rules:
  - host: app.example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port: 
              number: 80
akshaykrjain
  • 373
  • 2
  • 8
  • Thanks for clarifying this! I was wondering if I still needed to include the old `ssl-redirect` path when using the annotation method. Guess not and seems to be working fine without it! – skupjoe Sep 22 '22 at 05:54
  • 1
    @skupjoe No, you don't need to specify `ssl-redirect` path. This annotation is sufficient. – akshaykrjain Sep 26 '22 at 16:02
  • 1
    perfectly working – Ben Jun 24 '23 at 23:28
20

For anyone stumbling on this post. I was missing adding this as my http paths. Have in mind this needs to be the first specified path.

        - path: /*
          backend:
            serviceName: ssl-redirect
            servicePort: use-annotation

Once i added this redirection started working.

So the final config in question should look like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: eks-learning-ingress
  namespace: production
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: arn878ef678df
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
  labels:
    app: eks-learning-ingress
spec:
  rules:
  - host: www.myhost.in
    http:
      paths:
        - path: /*
          backend:
            serviceName: ssl-redirect
            servicePort: use-annotation
        - path: /*
          backend:
            serviceName: eks-learning-service
            servicePort: 80
HelloWorld
  • 35
  • 4
opensource-developer
  • 2,826
  • 4
  • 38
  • 88
  • Do you only expose port 80 on the service? or do I also need to set up port 443? – Aldy syahdeini Jan 28 '21 at 09:14
  • 1
    It's right in the doc https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/tasks/ssl_redirect/ But looking at that it seems that `ssl-redirect` is some example service. Not sure why they use annotation and then a dummy service. Doesn't make much sense to me – nakamume Sep 24 '21 at 07:46
  • This answer is obsolete now. The approach is not working anymore. See this answer instead: https://stackoverflow.com/a/73037420/7820212 – M. Gleria Aug 08 '23 at 17:09
13

In case anyone else is setting up a cluster with a newer API version; apiVersion: networking.k8s.io/v1, where the syntax is different, this is the way to go:

  - path: /
    pathType: Prefix
    backend:
      service:
        name: ssl-redirect
        port:
          name: use-annotation

Note: path must not contain a wildcard, as you are using pathType: Prefix that will fail to configure the ALB.

suren
  • 7,817
  • 1
  • 30
  • 51
2

https://github.com/kubernetes-sigs/aws-load-balancer-controller/pull/2274

Description

Controller v2.2.0 and later provides a simpler way to configure SSL redirection via the annotation alb.ingress.kubernetes.io/ssl-redirect.

alb.ingress.kubernetes.io/ssl-redirect: '443'

thearavindhs
  • 31
  • 3