
add support for ssl-redirect annotation #1837

Merged
merged 1 commit into from
Feb 25, 2021

Conversation

M00nF1sh
Collaborator

add a new annotation "ssl-redirect" to simplify the configuration for HTTP-HTTPS redirect

What is the problem

  1. The current solution (https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/tasks/ssl_redirect/) to configure HTTP→HTTPS redirect via AWSLoadBalancer is complicated and intrusive to customer’s Ingress rules.
  2. The current solution (https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/tasks/ssl_redirect/) to configure HTTP→HTTPS redirect via AWSLoadBalancer is not AWS-config compatible.
    1. AWS Config is an AWS service that validates best practices on AWS resource configurations.
    2. with the current solution, we’ll have a catch all rule(*path:/**) to do SSL-redirect instead of using the default rule per listener (which AWS config expects).
  3. The current solution (https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/tasks/ssl_redirect/) to configure HTTP→HTTPS redirect is tricky: it relies on an implementation detail that the controller will ignore infinite redirect rules.
    1. when generating rules for port 80, the controller inserts the redirect-to-ssl rule as expected.
    2. when generating rules for port 443, the controller ignores the redirect-to-ssl rule as it would be an infinite redirect.

What will be changed

We’ll introduce a new annotation called “alb.ingress.kubernetes.io/ssl-redirect” to do SSL redirection.
The value of alb.ingress.kubernetes.io/ssl-redirect is simply the SSL port to redirect to. e.g. alb.ingress.kubernetes.io/ssl-redirect: 443

  1. The port must appear in the listen-port for Ingresses, and must be an HTTPS port.
  2. All HTTP ports for Ingresses will be redirected to this SSL port under HTTP_301 redirect.

Note:

  1. currently ALB only supports HTTP_301 or HTTP_302 for ** redirect actions. And HTTP_301 is the preferred status_code for HTTP to HTTPS redirection.
  2. There is also an HTTP_308 status code that can be used to achieve HTTP to HTTPS redirection. However, ALB currently doesn’t support it. If ALB supports it in the future, we can add a separate annotation like alb.ingress.kubernetes.io/ssl-redirect-status-code: HTTP_308 to further customize the behavior for advanced users.

Alternative designs considered:

  1. we can allow specifying both port and status code for the SSL redirect, like alb.ingress.kubernetes.io/ssl-redirect: '{"port":443, "status_code": "HTTP_301"}'
    1. pros: more flexible since we can have more settings like status_code.
    2. cons: more complicated to configure.
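
The two rules stated in the description above (the ssl-redirect port must be an HTTPS listen-port, and every HTTP listener is redirected to it), written as a pre-deploy check over an Ingress's annotations. This is an added example, not code from this pull request or the controller; `RedirectedPorts` is a hypothetical helper, and it assumes listen-ports is set explicitly in the JSON form `[{"HTTP":80},{"HTTPS":443}]`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

const annListenPorts = "alb.ingress.kubernetes.io/listen-ports" // existing controller annotation
const annSSLRedirect = "alb.ingress.kubernetes.io/ssl-redirect" // annotation described in this PR

// RedirectedPorts (hypothetical helper, not controller code) returns the HTTP
// ports that would be redirected, or an error if the ssl-redirect value is invalid.
func RedirectedPorts(ann map[string]string) ([]int, error) {
	raw, ok := ann[annSSLRedirect]
	if !ok {
		return nil, nil // no redirect requested
	}
	sslPort, err := strconv.Atoi(raw)
	if err != nil {
		return nil, fmt.Errorf("ssl-redirect %q is not a port number", raw)
	}
	var listeners []map[string]int // one {"PROTOCOL": port} object per listener
	if err := json.Unmarshal([]byte(ann[annListenPorts]), &listeners); err != nil {
		return nil, fmt.Errorf("listen-ports: %w", err)
	}
	var httpPorts []int
	httpsFound := false
	for _, l := range listeners {
		for proto, port := range l {
			if proto == "HTTPS" && port == sslPort {
				httpsFound = true
			} else if proto == "HTTP" {
				httpPorts = append(httpPorts, port)
			}
		}
	}
	if !httpsFound {
		return nil, fmt.Errorf("ssl-redirect port %d is not an HTTPS listen-port", sslPort)
	}
	return httpPorts, nil
}

func main() { // constructed sample annotations
	fmt.Println(RedirectedPorts(map[string]string{
		annListenPorts: `[{"HTTP":80},{"HTTP":8080},{"HTTPS":443}]`,
		annSSLRedirect: "443",
	}))
}
```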

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 19, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 19, 2021
@k8s-ci-robot k8s-ci-robot requested a review from kishorj February 19, 2021 22:22
Collaborator

@kishorj kishorj left a comment

I have some minor comments, changes look good otherwise.

@M00nF1sh M00nF1sh force-pushed the sslRedirect branch 2 times, most recently from 6f64b74 to 20ee2bf Compare February 24, 2021 20:18
@kishorj kishorj added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Feb 24, 2021
@kishorj
Collaborator

kishorj commented Feb 25, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 25, 2021
@k8s-ci-robot k8s-ci-robot merged commit 48b4a7d into kubernetes-sigs:main Feb 25, 2021
Timothy-Dougherty pushed a commit to adammw/aws-load-balancer-controller that referenced this pull request Nov 9, 2023