Redirect HTTP to HTTPS

Traefik, the default Ingress controller for K3s, listens for access over both HTTP and HTTPS by default, but can be configured to redirect HTTP to HTTPS.

Procedure

Note that the method described on this page applies only when Traefik is used as the Ingress controller.

Prepare Traefik

To enable redirection, deploy a Middleware that uses redirectScheme.

Since a Middleware can be referenced from other namespaces, create it in the default namespace for ease of sharing.

cat <<EOF > middleware.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect
spec:
  redirectScheme:
    scheme: https
    permanent: true
EOF

kubectl -n default apply -f middleware.yaml
kubectl -n default get middleware

Patch your AWX to enable HTTPS redirection

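To enable redirection, the Ingress resource must have the following annotation. The value has the form <namespace>-<middleware name>@kubernetescrd, so default-redirect@kubernetescrd refers to the redirect Middleware created in the default namespace above.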

  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd

AWX Operator lets you add any annotations to your Ingress through the ingress_annotations parameter of the AWX resource. There are two ways to add the ingress_annotations parameter.

  • Patch your AWX using Kustomize
  • Patch your AWX manually

Patch your AWX using Kustomize

In this repository, Kustomize was used to deploy AWX. If you still have the files you used for your first deployment, it is easy to use them again to modify AWX.

Add these two lines to your awx.yaml,

spec:
  ...
  ingress_annotations: |     # 👈👈👈 this line and the next
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd

then invoke apply again. Once the command has been invoked, AWX Operator starts modifying the related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily unavailable.

$ kubectl apply -k base
namespace/awx unchanged
secret/awx-admin-password unchanged
secret/awx-postgres-configuration unchanged
secret/awx-secret-tls configured
persistentvolume/awx-postgres-volume unchanged
persistentvolume/awx-projects-volume unchanged
persistentvolumeclaim/awx-projects-claim unchanged
awx.awx.ansible.com/awx configured     👈👈👈

Once this has completed, the logs of deployments/awx-operator-controller-manager end with:

$ kubectl -n awx logs -f deployments/awx-operator-controller-manager -c manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost                  : ok=54   changed=0    unreachable=0    failed=0    skipped=37   rescued=0    ignored=0
----------

You can confirm that the annotation has been added to the Ingress resource.

$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
  ...
  "traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"
}

Now the redirection should be working. Go to http://awx.example.com/ or the hostname you specified and make sure you are redirected to https://.

Patch your AWX manually

You can patch the AWX resource with the following command. Once the command has been invoked, AWX Operator starts modifying the related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily unavailable.

kubectl -n awx patch awx awx --type=merge \
 -p '{"spec": {"ingress_annotations": "traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd"}}'

Once this has completed, the logs of deployments/awx-operator-controller-manager end with:

$ kubectl -n awx logs -f deployments/awx-operator-controller-manager -c manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost                  : ok=54   changed=0    unreachable=0    failed=0    skipped=37   rescued=0    ignored=0
----------

You can confirm that the annotation has been added to the Ingress resource.

$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
  ...
  "traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"
}

Now the redirection should be working. Go to http://awx.example.com/ and make sure you are redirected to https://awx.example.com/.

Enable redirects for other services in this repository

You can also enable HTTPS redirection for Git Repository, Container Registry and Galaxy NG, which are included in this repository, by adding the same annotation to their Ingress resources.

Add the following lines to the ingress.yaml for each resource,

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <resource name>
  annotations:     # 👈👈👈
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd     # 👈👈👈
...

and apply them by Kustomize as you did the first time you deployed it.

kubectl apply -k <path>

Or you can also patch Ingress resources directly.

kubectl -n <namespace> patch ingress <resource name> --type=merge \
 -p '{"metadata": {"annotations": {"traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"}}}'
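
The browser check used above (open http://awx.example.com/ and confirm the redirect) can be scripted so that it also covers the other Ingresses. This is an added example, not part of the original repository: the function names classify_redirect and check_url and the sample response are constructed for illustration. It expects a permanent redirect (301 or 308) whose Location is https:// on the same host, and reports anything else.

```shell
#!/bin/sh
# Added example: classify the first HTTP response of an ingress as
#   ok           permanent redirect (301/308) to https:// on the same host
#   temporary    302/307, so "permanent: true" is not in effect
#   wrong-target redirect, but Location is not https:// on the expected host
#   no-redirect  any other status (for example 200 or 404)

# classify_redirect HOST   (raw response headers on stdin, verdict on stdout)
classify_redirect() {
  tr -d '\r' | awk -v host="$1" '
    /^HTTP\// && status == ""                { status = $2 }
    tolower($1) == "location:" && loc == "" { loc = $2 }
    END {
      if (status != "301" && status != "302" && status != "307" && status != "308") {
        print "no-redirect"; exit
      }
      base = "https://" host
      # Character right after the host: must be end of string, "/" or ":port".
      # This rejects look-alike targets such as https://<host>.other.test/
      rest = substr(loc, length(base) + 1, 1)
      if (index(loc, base) != 1 || (rest != "" && rest != "/" && rest != ":")) {
        print "wrong-target"; exit
      }
      if (status == "302" || status == "307") { print "temporary"; exit }
      print "ok"
    }'
}

# Live check against a real ingress (needs network access; not used by the sample).
# Redirects are deliberately not followed: only the first response matters.
check_url() {   # usage: check_url awx.example.com
  curl -sS -I --max-time 10 "http://$1/" | classify_redirect "$1"
}

# Constructed sample response, shaped like the output of "curl -I"
SAMPLE_OK='HTTP/1.1 301 Moved Permanently
Location: https://awx.example.com/
Content-Type: text/plain; charset=utf-8'

printf '%s\n' "$SAMPLE_OK" | classify_redirect awx.example.com   # prints: ok
```

Run check_url once per hostname after applying the annotation; a verdict other than ok means the Ingress should be re-inspected with the kubectl get ingress command shown earlier.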