Feature request: support external TLS with HTTP 301 upgrades #715

Closed
davecheney opened this issue Sep 28, 2018 · 5 comments
Labels
area/tls Issues or PRs related to TLS support. blocked/needs-design Categorizes the issue or PR as blocked because it needs a design document. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@davecheney

Currently Contour configures Envoy to handle TLS directly on port 8443. If this is enabled then a second option to issue 301 redirects from port 8080 to port 8443 is available, via an annotation on Ingress, and automatically via IngressRoute.

Currently it is not possible to configure Contour to both issue 301 upgrades to HTTP requests and have TLS managed externally (say an ELB managed by a cloud provider). We should look into making this possible.

@davecheney davecheney added kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. blocked/needs-design Categorizes the issue or PR as blocked because it needs a design document. labels Sep 28, 2018
@so0k

so0k commented Oct 30, 2018

We recently switched from zalando/kube-ingress-aws-controller + zalando/skipper to zalando/kube-ingress-aws-controller + heptio/contour.

Currently setting ingress.kubernetes.io/force-ssl-redirect on our ingress results in a redirect loop.

Would there be a simple way to check for X-Forwarded-Proto header and not redirect if it's there?

Ideally, the logic of creating external LB and setting the ingress status remains de-coupled from contour to have maximum flexibility. I love how it works right now.

Here are some details why someone might want to use kube-ingress-aws-controller

  • Uses minimum AWS API calls to create ALB+TargetGroup (CloudFormation Stack)
  • Supports custom filters for (Spot) Instance / ASG tags dynamically added to TargetGroup (allowing us to dedicate Edge Nodes for ingress)
  • Fully automated ALB Listener Cert configuration with AWS Certificate Management (external TLS)

I do not think I can achieve the same with Kubernetes Service objects of type LoadBalancer (they would distribute traffic across all nodes instead of just edge nodes?).

Looking forward to your thoughts and comments.
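
The X-Forwarded-Proto check asked about in the comment above, as an added example that is not part of the original thread and is not Contour or Envoy code: a Go handler that skips the 301 only when a trusted load balancer reports that it already terminated TLS, which is what breaks the redirect loop. The CIDR `10.0.0.0/16`, the host `app.example.test`, the sample addresses and all function names are assumptions; `main` replays three constructed requests (LB did TLS, LB received plaintext, header set by a peer outside the LB subnet).

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// lbNet is a constructed CIDR standing in for the load balancer's subnet (assumption).
var _, lbNet, _ = net.ParseCIDR("10.0.0.0/16")

// needsUpgrade reports whether a request should get a 301 to https.
// X-Forwarded-Proto is honoured only from the load balancer's addresses,
// because any other client could set the header itself and skip the upgrade.
func needsUpgrade(r *http.Request) bool {
	if r.TLS != nil {
		return false // TLS was terminated by this server
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	fromLB := lbNet.Contains(net.ParseIP(host)) // unparsable address counts as untrusted
	return !(fromLB && r.Header.Get("X-Forwarded-Proto") == "https")
}

// upgrade wraps next so that only requests needing it are redirected.
func upgrade(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if needsUpgrade(r) {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor replays one constructed request and returns the response status.
func statusFor(remoteAddr, forwardedProto string) int {
	r := httptest.NewRequest("GET", "http://app.example.test/login", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set("X-Forwarded-Proto", forwardedProto)
	w := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	upgrade(ok).ServeHTTP(w, r)
	return w.Code
}

func main() {
	fmt.Println(statusFor("10.0.3.7:41000", "https"), statusFor("10.0.3.7:41000", "http"), statusFor("203.0.113.9:5555", "https"))
}
```

A redirect that ignores the header entirely returns 301 for the first request as well, so a client behind a TLS-terminating load balancer is redirected on every attempt.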

@so0k

so0k commented Jan 23, 2019

Switching to NLBs due to bugs in ALB; this is of lower priority for me now.

@so0k

so0k commented Feb 11, 2019

Other people reported this bug here: envoyproxy/envoy#4496 (comment)

@davecheney davecheney added this to the 0.14.0 milestone Jun 18, 2019
@davecheney davecheney modified the milestones: 0.14.0, 0.15.0 Jul 19, 2019
@davecheney davecheney modified the milestones: 0.15.0, 1.0.0-beta.1 Aug 23, 2019
@davecheney davecheney modified the milestones: 1.0.0-beta.1, Backlog Sep 10, 2019
@jpeach jpeach added the area/tls Issues or PRs related to TLS support. label Aug 9, 2020
@skriss skriss removed this from the Backlog milestone Jul 25, 2022

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 30, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 29, 2024