Refactor ingress configuration to disable SSL redirect and force SSL …

…backend protocol
adamlahbib · Nov 17, 2024 · 28f08af · 28f08af
1 parent fcb9e14
commit 28f08af
Showing 1 changed file with 15 additions and 39 deletions.
diff --git a/terraform/ingress.tf b/terraform/ingress.tf
@@ -42,19 +42,12 @@ resource "kubernetes_ingress_v1" "dev-ingress" {
         name      = "dev-ingress"
         namespace = "dev"
         annotations = {
+            "kubernetes.io/ingress.class" = "nginx"
             "nginx.ingress.kubernetes.io/rewrite-target" = "/"
-            "nginx.ingress.kubernetes.io/ssl-redirect"    = "true"
-            "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
-            "nginx.ingress.kubernetes.io/secure-backends"                 = "true"
-            "nginx.ingress.kubernetes.io/proxy-body-size"                 = "10m"
-            "nginx.ingress.kubernetes.io/ssl-protocols"                   = "TLSv1.2 TLSv1.3"
-            "nginx.ingress.kubernetes.io/ssl-ciphers"                     = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
-            "nginx.ingress.kubernetes.io/proxy-read-timeout"              = "30"
-            "nginx.ingress.kubernetes.io/proxy-send-timeout"              = "30"
-            "nginx.ingress.kubernetes.io/hsts"                            = "true"
-            "nginx.ingress.kubernetes.io/hsts-max-age"                    = "63072000"
-            "nginx.ingress.kubernetes.io/hsts-include-subdomains"         = "true"
-            "nginx.ingress.kubernetes.io/hsts-preload"                    = "true"        
+            "nginx.ingress.kubernetes.io/ssl-redirect"    = "false"
+            "nginx.ingress.kubernetes.io/force-ssl-redirect" = "false"
+            "nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
+            "nginx.ingress.kubernetes.io/configuration-snippet" = "if ($http_x_forwarded_proto = 'http') {return 301 https://$host$request_uri;}"
         }
     }
 
@@ -93,19 +86,12 @@ resource "kubernetes_ingress_v1" "prod-ingress" {
         name      = "prod-ingress"
         namespace = "prod"
         annotations = {
+            "kubernetes.io/ingress.class" = "nginx"
             "nginx.ingress.kubernetes.io/rewrite-target" = "/"
-            "nginx.ingress.kubernetes.io/ssl-redirect"    = "true"
-            "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
-            "nginx.ingress.kubernetes.io/secure-backends"                 = "true"
-            "nginx.ingress.kubernetes.io/proxy-body-size"                 = "10m"
-            "nginx.ingress.kubernetes.io/ssl-protocols"                   = "TLSv1.2 TLSv1.3"
-            "nginx.ingress.kubernetes.io/ssl-ciphers"                     = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
-            "nginx.ingress.kubernetes.io/proxy-read-timeout"              = "30"
-            "nginx.ingress.kubernetes.io/proxy-send-timeout"              = "30"
-            "nginx.ingress.kubernetes.io/hsts"                            = "true"
-            "nginx.ingress.kubernetes.io/hsts-max-age"                    = "63072000"
-            "nginx.ingress.kubernetes.io/hsts-include-subdomains"         = "true"
-            "nginx.ingress.kubernetes.io/hsts-preload"                    = "true"        
+            "nginx.ingress.kubernetes.io/ssl-redirect"    = "false"
+            "nginx.ingress.kubernetes.io/force-ssl-redirect" = "false"
+            "nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
+            "nginx.ingress.kubernetes.io/configuration-snippet" = "if ($http_x_forwarded_proto = 'http') {return 301 https://$host$request_uri;}"
         }
     }
 
@@ -144,22 +130,12 @@ resource "kubernetes_ingress_v1" "monitoring-ingress" {
         name      = "monitoring-ingress"
         namespace = "monitoring"
         annotations = {
+            "kubernetes.io/ingress.class" = "nginx"
             "nginx.ingress.kubernetes.io/rewrite-target" = "/"
-            "nginx.ingress.kubernetes.io/ssl-redirect"    = "true"
-            "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
-            "nginx.ingress.kubernetes.io/secure-backends"                 = "true"
-            "nginx.ingress.kubernetes.io/proxy-body-size"                 = "10m"
-            "nginx.ingress.kubernetes.io/ssl-protocols"                   = "TLSv1.2 TLSv1.3"
-            "nginx.ingress.kubernetes.io/ssl-ciphers"                     = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
-            "nginx.ingress.kubernetes.io/proxy-read-timeout"              = "30"
-            "nginx.ingress.kubernetes.io/proxy-send-timeout"              = "30"
-            "nginx.ingress.kubernetes.io/hsts"                            = "true"
-            "nginx.ingress.kubernetes.io/hsts-max-age"                    = "63072000"
-            "nginx.ingress.kubernetes.io/hsts-include-subdomains"         = "true"
-            "nginx.ingress.kubernetes.io/hsts-preload"                    = "true"
-            "nginx.ingress.kubernetes.io/proxy-set-headers" = "configmap/custom-headers"
-            "nginx.ingress.kubernetes.io/proxy-buffer-size" = "16k"
-            "nginx.ingress.kubernetes.io/configuration-snippet" = "proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Uri $request_uri;"
+            "nginx.ingress.kubernetes.io/ssl-redirect"    = "false"
+            "nginx.ingress.kubernetes.io/force-ssl-redirect" = "false"
+            "nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
+            "nginx.ingress.kubernetes.io/configuration-snippet" = "if ($http_x_forwarded_proto = 'http') {return 301 https://$host$request_uri;}"
         }
     }