diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml
index 8783b1fd2..4aed810e2 100644
--- a/deploy/static/provider/aws/deploy-tls-termination.yaml
+++ b/deploy/static/provider/aws/deploy-tls-termination.yaml
@@ -36,7 +36,13 @@ metadata:
 name: ingress-nginx-controller
 namespace: ingress-nginx
 data:
- force-ssl-redirect: 'true'
+ http-snippet: |
+ server {
+ listen 2443;
+ return 308 https://$host$request_uri;
+ }
+ proxy-real-ip-cidr: XXX.XXX.XXX/XX
+ use-forwarded-headers: 'true'
 ---
 # Source: ingress-nginx/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -263,9 +269,8 @@ metadata:
 service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
 service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
 service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
- service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
 service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX
- service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
 service.beta.kubernetes.io/aws-load-balancer-type: elb
 labels:
 helm.sh/chart: ingress-nginx-2.0.0
@@ -283,7 +288,7 @@ spec:
 - name: http
 port: 80
 protocol: TCP
- targetPort: http
+ targetPort: tohttps
 - name: https
 port: 443
 protocol: TCP
@@ -382,7 +387,10 @@ spec:
 containerPort: 80
 protocol: TCP
 - name: https
- containerPort: 443
+ containerPort: 80
+ protocol: TCP
+ - name: tohttps
+ containerPort: 2443
 protocol: TCP
 - name: webhook
 containerPort: 8443
diff --git a/hack/generate-deploy-scripts.sh b/hack/generate-deploy-scripts.sh
index e119df782..b1531abec 100755
--- a/hack/generate-deploy-scripts.sh
+++ b/hack/generate-deploy-scripts.sh
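Review bot: `proxy-real-ip-cidr: XXX.XXX.XXX/XX` lands in the rendered ConfigMap with nothing marking it as a placeholder — the generator script's values carry `# DO NOT FORGET TO SET YOUR VPC CIDR`, but that comment does not survive into this manifest — and the value is not a valid CIDR, so the controller presumably rejects the real-IP directive it renders from it until an operator replaces it. Together with `use-forwarded-headers: 'true'` this is, as far as I can tell, the range whose `X-Forwarded-For`/`X-Forwarded-Proto` nginx will believe, so the manifest should say so: `# TODO set to the CIDR(s) the ELB sends from; every source in this range can set X-Forwarded-* headers`. Separately, the `http-snippet` redirect target is built from `$host`, which nginx fills from the client's Host header (falling back to `server_name` only when it is absent), so the 308 issued on 2443 follows whatever host the client names; that is the usual shape of an HTTP→HTTPS bounce, but a one-line comment to that effect would stop the next reader from reaching for `$server_name` or a hard-coded host without knowing the trade-off.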
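Review bot: Moving TLS termination onto the ELB (`aws-load-balancer-ssl-ports: https` with `backend-protocol: http`) leaves the listener's TLS version and cipher policy at the cloud provider's default predefined policy, which at the time of writing still negotiates TLS 1.0 and 1.1; nothing in this Service pins it, and the `ssl-cert` ARN is the only TLS-related annotation. Consider adding `service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01` next to the certificate annotation (unquoted, matching the surrounding style). Since this manifest appears to be rendered from the heredoc in hack/generate-deploy-scripts.sh elsewhere in this diff, the same annotation needs to go there or it will vanish on the next regeneration. The Service's metadata block begins outside the hunk.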
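Review bot: After this change the container ports named `http` and `https` both point at `containerPort: 80`, and the listener that actually does the redirect is the new `tohttps` on 2443, so the port names no longer say where TLS ends. A comment on the `https` entry would spare the next reader a false alarm, e.g. `# TLS terminates at the ELB; the Service's 'https' port is forwarded here as plain HTTP`. The enclosing container spec starts and ends outside the hunk.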
@@ -46,10 +46,6 @@ controller:
 publishService:
 enabled: false
-
-rbac:
- create: true
-
 EOF
 echo "${NAMESPACE_VAR}
@@ -62,10 +58,6 @@ controller:
 service:
 type: LoadBalancer
 externalTrafficPolicy: Local
-
-rbac:
- create: true
-
 EOF
 echo "${NAMESPACE_VAR}
@@ -87,10 +79,6 @@ controller:
 # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
 # increased to '3600' to avoid any potential issues.
 service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
-
-rbac:
- create: true
-
 EOF
 echo "${NAMESPACE_VAR}
@@ -107,9 +95,8 @@ controller:
 annotations:
 service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
 service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
- service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
 service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
- service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
 service.beta.kubernetes.io/aws-load-balancer-type: elb
 # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
 # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
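Review bot: Dropping `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"` while the ELB is switched to TLS termination on the `https` port means the controller no longer gets the client address from the PROXY header; it presumably has to come from the `X-Forwarded-For` the ELB injects in HTTP mode instead, which is only trustworthy if the `proxy-real-ip-cidr` set in the next hunk really covers the load balancer's addresses. Nothing in this values block ties those two settings together, so a reader removing or tightening one can silently break the other; a comment on the annotation block, e.g. `# PROXY protocol is off: client IPs come from X-Forwarded-For, trusted only from config.proxy-real-ip-cidr`, would record the dependency. The annotations map continues outside the hunk.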
@@ -117,21 +104,27 @@ controller: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" targetPorts: - http: http + http: tohttps https: http + tohttps: tohttps + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 80 + tohttps: 2443 config: - # Force 80 -> 443 - force-ssl-redirect: "true" - # use-forwarded-headers: "true" - # Obtain IP ranges from AWS and configure the defaults # curl https://ip-ranges.amazonaws.com/ip-ranges.json | cat ip-ranges.json | jq -r '.prefixes[] .ip_prefix'| paste -sd "," - - # proxy-real-ip-cidr: [] - -rbac: - create: true - + # DO NOT FORGET TO SET YOUR VPC CIDR + proxy-real-ip-cidr: XXX.XXX.XXX/XX + use-forwarded-headers: "true" + http-snippet: | + server { + listen 2443; + return 308 https://\$host\$request_uri; + } EOF echo "${NAMESPACE_VAR}
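Review bot: `# DO NOT FORGET TO SET YOUR VPC CIDR` tells the operator what to put in `proxy-real-ip-cidr` but not what the setting does, and with `use-forwarded-headers: "true"` it is presumably the range from which `X-Forwarded-For`/`X-Forwarded-Proto` are believed — trusting the whole VPC means any pod or node in it can forge the client address and scheme the controller and its backends see. Where the ELB's subnets are known, the tighter range is the safer default, and the comment should carry the reason: `# Sources whose X-Forwarded-* headers are trusted; prefer the ELB subnets over the whole VPC`. The `\$host\$request_uri` escapes in the `http-snippet` look right for an unquoted heredoc (the rendered manifest elsewhere in this diff shows them arriving as `$host$request_uri`), but that is easy to break on a later edit, so a one-line `# backslashes keep nginx variables out of shell expansion` would help. The heredoc itself starts outside the hunk.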