Kubernetes Nginx Ingress HTTP to HTTPS redirect via 301 instead of 308?

Question

We are running a couple of k8s clusters on Azure AKS. The service (ghost blog) is behind the Nginx ingress and secured with a cert from Letsencrypt. All of that works fine but the redirect behavior is what I am having trouble with.

The Ingress correctly re-directs from http://whatever.com to https://whatever.com — the issue is that it does so using a 308 redirect which strips all post/page Meta anytime a user shares a page from the site.

The issue results in users who share any page of the site on most social properties receiving a 'Preview Link' — where the title of the page and the page meta preview do not work and are instead replaced with '308 Permanent Redirect' text — which looks like this:

From the ingress-nginx docs over here I can see that this is the intended behavior (ie. 308 redirect) what I believe is not intended is the interaction with social sharing services when those services attempt to create a page preview.

While the issue would be solved by Facebook (or twitter, etc etc) pointing direct to the https site by default, I currently have no way to force those sites to look to https for the content that will be used to create the previews.

Setting Permanent Re-Direct Code

I can also see that it looks like I should be able to set the redirect code to whatever I want it to be (I believe a 301 redirect will allow Facebook et al. to correctly pull post/page snippet meta), docs on that found here.

The problem is that when I add the redirect-code annotation as specified:

nginx.ingress.kubernetes.io/permanent-redirect-code: "301"

I still get a 308 re-direct on my resources despite being able to see (from my kubectl proxy) that the redirect-code annotation correctly applied. For reference, my full list of annotations on my Ingress looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ghost-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/permanent-redirect-code: "301"

To reiterate — my question is; what is the correct way to force a redirect to https via a custom error code (in my case 301)?

Answer 1

My guess is the TLS redirect shadows the nginx.ingress.kubernetes.io/permanent-redirect-code annotation.

You can actually change the ConfigMap for your nginx-configuration so that the default redirect is 301. That's the configuration your nginx ingress controller uses for nginx itself. The ConfigMap looks like this:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-configuration
  namespace: ingress-nginx
data:
  use-proxy-protocol: "true"
  http-redirect-code: "301"

You can find more about the ConfigMap options here. Note that if you change the ConfigMap you'll have to restart your nginx-ingress-controller pod.

You can also shell into the nginx-ingress-controller pod and see the actual nginx configs that the controller creates:

kubectl -n ingress-nginx exec -it nginx-ingress-controller-xxxxxxxxxx-xxxxx bash
www-data@nginx-ingress-controller-xxxxxxxxx-xxxxx:/etc/nginx$ cat /etc/nginx/nginx.conf