Nginx ingress resource - Redirect from to www (SSL doesn't work)

Question

Use case

I deployed the nginx ingress controller in my Kubernetes cluster using this helm chart:

https://github.com/helm/charts/tree/master/stable/nginx-ingress

I created an ingress resource for my frontend serving webserver and it is supposed to redirect from non-www to the www version. I am using SSL as well.

The problem

When I visit the www version of my website everything is fine and nginx serves the page using my Lets Encrypt SSL certificate (which exists as secret in the right namespace). However when I visit the NON-www version of the website I get the failing SSL certificate page in my Browser (NET::ERR_CERT_AUTHORITY_INVALID) and one can see the page is served using the Kubernetes ingress fake certificate. I assume that's also the reason why the redirect to the www version does not work at all.

This is my ingress resource (actual hostnames have been redacted):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
  creationTimestamp: 2018-10-03T19:34:41Z
  generation: 3
  labels:
    app: nodejs
    chart: nodejs-1.0.1
    heritage: Tiller
    release: example-frontend
  name: example-frontend
  namespace: microservices
  resourceVersion: "5700380"
  selfLink: /apis/extensions/v1beta1/namespaces/microservices/ingresses/example-frontend
  uid: 5f6d6500-c743-11e8-8aaf-42010a8401fa
spec:
  rules:
  - host: www.example.io
    http:
      paths:
      - backend:
          serviceName: example-frontend
          servicePort: http
        path: /
  tls:
  - hosts:
    - example.io
    - www.example.io
    secretName: example-frontend-tls

The question

Why doesn't nginx use the provided certificate on the non-www version as well?

Answer 1

Looks like you fixed the issue for receiving an invalid certificate by adding an additional rule.

The issue with the redirect looks like it's related to this and it's not fixed as of this writing. However, there is a workaround as described on the same link:

nginx.ingress.kubernetes.io/configuration-snippet: |
  if ($host = 'foo.com' ) {
    rewrite ^ https://www.foo.com$request_uri permanent;
  }

Answer 2

I fixed it by adding the non www version to the rules. The redirect still doesn't work, but the page is served using the correct SSL certificate though.

  - host: example.io
    http:
      paths:
      - backend:
          serviceName: example-frontend
          servicePort: http
        path: /