feat: add tips for https redirection

2025-12-16 05:52:15 +11:00 · 2021-09-05 07:47:38 -04:00 · 2021-09-05 07:47:38 -04:00 · 3e54de4d2e
commit 3e54de4d2e
parent 45d5004f1e
3 changed files with 187 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -186,7 +186,9 @@ secret/awx-app-credentials          Opaque                                3
 secret/awx-token-6s7rj              kubernetes.io/service-account-token   3      4m22s
 ```
-Now AWX is available at `https://<awx-host>/`.
+Now your AWX is available at `https://awx.example.com/` or the hostname you specified.
 At this point, however, AWX can be accessed via HTTP as well as HTTPS. If you want to redirect HTTP to HTTPS, see [the additional tips](tips/https-redirection.md).
 ## Backing up and Restoring using AWX Operator
@ -257,6 +259,12 @@ total 736
 -rw-------. 1 systemd-coredump root 745302 Jun  6 06:51 tower.db
 ```
 Note that if you are using AWX Operator `0.12.0` or earlier, the contents of the Secret that passed through `ingress_tls_secret` parameter will not be included in this backup files. If necessary, get a dump of this Secret, or keep original certificate file and key file. In `0.13.0` or later, this secret is included in the backup file.
 ```bash
 kubectl get secret awx-secret-tls -n awx -o yaml > awx-secret-tls.yaml
 ```
 ### Restoring using AWX Operator
 #### Prepare for Restore
@ -335,6 +343,12 @@ NAME                    AGE
 awxrestore-2021-06-06   137m
 ```
 Note that if you are using AWX Operator `0.12.0` or earlier, the Secret for TLS should be manually restored (or create newly using original certificate and key file). This is not required for `0.13.0` or later.
 ```bash
 kubectl apply -f awx-secret-tls.yaml
 ```
 ## Additional Guides
 - [📁 **Deploy Private Git Repository on Kubernetes**](git)
@ -344,6 +358,11 @@ awxrestore-2021-06-06   137m
  - To use Execution Environments in AWX (AWX-EE), we have to push the container image built with `ansible-builder` to the container registry.
  - If we don't want to push our container images to Docker Hub or other cloud services, we can deploy a private container registry on K3s.
  - See [📝`registry/README.md`](registry) for instructions.
 - [📁 **Deploy Private Galaxy NG on Docker or Kubernetes** (Experimental)](galaxy)
  - Deploy our own Galaxy NG instance.
  - **Note that the containerized implementation of Galaxy NG is not supported at this time.**
  - **All information on the page is for development, testing and study purposes only.**
  - See [📝`galaxy/README.md`](galaxy) for instructions.
 - [📁 **Use Ansible Builder**](builder)
  - Use Ansible Builder to build our own Execution Environment.
  - See [📝`builder/README.md`](builder) for instructions.
@ -353,10 +372,6 @@ awxrestore-2021-06-06   137m
 - [📁 **Use Customized Pod Specification for your Execution Environment**](containergroup)
  - We can customize the specification of the Pod of the Execution Environment using **Container Group**.
  - See [📝`containergroup/README.md`](containergroup) for instructions.
 - [📁 **Deploy Private Galaxy NG on Docker or Kubernetes** (Experimental)](galaxy)
  - Deploy our own Galaxy NG instance.
  - **Note that the containerized implementation of Galaxy NG is not supported at this time.**
  - **All information on the page is for development, testing and study purposes only.**
  - See [📝`galaxy/README.md`](galaxy) for instructions.
 - [📁 **Tips**](tips)
  - [📝Expose `/etc/hosts` to Pods on K3s](tips/expose-hosts.md)
  - [📝Redirect HTTP to HTTPS](tips/https-redirection.md)
--- a/tips/README.md
+++ b/tips/README.md
@ -1,3 +1,4 @@
 # Tips
 - [📝Expose `/etc/hosts` to Pods on K3s](expose-hosts.md)
 - [📝Redirect HTTP to HTTPS](https-redirection.md)
--- a/tips/https-redirection.md
+++ b/tips/https-redirection.md
@ -0,0 +1,165 @@
 <!-- omit in toc -->
 # Redirect HTTP to HTTPS
 Traefik, the default Ingress controller for K3s, listens for access over both HTTP and HTTPS by default, but can be configured to redirect HTTP to HTTPS.
 <!-- omit in toc -->
 ## Table of Contents
 - [Procedure](#procedure)
  - [Prepare Traefik](#prepare-traefik)
  - [Patch your AWX to enable HTTPS redirection](#patch-your-awx-to-enable-https-redirection)
    - [Patch your AWX using Kustomize](#patch-your-awx-using-kustomize)
    - [Patch your AWX manually](#patch-your-awx-manually)
 - [Enable redirects for other services in this repository](#enable-redirects-for-other-services-in-this-repository)
 ## Procedure
 Note that the method described in this page is applicable only when Traefik is used as Ingress Controller.
 ### Prepare Traefik
 To enable redirection, you need to deploy a middleware with [redirectScheme](https://doc.traefik.io/traefik/v2.0/middlewares/redirectscheme/).
 Since this can be referenced from other namespaces, you will create it in the `default` namespace for ease of sharing.
 ```bash
 cat <<EOF > middleware.yaml
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: redirect
 spec:
  redirectScheme:
    scheme: https
    permanent: true
 EOF
 kubectl -n default apply -f middleware.yaml
 kubectl -n default get middleware
 ```
 ### Patch your AWX to enable HTTPS redirection
 To enable redirection, the Ingress resource must have the following annotation.
 ```bash
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd
 ```
 AWX Operator allows you to add any annotations to your Ingress by `ingress_annotations` parameter for AWX. Here are two ways to add `ingress_annotations` parameter.
 - Patch your AWX using Kustomize
 - Patch your AWX manually
 #### Patch your AWX using Kustomize
 In this repository, Kustomize was used to deploy AWX. If you still have the files you used for your first deployment, it is easy to use them again to modify AWX.
 Add these two lines to your `awx.yaml`,
 ```yaml
 spec:
  ...
  ingress_annotations: |     👈👈👈
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd     👈👈👈
 ```
 then invoke `apply` again. Once the command has been invoked, then AWX Operator will start to modify related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily disabled.
 ```bash
 $ kubectl apply -k base
 namespace/awx unchanged
 secret/awx-admin-password unchanged
 secret/awx-postgres-configuration unchanged
 secret/awx-secret-tls configured
 persistentvolume/awx-postgres-volume unchanged
 persistentvolume/awx-projects-volume unchanged
 persistentvolumeclaim/awx-projects-claim unchanged
 awx.awx.ansible.com/awx configured     👈👈👈
 ```
 Once this completed, the logs of `deployment/awx-operator` end with:
 ```txt
 $ kubectl logs -f deployment/awx-operator --tail=100
 ...
 --------------------------- Ansible Task Status Event StdOut  -----------------
 PLAY RECAP *********************************************************************
 localhost                  : ok=55   changed=0    unreachable=0    failed=0    skipped=37   rescued=0    ignored=0
 -------------------------------------------------------------------------------
 ```
 You can confirm that the annotations will be added to the Ingress resource.
 ```bash
 $ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
 {
  ...
  "traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"
 }
 ```
 Now the redirection should be working. Go to `http://awx.example.com/` or the hostname you specified and make sure you are redirected to `https://`.
 #### Patch your AWX manually
 You can patch the AWX resource with the following command. Once the command has been invoked, then AWX Operator will start to modify related resources. Note that the AWX Pod will be recreated, so AWX will be temporarily disabled.
 ```bash
 kubectl -n awx patch awx awx --type=merge \
 -p '{"spec": {"ingress_annotations": "traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd"}}'
 ```
 Once this completed, the logs of `deployment/awx-operator` end with:
 ```txt
 $ kubectl logs -f deployment/awx-operator --tail=100
 ...
 --------------------------- Ansible Task Status Event StdOut  -----------------
 PLAY RECAP *********************************************************************
 localhost                  : ok=55   changed=0    unreachable=0    failed=0    skipped=37   rescued=0    ignored=0
 -------------------------------------------------------------------------------
 ```
 You can confirm that the annotations will be added to the Ingress resource.
 ```bash
 $ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
 {
  ...
  "traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"
 }
 ```
 Now the redirection should be working. Go to `http://awx.example.com/` and make sure you are redirected to `https://awx.example.com/`.
 ## Enable redirects for other services in this repository
 You can also enable HTTPS redirection for [Git Repository](../git/), [Container Registry](../registry) and [Galaxy NG](../galaxy), which are included in this repository, by configuring Ingress as well.
 Add the following lines to the `ingress.yaml` for each resource,
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: <resouce name>
  annotations:     👈👈👈
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect@kubernetescrd     👈👈👈
 ...
 ```
 and `apply` them by Kustomize as you did the first time you deployed it.
 ```bash
 kubectl apply -k <path>
 ```
 Or you can also patch Ingress resources directly.
 ```bash
 kubectl -n <namespace> patch ingress <resouce name> --type=merge \
 -p '{"metadata": {"annotations": {"traefik.ingress.kubernetes.io/router.middlewares": "default-redirect@kubernetescrd"}}}'
 ```