
[bitnami/nginx] Change default Ingress port to http

Open lindhe opened this issue 1 year ago • 0 comments

Name and Version

bitnami/nginx 16.0.6

What architecture are you using?

None

What steps will reproduce the bug?

  1. Have Nginx Ingress Controller installed as the ingress controller in a cluster (NOTE: this is not the same as the bitnami/nginx chart!)
  2. Have cert-manager be configured with a Cluster Issuer to automatically create TLS certificates for Ingress objects.
  3. Have the values.yaml indicated below.
  4. Install the bitnami/nginx Helm chart: helm install www oci://registry-1.docker.io/bitnamicharts/nginx --version 16.0.6 -f values.yaml

Are you using any custom parameters or values?

values.yaml

service:
  type: ClusterIP

ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
  hostname: foo.example.com
  ingressClassName: nginx
  tls: true

What is the expected behavior?

I would expect the Nginx web server to start serving requests via my Ingress controller, secured via the TLS certificate provided by cert-manager:

Welcome to Nginx

What do you see instead?

400 Bad Request: The plain HTTP request was sent to HTTPS port

Additional information

The reason for the app not serving correctly is that the backend port used by default is https:

$ helm template oci://registry-1.docker.io/bitnamicharts/nginx --version 16.0.6 -f values.yaml --show-only templates/ingress.yaml
Pulled: registry-1.docker.io/bitnamicharts/nginx:16.0.6
Digest: sha256:a47c2465ab440368df26b8bc84a9646659e20a4887311234f21f0e6ac758c744
---
# Source: nginx/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: release-name-nginx
  namespace: "debug"
  labels:
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nginx
    app.kubernetes.io/version: 1.25.5
    helm.sh/chart: nginx-16.0.6
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: "nginx"
  rules:
    - host: "foo.example.com"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: release-name-nginx
                port:
                  name: https  # 👈 This port seems to be the default
  tls:
    - hosts:
        - "foo.example.com"
      secretName: foo.example.com-tls

And since the default backend protocol in Nginx Ingress Controller is HTTP, it cannot use the https port without further configuration of either the application or of the ingress controller. I don't think the bitnami/nginx application needs to accommodate every single ingress controller out there, but Nginx is such a common choice that I think this new default setting will be an issue for many users.

This behavior may have been introduced in https://github.com/bitnami/charts/pull/20934 but I'm not sure.

I think we should either use http by default or set the nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation when ingress.tls=true is set, so it works "out-of-the-box" for most people. There may be other solutions too, please pitch in.

lindhe, May 06 '24 12:05
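The mismatch reported above can be checked across a cluster from the JSON that `kubectl get ingress -A -o json` produces. This is an added example, not part of the original issue or of the bitnami chart; it assumes the ingress class is called `nginx` as in the report, and it treats a backend port named `https` or numbered 443/8443 as a TLS port, which is a naming heuristic rather than anything Kubernetes enforces.

```python
import json
import sys

BACKEND_PROTOCOL = "nginx.ingress.kubernetes.io/backend-protocol"
# Annotation values that make the controller speak TLS to the backend.
TLS_PROTOCOLS = {"HTTPS", "GRPCS"}

def mismatched_backends(ingress_list, ingress_class="nginx",
                        tls_port_names=("https",), tls_port_numbers=(443, 8443)):
    """Return (namespace, name, host, path, port) for each path whose backend
    port looks like TLS while the controller would still send plain HTTP."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta, spec = ing.get("metadata", {}), ing.get("spec", {})
        if spec.get("ingressClassName") != ingress_class:
            continue
        # Without the annotation the controller defaults to HTTP.
        proto = (meta.get("annotations") or {}).get(BACKEND_PROTOCOL, "HTTP")
        if proto.upper() in TLS_PROTOCOLS:
            continue
        for rule in spec.get("rules", []):
            for p in (rule.get("http") or {}).get("paths", []):
                port = ((p.get("backend") or {}).get("service") or {}).get("port") or {}
                if port.get("name") in tls_port_names or port.get("number") in tls_port_numbers:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     rule.get("host"), p.get("path"),
                                     port.get("name") or port.get("number")))
    return findings

def _ingress(name, port_name, annotations=None):
    # Constructed sample object, shaped like the rendered Ingress in the report.
    return {"metadata": {"name": name, "namespace": "debug",
                         "annotations": annotations or {}},
            "spec": {"ingressClassName": "nginx", "rules": [
                {"host": "foo.example.com", "http": {"paths": [
                    {"path": "/", "backend": {"service": {
                        "name": name, "port": {"name": port_name}}}}]}}]}}

SAMPLE = {"items": [
    _ingress("release-name-nginx", "https"),                  # the reported case
    _ingress("annotated", "https", {BACKEND_PROTOCOL: "HTTPS"}),
    _ingress("plain", "http"),
]}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get ingress -A -o json`, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in mismatched_backends(data):
        print("HTTP sent to TLS-looking backend port:", finding)
```

Each finding is an Ingress that would return the `400 Bad Request: The plain HTTP request was sent to HTTPS port` response described in the report until the backend port or the annotation is changed.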