nginx kubernetes kubernetes-helm nginx-ingress

Disable HSTS for nginx-ingress using ConfigMap


I've tried other related solutions but I can't seem to get this working right and I'm sure it is just a namespacing issue or something because this is my first experience with using ConfigMaps, but can someone help me troubleshoot why this isn't working?

Here's my ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: brushfire-ingress
  labels:
    helm.sh/chart: brushfire-0.1.0
    app.kubernetes.io/name: brushfire
    app.kubernetes.io/instance: brushfire
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: brushfire-issuer
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - "brushfire.online"
        - "*.brushfire.online"
      secretName: tls-secret
  rules:
    - host: "brushfire.online"
      http:
        paths:
          - path: /(.*)
            backend:
              serviceName: brushfire
              servicePort: 80
    - host: "*.brushfire.online"
      http:
        paths:
          - path: /(.*)
            backend:
              serviceName: brushfire
              servicePort: 80

And this is installed as part of a Helm chart that is installed with --namespace jorin-ssl.

The ConfigMap I tried is:

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    app: brushfire-ingress
  name: nginx-configuration
  namespace: ingress-nginx # I've also tried `jorin-ssl`
data:
  hsts: "false"

But in the end, the HSTS always appears to be there:

$ curl -s -D- https://brushfire.online/ | grep -i Strict

returns

strict-transport-security: max-age=15724800; includeSubDomains

For simplicity, I'd love to do this without using a ConfigMap at all. Is there not a way to do this with the annotations like we do with force-ssl-redirect etc?


Solution

  • The name of the ConfigMap must match what the nginx-ingress controller process is looking up.

    The nginx-ingress process will use the --configmap argument on the command line to set the name. This option will be available in the container spec included in your deployment yaml.

    For example, the helm deployment uses the full name of the controller for the --configmap option.
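
An added example, not part of the original answer or the nginx-ingress project: a Python check that reads a controller Deployment (in the shape `kubectl get deployment -o json` returns) and reports why a given ConfigMap would be ignored. The Deployment and its release name are constructed; the ConfigMap metadata is the one from the question, and expanding `$(POD_NAMESPACE)` to the Deployment's own namespace is an assumption.

```python
import json

# Constructed sample: trimmed `kubectl get deployment -o json` output for the
# controller. The release name and namespace are assumptions for illustration.
DEPLOYMENT = json.loads("""
{"metadata": {"name": "brushfire-nginx-ingress-controller", "namespace": "jorin-ssl"},
 "spec": {"template": {"spec": {"containers": [{
   "name": "controller",
   "args": ["/nginx-ingress-controller",
            "--ingress-class=nginx",
            "--configmap=$(POD_NAMESPACE)/brushfire-nginx-ingress-controller"]}]}}}}
""")

# The ConfigMap metadata and data from the question.
CONFIGMAP = {"metadata": {"name": "nginx-configuration", "namespace": "ingress-nginx"},
             "data": {"hsts": "false"}}


def configmap_ref(deployment):
    """Return (namespace, name) the controller is told to read, or None."""
    pod_ns = deployment["metadata"].get("namespace", "default")
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        args = list(container.get("command", [])) + list(container.get("args", []))
        for i, arg in enumerate(args):
            if arg.startswith("--configmap="):
                value = arg.split("=", 1)[1]
            elif arg == "--configmap" and i + 1 < len(args):
                value = args[i + 1]
            else:
                continue
            # Assumption: POD_NAMESPACE is injected from metadata.namespace.
            value = value.replace("$(POD_NAMESPACE)", pod_ns)
            ns, _, name = value.rpartition("/")
            return (ns or pod_ns, name)
    return None


def mismatches(deployment, configmap):
    """List the reasons the controller would not load this ConfigMap."""
    ref = configmap_ref(deployment)
    if ref is None:
        return ["controller has no --configmap argument"]
    meta = configmap["metadata"]
    cm_ns = meta.get("namespace", "default")
    problems = []
    if cm_ns != ref[0]:
        problems.append(f"namespace {cm_ns!r} != {ref[0]!r}")
    if meta["name"] != ref[1]:
        problems.append(f"name {meta['name']!r} != {ref[1]!r}")
    return problems
```

An empty list from `mismatches` means the ConfigMap's namespace and name are the ones the controller was started with; any entry names the field to change.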