SSL redirect for Dashboard Ingress doesn't create #918

Open
hartnickaus opened this issue Dec 20, 2024 · 4 comments
Labels
bug Something isn't working

Comments

hartnickaus commented Dec 20, 2024

What is the bug?

When you put in the relevant annotations for an AWS ALB that would, on other Helm charts, create a path redirect, this doesn't occur for the Dashboards Ingress.

How can one reproduce the bug?

Helm Chart values used

    ingress:
      dashboards:
        enabled: true
        annotations:
          alb.ingress.kubernetes.io/scheme: internal
          alb.ingress.kubernetes.io/target-type: ip
          alb.ingress.kubernetes.io/group.name: "eks-opensearch-alb"
          alb.ingress.kubernetes.io/group.order: "1"
          alb.ingress.kubernetes.io/healthcheck-path: /_cluster/health
          alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
          alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-2016-08"
          alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-2:<AWSAccount>:certificate/<AWSCertificate>
          alb.ingress.kubernetes.io/actions.ssl-redirect: |
            {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}
          alb.ingress.kubernetes.io/action.use-ssl-redirect: ssl-redirect  # Ensure correct action
        className: alb
        hosts: 
          - host: os1-dashboard.mydomain.com
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: opensearch-dashboard
                    port:
                      number: 5601
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: ssl-redirect
                    port:
                      name: use-annotation

What is the expected behavior?

Have a redirect rule for port 80 to 443 for domain "os1-dashboard.mydomain.com".
What I get is 2 listener rules for port 80 to the AWS Target Group.

What is your host/environment?

AWS EKS 1.31
opensearch-operator 2.7.0
opensearch-cluster 3.0.0
opensearch 2.11.1

Do you have any screenshots?

image

Do you have any additional context?

@hartnickaus hartnickaus added bug Something isn't working untriaged Issues that have not yet been triaged labels Dec 20, 2024
@swoehrl-mw
Collaborator

Hi @hartnickaus.
Can you please verify whether the annotations are added to the ingress object (kubectl describe ingress <clustername>-dashboards)?
Also, I imagine it's just a copy-paste error, but values for the ingress must be defined under cluster.ingress.dashboards (in your description the cluster level is missing).

@hartnickaus
Author

hartnickaus commented Dec 20, 2024

Hi @swoehrl-mw
Yes, the annotations are added to the ingress object, and yes, it is a copy-paste error for the values above, but I do define the values under "cluster.ingress.dashboards".

    kubectl describe ingress -n opensearch opensearch-dashboard
    Name:             opensearch-dashboards
    Labels:           app.kubernetes.io/managed-by=Helm
                      app.kubernetes.io/version=2.7.0
                      argocd.argoproj.io/instance=opensearch-os1
                      helm.sh/chart=opensearch-cluster-3.0.0
    Namespace:        opensearch
    Address:          internal-k8s-eksopensearchalb-nn-nn.ap-southeast-2.elb.amazonaws.com
    Ingress Class:    alb
    Default backend:  <default>
    Rules:
      Host                              Path  Backends
      ----                              ----  --------
      os1-dashboard.mydomain.com
                                        /   opensearch-dashboard:5601 (10.77.14.113:5601)
                                        /   opensearch-dashboard:5601 (10.77.14.113:5601)
    Annotations:                        alb.ingress.kubernetes.io/action.use-ssl-redirect: ssl-redirect
                                        alb.ingress.kubernetes.io/actions.ssl-redirect:
                                          {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}", "S...
                                        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-2:<AWSAccount>:certificate/<AWSCertificate>
                                        alb.ingress.kubernetes.io/group.name: eks-opensearch-alb
                                        alb.ingress.kubernetes.io/group.order: 1
                                        alb.ingress.kubernetes.io/healthcheck-path: /_cluster/health
                                        alb.ingress.kubernetes.io/listen-ports: [{"HTTP": 80}, {"HTTPS": 443}]
                                        alb.ingress.kubernetes.io/scheme: internal
                                        alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
                                        alb.ingress.kubernetes.io/target-type: ip
    Events:                             <none>

You will notice that it creates two paths exactly the same.

@swoehrl-mw
Collaborator

@hartnickaus It creates the same path twice because the cluster chart does not support specifying custom backends (https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/charts/opensearch-cluster/templates/ingress.yaml#L113). The backends for the paths you specify in the values are ignored and the dashboards service is always used (only host, path and pathType are used).

Please define the ingress as a separate manifest outside the helm chart to support your use case. Custom backends for the ingress are out-of-scope for the chart.
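
A standalone Ingress of the kind suggested above, as an added example that is not part of the original thread or the project's chart. It assumes the AWS Load Balancer Controller is a v2 release that supports the `alb.ingress.kubernetes.io/ssl-redirect` annotation, and it swaps that annotation in for the action-based `ssl-redirect` backend from the report; host, namespace, service name and port are taken from the thread, and `metadata.name` is hypothetical.

```yaml
# Added example: Ingress managed outside the opensearch-cluster Helm chart.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opensearch-dashboards-alb        # hypothetical name
  namespace: opensearch                  # namespace from the thread
  annotations:
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: eks-opensearch-alb
    # Both listeners are still needed: port 80 only exists to issue the redirect.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Placeholders exactly as in the report; substitute the real ACM certificate ARN.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-southeast-2:<AWSAccount>:certificate/<AWSCertificate>
    # HTTP listeners answer with a redirect to HTTPS on this port instead of
    # forwarding plaintext traffic to the target group.
    alb.ingress.kubernetes.io/ssl-redirect: "443"
spec:
  ingressClassName: alb
  rules:
    - host: os1-dashboard.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: opensearch-dashboard   # service name from the describe output
                port:
                  number: 5601
```

Because the Ingress joins an IngressGroup through `group.name`, the redirect applies to every Ingress in that group. Disable the chart's own dashboards Ingress (`cluster.ingress.dashboards.enabled`) so the same host is not defined twice.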

@dblock dblock removed the untriaged Issues that have not yet been triaged label Jan 6, 2025
@dblock
Member

dblock commented Jan 6, 2025

[Catch All Triage - 1, 2, 3, 4, 5, 6]
