Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deactivated hsts by default #2591

Merged
merged 3 commits into from
Mar 12, 2018
Merged

deactivated hsts by default #2591

merged 3 commits into from
Mar 12, 2018

Conversation

lenalebt
Copy link
Contributor

@lenalebt lenalebt commented Mar 7, 2018

HSTS has been deactivated explicitly by default for the ingress controller in minikube, because it causes trouble for local development. Minikube is intended for local development (where e.g. getting let's-encrypt-certificates is not an option), so this feature should not be turned on by default.

HSTS has been deactivated explicitly by default for the ingress controller in minikube, because it causes trouble for local development. Minikube is intended for local development, so this feature should not be turned on by default.
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 7, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lenalebt
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: luxas

Assign the PR to them by writing /assign @luxas in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@minikube-bot
Copy link
Collaborator

Can one of the admins verify this patch?

@dlorenc
Copy link
Contributor

dlorenc commented Mar 7, 2018

@minikube-bot ok to test

@dlorenc
Copy link
Contributor

dlorenc commented Mar 7, 2018

This makes sense, but could you also add a note about this somewhere to the docs? Maybe in addons.md?
https://github.com/kubernetes/minikube/blob/master/docs/addons.md

lenalebt added 2 commits March 8, 2018 10:14
Added note about where to find plugin configuration.
@lenalebt
Copy link
Contributor Author

lenalebt commented Mar 8, 2018

I added a note where to find the config, in addons.md and a link to the config map where all the options are described. Duplicating config options in the minikube docs will outdate soon, and this allows to find the real options that will be applied, even for the other addons where I did not change anything.

@r2d4 r2d4 merged commit e3194f6 into kubernetes:master Mar 12, 2018
@zhaytee
Copy link

zhaytee commented Mar 13, 2018

So I just ran into this problem with minikube v0.25.0. I've tried writing "hsts": "false" manually to the kube-system/nginx-load-balancer-conf configmap, but something keeps overwriting it after a few seconds and deletes that key.

Is there any way to disable HSTS now before this change makes it into an official minikube release? I can't use any of my local ingresses because my browsers have all suddenly become extremely strict.

@lenalebt
Copy link
Contributor Author

There is a workaround; you can add an annotation nginx.org/hsts with value false to your ingress. If you connected to the domain you are serving beforehand (it's enough to have tried connecting at the time no ingress has been provisioned yet, but the nginx-plugin has been activated!), your browser will almost certainly have activated for the domain (and all subdomains), so you need to first deactivate HSTS in your browser for the specific domain. Keep in mind that there are some domains where your browser might refuse to deactivate HSTS (e.g. Chrome will not deactivate HSTS on the .dev domain).

So:

  1. add annotation nginx.org/hsts: false to your ingress and deploy it
  2. delete HSTS setting for your browser for the domain (and subdomains!) your ingress is serving
  3. reconnect, should work now

Just make sure you don't connect to minikube with enabled ingress addon before the ingresses have been deployed.

@zhaytee
Copy link

zhaytee commented Mar 15, 2018

Thank you @lenalebt! I tried to implement your suggestion, but didn't have any success. After deleting and redeploying my ingress with the annotation you described, requests are still returning the Strict-Transport-Security header. I also tried restarting minikube, and disabling/enabling the ingress addon. Requests continue to return that header!

If you have any other suggestions, I'll gladly try to follow them. If not, I'll just have to wait for the next release of minikube with your patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants