I recently posted about my experience with k3s and how I’m now using it to run my blog. I also mentioned my blog’s new domain and how I’m keeping the old name working. That involved changing the Ingress resource for my blog, so I’ll show how I updated it to accept the old domains and automatically redirect to my preferred domain without needing to make WordPress itself do any redirecting.
The Ingress Controller installed by default by k3s (at least for now) is Traefik. It supports a couple of interesting features, including the ability to automatically redirect based on URL regular expressions via just two annotations. These annotations aren’t documented particularly well but I was able to figure them out through some trial and error. First, let me lay out my goals:
- Redirect requests for these domains to my preferred domain (therubyist.org):
- www.therubyist.org
- blog.gnagy.info
- gnagy.info
- Make the above redirection happen before WordPress is involved
- Ensure that HTTPS still works and is forced
- Also before WordPress itself is involved
- This redirect should be permanent (meaning an HTTP 301)
Given the above goals, the end result really was modifying the Ingress resource in my previous post from this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: blog namespace: blog labels: app.kubernetes.io/name: blog app.kubernetes.io/part-of: blog app.kubernetes.io/component: blog-ingress annotations: # Forces HTTPS ingress.kubernetes.io/ssl-redirect: "true" # Uses the right ingress class kubernetes.io/ingress.class: "traefik" # Tells this Ingress to issue a cert via our ClusterIssuer cert-manager.io/cluster-issuer: letsencrypt # Uses "http01" for ACME provisioning via Let's Encrypt cert-manager.io/acme-challenge-type: http01 spec: rules: - host: blog.gnagy.info http: paths: - backend: serviceName: blog servicePort: www tls: - hosts: - blog.gnagy.info secretName: blog-tls |
To this, which includes the required changes:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: blog namespace: blog labels: app.kubernetes.io/name: blog app.kubernetes.io/part-of: blog app.kubernetes.io/component: blog-ingress annotations: # Forces HTTPS ingress.kubernetes.io/ssl-redirect: "true" # Forces a Permanent (301) redirect ingress.kubernetes.io/redirect-permanent: "true" # Specifies a regex for which URLs to redirect ingress.kubernetes.io/redirect-regex: "^https://(www.therubyist.org|(blog.)?gnagy.info)/?(.*)" # Here is where redirected URLs will end up # Notice the $3, which is the third capture # group from the above regex ingress.kubernetes.io/redirect-replacement: "https://therubyist.org/$3" # Uses the right ingress class kubernetes.io/ingress.class: "traefik" # Tells this Ingress to issue a cert via our ClusterIssuer cert-manager.io/cluster-issuer: letsencrypt # Uses "http01" for ACME provisioning via Let's Encrypt cert-manager.io/acme-challenge-type: http01 spec: # All four rules point to the same service rules: - host: blog.gnagy.info http: paths: - backend: serviceName: blog servicePort: www - host: gnagy.info http: paths: - backend: serviceName: blog servicePort: www - host: www.therubyist.org http: paths: - backend: serviceName: blog servicePort: www - host: therubyist.org http: paths: - backend: serviceName: blog servicePort: www # Notice how TLS now includes the additional domains tls: - hosts: - blog.gnagy.info - gnagy.info - therubyist.org - www.therubyist.org secretName: blog-tls |
The above changes amount to three additional annotations, one to specify a permanent redirect and the other two decide what to redirect and where it is redirected. Beyond that, I needed to inform the ingress itself that it is responsible for the additional domains (the rules portion of the spec) as well as updating tls.hosts to include the additional names (so Let’s Encrypt via cert-manager can do its thing).
Of course, this required that I did the prework of pointing those domains at my server ahead of time, but this wasn’t a problem.
If the above is still called blog-ingress.yaml, save it and run:
|
1 |
kubectl apply -f blog-ingress.yaml |
Once things are done applying, the redirects should be all set.