Global HTTPS redirect with Envoy Gateway
Before the Gateway API in Kubernetes, you were probably used to creating two Ingress manifests for your workloads: one for HTTP, issuing a redirect to HTTPS, and one for HTTPS, where all the actual request forwarding to the corresponding Services happens.
With Envoy Gateway and Kubernetes' (fairly) new Gateway API, you can use the new parentRefs field in HTTPRoute objects to create a global HTTP to HTTPS redirect with a single manifest.
By applying the following HTTPRoute manifest, you get a global redirect of all HTTP requests on port 80 to HTTPS on port 443.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: global-https-redirect
  namespace: envoy-gateway-system
spec:
  parentRefs:
    - kind: Gateway
      group: gateway.networking.k8s.io
      name: gateway
      namespace: envoy-gateway-system
      sectionName: http
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
      matches:
        - path:
            type: PathPrefix
            value: /
```

The beauty of this approach lies in the new parentRefs concept of HTTPRoutes (and of many of the new Gateway API resources in general). In an HTTPRoute you can reference one or more Gateways (the latter is awesome, too) that should pick up the routing rule and apply it to the underlying configuration.
What’s nice is that you can define an optional sectionName field and thereby target only a specific listener of a Gateway. In our case, we’re defining an HTTPRoute that should only be applied to the http section of the Gateway. The Gateway's definition looks like this:
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: envoy-gateway-system
spec:
  gatewayClassName: envoy-gateway-class
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          - [...]
```

As you can see, with the HTTPRoute only referencing the http section of the Gateway, it will only be applied when a request is coming in via http on port 80.
By applying a simple RequestRedirect filter towards the https scheme, you can effectively redirect all requests to https, ensuring safe and encrypted communication with your webserver.
To prevent users from accidentally creating more-specific HTTPRoutes that also apply to the http section, the allowedRoutes field of that listener is set to accept routes only from the same namespace as the Gateway. By then restricting user and developer access to the namespace in which Envoy Gateway is deployed, you effectively prevent them from creating insecure HTTPRoutes, because routes from any namespace other than the Gateway's own won't be picked up.
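
To check that this guardrail actually holds in a cluster, the following audit flags plaintext listeners that accept routes from other namespaces and HTTPRoutes that target such a listener without redirecting to HTTPS. It is an added example, not part of the original post; the `team-a/app` route and the `from: All` on the http listener are constructed to show what a misconfiguration looks like.

```python
import json

def audit(items):
    """Flag HTTP listeners open to other namespaces and non-redirect routes on them."""
    findings, http = [], {}  # http: (namespace, gateway) -> names of its HTTP listeners
    for gw in (o for o in items if o["kind"] == "Gateway"):
        key = (gw["metadata"]["namespace"], gw["metadata"]["name"])
        for lis in gw["spec"]["listeners"]:
            if lis["protocol"] != "HTTP":
                continue
            http.setdefault(key, set()).add(lis["name"])
            # When allowedRoutes is omitted, the Gateway API defaults to from: Same.
            scope = lis.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
            if scope != "Same":
                findings.append(f"Gateway {key[0]}/{key[1]} listener {lis['name']}: from={scope}")
    for rt in (o for o in items if o["kind"] == "HTTPRoute"):
        ns, name = rt["metadata"]["namespace"], rt["metadata"]["name"]
        for ref in rt["spec"].get("parentRefs", []):
            key = (ref.get("namespace", ns), ref["name"])
            section = ref.get("sectionName")  # omitted: the route targets every listener
            if key not in http or (section and section not in http[key]):
                continue
            for rule in rt["spec"].get("rules", []):
                redirects = [f.get("requestRedirect", {}) for f in rule.get("filters", [])
                             if f.get("type") == "RequestRedirect"]
                if not any(r.get("scheme") == "https" for r in redirects):
                    findings.append(f"HTTPRoute {ns}/{name}: no HTTPS redirect on plaintext listener")
    return findings

# Constructed sample in the shape of the "items" list from
# `kubectl get gateways.gateway.networking.k8s.io,httproutes.gateway.networking.k8s.io -A -o json`.
SAMPLE = json.loads("""[
 {"kind": "Gateway", "metadata": {"name": "gateway", "namespace": "envoy-gateway-system"},
  "spec": {"listeners": [
    {"name": "http", "protocol": "HTTP", "port": 80,
     "allowedRoutes": {"namespaces": {"from": "All"}}},
    {"name": "https", "protocol": "HTTPS", "port": 443, "allowedRoutes": {"namespaces": {"from": "All"}}}]}},
 {"kind": "HTTPRoute", "metadata": {"name": "global-https-redirect", "namespace": "envoy-gateway-system"},
  "spec": {"parentRefs": [{"name": "gateway", "namespace": "envoy-gateway-system", "sectionName": "http"}],
           "rules": [{"filters": [{"type": "RequestRedirect",
                                   "requestRedirect": {"scheme": "https", "statusCode": 301}}]}]}},
 {"kind": "HTTPRoute", "metadata": {"name": "app", "namespace": "team-a"},
  "spec": {"parentRefs": [{"name": "gateway", "namespace": "envoy-gateway-system"}],
           "rules": [{"backendRefs": [{"name": "app", "port": 8080}]}]}}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The route check reports what a route asks for, not whether the Gateway accepted it: with `from: Same` on the http listener, as in the Gateway above, the `team-a/app` route would be rejected for that listener, but it is still worth surfacing.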