How do I redirect "old.foo.com/foo" to "new.foo.com/foo" with a NGINX K8S ingress, without breaking cert-manager?

Question

In my K8S ingress config, I'm trying to redirect from (for example) old.mywebsite.com to new.mywebsite.com.

I can do this with the nginx.ingress.kubernetes.io/permanent-redirect annotation, but unfortunately this causes a redirect directly to the target URL. For example, "old.mywebsite.com/some/path?with=parameters" will redirect to "new.mywebsite.com/". The path and query arguments are lost. Since this website has lots of incoming links to the old domain, redirecting with the path and query intact is absolutely crucial.

I can use a config snippet to do what I want:

nginx.ingress.kubernetes.io/server-snippet: |
  if ($host ~ "old.mywebsite.com")
  {
      rewrite ^ https://new.mywebsite.com$request_uri? permanent;
  }

This works, but it breaks automatic renewal of certificates for the old subdomain, since any HTTP requests to the old domain are rewritten to the new domain.

Is there any way I can achieve both? For example a different annotation that preserves the full request path or different snippet config that can make an exception for certbot?

Answer 1

With plain nginx you would have a separate server block for HTTP:

server {
    listen 80;

    # Serve ACME verification requests via HTTP
    location /.well-known {
        try_files $uri =404;
    }

    location / {
        return 301 https://new.example.com$request_uri;
    }
}

I don't know how Kubernetes nginx-ingress configuration works in general, so I cannot give any details how to achieve this with their configuration system. However, the end result in actual nginx configuration file should look like above.

Also, I made the assumption that the renewal of certificates is performed via the /.well-known location.

Answer 2

After some blind experimentation, it actually seems to work to place $request_uri into the target URL in the "permanent-redirect" annotation. I'm guessing it's passed directly into the NGINX config:

nginx.ingress.kubernetes.io/permanent-redirect: https://new.mypage.com$request_uri

I don't think this annotation breaks cert-manager, so this might be the perfect solution.