deactivated hsts by default

[lenalebt]

HSTS has been deactivated explicitly by default for the ingress controller in minikube, because it causes trouble for local development. Minikube is intended for local development (where e.g. getting let's-encrypt-certificates is not an option), so this feature should not be turned on by default.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lenalebt
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: luxas

Assign the PR to them by writing /assign @luxas in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[minikube-bot]

Can one of the admins verify this patch?

[dlorenc]

@minikube-bot ok to test

[dlorenc]

This makes sense, but could you also add a note about this somewhere to the docs? Maybe in addons.md?
https://github.com/kubernetes/minikube/blob/master/docs/addons.md

[lenalebt]

I added a note where to find the config, in addons.md and a link to the config map where all the options are described. Duplicating config options in the minikube docs will outdate soon, and this allows to find the real options that will be applied, even for the other addons where I did not change anything.

[zhaytee]

So I just ran into this problem with minikube v0.25.0. I've tried writing "hsts": "false" manually to the kube-system/nginx-load-balancer-conf configmap, but something keeps overwriting it after a few seconds and deletes that key.

Is there any way to disable HSTS now before this change makes it into an official minikube release? I can't use any of my local ingresses because my browsers have all suddenly become extremely strict.

[lenalebt]

There is a workaround; you can add an annotation nginx.org/hsts with value false to your ingress. If you connected to the domain you are serving beforehand (it's enough to have tried connecting at the time no ingress has been provisioned yet, but the nginx-plugin has been activated!), your browser will almost certainly have activated for the domain (and all subdomains), so you need to first deactivate HSTS in your browser for the specific domain. Keep in mind that there are some domains where your browser might refuse to deactivate HSTS (e.g. Chrome will not deactivate HSTS on the .dev domain).

So:

1. add annotation nginx.org/hsts: false to your ingress and deploy it
2. delete HSTS setting for your browser for the domain (and subdomains!) your ingress is serving
3. reconnect, should work now

Just make sure you don't connect to minikube with enabled ingress addon before the ingresses have been deployed.

[zhaytee]

Thank you @lenalebt! I tried to implement your suggestion, but didn't have any success. After deleting and redeploying my ingress with the annotation you described, requests are still returning the Strict-Transport-Security header. I also tried restarting minikube, and disabling/enabling the ingress addon. Requests continue to return that header!

If you have any other suggestions, I'll gladly try to follow them. If not, I'll just have to wait for the next release of minikube with your patch.