# Ingress Domain Configuration

## Current Cluster Setup

### Ingress Controller

- **Type**: Traefik
- **Ingress Class**: `traefik` (default)
- **Service**: `traefik` in `kube-system` namespace
- **Port**: 80 (NodePort: 32080)

### Domain Pattern

All services use the pattern: `*.bk.glpx.pro`

### Existing Domains

| Service | Domain | Namespace | TLS | Notes |
|---------|--------|-----------|-----|-------|
| ArgoCD | `argocd.bk.glpx.pro` | argocd | ✅ (letsencrypt-prod) | Cert-manager managed |
| Rancher | `rancher.bk.glpx.pro` | cattle-system | ✅ | Rancher managed |
| Code Server | `code.bk.glpx.pro` | code-server | ✅ (letsencrypt-prod) | Cert-manager managed |
| Redis Commander | `redis.bk.glpx.pro` | infra | ✅ (letsencrypt-prod) | Cert-manager managed |
| Storage | `storage.bk.glpx.pro` | just-storage | ❌ | HTTP only |
| OAuth2 Proxy | `login.bk.glpx.pro` | kube-system | ❌ | HTTP only |
| OCR Service | `ocr.bk.glpx.pro` | kube-system | ❌ | HTTP only |
| Woodpecker | `woodpecker.bk.glpx.pro` | woodpecker | ✅ (letsencrypt-prod) | Cert-manager managed |
| **Turash API** | `turash-api.bk.glpx.pro` | turash | ✅ (letsencrypt-prod) | Planned |

### Turash Backend Domain

**Current**: `turash-api.bk.glpx.pro`

This follows the existing pattern while being specific about the service. Alternative options considered:

- `api.turash.bk.glpx.pro`
- `turash-api.bk.glpx.pro` ✅
- `backend.turash.bk.glpx.pro`

## TLS Configuration

### Cert-Manager

- **Cluster Issuer**: `letsencrypt-prod`
- **Automatic TLS**: Enabled via annotation `cert-manager.io/cluster-issuer: letsencrypt-prod`
- **Certificate Secret**: Automatically created by cert-manager

### Ingress Annotations for Traefik

```yaml
annotations:
  # Use secure entrypoint (HTTPS)
  traefik.ingress.kubernetes.io/router.entrypoints: websecure
  # Enable TLS with cert-manager
  cert-manager.io/cluster-issuer: letsencrypt-prod
  # Optional: Add middleware for CORS, rate limiting, etc.
  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
```

## Traefik vs Nginx

**Important**: The cluster uses **Traefik**, not nginx-ingress!

### Differences:

1. **Ingress Class**: Use `traefik` instead of `nginx`
2. **Annotations**: Use `traefik.ingress.kubernetes.io/*` instead of `nginx.ingress.kubernetes.io/*`
3. **Entrypoints**: Traefik uses `web` (HTTP) and `websecure` (HTTPS)
4. **Middleware**: Traefik uses Middleware CRDs for advanced features

### Common Traefik Annotations

```yaml
# Entrypoints
traefik.ingress.kubernetes.io/router.entrypoints: websecure

# Middleware
traefik.ingress.kubernetes.io/router.middlewares: namespace-middleware@kubernetescrd

# TLS
traefik.ingress.kubernetes.io/router.tls: "true"

# Redirect to HTTPS
traefik.ingress.kubernetes.io/redirect-entrypoint: websecure
```

## DNS Configuration

For local development or if DNS is not configured:

1. **Add to `/etc/hosts`** (Linux/macOS):

   ```
   10.10.10.2 turash-api.bk.glpx.pro
   ```

2. **Or use NodePort directly**:

   ```
   http://10.10.10.2:32080
   ```

## Testing Ingress

```bash
# Check ingress status
kubectl get ingress -n turash

# Test with curl
curl -H "Host: turash-api.bk.glpx.pro" http://10.10.10.2:32080/health

# Test with proper domain (if DNS configured)
curl https://turash-api.bk.glpx.pro/health
```

## Troubleshooting

### Ingress not working?

1. Check ingress status:

   ```bash
   kubectl describe ingress turash-backend-ingress -n turash
   ```

2. Check Traefik logs:

   ```bash
   kubectl logs -n kube-system -l app.kubernetes.io/name=traefik
   ```

3. Verify service:

   ```bash
   kubectl get svc turash-backend -n turash
   ```

4. Check certificate status:

   ```bash
   kubectl get certificate -n turash
   kubectl describe certificate turash-backend-tls -n turash
   ```

### Certificate issues?

1. Check cert-manager:

   ```bash
   kubectl get clusterissuer letsencrypt-prod
   kubectl get certificaterequest -n turash
   ```

2. Check certificate secret:

   ```bash
   kubectl get secret turash-backend-tls -n turash
   ```
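The domain table and the Traefik vs Nginx notes above can be turned into a repeatable check. The following is an added example, not part of the original configuration: it audits the parsed output of `kubectl get ingress -A -o json` for hosts without TLS, a non-`traefik` ingress class, and leftover `nginx.ingress.kubernetes.io/*` annotations. The `storage` and `demo/legacy` resource names and the embedded sample are constructed for illustration.

```python
TRAEFIK_CLASS = "traefik"                      # ingress class named on this page
NGINX_PREFIX = "nginx.ingress.kubernetes.io/"  # annotation prefix Traefik does not read

def tls_covers(host, tls_hosts):
    """True if host is listed or matched by a one-label wildcard (*.bk.glpx.pro)."""
    for pattern in tls_hosts:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def audit_ingresses(ingress_list):
    """Return sorted (namespace, name, finding) tuples for a parsed
    `kubectl get ingress -A -o json` document."""
    findings = []
    for item in ingress_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        cls = spec.get("ingressClassName")
        if cls is not None and cls != TRAEFIK_CLASS:  # unset uses the default class
            findings.append((ns, name, f"class {cls!r} is not {TRAEFIK_CLASS!r}"))
        for key in meta.get("annotations") or {}:
            if key.startswith(NGINX_PREFIX):
                findings.append((ns, name, f"nginx annotation {key}"))
        tls_hosts = [h for t in spec.get("tls") or [] for h in t.get("hosts") or []]
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host and not tls_covers(host, tls_hosts):
                findings.append((ns, name, f"no TLS for {host}"))
    return sorted(findings)

# Constructed sample (not real cluster output); "storage" and "demo/legacy" are hypothetical.
SAMPLE = {"items": [
    {"metadata": {"namespace": "turash", "name": "turash-backend-ingress", "annotations": {
        "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
        "cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
     "spec": {"ingressClassName": "traefik",
              "tls": [{"hosts": ["turash-api.bk.glpx.pro"], "secretName": "turash-backend-tls"}],
              "rules": [{"host": "turash-api.bk.glpx.pro"}]}},
    {"metadata": {"namespace": "just-storage", "name": "storage"},
     "spec": {"rules": [{"host": "storage.bk.glpx.pro"}]}},
    {"metadata": {"namespace": "demo", "name": "legacy", "annotations": {
        "nginx.ingress.kubernetes.io/ssl-redirect": "true"}},
     "spec": {"ingressClassName": "nginx", "tls": [{"hosts": ["*.bk.glpx.pro"]}],
              "rules": [{"host": "legacy.bk.glpx.pro"}]}},
]}

if __name__ == "__main__":
    for ns, name, finding in audit_ingresses(SAMPLE):
        print(f"{ns}/{name}: {finding}")
```

To run it against the cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in `kubectl get ingress -A -o json`.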