turash/k8s/ingress-domains.md
2025-12-24 19:17:14 +01:00

Ingress Domain Configuration

Current Cluster Setup

Ingress Controller

  • Type: Traefik
  • Ingress Class: traefik (default)
  • Service: traefik in kube-system namespace
  • Port: 80 (NodePort: 32080)

Domain Pattern

All services use the pattern: *.bk.glpx.pro

Existing Domains

| Service | Domain | Namespace | TLS | Notes |
|---|---|---|---|---|
| ArgoCD | argocd.bk.glpx.pro | argocd | letsencrypt-prod | Cert-manager managed |
| Rancher | rancher.bk.glpx.pro | cattle-system | | Rancher managed |
| Code Server | code.bk.glpx.pro | code-server | letsencrypt-prod | Cert-manager managed |
| Redis Commander | redis.bk.glpx.pro | infra | letsencrypt-prod | Cert-manager managed |
| Storage | storage.bk.glpx.pro | just-storage | | HTTP only |
| OAuth2 Proxy | login.bk.glpx.pro | kube-system | | HTTP only |
| OCR Service | ocr.bk.glpx.pro | kube-system | | HTTP only |
| Woodpecker | woodpecker.bk.glpx.pro | woodpecker | letsencrypt-prod | Cert-manager managed |
| Turash API | turash-api.bk.glpx.pro | turash | letsencrypt-prod | Planned |

Turash Backend Domain

Current: turash-api.bk.glpx.pro

This follows the existing pattern while being specific about the service. Alternative options considered:

  • api.turash.bk.glpx.pro
  • turash-api.bk.glpx.pro
  • backend.turash.bk.glpx.pro

TLS Configuration

Cert-Manager

  • Cluster Issuer: letsencrypt-prod
  • Automatic TLS: Enabled via annotation cert-manager.io/cluster-issuer: letsencrypt-prod
  • Certificate Secret: Automatically created by cert-manager

Ingress Annotations for Traefik

```yaml
annotations:
  # Use the secure entrypoint (HTTPS)
  traefik.ingress.kubernetes.io/router.entrypoints: websecure

  # Enable TLS with cert-manager
  cert-manager.io/cluster-issuer: letsencrypt-prod

  # Optional: add middleware for CORS, rate limiting, etc.
  # Reference format is <namespace>-<name>@kubernetescrd, so this requires a
  # Middleware named "cors" in the "default" namespace; if it does not exist,
  # Traefik refuses to create the router and the host returns 404.
  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
```

Traefik vs Nginx

Important: The cluster uses Traefik, not nginx-ingress!

Differences:

  1. Ingress Class: Use traefik instead of nginx
  2. Annotations: Use traefik.ingress.kubernetes.io/* instead of nginx.ingress.kubernetes.io/*
  3. Entrypoints: Traefik uses web (HTTP) and websecure (HTTPS)
  4. Middleware: Traefik uses Middleware CRDs for advanced features

Common Traefik Annotations

```yaml
# Entrypoints
traefik.ingress.kubernetes.io/router.entrypoints: websecure

# Middleware (reference format: <namespace>-<name>@kubernetescrd)
traefik.ingress.kubernetes.io/router.middlewares: namespace-middleware@kubernetescrd

# TLS
traefik.ingress.kubernetes.io/router.tls: "true"

# Redirect to HTTPS
# Note: Traefik v2 and later do not recognise this annotation (it is silently
# ignored); the redirect is done with a redirectScheme Middleware CRD instead.
traefik.ingress.kubernetes.io/redirect-entrypoint: websecure
```

DNS Configuration

For local development or if DNS is not configured:

  1. Add to /etc/hosts (Linux/macOS):

    10.10.10.2 turash-api.bk.glpx.pro

  2. Or use the NodePort directly (Traefik routes on the Host header, so it must be sent explicitly, as in the curl example under Testing Ingress):

    http://10.10.10.2:32080

Testing Ingress

```bash
# Check ingress status
kubectl get ingress -n turash

# Test through the NodePort, supplying the Host header Traefik routes on
curl -H "Host: turash-api.bk.glpx.pro" http://10.10.10.2:32080/health

# Test with the proper domain (if DNS is configured)
curl https://turash-api.bk.glpx.pro/health
```

Troubleshooting

Ingress not working?

  1. Check ingress status:

    kubectl describe ingress turash-backend-ingress -n turash

  2. Check Traefik logs:

    kubectl logs -n kube-system -l app.kubernetes.io/name=traefik

  3. Verify service:

    kubectl get svc turash-backend -n turash

  4. Check certificate status:

    kubectl get certificate -n turash
    kubectl describe certificate turash-backend-tls -n turash

Certificate issues?

  1. Check cert-manager:

    kubectl get clusterissuer letsencrypt-prod
    kubectl get certificaterequest -n turash
  2. Check certificate secret:

    kubectl get secret turash-backend-tls -n turash