turash/k8s/ingress-domains.md
2025-12-24 19:17:14 +01:00

# Ingress Domain Configuration
## Current Cluster Setup
### Ingress Controller
- **Type**: Traefik
- **Ingress Class**: `traefik` (default)
- **Service**: `traefik` in `kube-system` namespace
- **Port**: 80 (NodePort: 32080)
### Domain Pattern
All services use the pattern: `*.bk.glpx.pro`
### Existing Domains
| Service | Domain | Namespace | TLS | Notes |
|---------|--------|-----------|-----|-------|
| ArgoCD | `argocd.bk.glpx.pro` | argocd | ✅ (letsencrypt-prod) | Cert-manager managed |
| Rancher | `rancher.bk.glpx.pro` | cattle-system | ✅ | Rancher managed |
| Code Server | `code.bk.glpx.pro` | code-server | ✅ (letsencrypt-prod) | Cert-manager managed |
| Redis Commander | `redis.bk.glpx.pro` | infra | ✅ (letsencrypt-prod) | Cert-manager managed |
| Storage | `storage.bk.glpx.pro` | just-storage | ❌ | HTTP only |
| OAuth2 Proxy | `login.bk.glpx.pro` | kube-system | ❌ | HTTP only |
| OCR Service | `ocr.bk.glpx.pro` | kube-system | ❌ | HTTP only |
| Woodpecker | `woodpecker.bk.glpx.pro` | woodpecker | ✅ (letsencrypt-prod) | Cert-manager managed |
| **Turash API** | `turash-api.bk.glpx.pro` | turash | ✅ (letsencrypt-prod) | Planned |
### Turash Backend Domain
**Current**: `turash-api.bk.glpx.pro`
This follows the existing `*.bk.glpx.pro` pattern while naming the service explicitly. Options considered:
- `api.turash.bk.glpx.pro`
- `turash-api.bk.glpx.pro` (chosen)
- `backend.turash.bk.glpx.pro`
## TLS Configuration
### Cert-Manager
- **Cluster Issuer**: `letsencrypt-prod`
- **Automatic TLS**: Enabled via annotation `cert-manager.io/cluster-issuer: letsencrypt-prod`
- **Certificate Secret**: Automatically created by cert-manager
### Ingress Annotations for Traefik
```yaml
annotations:
  # Use secure entrypoint (HTTPS)
  traefik.ingress.kubernetes.io/router.entrypoints: websecure
  # Enable TLS with cert-manager
  cert-manager.io/cluster-issuer: letsencrypt-prod
  # Optional: add middleware for CORS, rate limiting, etc.
  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
```
## Traefik vs Nginx
**Important**: The cluster uses **Traefik**, not nginx-ingress!
### Differences:
1. **Ingress Class**: Use `traefik` instead of `nginx`
2. **Annotations**: Use `traefik.ingress.kubernetes.io/*` instead of `nginx.ingress.kubernetes.io/*`
3. **Entrypoints**: Traefik uses `web` (HTTP) and `websecure` (HTTPS)
4. **Middleware**: Traefik uses Middleware CRDs for advanced features
### Common Traefik Annotations
```yaml
# Entrypoints
traefik.ingress.kubernetes.io/router.entrypoints: websecure
# Middleware (reference format: <namespace>-<name>@kubernetescrd)
traefik.ingress.kubernetes.io/router.middlewares: namespace-middleware@kubernetescrd
# TLS
traefik.ingress.kubernetes.io/router.tls: "true"
# Redirect to HTTPS: Traefik v2/v3 has no redirect annotation
# (`traefik.ingress.kubernetes.io/redirect-entrypoint` is not a recognised key).
# Define a RedirectScheme Middleware and attach it via router.middlewares
# to an Ingress bound to the `web` entrypoint.
```
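A complete manifest that ties the "Ingress Annotations for Traefik" and "Common Traefik Annotations" sections together: the `websecure` Ingress with the cert-manager annotations, plus the Middleware CRD and `web` Ingress that do the HTTP-to-HTTPS redirect. This is an added example, not a file from the turash repo; the Service port 8080 and the Middleware name `redirect-https` are assumptions, the other names come from the commands in this document.

```yaml
# RedirectScheme Middleware: Traefik v2/v3 has no redirect annotation, so this CRD does it.
apiVersion: traefik.io/v1alpha1      # older Traefik releases: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https               # assumed name
  namespace: turash
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# HTTPS router: bound to websecure, TLS terminated with the cert-manager issued certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: turash-backend-ingress
  namespace: turash
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: traefik
  tls:
    - hosts: [turash-api.bk.glpx.pro]
      secretName: turash-backend-tls   # created and renewed by cert-manager
  rules:
    - host: turash-api.bk.glpx.pro
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: {service: {name: turash-backend, port: {number: 8080}}}  # port assumed
---
# HTTP router: bound to web only; every request is redirected to HTTPS. cert-manager's
# HTTP-01 solver Ingress has a longer, more specific path rule that Traefik ranks above
# this catch-all, so the ACME challenge is still answered over plain HTTP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: turash-backend-ingress-redirect
  namespace: turash
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.ingress.kubernetes.io/router.middlewares: turash-redirect-https@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: turash-api.bk.glpx.pro
      http: {paths: [{path: /, pathType: Prefix, backend: {service: {name: turash-backend, port: {number: 8080}}}}]}
```

Apply with `kubectl apply -f` and confirm with `kubectl get ingress,middleware -n turash` that both routers and the Middleware exist before testing the redirect with `curl -I http://turash-api.bk.glpx.pro/health`.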
## DNS Configuration
For local development or if DNS is not configured:
1. **Add to `/etc/hosts`** (Linux/macOS):
   ```
   10.10.10.2 turash-api.bk.glpx.pro
   ```
2. **Or use the NodePort directly** (send the `Host` header so Traefik can match a router, as in the curl example below):
   ```
   http://10.10.10.2:32080
   ```
## Testing Ingress
```bash
# Check ingress status
kubectl get ingress -n turash
# Test with curl
curl -H "Host: turash-api.bk.glpx.pro" http://10.10.10.2:32080/health
# Test with proper domain (if DNS configured)
curl https://turash-api.bk.glpx.pro/health
```
## Troubleshooting
### Ingress not working?
1. Check ingress status:
   ```bash
   kubectl describe ingress turash-backend-ingress -n turash
   ```
2. Check Traefik logs:
   ```bash
   kubectl logs -n kube-system -l app.kubernetes.io/name=traefik
   ```
3. Verify the service:
   ```bash
   kubectl get svc turash-backend -n turash
   ```
4. Check certificate status:
   ```bash
   kubectl get certificate -n turash
   kubectl describe certificate turash-backend-tls -n turash
   ```
### Certificate issues?
1. Check cert-manager:
   ```bash
   kubectl get clusterissuer letsencrypt-prod
   kubectl get certificaterequest -n turash
   ```
2. Check the certificate secret:
   ```bash
   kubectl get secret turash-backend-tls -n turash
   ```