# Current Ingress Setup Analysis

## 🎯 **Overview**

This document analyzes your current Kubernetes ingress setup, based on an examination of the codebase. It explains how your ingress infrastructure works, which components are involved, and how they interact.

---

## 📊 **Your Current Ingress Architecture**

```
┌─────────────────────────────────────────────────────────────────────────────┐
│                                  INTERNET                                   │
│                                                                             │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐         │
│  │   Browser   │  │   Mobile    │  │    API      │  │   Other     │         │
│  │             │  │    App      │  │   Client    │  │   Clients   │         │
│  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘         │
│         │                │                │                │                │
│         └────────────────┼────────────────┼────────────────┘                │
│                          │                │                                 │
│                          ▼                ▼                                 │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                          AZURE LOAD BALANCER                          │  │
│  │  IP: 4.155.160.32 (prod-usw2-k8s-freeleaps-lb-fe-ip)                  │  │
│  │  Port: 80/443                                                         │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                      │                                      │
│                                      ▼                                      │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                       NGINX INGRESS CONTROLLER                        │  │
│  │  Namespace: freeleaps-controls-system                                 │  │
│  │  ┌─────────────────────────────────────────────────────────────────┐  │  │
│  │  │  Pod: ingress-nginx-controller-abc123                           │  │  │
│  │  │  Image: ingress-nginx/controller:v1.12.0                        │  │  │
│  │  │  IP: 10.0.1.100  Port: 80/443                                   │  │  │
│  │  └─────────────────────────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                      │                                      │
│                                      ▼                                      │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                             INGRESS RULES                             │  │
│  │                                                                       │  │
│  │  argo.mathmast.com → argo-cd-server:80                                │  │
│  │  gitea.freeleaps.mathmast.com → gitea-http:3000                       │  │
│  │  magicleaps.mathmast.com → magicleaps-frontend-service:80             │  │
│  │  alpha.magicleaps.mathmast.com → magicleaps-frontend-service:80       │  │
│  │                                                                       │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                      │                                      │
│                                      ▼                                      │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                          KUBERNETES SERVICES                          │  │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐   │  │
│  │  │argo-cd-svc  │  │gitea-http   │  │magic-front  │  │magic-api    │   │  │
│  │  │ClusterIP    │  │ClusterIP    │  │ClusterIP    │  │ClusterIP    │   │  │
│  │  │10.0.1.10    │  │10.0.1.11    │  │10.0.1.12    │  │10.0.1.13    │   │  │
│  │  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘   │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                      │                                      │
│                                      ▼                                      │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                           APPLICATION PODS                            │  │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐   │  │
│  │  │argo-cd-pod  │  │gitea-pod    │  │magic-front  │  │magic-api    │   │  │
│  │  │10.0.1.101   │  │10.0.1.102   │  │10.0.1.103   │  │10.0.1.104   │   │  │
│  │  │argo-cd:v2.8 │  │gitea:1.20   │  │nginx:latest │  │api:v1.2     │   │  │
│  │  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘   │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────────┘
```

---

## 🔧 **Components Analysis**

### **1. Nginx Ingress Controller**

**Location**: `freeleaps-ops/cluster/manifests/freeleaps-controls-system/ingress-nginx/values.yaml`

**Key Configuration**:

```yaml
# Controller Configuration
controller:
  name: controller
  image:
    image: ingress-nginx/controller
    tag: "v1.12.0"                    # ← Specific version for stability
    runAsNonRoot: true                # ← Security: don't run as root
    runAsUser: 101                    # ← Security: run as nginx user
    allowPrivilegeEscalation: false   # ← Security: prevent privilege escalation

  # Ingress Class Configuration
  ingressClassResource:
    name: nginx                             # ← Ingress class name
    enabled: true                           # ← Create the IngressClass resource
    default: false                          # ← Not the default (allows multiple controllers)
    controllerValue: k8s.io/ingress-nginx   # ← Controller identifier

  # Service Configuration
  service:
    type: LoadBalancer   # ← Azure Load Balancer for external access
    ports:
      http: 80           # ← HTTP port
      https: 443         # ← HTTPS port
```

**What this means**:

- You have a production-grade nginx-ingress-controller
- It's configured with security best practices
- It uses Azure Load Balancer for external access
- It's not the default ingress class (allows flexibility)

### **2. Cert-Manager Integration**

**Location**: `freeleaps-ops/cluster/manifests/freeleaps-controls-system/godaddy-webhook/cluster-issuer.yaml`

**Key Configuration**:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: mathmast-dot-com
spec:
  acme:
    email: acme@mathmast.com
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                name: mathmast-godaddy-api-key
            groupName: acme.mathmast.com
            solverName: godaddy
        selector:
          dnsZones:
            - mathmast.com
```

**What this means**:

- You're using Let's Encrypt for SSL certificates
- DNS01 challenge for domain validation (more reliable than HTTP01)
- GoDaddy DNS API integration for automatic DNS record creation
- Certificates are automatically renewed

### **3. Custom Ingress Manager**

**Location**: `freeleaps-devops-reconciler/reconciler/controllers/ingress_resources/ingress_manager.py`

**Key Features**:

```python
# Automatic Ingress Creation
annotations = {
    "nginx.ingress.kubernetes.io/ssl-redirect": "true",
    "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
    "cert-manager.io/cluster-issuer": "letsencrypt-prod",
    "nginx.ingress.kubernetes.io/proxy-body-size": "0",
    "nginx.ingress.kubernetes.io/proxy-read-timeout": "600",
    "nginx.ingress.kubernetes.io/proxy-send-timeout": "600"
}
```

**What this means**:

- You have a custom controller that automatically creates ingresses
- It enforces SSL redirect (HTTP → HTTPS)
- It integrates with cert-manager for automatic certificates
- It sets performance optimizations (timeouts, body size)

---

## 🔄 **Request Flow Analysis**

### **1. External Request Flow**

```
┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│   Browser   │    │ Azure Load  │    │    Nginx    │    │ Application │
│             │    │  Balancer   │    │   Ingress   │    │   Service   │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
       │                  │                  │                  │
       │ HTTPS Request    │                  │                  │
       │─────────────────▶│                  │                  │
       │                  │ Forward to       │                  │
       │                  │ nginx            │                  │
       │                  │─────────────────▶│                  │
       │                  │                  │ Route based      │
       │                  │                  │ on host/path     │
       │                  │                  │─────────────────▶│
       │                  │                  │ Return response  │
       │                  │                  │◀─────────────────│
       │                  │◀─────────────────│                  │
       │◀─────────────────│                  │                  │
```

### **2. SSL Certificate Flow**

```
┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│   Ingress   │    │cert-manager │    │    Let's    │    │   GoDaddy   │
│ Controller  │    │             │    │   Encrypt   │    │   DNS API   │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
       │                  │                  │                  │
       │ Check cert       │                  │                  │
       │─────────────────▶│                  │                  │
       │                  │ Request cert     │                  │
       │                  │─────────────────▶│                  │
       │                  │                  │ DNS Challenge    │
       │                  │                  │─────────────────▶│
       │                  │                  │                  │ Create TXT record
       │                  │                  │◀─────────────────│
       │                  │                  │ Cert Ready       │
       │                  │                  │◀─────────────────│
       │                  │ Cert Ready       │                  │
       │                  │◀─────────────────│                  │
       │ Cert Ready       │                  │                  │
       │◀─────────────────│                  │                  │
```

---

## 🛠️ **Current Applications**

Based on your codebase, you have these applications exposed via ingress:

### **1. ArgoCD (GitOps)**

- **Domain**: `argo.mathmast.com`
- **Service**: `argo-cd-server`
- **Purpose**: GitOps deployment tool
- **Access**: Web UI for managing deployments
- **Namespace**: `freeleaps-devops-system`

### **2. Gitea (Git Repository)**

- **Domain**: `gitea.freeleaps.mathmast.com`
- **Service**: `gitea-http`
- **Purpose**: Git repository hosting
- **Access**: Web UI for code management
- **Namespace**: `freeleaps-prod`
- **Port**: 3000

### **3. Magicleaps (Main Application)**

- **Production Domain**: `magicleaps.mathmast.com`
- **Alpha Domain**: `alpha.magicleaps.mathmast.com`
- **Service**: `magicleaps-frontend-service`
- **Purpose**: Main business application
- **Namespace**: `magicleaps`
- **Port**: 80

---

## 🔒 **Security Features**

### **1. SSL/TLS Enforcement**

```yaml
# All traffic is forced to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
```

### **2. Automatic Certificate Management**

- Let's Encrypt certificates
- DNS01 challenge validation
- Automatic renewal
- GoDaddy DNS integration

### **3. Performance Optimizations**

```yaml
# Handle large requests ("0" disables the request body size limit)
nginx.ingress.kubernetes.io/proxy-body-size: "0"

# Long-running requests
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
```

---

## 📊 **Monitoring and Debugging**

### **1. Check Ingress Status**

```bash
# Check all ingresses
kubectl get ingress --all-namespaces

# Check specific ingress
kubectl describe ingress <ingress-name> -n <namespace>

# Check ingress controller
kubectl get pods -n freeleaps-controls-system -l app.kubernetes.io/name=ingress-nginx
```

### **2. Check SSL Certificates**

```bash
# Check certificates
kubectl get certificates --all-namespaces

# Check certificate status
kubectl describe certificate <certificate-name> -n <namespace>

# Check cert-manager
kubectl get pods -n cert-manager
```

### **3. Check DNS Resolution**

```bash
# Test DNS resolution
nslookup argo.mathmast.com
nslookup gitea.freeleaps.mathmast.com
nslookup magicleaps.mathmast.com
nslookup alpha.magicleaps.mathmast.com
```

### **4. Check Azure Load Balancer**

```bash
# Your actual load balancer IP
curl -I http://4.155.160.32

# Check if load balancer is responding
telnet 4.155.160.32 80
telnet 4.155.160.32 443
```

---

## 🚀 **How Your Setup Compares to Examples**

### **Your Current Setup vs Example**

| Feature | Your Setup | Example Setup | Notes |
|---------|------------|---------------|-------|
| **Ingress Controller** | nginx-ingress v1.12.0 | nginx-ingress | Same |
| **SSL Provider** | Let's Encrypt + GoDaddy | Let's Encrypt | You have DNS integration |
| **Certificate Validation** | DNS01 challenge | HTTP01 challenge | More reliable |
| **Automatic Creation** | Custom controller | Manual | You have automation |
| **Performance** | Optimized timeouts | Basic | You have better config |
| **Security** | SSL redirect enforced | SSL redirect | Same |

### **Advantages of Your Setup**

1. **Automation**: Custom controller automatically creates ingresses
2. **DNS Integration**: GoDaddy API for automatic DNS record creation
3. **Reliability**: DNS01 challenge is more reliable than HTTP01
4. **Performance**: Optimized timeouts and body size limits
5. **Security**: Enforced SSL redirects

---

## 🔧 **Troubleshooting Your Setup**

### **1. Certificate Issues**

```bash
# Check certificate status
kubectl get certificates --all-namespaces

# Check cert-manager logs
kubectl logs -n cert-manager deployment/cert-manager

# Check DNS records
dig TXT _acme-challenge.mathmast.com
```

### **2. Ingress Issues**

```bash
# Check ingress controller
kubectl get pods -n freeleaps-controls-system -l app.kubernetes.io/name=ingress-nginx

# Check ingress controller logs
kubectl logs -n freeleaps-controls-system deployment/ingress-nginx-controller

# Check ingress status
kubectl describe ingress <ingress-name> -n <namespace>
```

### **3. DNS Issues**

```bash
# Test DNS resolution
nslookup <domain>

# Check GoDaddy API key (-o yaml prints the base64-encoded secret data)
kubectl get secret mathmast-godaddy-api-key -n cert-manager -o yaml
```

### **4. Load Balancer Issues**

```bash
# Check if your load balancer is accessible
curl -I http://4.155.160.32

# Check Azure load balancer health
az network lb show --name prod-usw2-k8s-freeleaps-lb --resource-group <resource-group>
```

---

## 📚 **Learn More**

### **Your Specific Components**

- [nginx-ingress](https://kubernetes.github.io/ingress-nginx/) - Your ingress controller
- [cert-manager](https://cert-manager.io/docs/) - Your certificate manager
- [GoDaddy DNS01](https://cert-manager.io/docs/configuration/acme/dns01/) - Your DNS provider (GoDaddy configuration)
- [Let's Encrypt](https://letsencrypt.org/docs/) - Your certificate authority

### **Related Documentation**

- [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- [SSL/TLS in Kubernetes](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)
- [DNS01 Challenge](https://cert-manager.io/docs/configuration/acme/dns01/)

---

**Last Updated**: September 3, 2025

**Version**: 1.0

**Maintainer**: Infrastructure Team
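
**Added example (not part of the original analysis or the freeleaps codebase)**: a small audit over `kubectl get ingress -A -o json` output that checks the annotations discussed under Security Features and Custom Ingress Manager: HTTPS redirect, the `cert-manager.io/cluster-issuer` reference, TLS coverage of each host, and the unlimited `proxy-body-size`. The finding labels, the Ingress names `argo` and `frontend`, and the sample TLS layout are assumptions; `known_issuers` is an input, set here to the one ClusterIssuer this page shows (`mathmast-dot-com`), so pass the names that `kubectl get clusterissuers` actually returns.

```python
import json

NGINX = "nginx.ingress.kubernetes.io/"
ISSUER = "cert-manager.io/cluster-issuer"

def covered(host, tls_hosts):  # a tls host "*.example.com" covers one extra label
    return host in tls_hosts or "*." + host.split(".", 1)[-1] in tls_hosts

def audit_ingress(ing, known_issuers):
    """Findings for one Ingress in `kubectl get ingress -o json` shape."""
    ann = ing["metadata"].get("annotations") or {}
    spec = ing.get("spec") or {}
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    out = []
    # Assumes controller defaults: ssl-redirect acts only if the Ingress has tls.
    if ann.get(NGINX + "force-ssl-redirect") != "true" and (
            ann.get(NGINX + "ssl-redirect") == "false" or not tls_hosts):
        out.append("http-not-redirected")
    issuer = ann.get(ISSUER)
    if issuer is None:
        out.append("no-cluster-issuer")
    elif issuer not in known_issuers:
        out.append("unknown-cluster-issuer:" + issuer)
    for rule in spec.get("rules") or []:
        if rule.get("host") and not covered(rule["host"], tls_hosts):
            out.append("host-without-tls:" + rule["host"])
    # "0" turns off nginx's request body size check for this Ingress.
    if ann.get(NGINX + "proxy-body-size") == "0":
        out.append("unlimited-body-size")
    return out

def audit_all(list_json, known_issuers):
    """namespace/name -> findings for a `kubectl get ingress -A -o json` dump."""
    return {f'{i["metadata"]["namespace"]}/{i["metadata"]["name"]}':
            audit_ingress(i, known_issuers) for i in json.loads(list_json)["items"]}

# Constructed sample: hosts/annotations from this page; names and tls layout assumed.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "freeleaps-devops-system", "name": "argo", "annotations": {
        NGINX + "force-ssl-redirect": "true", ISSUER: "letsencrypt-prod",
        NGINX + "proxy-body-size": "0"}},
     "spec": {"tls": [{"hosts": ["argo.mathmast.com"]}], "rules": [{"host": "argo.mathmast.com"}]}},
    {"metadata": {"namespace": "magicleaps", "name": "frontend",
                  "annotations": {ISSUER: "mathmast-dot-com"}},
     "spec": {"tls": [{"hosts": ["magicleaps.mathmast.com"]}],
              "rules": [{"host": "magicleaps.mathmast.com"},
                        {"host": "alpha.magicleaps.mathmast.com"}]}}]})

if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE, {"mathmast-dot-com"}), indent=2))
```

An empty list for an Ingress means none of the four checks fired; the redirect check assumes the controller ConfigMap leaves `ssl-redirect` at its default.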