Current Ingress Setup Analysis
🎯 Overview
This document analyzes your current Kubernetes ingress setup based on an examination of the codebase. It explains how your ingress infrastructure works, which components are involved, how they interact, and which settings deserve a second look.
📊 Your Current Ingress Architecture
```
┌─────────────────────────────────────────────────────────────────────────────┐
│                                  INTERNET                                   │
│                                                                             │
│      ┌───────────┐    ┌───────────┐    ┌───────────┐    ┌───────────┐       │
│      │  Browser  │    │  Mobile   │    │    API    │    │   Other   │       │
│      │           │    │    App    │    │  Client   │    │  Clients  │       │
│      └─────┬─────┘    └─────┬─────┘    └─────┬─────┘    └─────┬─────┘       │
│            │                │                │                │             │
│            └────────────────┴────────┬───────┴────────────────┘             │
│                                      ▼                                      │
│   ┌─────────────────────────────────────────────────────────────────────┐   │
│   │                         AZURE LOAD BALANCER                         │   │
│   │  IP: 4.155.160.32 (prod-usw2-k8s-freeleaps-lb-fe-ip)                │   │
│   │  Port: 80/443                                                       │   │
│   └─────────────────────────────────────────────────────────────────────┘   │
│                                      │                                      │
│                                      ▼                                      │
│   ┌─────────────────────────────────────────────────────────────────────┐   │
│   │                      NGINX INGRESS CONTROLLER                       │   │
│   │  Namespace: freeleaps-controls-system                               │   │
│   │  ┌───────────────────────────────────────────────────────────────┐  │   │
│   │  │  Pod: ingress-nginx-controller-abc123                         │  │   │
│   │  │  Image: ingress-nginx/controller:v1.12.0                      │  │   │
│   │  │  IP: 10.0.1.100   Port: 80/443                                │  │   │
│   │  └───────────────────────────────────────────────────────────────┘  │   │
│   └─────────────────────────────────────────────────────────────────────┘   │
│                                      │                                      │
│                                      ▼                                      │
│   ┌─────────────────────────────────────────────────────────────────────┐   │
│   │                            INGRESS RULES                            │   │
│   │                                                                     │   │
│   │  argo.mathmast.com            → argo-cd-server:80                   │   │
│   │  gitea.freeleaps.mathmast.com  → gitea-http:3000                     │   │
│   │  magicleaps.mathmast.com       → magicleaps-frontend-service:80      │   │
│   │  alpha.magicleaps.mathmast.com → magicleaps-frontend-service:80      │   │
│   │                                                                     │   │
│   └─────────────────────────────────────────────────────────────────────┘   │
│                                      │                                      │
│                                      ▼                                      │
│   ┌─────────────────────────────────────────────────────────────────────┐   │
│   │                         KUBERNETES SERVICES                         │   │
│   │ ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │   │
│   │ │argo-cd-svc  │  │gitea-http   │  │magic-front  │  │magic-api    │  │   │
│   │ │ClusterIP    │  │ClusterIP    │  │ClusterIP    │  │ClusterIP    │  │   │
│   │ │10.0.1.10    │  │10.0.1.11    │  │10.0.1.12    │  │10.0.1.13    │  │   │
│   │ └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘  │   │
│   └─────────────────────────────────────────────────────────────────────┘   │
│                                      │                                      │
│                                      ▼                                      │
│   ┌─────────────────────────────────────────────────────────────────────┐   │
│   │                          APPLICATION PODS                           │   │
│   │ ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │   │
│   │ │argo-cd-pod  │  │gitea-pod    │  │magic-front  │  │magic-api    │  │   │
│   │ │10.0.1.101   │  │10.0.1.102   │  │10.0.1.103   │  │10.0.1.104   │  │   │
│   │ │argo-cd:v2.8 │  │gitea:1.20   │  │nginx:latest │  │api:v1.2     │  │   │
│   │ └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘  │   │
│   └─────────────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────────────┘
```
🔧 Components Analysis
1. Nginx Ingress Controller
Location: freeleaps-ops/cluster/manifests/freeleaps-controls-system/ingress-nginx/values.yaml
Key Configuration:
```yaml
# Controller Configuration
controller:
  name: controller
  image:
    image: ingress-nginx/controller
    tag: "v1.12.0"                         # ← Pinned release, not a floating tag
    runAsNonRoot: true                     # ← Security: don't run as root
    runAsUser: 101                         # ← Security: run as the nginx user
    allowPrivilegeEscalation: false        # ← Security: prevent privilege escalation
  # Ingress Class Configuration
  ingressClassResource:
    name: nginx                            # ← Ingress class name
    enabled: true                          # ← Create the IngressClass resource
    default: false                         # ← Not the default (allows multiple controllers)
    controllerValue: k8s.io/ingress-nginx  # ← Controller identifier
  # Service Configuration
  service:
    type: LoadBalancer                     # ← Azure Load Balancer for external access
    ports:
      http: 80                             # ← HTTP port
      https: 443                           # ← HTTPS port
```
What this means:
- You run a production-grade ingress-nginx release pinned to `v1.12.0`, so upgrades happen deliberately rather than on the next pod restart
- The controller pod runs as the unprivileged nginx user (UID 101) and cannot escalate privileges
- `service.type: LoadBalancer` makes Azure provision a public IP for ports 80 and 443; everything behind this class is reachable from the whole internet unless the Service also sets `loadBalancerSourceRanges`
- `nginx` is not the default IngressClass, so every Ingress must set `spec.ingressClassName: nginx`; with the chart default the controller ignores class-less Ingresses. The upside is that a second controller can coexist in the cluster
2. Cert-Manager Integration
Location: freeleaps-ops/cluster/manifests/freeleaps-controls-system/godaddy-webhook/cluster-issuer.yaml
Key Configuration:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: mathmast-dot-com
spec:
  acme:
    email: acme@mathmast.com
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                name: mathmast-godaddy-api-key
            groupName: acme.mathmast.com
            solverName: godaddy
        selector:
          dnsZones:
            - mathmast.com
```
What this means:
- Let's Encrypt's production ACME endpoint issues the certificates
- DNS01 validation: cert-manager proves control of each hostname by publishing a TXT record at `_acme-challenge.<hostname>`, so port 80 does not need to be reachable from the internet and wildcard certificates are possible; HTTP01 can do neither
- The GoDaddy webhook writes those records with the API key stored in the `mathmast-godaddy-api-key` Secret. That key can change any record in the `mathmast.com` zone, so treat the Secret as zone-takeover material: restrict who can read it and never paste its contents into tickets or docs
- cert-manager renews automatically, by default once two thirds of the certificate lifetime has elapsed (about 30 days before a 90-day Let's Encrypt certificate expires)
- This excerpt omits `privateKeySecretRef`, the Secret that holds the ACME account key; cert-manager requires it, so check the full manifest if issuance fails
3. Custom Ingress Manager
Location: freeleaps-devops-reconciler/reconciler/controllers/ingress_resources/ingress_manager.py
Key Features:
```python
# Automatic Ingress Creation
annotations = {
    "nginx.ingress.kubernetes.io/ssl-redirect": "true",        # HTTP clients get a 308 to HTTPS
    "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",  # redirect even without a TLS section
    "cert-manager.io/cluster-issuer": "letsencrypt-prod",      # ClusterIssuer cert-manager looks up
    "nginx.ingress.kubernetes.io/proxy-body-size": "0",        # 0 = no request body limit at all
    "nginx.ingress.kubernetes.io/proxy-read-timeout": "600",   # seconds; nginx default is 60
    "nginx.ingress.kubernetes.io/proxy-send-timeout": "600",
}
```
What this means:
- A custom controller (the reconciler) creates Ingress objects instead of hand-written manifests, so every exposed service gets the same annotation set
- `ssl-redirect` and `force-ssl-redirect` send HTTP clients a 308 to HTTPS; `force-ssl-redirect` does so even when the Ingress has no `tls` section, so a missing certificate shows up as the controller's self-signed default certificate rather than as plain HTTP
- It hands certificate issuance to cert-manager through the `cert-manager.io/cluster-issuer` annotation. Note the name: the annotation references `letsencrypt-prod`, while the ClusterIssuer shown above is `mathmast-dot-com`. Unless a ClusterIssuer named `letsencrypt-prod` also exists (`kubectl get clusterissuer`), every Certificate created from these Ingresses stays pending
- `proxy-body-size: "0"` removes the request body limit entirely and the 600-second timeouts keep slow upstream connections open. These accommodate uploads and long-running requests, but they also remove two resource-exhaustion guards from every Ingress the reconciler creates
🔄 Request Flow Analysis
1. External Request Flow
```
┌──────────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐
│   Browser    │   │  Azure Load  │   │    Nginx     │   │ Application  │
│              │   │   Balancer   │   │   Ingress    │   │   Service    │
└──────┬───────┘   └──────┬───────┘   └──────┬───────┘   └──────┬───────┘
       │                  │                  │                  │
       │ HTTPS request    │                  │                  │
       │─────────────────▶│                  │                  │
       │                  │ forward TCP 443  │                  │
       │                  │─────────────────▶│                  │
       │                  │                  │ TLS terminated;  │
       │                  │                  │ route on host/   │
       │                  │                  │ path to upstream │
       │                  │                  │─────────────────▶│
       │                  │                  │ response         │
       │                  │                  │◀─────────────────│
       │                  │◀─────────────────│                  │
       │◀─────────────────│                  │                  │
```
The Azure load balancer forwards TCP; TLS is terminated at the ingress controller. Traffic from the controller to the Service is plain HTTP unless the Ingress sets `nginx.ingress.kubernetes.io/backend-protocol`.
2. SSL Certificate Flow
cert-manager drives this exchange: its ingress-shim watches the `cert-manager.io/cluster-issuer` annotation and creates the Certificate, cert-manager publishes the DNS record through the GoDaddy webhook, and Let's Encrypt only reads it. The ingress controller is involved at the end, when it picks up the TLS Secret:
```
┌──────────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐
│   Ingress    │   │ cert-manager │   │   GoDaddy    │   │    Let's     │
│ (annotated)  │   │              │   │   DNS API    │   │   Encrypt    │
└──────┬───────┘   └──────┬───────┘   └──────┬───────┘   └──────┬───────┘
       │                  │                  │                  │
       │ cluster-issuer   │                  │                  │
       │ annotation seen  │                  │                  │
       │─────────────────▶│                  │                  │
       │                  │ new ACME order   │                  │
       │                  │────────────────────────────────────▶│
       │                  │ DNS-01 challenge token              │
       │                  │◀────────────────────────────────────│
       │                  │ create TXT       │                  │
       │                  │ _acme-challenge  │                  │
       │                  │─────────────────▶│                  │
       │                  │ challenge ready  │                  │
       │                  │────────────────────────────────────▶│
       │                  │                  │ query TXT record │
       │                  │                  │◀─────────────────│
       │                  │ certificate issued                  │
       │                  │◀────────────────────────────────────│
       │ TLS Secret       │ delete TXT       │                  │
       │ written          │─────────────────▶│                  │
       │◀─────────────────│                  │                  │
```
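When a DNS01 challenge hangs, the fastest check is whether the TXT record the webhook published is the one Let's Encrypt will look for. The following is an added example, not code from cert-manager or the GoDaddy webhook: it computes the record name and value from the challenge token and the ACME account key exactly as RFC 8555 §8.4 specifies (with the RFC 7638 key thumbprint), and checks a `dig TXT` answer for it. The token, the RSA key members and the dig output are constructed for the demonstration; on a real cluster the token comes from the Challenge object and the key from the ACME account Secret named by `privateKeySecretRef`.

```python
"""Compute the DNS-01 TXT record an ACME client publishes for a host (RFC 8555 §8.4).

Added example, not part of cert-manager or the GoDaddy webhook. Use it to check
that the record `dig TXT _acme-challenge.<host>` returns is the one Let's Encrypt
will query for. The token, the RSA public key members and the dig output below
are constructed for the demonstration, not real values.
"""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(hostname: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) for a DNS-01 challenge.

    value = base64url(SHA-256(token || "." || thumbprint(accountKey))).
    A wildcard identifier is validated at its base name, so "*." is dropped.
    """
    base = hostname[2:] if hostname.startswith("*.") else hostname
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def record_present(dig_answer: str, name: str, value: str) -> bool:
    """True if a `dig TXT` answer section carries `name` with exactly `value`.

    Only lines for the expected owner name count, so a stale record on another
    name (or a leftover from a previous order) cannot produce a false positive.
    """
    for line in dig_answer.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].rstrip(".") == name and fields[3] == "TXT":
            if value in re.findall(r'"([^"]*)"', line):
                return True
    return False


# Constructed inputs: a fake challenge token and a syntactically valid RSA JWK (not a real key).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5AcZ0ZYAkREPwDUrjNPU"}

NAME, VALUE = dns01_record("argo.mathmast.com", TOKEN, ACCOUNT_JWK)

# Constructed dig output: the live record for argo, plus a stale record at the zone
# apex, which is where a `dig TXT _acme-challenge.mathmast.com` would look in vain.
DIG_ANSWER = (
    f'_acme-challenge.argo.mathmast.com. 600 IN TXT "{VALUE}"\n'
    '_acme-challenge.mathmast.com.      600 IN TXT "Ru0tNPdXxy3UQKCD4Ia7Bve_AEz5K5DJBUpr8eVoC8o"\n'
)

if __name__ == "__main__":
    print(NAME, VALUE)
    print("record present:", record_present(DIG_ANSWER, NAME, VALUE))
```

The value does not depend on the hostname, only on the token and the account key, which is why a wildcard and its base name share one record name but still need separate challenges (separate tokens) in a real order.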
🛠️ Current Applications
Based on your codebase, you have these applications exposed via ingress:
1. ArgoCD (GitOps)
- Domain: argo.mathmast.com
- Service: argo-cd-server
- Purpose: GitOps deployment tool
- Access: Web UI for managing deployments
- Namespace: freeleaps-devops-system
2. Gitea (Git Repository)
- Domain: gitea.freeleaps.mathmast.com
- Service: gitea-http
- Purpose: Git repository hosting
- Access: Web UI for code management
- Namespace: freeleaps-prod
- Port: 3000
3. Magicleaps (Main Application)
- Production Domain: magicleaps.mathmast.com
- Alpha Domain: alpha.magicleaps.mathmast.com
- Service: magicleaps-frontend-service
- Purpose: Main business application
- Namespace: magicleaps
- Port: 80
🔒 Security Features
1. SSL/TLS Enforcement
```yaml
# HTTP requests are answered with a 308 redirect to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
```
`force-ssl-redirect` applies even when the Ingress has no `tls` section, so a host whose certificate never issued is served with the controller's self-signed default certificate instead of plain HTTP. Every host in `spec.rules` should also appear in a `spec.tls` entry.
2. Automatic Certificate Management
- Let's Encrypt certificates
- DNS01 challenge validation
- Automatic renewal
- GoDaddy DNS integration
3. Request Size and Timeout Settings
```yaml
# "0" disables the body size check (client_max_body_size 0): any upload size is accepted.
# ingress-nginx's default is 1m; a bounded value per application keeps the guard
nginx.ingress.kubernetes.io/proxy-body-size: "0"
# Upstream read/send timeouts raised from the 60s default to 10 minutes
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
```
These are availability trade-offs rather than security features: they let large uploads and long-running requests through, and in exchange an unauthenticated client can post bodies of any size and hold upstream connections open for ten minutes on every Ingress the reconciler creates.
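Both the redirect settings above and the reconciler's annotation set are easiest to verify across the whole cluster with a small audit over `kubectl get ingress -A -o json`. The script below is an added example, not code from the freeleaps reconciler or from ingress-nginx. It checks the points this page raises: hosts missing from `spec.tls`, no HTTP-to-HTTPS redirect, a `cluster-issuer` annotation that names a ClusterIssuer that does not exist, `proxy-body-size: "0"`, and a missing `ingressClassName`. The two Ingress documents, the `secretName` values and the `64m` limit are constructed for the demonstration; the set of known issuers is the one ClusterIssuer this page shows.

```python
"""Audit Ingress objects for the settings discussed on this page.

Added example, not code from the freeleaps reconciler or ingress-nginx. It reads
the JSON shape produced by `kubectl get ingress -A -o json`; the two Ingress
documents below are constructed for the demonstration (names, secretName values
and the 64m limit are assumptions, not cluster facts).
"""
import json
import sys

NGINX = "nginx.ingress.kubernetes.io/"


def audit_ingress(ing: dict, cluster_issuers: set, max_body: str = "64m") -> list:
    """Return a list of findings for one Ingress; an empty list means it passes."""
    meta = ing.get("metadata", {})
    ann = meta.get("annotations") or {}
    spec = ing.get("spec", {})
    ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []

    # A host in spec.rules but in no spec.tls entry is served over plain HTTP
    # (or, with force-ssl-redirect, behind the controller's default certificate).
    rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"{ref}: host {host} has no spec.tls entry")

    # Either redirect annotation sends HTTP clients a 308 to HTTPS.
    if "true" not in (ann.get(NGINX + "ssl-redirect"), ann.get(NGINX + "force-ssl-redirect")):
        findings.append(f"{ref}: HTTP is not redirected to HTTPS")

    # cert-manager only acts on an issuer that exists; otherwise the Certificate
    # (and the TLS Secret the controller needs) never appears.
    issuer = ann.get("cert-manager.io/cluster-issuer")
    if spec.get("tls") and issuer is None:
        findings.append(f"{ref}: spec.tls set but no cert-manager.io/cluster-issuer annotation")
    elif issuer is not None and issuer not in cluster_issuers:
        findings.append(f"{ref}: cluster-issuer {issuer!r} does not exist")

    # proxy-body-size "0" turns off nginx's client_max_body_size check entirely.
    if ann.get(NGINX + "proxy-body-size") == "0":
        findings.append(f"{ref}: proxy-body-size 0 disables the body limit; bound it (e.g. {max_body})")

    # The nginx IngressClass is not the cluster default, so class-less Ingresses are ignored.
    if not spec.get("ingressClassName"):
        findings.append(f"{ref}: spec.ingressClassName unset; ingress-nginx will not serve it")
    return findings


def audit_all(items: list, cluster_issuers: set) -> dict:
    """Map each failing Ingress (namespace/name) to its findings; clean ones are omitted."""
    result = {}
    for ing in items:
        found = audit_ingress(ing, cluster_issuers)
        if found:
            result[f"{ing['metadata']['namespace']}/{ing['metadata']['name']}"] = found
    return result


# Constructed sample: what the reconciler's annotation set would produce.
RECONCILER_STYLE = {
    "metadata": {"name": "magicleaps", "namespace": "magicleaps", "annotations": {
        NGINX + "ssl-redirect": "true",
        NGINX + "force-ssl-redirect": "true",
        "cert-manager.io/cluster-issuer": "letsencrypt-prod",
        NGINX + "proxy-body-size": "0",
        NGINX + "proxy-read-timeout": "600",
        NGINX + "proxy-send-timeout": "600"}},
    "spec": {"ingressClassName": "nginx",
             "tls": [{"hosts": ["magicleaps.mathmast.com"], "secretName": "magicleaps-tls"}],
             "rules": [{"host": "magicleaps.mathmast.com"}, {"host": "alpha.magicleaps.mathmast.com"}]},
}

# Constructed sample: the same Ingress with the findings fixed.
HARDENED = {
    "metadata": {"name": "magicleaps", "namespace": "magicleaps", "annotations": {
        NGINX + "ssl-redirect": "true",
        "cert-manager.io/cluster-issuer": "mathmast-dot-com",
        NGINX + "proxy-body-size": "64m"}},
    "spec": {"ingressClassName": "nginx",
             "tls": [{"hosts": ["magicleaps.mathmast.com", "alpha.magicleaps.mathmast.com"],
                      "secretName": "magicleaps-tls"}],
             "rules": [{"host": "magicleaps.mathmast.com"}, {"host": "alpha.magicleaps.mathmast.com"}]},
}

# ClusterIssuers this page shows; on a live cluster compare with `kubectl get clusterissuer -o name`.
KNOWN_ISSUERS = {"mathmast-dot-com"}

if __name__ == "__main__":
    # Real data: kubectl get ingress -A -o json | python3 audit_ingress.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else [RECONCILER_STYLE, HARDENED]
    for name, found in audit_all(items, KNOWN_ISSUERS).items():
        print(name)
        for finding in found:
            print("  -", finding)
```

Run it against the cluster by piping `kubectl get ingress -A -o json` into it; with no input it audits the two constructed samples and reports three findings for the reconciler-style Ingress and none for the hardened one.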
📊 Monitoring and Debugging
1. Check Ingress Status
```bash
# Check all ingresses (CLASS shows which controller claimed each one, ADDRESS the load balancer IP)
kubectl get ingress --all-namespaces
# Check specific ingress
kubectl describe ingress <ingress-name> -n <namespace>
# Check ingress controller
kubectl get pods -n freeleaps-controls-system -l app.kubernetes.io/name=ingress-nginx
```
2. Check SSL Certificates
```bash
# Check certificates (READY=False means not yet issued, or renewal is failing)
kubectl get certificates --all-namespaces
# Check certificate status
kubectl describe certificate <cert-name> -n <namespace>
# Check cert-manager
kubectl get pods -n cert-manager
```
3. Check DNS Resolution
```bash
# Each hostname should resolve to the load balancer IP (4.155.160.32) unless something sits in front of it
nslookup argo.mathmast.com
nslookup gitea.freeleaps.mathmast.com
nslookup magicleaps.mathmast.com
nslookup alpha.magicleaps.mathmast.com
```
4. Check Azure Load Balancer
```bash
# Your actual load balancer IP. Without a Host header the request lands on the
# controller's default backend, so HTTP 404 here means the path is working
curl -I http://4.155.160.32
# With a real host the ssl-redirect annotation should answer 308 Permanent Redirect to https://
curl -I -H 'Host: argo.mathmast.com' http://4.155.160.32
# Check if load balancer is responding
telnet 4.155.160.32 80
telnet 4.155.160.32 443
```
🚀 How Your Setup Compares to Examples
Your Current Setup vs Example
| Feature | Your Setup | Example Setup | Notes |
|---|---|---|---|
| Ingress Controller | nginx-ingress v1.12.0 | nginx-ingress | Same |
| SSL Provider | Let's Encrypt + GoDaddy | Let's Encrypt | You have DNS integration |
| Certificate Validation | DNS01 challenge | HTTP01 challenge | No inbound port 80 needed and wildcards possible; a DNS API key lives in the cluster |
| Automatic Creation | Custom controller | Manual | You have automation |
| Request limits | Unlimited body size, 600s timeouts | Defaults (1m, 60s) | Accommodates uploads and long requests; removes two resource-exhaustion guards |
| Security | SSL redirect enforced | SSL redirect | Same |
Advantages of Your Setup
- Automation: Custom controller automatically creates ingresses
- DNS Integration: GoDaddy API for automatic DNS record creation
- Reliability: DNS01 validation works even when port 80 is firewalled and supports wildcard certificates
- Large uploads and long-running requests are accommodated by the body-size and timeout annotations, at the cost of the request body limit
- Security: Enforced SSL redirects
🔧 Troubleshooting Your Setup
1. Certificate Issues
```bash
# Certificate, Order and Challenge objects; a stuck DNS01 validation shows up on the Challenge
kubectl get certificates,orders,challenges --all-namespaces
# Check cert-manager logs
kubectl logs -n cert-manager deployment/cert-manager
# Check the challenge record. It is published per hostname, not at the zone apex
dig TXT _acme-challenge.argo.mathmast.com
```
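`kubectl get certificates -A` shows READY and AGE but not how close each certificate is to expiry or whether cert-manager's own renewal deadline has already passed. The script below is an added example, not part of cert-manager: it reads the JSON from `kubectl get certificates -A -o json`, picks the `Ready` condition and the `notAfter` and `renewalTime` fields that cert-manager writes into `status`, and flags anything not ready, overdue for renewal, or inside a warning window. The two Certificate objects, their names and the clock values are constructed for the demonstration.

```python
"""Summarize cert-manager Certificate status from `kubectl get certificates -A -o json`.

Added example, not part of cert-manager. The field names (status.conditions,
status.notAfter, status.renewalTime) are cert-manager's; the two Certificate
objects, their names and the clock values below are constructed.
"""
import json
import sys
from datetime import datetime, timezone


def parse_k8s_time(value: str) -> datetime:
    """Kubernetes serializes timestamps as RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(cert: dict, now: datetime) -> dict:
    """Collapse one Certificate into the fields an operator checks first."""
    meta, status = cert["metadata"], cert.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), {})
    out = {
        "name": f"{meta['namespace']}/{meta['name']}",
        "ready": ready.get("status") == "True",
        "reason": ready.get("reason"),
        "message": ready.get("message"),
        "days_left": None,   # None until a certificate has actually been issued
        "renewal_due": False,
    }
    if "notAfter" in status:
        out["days_left"] = (parse_k8s_time(status["notAfter"]) - now).days
    if "renewalTime" in status:
        # cert-manager sets renewalTime at 2/3 of the lifetime; if it is in the
        # past and the certificate is still the old one, renewal is failing.
        out["renewal_due"] = parse_k8s_time(status["renewalTime"]) <= now
    return out


def needs_attention(cert: dict, now: datetime, warn_days: int = 14) -> bool:
    """Not Ready, overdue for renewal, or expiring within warn_days."""
    s = summarize(cert, now)
    return (not s["ready"]) or s["renewal_due"] or (s["days_left"] is not None and s["days_left"] < warn_days)


# Constructed: an issued 90-day Let's Encrypt certificate (renewalTime at 2/3 of its lifetime).
READY_CERT = {
    "metadata": {"name": "argo-mathmast-com-tls", "namespace": "freeleaps-devops-system"},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired"}],
        "notAfter": "2025-11-20T00:00:00Z",
        "renewalTime": "2025-10-21T00:00:00Z",
    },
}

# Constructed: a certificate whose issuance never completed, so there is no notAfter yet.
PENDING_CERT = {
    "metadata": {"name": "magicleaps-tls", "namespace": "magicleaps"},
    "status": {
        "conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                        "message": "Issuing certificate as Secret does not exist"}],
    },
}

NOW = parse_k8s_time("2025-09-03T00:00:00Z")   # this page's "Last Updated" date
LATE = parse_k8s_time("2025-11-12T00:00:00Z")  # eight days before READY_CERT expires

if __name__ == "__main__":
    # Real data: kubectl get certificates -A -o json | python3 cert_status.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else [READY_CERT, PENDING_CERT]
    now = datetime.now(timezone.utc)
    for cert in items:
        s = summarize(cert, now)
        flag = "!!" if needs_attention(cert, now) else "ok"
        print(f"{flag} {s['name']}: ready={s['ready']} reason={s['reason']} days_left={s['days_left']}")
```

A certificate that is Ready but past its `renewalTime` is the case worth watching: the site still serves fine, yet every renewal attempt is failing, which is exactly how a broken DNS API key or a missing ClusterIssuer first shows itself.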
2. Ingress Issues
```bash
# Check ingress controller
kubectl get pods -n freeleaps-controls-system -l app.kubernetes.io/name=ingress-nginx
# Check ingress controller logs
kubectl logs -n freeleaps-controls-system deployment/ingress-nginx-controller
# Check ingress status
kubectl describe ingress <ingress-name> -n <namespace>
```
3. DNS Issues
```bash
# Test DNS resolution
nslookup <your-domain>
# Confirm the GoDaddy API key Secret exists. Do not print it with -o yaml: the
# data is only base64-encoded, it lands in your shell history, and the key can
# modify every record in the mathmast.com zone
kubectl get secret mathmast-godaddy-api-key -n cert-manager
```
4. Load Balancer Issues
```bash
# Check if your load balancer is accessible (without a Host header, HTTP 404 from
# the controller's default backend is the healthy answer)
curl -I http://4.155.160.32
# Check Azure load balancer health
az network lb show --name prod-usw2-k8s-freeleaps-lb --resource-group <resource-group>
```
📚 Learn More
Your Specific Components
- nginx-ingress - Your ingress controller
- cert-manager - Your certificate manager
- GoDaddy DNS01 - Your DNS provider
- Let's Encrypt - Your certificate authority
Related Documentation
Last Updated: September 3, 2025 Version: 1.0 Maintainer: Infrastructure Team