ingress.yaml

  1# Kubernetes Ingress for external HTTP/HTTPS access
  2# Requires an Ingress Controller (nginx, traefik, etc.)
  3
  4apiVersion: networking.k8s.io/v1
  5kind: Ingress
  6metadata:
  7  name: flask-app-ingress
  8  labels:
  9    app: flask-app
 10  annotations:
 11    # Ingress class (for multiple ingress controllers)
 12    kubernetes.io/ingress.class: "nginx"
 13
 14    # NGINX specific annotations
 15    nginx.ingress.kubernetes.io/rewrite-target: /
 16    nginx.ingress.kubernetes.io/ssl-redirect: "true"
 17    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 18
 19    # CORS configuration
 20    nginx.ingress.kubernetes.io/enable-cors: "true"
 21    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
 22    nginx.ingress.kubernetes.io/cors-allow-origin: "https://example.com"
 23
 24    # Rate limiting
 25    nginx.ingress.kubernetes.io/limit-rps: "100"
 26    nginx.ingress.kubernetes.io/limit-connections: "50"
 27
 28    # Timeouts
 29    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
 30    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
 31    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
 32
 33    # Client body size limit
 34    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
 35
 36    # Connection upgrade (for WebSockets)
 37    nginx.ingress.kubernetes.io/proxy-upgrade: "true"
 38
 39    # Custom headers
 40    nginx.ingress.kubernetes.io/configuration-snippet: |
 41      more_set_headers "X-Frame-Options: DENY";
 42      more_set_headers "X-Content-Type-Options: nosniff";
 43      more_set_headers "X-XSS-Protection: 1; mode=block";
 44
 45    # cert-manager for automatic TLS certificate
 46    cert-manager.io/cluster-issuer: "letsencrypt-prod"
 47
 48    # Additional annotations for other ingress controllers:
 49    #
 50    # Traefik:
 51    # traefik.ingress.kubernetes.io/router.middlewares: default-compress@kubernetescrd
 52    #
 53    # AWS ALB:
 54    # alb.ingress.kubernetes.io/scheme: internet-facing
 55    # alb.ingress.kubernetes.io/target-type: ip
 56    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account:certificate/xxx
 57    #
 58    # GCP:
 59    # kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
 60
 61spec:
 62  # TLS configuration
 63  tls:
 64  - hosts:
 65    - flask-app.example.com
 66    - api.example.com
 67    secretName: flask-app-tls  # TLS certificate secret
 68
 69  # Routing rules
 70  rules:
 71  # -------------------------------------------------------------------------
 72  # Rule 1: Main domain
 73  # -------------------------------------------------------------------------
 74  - host: flask-app.example.com
 75    http:
 76      paths:
 77      # Default path
 78      - path: /
 79        pathType: Prefix
 80        backend:
 81          service:
 82            name: flask-app
 83            port:
 84              number: 80
 85
 86      # Health check endpoint
 87      - path: /health
 88        pathType: Exact
 89        backend:
 90          service:
 91            name: flask-app
 92            port:
 93              number: 80
 94
 95  # -------------------------------------------------------------------------
 96  # Rule 2: API subdomain with path-based routing
 97  # -------------------------------------------------------------------------
 98  - host: api.example.com
 99    http:
100      paths:
101      # API v1
102      - path: /v1
103        pathType: Prefix
104        backend:
105          service:
106            name: flask-app
107            port:
108              number: 80
109
110      # API v2 (example of routing to different service)
111      # - path: /v2
112      #   pathType: Prefix
113      #   backend:
114      #     service:
115      #       name: flask-app-v2
116      #       port:
117      #         number: 80
118
119  # -------------------------------------------------------------------------
120  # Rule 3: Catch-all for unmatched hosts (optional)
121  # -------------------------------------------------------------------------
122  # - http:
123  #     paths:
124  #     - path: /
125  #       pathType: Prefix
126  #       backend:
127  #         service:
128  #           name: default-backend
129  #           port:
130  #             number: 80
131
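---
# TLS Secret (if not using cert-manager)
# Create manually or use cert-manager for automatic certificate management.
#
# Do not commit a filled-in copy of this manifest: base64 is an encoding, not
# encryption, so the private key would be readable by anyone with repository
# access. Prefer creating the Secret directly from the files, e.g.
#   kubectl create secret tls flask-app-tls --cert=<CERT_FILE> --key=<KEY_FILE>
#
# apiVersion: v1
# kind: Secret
# metadata:
#   name: flask-app-tls
#   namespace: default
# type: kubernetes.io/tls
# data:
#   tls.crt: <base64-encoded-certificate>
#   tls.key: <base64-encoded-private-key>
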
---
# IngressClass (Kubernetes 1.18+)
# Maps the class name "nginx" to the controller that implements it.
# NOTE(review): the ingress-nginx install manifest may already create an
# IngressClass with this name; applying this document would then modify that
# object. Confirm which definition should own it.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
  annotations:
    # Cluster-wide default: any Ingress created without a class is assigned
    # to this controller and published through it. Set to "false" if other
    # teams' Ingress objects should not be exposed this way implicitly.
    ingressclass.kubernetes.io/is-default-class: "true"
spec:
  controller: k8s.io/ingress-nginx
---
# Usage Instructions:
#
# 1. Install NGINX Ingress Controller:
#    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
#    Note: this URL tracks the "main" branch, so its content changes over
#    time. For a reproducible install, replace "main" with a reviewed
#    release tag (<RELEASE_TAG>) and read the manifest before applying it,
#    since it creates cluster-wide RBAC objects.
#
# 2. Install cert-manager (for TLS):
#    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
#
# 3. Create ClusterIssuer for Let's Encrypt:
#    See: https://cert-manager.io/docs/configuration/acme/
#
# 4. Apply this ingress:
#    kubectl apply -f ingress.yaml
#
# 5. Get ingress details:
#    kubectl get ingress flask-app-ingress
#    kubectl describe ingress flask-app-ingress
#
# 6. Test locally (add this line to /etc/hosts):
#    <INGRESS_IP> flask-app.example.com api.example.com
#
# 7. Verify TLS certificate:
#    kubectl get certificate flask-app-tls
#    kubectl describe certificate flask-app-tls
#
# Path types:
# - Exact: Exact match only
# - Prefix: Matches based on URL path prefix (most common)
# - ImplementationSpecific: Ingress controller specific