provisioning/schemas/platform/templates/kubernetes/platform-ingress.yaml.ncl


# Platform Kubernetes Ingress
# Routes HTTP/HTTPS traffic to platform services
# Supports multiple deployment modes with different routing rules
#
# Requirements:
# - ingress-nginx controller (every annotation below is nginx.ingress.kubernetes.io/*;
#   other controllers silently ignore them, so CORS, rate limits, headers and cipher
#   policy would not apply there)
# - cert-manager with a ClusterIssuer named "letsencrypt-prod" (see the
#   cert-manager.io/cluster-issuer annotation); a self-signed issuer works if the
#   annotation is pointed at it
#
# Usage:
# nickel eval --format json platform-ingress.yaml.ncl | yq -P > platform-ingress.yaml
# kubectl apply -f platform-ingress.yaml
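{
  apiVersion = "networking.k8s.io/v1",
  kind = "Ingress",
  metadata = {
    name = "platform-ingress",
    labels = {
      app = "platform",
      component = "provisioning-platform",
    },
    # All annotations below are ingress-nginx specific. Unknown annotations are
    # ignored silently by other controllers, so none of the hardening here
    # (CORS, rate limits, response headers, cipher policy) carries over to them.
    annotations = {
      # NOTE(review): a fixed "/" rewrite target with no capture group makes
      # ingress-nginx rewrite the whole URI to "/", so "/orchestrator/x",
      # "/api/x" and "/policy/x" all reach their backend as "/" (the sub-path
      # is lost). If the backends serve under their own prefixes, drop this
      # annotation; if the prefix must be stripped, use
      # "nginx.ingress.kubernetes.io/use-regex" = "true" with paths such as
      # "/api(/|$)(.*)" and a rewrite-target of "/$2". Confirm against the
      # backends' routes before changing it.
      "nginx.ingress.kubernetes.io/rewrite-target" = "/",
      # CORS: the allowed origin must be the public host this Ingress serves the
      # UI on (spec.rules below), not the in-cluster Service address
      # "control-center:8080", which no browser ever presents as an Origin.
      # ingress-nginx sends Access-Control-Allow-Credentials: true by default,
      # so keep this a single exact origin -- never "*".
      "nginx.ingress.kubernetes.io/enable-cors" = "true",
      "nginx.ingress.kubernetes.io/cors-allow-origin" = "https://control-center.example.com",
      "nginx.ingress.kubernetes.io/cors-allow-methods" = "GET, POST, PUT, DELETE, OPTIONS",
      "nginx.ingress.kubernetes.io/cors-allow-headers" = "Content-Type, Authorization",
      # Rate limiting (enterprise mode). Both limits are keyed on client IP;
      # behind another proxy or load balancer all clients share one IP unless
      # the controller is configured to trust forwarded headers / PROXY protocol.
      "nginx.ingress.kubernetes.io/limit-rps" = "1000",
      "nginx.ingress.kubernetes.io/limit-connections" = "100",
      # Security headers on a single line (no newlines needed in Nickel strings).
      # - HSTS is only meaningful with the TLS block below; ingress-nginx
      #   redirects HTTP -> HTTPS by default when spec.tls is present.
      # - X-XSS-Protection is "0": the legacy XSS auditor is gone from current
      #   browsers and, where still present, is abusable for cross-site leaks;
      #   OWASP recommends disabling it (and relying on CSP) over "1; mode=block".
      # NOTE(review): configuration-snippet is gated by the controller's
      # allow-snippet-annotations setting (off by default since ingress-nginx
      # 1.9, following CVE-2021-25742); depending on version the annotation is
      # ignored or the object is rejected. Either enable snippets cluster-wide
      # (widens the controller's attack surface to every Ingress author) or
      # move these headers to the controller ConfigMap (hsts*, add-headers).
      "nginx.ingress.kubernetes.io/configuration-snippet" = "more_set_headers \"Strict-Transport-Security: max-age=31536000; includeSubDomains\"; more_set_headers \"X-Frame-Options: DENY\"; more_set_headers \"X-Content-Type-Options: nosniff\"; more_set_headers \"X-XSS-Protection: 0\";",
      # TLS configuration. cert-manager issues one certificate covering
      # spec.tls.hosts into the Secret named by spec.tls.secretName.
      "cert-manager.io/cluster-issuer" = "letsencrypt-prod",
      # NOTE(review): ssl-protocols is documented as a controller ConfigMap key;
      # verify this ingress-nginx version honours it as a per-Ingress annotation,
      # otherwise it is silently ignored and the ConfigMap default applies.
      "nginx.ingress.kubernetes.io/ssl-protocols" = "TLSv1.2 TLSv1.3",
      # TLS 1.2 cipher policy: ECDHE + AEAD suites only (forward secrecy, no CBC,
      # no static-RSA key exchange). The previous "HIGH:!aNULL:!MD5" admitted
      # all of those. TLS 1.3 suites are negotiated independently of this list.
      "nginx.ingress.kubernetes.io/ssl-ciphers" = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
    },
  },
  spec = {
    # TLS: one certificate (SAN) for every host routed below. Every host in
    # spec.rules must appear here, otherwise it is served on the controller's
    # default (fake) certificate.
    tls = [
      {
        hosts = [
          "orchestrator.example.com",
          "control-center.example.com",
          "mcp.example.com",
          "api.example.com",
        ],
        secretName = "platform-tls-cert",
      },
    ],
    # Ingress rules. Each host maps path prefixes to a Service name and port;
    # see the rewrite-target note above for what path the backend actually sees.
    rules = [
      # Orchestrator API. Only "/orchestrator" is routed on this host; any
      # other path falls through to the controller's default backend (404).
      {
        host = "api.example.com",
        http = {
          paths = [
            {
              path = "/orchestrator",
              pathType = "Prefix",
              backend = {
                service = {
                  name = "orchestrator",
                  port = {
                    number = 9090,
                  },
                },
              },
            },
          ],
        },
      },
      # Control Center UI and API (the origin allowed by the CORS annotation).
      {
        host = "control-center.example.com",
        http = {
          paths = [
            {
              path = "/",
              pathType = "Prefix",
              backend = {
                service = {
                  name = "control-center",
                  port = {
                    number = 8080,
                  },
                },
              },
            },
          ],
        },
      },
      # MCP Server
      {
        host = "mcp.example.com",
        http = {
          paths = [
            {
              path = "/",
              pathType = "Prefix",
              backend = {
                service = {
                  name = "mcp-server",
                  port = {
                    number = 8888,
                  },
                },
              },
            },
          ],
        },
      },
      # Combined API gateway: /api -> orchestrator, /policy -> control-center.
      {
        host = "orchestrator.example.com",
        http = {
          paths = [
            {
              path = "/api",
              pathType = "Prefix",
              backend = {
                service = {
                  name = "orchestrator",
                  port = {
                    number = 9090,
                  },
                },
              },
            },
            {
              path = "/policy",
              pathType = "Prefix",
              backend = {
                service = {
                  name = "control-center",
                  port = {
                    number = 8080,
                  },
                },
              },
            },
          ],
        },
      },
    ],
    # Ingress class (nginx)
    ingressClassName = "nginx",
  },
}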