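# Platform Kubernetes Ingress
# Routes HTTP/HTTPS traffic to platform services
# Supports multiple deployment modes with different routing rules
#
# Requirements:
# - Nginx Ingress Controller or similar
# - TLS certificate (from Let's Encrypt or self-signed)
#
# Usage:
#   nickel eval --format json platform-ingress.yaml.ncl | yq -P > platform-ingress.yaml
#   kubectl apply -f platform-ingress.yaml
#
# NOTE(review): `nickel export --format yaml` emits YAML directly; confirm the
# `nickel eval --format json` invocation above works with the Nickel version in use.
#
# Everything under metadata.annotations applies to the whole Ingress object,
# i.e. to all four hosts below, not to a single rule.
#
# NOTE(review): nothing in this manifest adds authentication or a source-IP
# allow list at the ingress layer, so every backend (including the MCP server)
# is reachable from wherever the controller is exposed and has to authenticate
# requests itself. Confirm that each one does.

# Builds one entry of `http.paths`: a Prefix match on `url_prefix` forwarded to
# port `service_port` of the Service named `service_name`.
let prefix_route = fun url_prefix service_name service_port =>
  {
    path = url_prefix,
    pathType = "Prefix",
    backend = {
      service = {
        name = service_name,
        port = { number = service_port },
      },
    },
  }
in

# Builds one entry of `spec.rules`: the given routes served under `hostname`.
let host_rule = fun hostname routes =>
  {
    host = hostname,
    http = { paths = routes },
  }
in

{
  apiVersion = "networking.k8s.io/v1",
  kind = "Ingress",

  metadata = {
    name = "platform-ingress",
    labels = {
      app = "platform",
      component = "provisioning-platform",
    },
    annotations = {
      # Nginx-specific annotations
      #
      # NOTE(review): in ingress-nginx a rewrite-target without capture groups
      # rewrites every matched request URI to exactly "/", so /api/v1/x and
      # /assets/app.js would both reach their backend as "/". If prefix
      # stripping is intended, it needs a regex path with a capture group (and
      # a separate Ingress for the "/" hosts); if the backends expect the full
      # path, drop this annotation. Confirm against the controller in use.
      "nginx.ingress.kubernetes.io/rewrite-target" = "/",

      # CORS is enabled for all four hosts with one allowed origin.
      # NOTE(review): the origin is an in-cluster style name with a port;
      # browsers send the origin of the page the user actually loaded,
      # presumably https://control-center.example.com. Confirm, and keep this
      # an explicit origin rather than a wildcard since Authorization is an
      # allowed header.
      "nginx.ingress.kubernetes.io/enable-cors" = "true",
      "nginx.ingress.kubernetes.io/cors-allow-origin" = "https://control-center:8080",
      "nginx.ingress.kubernetes.io/cors-allow-methods" = "GET, POST, PUT, DELETE, OPTIONS",
      "nginx.ingress.kubernetes.io/cors-allow-headers" = "Content-Type, Authorization",

      # Rate limiting (enterprise mode)
      # ingress-nginx enforces both limits per client IP. 1000 requests per
      # second from one address is a very loose ceiling; size it to real
      # traffic. Behind a load balancer the limit is only meaningful if the
      # controller sees the real client address.
      "nginx.ingress.kubernetes.io/limit-rps" = "1000",
      "nginx.ingress.kubernetes.io/limit-connections" = "100",

      # Security headers (kept on one line, so the Nickel string needs no newlines)
      #
      # configuration-snippet injects raw nginx configuration. Many clusters
      # disable snippet annotations at the controller (recent ingress-nginx
      # releases do so by default), because anyone allowed to create an Ingress
      # could otherwise inject configuration. Where they are disabled this
      # annotation does not take effect and none of these headers are sent, so
      # verify the headers on a live response or set them controller-wide.
      #
      # X-XSS-Protection is set to 0: the browser XSS auditor it controlled has
      # been removed from current browsers, and its block mode could be abused
      # in older ones. A Content-Security-Policy is the replacement control;
      # none is set here.
      "nginx.ingress.kubernetes.io/configuration-snippet" = "more_set_headers \"Strict-Transport-Security: max-age=31536000; includeSubDomains\"; more_set_headers \"X-Frame-Options: DENY\"; more_set_headers \"X-Content-Type-Options: nosniff\"; more_set_headers \"X-XSS-Protection: 0\";",

      # SSL configuration
      # cert-manager reads this annotation and requests a certificate for the
      # hosts under spec.tls into the secret named there. Assumes a
      # ClusterIssuer called letsencrypt-prod exists in the cluster.
      "cert-manager.io/cluster-issuer" = "letsencrypt-prod",

      # NOTE(review): verify that the controller honors ssl-protocols as a
      # per-Ingress annotation; in ingress-nginx the TLS protocol list is
      # normally a controller-wide ConfigMap setting, in which case this line
      # has no effect and the controller default applies.
      "nginx.ingress.kubernetes.io/ssl-protocols" = "TLSv1.2 TLSv1.3",

      # HIGH:!aNULL:!MD5 is an OpenSSL class expression, not an explicit list:
      # for TLS 1.2 it still admits CBC-mode and non-forward-secret (RSA key
      # exchange) suites. Consider an explicit ECDHE + AEAD list.
      "nginx.ingress.kubernetes.io/ssl-ciphers" = "HIGH:!aNULL:!MD5",
    },
  },

  spec = {
    # TLS configuration: one certificate covering every host routed below.
    # Each host in `rules` must also be listed here, otherwise it is served
    # with the controller's default certificate.
    tls = [
      {
        hosts = [
          "orchestrator.example.com",
          "control-center.example.com",
          "mcp.example.com",
          "api.example.com",
        ],
        secretName = "platform-tls-cert",
      },
    ],

    # Ingress rules
    rules = [
      # Orchestrator API
      host_rule "api.example.com" [
        prefix_route "/orchestrator" "orchestrator" 9090,
      ],

      # Control Center UI and API
      host_rule "control-center.example.com" [
        prefix_route "/" "control-center" 8080,
      ],

      # MCP Server
      host_rule "mcp.example.com" [
        prefix_route "/" "mcp-server" 8888,
      ],

      # Combined API gateway (orchestrator + control-center)
      host_rule "orchestrator.example.com" [
        prefix_route "/api" "orchestrator" 9090,
        prefix_route "/policy" "control-center" 8080,
      ],
    ],

    # Ingress class (nginx)
    ingressClassName = "nginx",
  },
}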