Merged
3 changes: 1 addition & 2 deletions .github/workflows/deploy-kubernetes.yml
Expand Up @@ -50,8 +50,7 @@ jobs:
echo "waiting 2 minutes for the A record to be updated"
sleep 1200

kubectl apply -f ./api-server-ingress.yaml
kubectl apply -f ./landing-page-ingress.yaml
kubectl apply -f ./ingress/.
Comment on lines 50 to +53
Contributor

🧹 Nitpick (assertive)

Inconsistent wait message vs actual sleep; also simplify directory apply path.

  • Message says “2 minutes” but sleep is 1200s (20 minutes).
  • Prefer “./ingress/” over “./ingress/.” for readability.

Apply this diff:

-          echo "waiting 2 minutes for the A record to be updated"
-          sleep 1200
+          echo "waiting 20 minutes for the A record to be updated"
+          sleep 1200
@@
-          kubectl apply -f ./ingress/.
+          kubectl apply -f ./ingress/

If the intention was 2 minutes, change to:

-          echo "waiting 2 minutes for the A record to be updated"
-          sleep 1200
+          echo "waiting 2 minutes for the A record to be updated"
+          sleep 120
🤖 Prompt for AI Agents
.github/workflows/deploy-kubernetes.yml around lines 50 to 53: the echo message
says "waiting 2 minutes" but the script sleeps for 1200 seconds (20 minutes) and
the kubectl apply uses "./ingress/." which is awkward; to fix, make the sleep
duration match the intended wait (change sleep 1200 to sleep 120 or update the
echo to "waiting 20 minutes" if 20 minutes was intended) and simplify the apply
path to "./ingress/".


helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
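Review bot: the fixed `sleep 1200` right after the echo at the top of this hunk stalls the job for 20 minutes unconditionally, however fast the A record actually propagates, and it never fails the job if the record does not appear at all. Prefer a bounded polling loop that resolves the hostname every 30 s (for example with `getent hosts` or `dig +short` against a public resolver) and exits non-zero once a deadline passes, so that `kubectl apply -f ./ingress/` only runs once DNS is confirmed. Separately, switching from the two explicit files to `kubectl apply -f ./ingress/.` means every manifest in that directory is applied, including the HTTP IngressRoutes and the redirect middleware added in this PR, so anything left in the directory reaches the cluster whether or not it is referenced anywhere.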

17 changes: 17 additions & 0 deletions k8s/ingress/api-server-ingress-http.yaml
@@ -0,0 +1,17 @@
# k8s/api-ingressroute.yaml
Contributor

🧹 Nitpick (assertive)

Header comment path is incorrect.

The file header says “k8s/api-ingressroute.yaml” but the file lives at “k8s/ingress/api-server-ingress-http.yaml”.

Apply this diff:

-# k8s/api-ingressroute.yaml
+# k8s/ingress/api-server-ingress-http.yaml
🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around line 1, the header comment
incorrectly states "k8s/api-ingressroute.yaml"; update the first line to reflect
the actual file path by changing the header comment to "#
k8s/ingress/api-server-ingress-http.yaml".

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: exosphere-api-server-http
Comment on lines +4 to +5
Contributor

🧹 Nitpick (assertive)

Be explicit about namespace to avoid surprises in CI contexts.

Unless your workflow sets the default namespace, add metadata.namespace: default to make placement explicit.

 kind: IngressRoute
 metadata:
   name: exosphere-api-server-http
+  namespace: default
🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around lines 4 to 5, the resource
metadata lacks an explicit namespace which can cause unpredictable placement in
CI; add a metadata.namespace field (e.g., namespace: default or the intended
namespace) under metadata to make placement explicit and avoid relying on
cluster/default contexts.

spec:
entryPoints:
- web
routes:
- match: Host(`api.exosphere.host`)
kind: Rule
Comment on lines +7 to +11
Contributor

🛠️ Refactor suggestion

Inconsistent IngressRoute: HTTP entryPoint with TLS enabled. Choose one of two valid patterns.

You’re binding to entryPoint “web” (HTTP) while enabling TLS. TLS will not terminate on a non-TLS entrypoint. Pick one:

  • Option A (preferred with global redirect): HTTP-only route, no tls, and rely on entrypoint redirect or attach the middleware.
  • Option B: HTTPS route only on “websecure” with tls enabled.

Option A (HTTP-only, attach middleware):

 spec:
   entryPoints:
-    - web
+    - web
   routes:
     - match: Host(`api.exosphere.host`)
       kind: Rule
+      middlewares:
+        - name: http-to-https-redirect
       services:
         - name: exosphere-api-server
           namespace: default
           port: 80
-  tls:
-    certResolver: letsencrypt

Option B (HTTPS-only on websecure):

 spec:
-  entryPoints:
-    - web
+  entryPoints:
+    - websecure
   routes:
     - match: Host(`api.exosphere.host`)
       kind: Rule
       services:
         - name: exosphere-api-server
           namespace: default
           port: 80
   tls:
     certResolver: letsencrypt

Also ensure you actually have a separate HTTP IngressRoute only if you’re not using global redirection.

Also applies to: 16-17

🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around lines 7 to 11, the
IngressRoute is bound to the HTTP entryPoint "web" while TLS is being configured
— TLS cannot terminate on a non-TLS entrypoint. Fix by choosing one pattern:
Option A: make this an HTTP-only route by removing the TLS configuration and (if
needed) attach or rely on a global redirect middleware to forward traffic to
HTTPS; Option B: make this an HTTPS route by changing the entryPoint to
"websecure" and keeping the TLS section with a proper certResolver/secret so TLS
terminates on the secure entryPoint. Also ensure you have a separate HTTP
IngressRoute only if you opt for global redirection.

services:
- name: exosphere-api-server
namespace: default
port: 80
tls:
certResolver: letsencrypt
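Review bot: the `entryPoints: - web` plus `tls: certResolver: letsencrypt` combination in this file is dead configuration once the entrypoint-level redirect in k8s/traefik-values.yaml (`--entrypoints.web.http.redirections.entrypoint.to=:443`) is in place. Traefik applies that redirect on `web` ahead of every user-defined router, so this route never sees a request and its `tls` block never terminates anything. Either drop this HTTP IngressRoute and rely on the entrypoint redirect, or remove the redirect flags and attach `http-to-https-redirect` here as the earlier comment suggests; keeping both hides which mechanism is actually protecting api.exosphere.host. Also note the route sends traffic to `exosphere-api-server` on `port: 80`, so TLS ends at Traefik and the hop to the backend is plaintext inside the cluster; that is a normal choice, but worth a comment so nobody assumes end-to-end TLS.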
Contributor

🧹 Nitpick (assertive)

Add missing newline at EOF to satisfy linters.

Apply this diff:

-    certResolver: letsencrypt
\ No newline at end of file
+    certResolver: letsencrypt
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around line 17, the file is missing
a trailing newline at EOF which causes linter failures; open the file and add a
single newline character after the last line (after "certResolver: letsencrypt")
so the file ends with a newline, save and commit the change.

File renamed without changes.
9 changes: 9 additions & 0 deletions k8s/ingress/http-to-https-redirect-middleware.yaml
@@ -0,0 +1,9 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: http-to-https-redirect
Comment on lines +3 to +4
Contributor

🧹 Nitpick (assertive)

Make middleware namespace explicit.

If your IngressRoutes are in “default”, keeping the middleware in the same namespace is fine, but making it explicit avoids surprises when contexts change.

Apply this diff:

 kind: Middleware
 metadata:
-  name: http-to-https-redirect
+  name: http-to-https-redirect
+  namespace: default
🤖 Prompt for AI Agents
In k8s/ingress/http-to-https-redirect-middleware.yaml around lines 3-4, the
middleware manifest omits an explicit namespace under metadata; add a
metadata.namespace field (e.g., namespace: default) so the middleware lives in
the same namespace as your IngressRoutes (or set it to whatever namespace your
IngressRoutes use) to avoid cross-namespace surprises.

spec:
redirectScheme:
scheme: https
port: "443"
permanent: true
Comment on lines +6 to +9
Contributor

🧹 Nitpick (assertive)

Trailing space and missing newline; also consider wiring the middleware.

  • Clean up whitespace/newline to satisfy linters.
  • This middleware isn’t referenced by the IngressRoutes. If you retain it, attach it to the HTTP routes as in the Option A diffs.

Apply this diff:

 spec:
   redirectScheme:
     scheme: https
     port: "443"
-    permanent: true 
+    permanent: true
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)


[error] 9-9: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In k8s/ingress/http-to-https-redirect-middleware.yaml around lines 6 to 9,
remove the trailing space after "permanent: true" and ensure the file ends with
a newline to satisfy linters, and if you intend to keep this middleware also
wire it into your IngressRoute HTTP routes by adding this middleware's name to
the appropriate route(s) (e.g., under the route's middlewares list) so the
redirect is applied; update the IngressRoute manifests to reference this
middleware for the HTTP entrypoints or remove the middleware file if not used.

17 changes: 17 additions & 0 deletions k8s/ingress/landing-page-ingress-http.yaml
@@ -0,0 +1,17 @@
# k8s/api-ingressroute.yaml
Contributor

🧹 Nitpick (assertive)

Header comment path is incorrect.

The file header says “k8s/api-ingressroute.yaml” but the file is “k8s/ingress/landing-page-ingress-http.yaml”.

Apply this diff:

-# k8s/api-ingressroute.yaml
+# k8s/ingress/landing-page-ingress-http.yaml
🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 1 to 1, the header
comment references the wrong path ("k8s/api-ingressroute.yaml"); update the
top-of-file comment to the correct file path
("k8s/ingress/landing-page-ingress-http.yaml") so the header accurately reflects
the file location.

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: exosphere-landing-page-http
Comment on lines +4 to +5
Contributor

🧹 Nitpick (assertive)

Be explicit about namespace to avoid default-namespace assumptions.

 kind: IngressRoute
 metadata:
   name: exosphere-landing-page-http
+  namespace: default
🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 4 to 5, metadata only
contains name which leaves the resource in the default namespace; add an
explicit metadata.namespace field (set to the intended namespace used by the
app, e.g., "exosphere" or the cluster-specific namespace) to the metadata block
so the ingress is created in the correct namespace and is consistent with other
manifests.

spec:
entryPoints:
- web
routes:
- match: Host(`exosphere.host`)
kind: Rule
Comment on lines +7 to +11
Contributor

🛠️ Refactor suggestion

Same inconsistency: HTTP entryPoint with TLS enabled. Align with one pattern.

Mirror the API ingress fix. Choose one:

  • Option A (HTTP-only + redirect middleware).
  • Option B (HTTPS-only on websecure + tls).

Option A:

 spec:
   entryPoints:
     - web
   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
+      middlewares:
+        - name: http-to-https-redirect
       services:
         - name: exosphere-landing-page
           namespace: default
           port: 80
-  tls:
-    certResolver: letsencrypt

Option B:

 spec:
-  entryPoints:
-    - web
+  entryPoints:
+    - websecure
   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
       services:
         - name: exosphere-landing-page
           namespace: default
           port: 80
   tls:
     certResolver: letsencrypt

Also applies to: 16-17

🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 7 to 11 (also applies
to lines 16-17), the ingress declares the HTTP entryPoint "web" while TLS is
enabled—pick one consistent pattern: either Option A (HTTP-only): keep
entryPoint "web", remove any tls block, and attach a redirect-to-HTTPS
middleware (or ensure a global redirect) so HTTP endpoints don’t claim TLS; or
Option B (HTTPS-only): change entryPoint to "websecure", keep or add the tls
section with the certificate resolver, and remove any redirect middleware; apply
the same change to the other route at lines 16-17 so both routes follow the
chosen pattern.

services:
Comment on lines +7 to +12
Contributor

🧹 Nitpick (assertive)

Security hardening: consider HSTS on HTTPS routes.

If you proceed with HTTPS-only, add a Headers middleware with STSSeconds, STSIncludeSubdomains, and STSPreload to enforce HSTS. Attach it to the HTTPS IngressRoutes.

Example (in a separate middleware manifest):

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: default
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true

Then attach:

   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
-      services:
+      middlewares:
+        - name: security-headers
+      services:
         - name: exosphere-landing-page
🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 7 to 12, the
IngressRoute for exosphere.host lacks HSTS enforcement for HTTPS; add a Traefik
Headers Middleware resource (e.g., name security-headers) in the same namespace
with stsSeconds: 31536000, stsIncludeSubdomains: true, and stsPreload: true,
then attach that middleware to the HTTPS IngressRoute(s) via the middlewares
section so HSTS is applied only to HTTPS traffic.

- name: exosphere-landing-page
namespace: default
port: 80
tls:
certResolver: letsencrypt
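Review bot: same shadowing problem as the API route: with the entrypoint-level redirect in k8s/traefik-values.yaml active, this route on `web` for exosphere.host is never matched, so its `tls: certResolver: letsencrypt` block is inert and should go with the rest of the HTTP route if the global redirect is kept. On the HSTS suggestion above, treat `stsPreload: true` combined with `stsIncludeSubdomains: true` as a one-way door: once exosphere.host is submitted to the preload list, browsers refuse plaintext HTTP for every subdomain, including api.exosphere.host and anything not yet migrated, and getting removed from the list again takes months. Roll out with a small `stsSeconds` first, confirm every subdomain serves a valid certificate from the `letsencrypt` resolver, raise the max-age, and only then consider preload.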
Contributor

🧹 Nitpick (assertive)

Add missing newline at EOF to satisfy linters.

Apply this diff:

-    certResolver: letsencrypt
\ No newline at end of file
+    certResolver: letsencrypt
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around line 17, the file is
missing a trailing newline at EOF which fails linters; fix by adding a single
newline character at the end of the file (ensure the file ends with a blank line
after the final line "certResolver: letsencrypt") and save.

File renamed without changes.
7 changes: 5 additions & 2 deletions k8s/traefik-values.yaml
Expand Up @@ -5,6 +5,9 @@ deployment:

additionalArguments:
- "--entrypoints.web.address=:8081"
- "--entrypoints.web.http.redirections.entrypoint.to=:443"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
- "--entrypoints.websecure.address=:8443"
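Review bot: the three new `--entrypoints.web.http.redirections.*` flags send clients to `:443`, but `websecure` itself listens on `:8443` on the line just below. That is only correct if the `ports:` section further down maps external port 443 to container port 8443, which this hunk does not show; please confirm `websecure` is exposed on 443, otherwise every HTTP request is bounced to a closed port. With this entrypoint-level redirect in place, the `http-to-https-redirect` Middleware and the two `*-ingress-http.yaml` IngressRoutes in this PR are redundant (the comment below makes the same point); settling on the global redirect and deleting them also removes every place where `tls:` is declared on a plaintext entrypoint. The ACME HTTP-01 challenge on `web` keeps working with the redirect in place, since Traefik serves the challenge before applying entrypoint redirection.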

Comment on lines 6 to 12
Contributor

🧹 Nitpick (assertive)

Avoid duplication: entrypoint-level redirect makes the middleware redundant unless explicitly used.

You added both an entrypoint-level redirect and a Middleware. If you keep the entrypoint-level redirect, you generally don't need an HTTP IngressRoute or the redirect middleware. Conversely, if you prefer per-route control using the middleware, remove the additionalArguments and attach the middleware to the HTTP IngressRoutes.

Would you like me to generate a minimal set of manifests for either approach (global vs per-route)?

🤖 Prompt for AI Agents
In k8s/traefik-values.yaml around lines 6 to 12 you defined an entrypoint-level
redirect and also use a redirect Middleware elsewhere, causing duplicated
behavior; either remove the entrypoint-level redirect arguments (the
--entrypoints.web.http.redirections.* flags) to rely on per-route Middleware, or
remove the Middleware and keep the entrypoint-level redirect for global
HTTP->HTTPS redirection; if you choose per-route control, delete the three
redirection lines under additionalArguments and attach the Middleware to your
HTTP IngressRoutes; if you choose global redirection, remove any redirect
Middleware manifests to avoid redundancy.

ports:
Expand All @@ -19,12 +22,12 @@ ports:

ingressRoute:
dashboard:
enabled: false # turn on later if you want the UI
enabled: false

certificatesResolvers:
letsencrypt:
acme:
email: "nivedit@exosphere.host"
storage: /data/acme.json
httpChallenge:
entryPoint: web # solve the challenge on :80
entryPoint: web
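Review bot: `storage: /data/acme.json` holds the Let's Encrypt account private key and the private key of every issued certificate, so /data must be a persistent volume (losing it forces re-issuance of every certificate and eats into Let's Encrypt rate limits) and the file must be mode 0600 and readable only by the Traefik pod; Traefik refuses to start when the permissions are looser. The two removed comments (`# turn on later if you want the UI` and `# solve the challenge on :80`) were the only explanation of why `entryPoint: web` is the challenge entrypoint; keep a one-line comment there, because HTTP-01 only succeeds if `web` is the entrypoint reachable on external port 80. Leaving `dashboard.enabled: false` is the right default; if it is ever turned on, put the dashboard behind authentication rather than a bare IngressRoute.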