icecheng/freeleaps-ops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
13acfccd77
freeleaps-ops/docs/Current_Ingress_Analysis.md

410 lines
20 KiB
Markdown
Raw Normal View History

(feat): Basic docs on Freeleaps Infra
2025-09-03 23:59:04 +00:00
# Current Ingress Setup Analysis
## 🎯 **Overview**
This document analyzes your current Kubernetes ingress setup based on the codebase examination. It explains how your ingress infrastructure works, what components are involved, and how they interact.
---
## 📊 **Your Current Ingress Architecture**
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ INTERNET │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Browser │ │ Mobile │ │ API │ │ Other │ │
│ │ │ │ App │ │ Client │ │ Clients │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │ │ │ │ │
│ └────────────────┼───────────────┼───────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ AZURE LOAD BALANCER │ │
│ │ IP: 4.155.160.32 (prod-usw2-k8s-freeleaps-lb-fe-ip) │ │
│ │ Port: 80/443 │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ NGINX INGRESS CONTROLLER │ │
│ │ Namespace: freeleaps-controls-system │ │
│ │ ┌─────────────────────────────────────────────────────────────┐ │ │
│ │ │ Pod: ingress-nginx-controller-abc123 │ │ │
│ │ │ Image: ingress-nginx/controller:v1.12.0 │ │ │
│ │ │ IP: 10.0.1.100 Port: 80/443 │ │ │
│ │ └─────────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ INGRESS RULES │ │
│ │ │ │
│ │ argo.mathmast.com → argo-cd-server:80 │ │
│ │ gitea.freeleaps.mathmast.com → gitea-http:3000 │ │
│ │ magicleaps.mathmast.com → magicleaps-frontend-service:80 │ │
│ │ alpha.magicleaps.mathmast.com → magicleaps-frontend-service:80 │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ KUBERNETES SERVICES │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │argo-cd-svc │ │gitea-http │ │magic-front │ │magic-api │ │ │
│ │ │ClusterIP │ │ClusterIP │ │ClusterIP │ │ClusterIP │ │ │
│ │ │10.0.1.10 │ │10.0.1.11 │ │10.0.1.12 │ │10.0.1.13 │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ APPLICATION PODS │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │argo-cd-pod │ │gitea-pod │ │magic-front │ │magic-api │ │ │
│ │ │10.0.1.101 │ │10.0.1.102 │ │10.0.1.103 │ │10.0.1.104 │ │ │
│ │ │argo-cd:v2.8 │ │gitea:1.20 │ │nginx:latest │ │api:v1.2 │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
```
---
## 🔧 **Components Analysis**
### **1. Nginx Ingress Controller**
**Location**: `freeleaps-ops/cluster/manifests/freeleaps-controls-system/ingress-nginx/values.yaml`
**Key Configuration**:
```yaml
# Controller Configuration
controller:
name: controller
image:
image: ingress-nginx/controller
tag: "v1.12.0" # ← Specific version for stability
runAsNonRoot: true # ← Security: don't run as root
runAsUser: 101 # ← Security: run as nginx user
allowPrivilegeEscalation: false # ← Security: prevent privilege escalation
# Ingress Class Configuration
ingressClassResource:
name: nginx # ← Ingress class name
enabled: true # ← Create the IngressClass resource
default: false # ← Not the default (allows multiple controllers)
controllerValue: k8s.io/ingress-nginx # ← Controller identifier
# Service Configuration
service:
type: LoadBalancer # ← Azure Load Balancer for external access
ports:
http: 80 # ← HTTP port
https: 443 # ← HTTPS port
```
**What this means**:
- You have a production-grade nginx-ingress-controller
- It's configured with security best practices
- It uses Azure Load Balancer for external access
- It's not the default ingress class (allows flexibility)
### **2. Cert-Manager Integration**
**Location**: `freeleaps-ops/cluster/manifests/freeleaps-controls-system/godaddy-webhook/cluster-issuer.yaml`
**Key Configuration**:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: mathmast-dot-com
spec:
acme:
email: acme@mathmast.com
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- dns01:
webhook:
config:
apiKeySecretRef:
name: mathmast-godaddy-api-key
groupName: acme.mathmast.com
solverName: godaddy
selector:
dnsZones:
- mathmast.com
```
**What this means**:
- You're using Let's Encrypt for SSL certificates
- DNS01 challenge for domain validation (more reliable than HTTP01)
- GoDaddy DNS API integration for automatic DNS record creation
- Certificates are automatically renewed
### **3. Custom Ingress Manager**
**Location**: `freeleaps-devops-reconciler/reconciler/controllers/ingress_resources/ingress_manager.py`
**Key Features**:
```python
# Automatic Ingress Creation
annotations = {
"nginx.ingress.kubernetes.io/ssl-redirect": "true",
"nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
"cert-manager.io/cluster-issuer": "letsencrypt-prod",
"nginx.ingress.kubernetes.io/proxy-body-size": "0",
"nginx.ingress.kubernetes.io/proxy-read-timeout": "600",
"nginx.ingress.kubernetes.io/proxy-send-timeout": "600"
}
```
**What this means**:
- You have a custom controller that automatically creates ingresses
- It enforces SSL redirect (HTTP → HTTPS)
- It integrates with cert-manager for automatic certificates
- It sets performance optimizations (timeouts, body size)
---
## 🔄 **Request Flow Analysis**
### **1. External Request Flow**
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Browser │ │ Azure Load │ │ Nginx │ │ Application │
│ │ │ Balancer │ │ Ingress │ │ Service │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
│ │ │ │
│ HTTPS Request │ │ │
│───────────────▶│ │ │
│ │ Forward to │ │
│ │ nginx │ │
│ │───────────────▶│ │
│ │ │ Route based │
│ │ │ on host/path │
│ │ │───────────────▶│
│ │ │ │ Return response
│ │ │◀───────────────│
│ │◀───────────────│ │
│◀───────────────│ │ │
```
### **2. SSL Certificate Flow**
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Ingress │ │ cert-manager │ │ Let's │ │ GoDaddy │
│ Controller │ │ │ │ Encrypt │ │ DNS API │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
│ │ │ │
│ Check cert │ │ │
│───────────────▶│ │ │
│ │ Request cert │ │
│ │───────────────▶│ │
│ │ │ DNS Challenge │
│ │ │───────────────▶│
│ │ │ │ Create TXT record
│ │ │ │◀───────────────│
│ │ │ Cert Ready │
│ │ │◀───────────────│
│ │ Cert Ready │ │
│ │◀───────────────│ │
│ Cert Ready │ │ │
│◀───────────────│ │ │
```
---
## 🛠️ **Current Applications**
Based on your codebase, you have these applications exposed via ingress:
### **1. ArgoCD (GitOps)**
- **Domain**: `argo.mathmast.com`
- **Service**: `argo-cd-server`
- **Purpose**: GitOps deployment tool
- **Access**: Web UI for managing deployments
- **Namespace**: `freeleaps-devops-system`
### **2. Gitea (Git Repository)**
- **Domain**: `gitea.freeleaps.mathmast.com`
- **Service**: `gitea-http`
- **Purpose**: Git repository hosting
- **Access**: Web UI for code management
- **Namespace**: `freeleaps-prod`
- **Port**: 3000
### **3. Magicleaps (Main Application)**
- **Production Domain**: `magicleaps.mathmast.com`
- **Alpha Domain**: `alpha.magicleaps.mathmast.com`
- **Service**: `magicleaps-frontend-service`
- **Purpose**: Main business application
- **Namespace**: `magicleaps`
- **Port**: 80
---
## 🔒 **Security Features**
### **1. SSL/TLS Enforcement**
```yaml
# All traffic is forced to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
```
### **2. Automatic Certificate Management**
- Let's Encrypt certificates
- DNS01 challenge validation
- Automatic renewal
- GoDaddy DNS integration
### **3. Performance Optimizations**
```yaml
# Handle large requests
nginx.ingress.kubernetes.io/proxy-body-size: "0"
# Long-running requests
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
```
---
## 📊 **Monitoring and Debugging**
### **1. Check Ingress Status**
```bash
# Check all ingresses
kubectl get ingress --all-namespaces
# Check specific ingress
kubectl describe ingress <ingress-name> -n <namespace>
# Check ingress controller
kubectl get pods -n freeleaps-controls-system -l app.kubernetes.io/name=ingress-nginx
```
### **2. Check SSL Certificates**
```bash
# Check certificates
kubectl get certificates --all-namespaces
# Check certificate status
kubectl describe certificate <cert-name> -n <namespace>
# Check cert-manager
kubectl get pods -n cert-manager
```
### **3. Check DNS Resolution**
```bash
# Test DNS resolution
nslookup argo.mathmast.com
nslookup gitea.freeleaps.mathmast.com
nslookup magicleaps.mathmast.com
nslookup alpha.magicleaps.mathmast.com
```
### **4. Check Azure Load Balancer**
```bash
# Your actual load balancer IP
curl -I http://4.155.160.32
# Check if load balancer is responding
telnet 4.155.160.32 80
telnet 4.155.160.32 443
```
---
## 🚀 **How Your Setup Compares to Examples**
### **Your Current Setup vs Example**
| Feature | Your Setup | Example Setup | Notes |
|---------|------------|---------------|-------|
| **Ingress Controller** | nginx-ingress v1.12.0 | nginx-ingress | Same |
| **SSL Provider** | Let's Encrypt + GoDaddy | Let's Encrypt | You have DNS integration |
| **Certificate Validation** | DNS01 challenge | HTTP01 challenge | More reliable |
| **Automatic Creation** | Custom controller | Manual | You have automation |
| **Performance** | Optimized timeouts | Basic | You have better config |
| **Security** | SSL redirect enforced | SSL redirect | Same |
### **Advantages of Your Setup**
1. **Automation**: Custom controller automatically creates ingresses
2. **DNS Integration**: GoDaddy API for automatic DNS record creation
3. **Reliability**: DNS01 challenge is more reliable than HTTP01
4. **Performance**: Optimized timeouts and body size limits
5. **Security**: Enforced SSL redirects
---
## 🔧 **Troubleshooting Your Setup**
### **1. Certificate Issues**
```bash
# Check certificate status
kubectl get certificates --all-namespaces
# Check cert-manager logs
kubectl logs -n cert-manager deployment/cert-manager
# Check DNS records
dig TXT _acme-challenge.mathmast.com
```
### **2. Ingress Issues**
```bash
# Check ingress controller
kubectl get pods -n freeleaps-controls-system -l app.kubernetes.io/name=ingress-nginx
# Check ingress controller logs
kubectl logs -n freeleaps-controls-system deployment/ingress-nginx-controller
# Check ingress status
kubectl describe ingress <ingress-name> -n <namespace>
```
### **3. DNS Issues**
```bash
# Test DNS resolution
nslookup <your-domain>
# Check GoDaddy API key
kubectl get secret mathmast-godaddy-api-key -n cert-manager -o yaml
```
### **4. Load Balancer Issues**
```bash
# Check if your load balancer is accessible
curl -I http://4.155.160.32
# Check Azure load balancer health
az network lb show --name prod-usw2-k8s-freeleaps-lb --resource-group <resource-group>
```
---
## 📚 **Learn More**
### **Your Specific Components**
- [nginx-ingress](https://kubernetes.github.io/ingress-nginx/) - Your ingress controller
- [cert-manager](https://cert-manager.io/docs/) - Your certificate manager
- [GoDaddy DNS01](https://cert-manager.io/docs/configuration/acme/dns01/godaddy/) - Your DNS provider
- [Let's Encrypt](https://letsencrypt.org/docs/) - Your certificate authority
### **Related Documentation**
- [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- [SSL/TLS in Kubernetes](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)
- [DNS01 Challenge](https://cert-manager.io/docs/configuration/acme/dns01/)
---
**Last Updated**: September 3, 2025
**Version**: 1.0
**Maintainer**: Infrastructure Team
Reference in New Issue Copy Permalink