bakery-ia/infrastructure/platform/networking/ingress/base/ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bakery-ingress
  namespace: bakery-ia
  labels:
    app.kubernetes.io/name: bakery-ia
    app.kubernetes.io/component: ingress
  annotations:
    # Nginx ingress controller annotations
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    # SSE and WebSocket configuration for long-lived connections
    nginx.ingress.kubernetes.io/proxy-buffering: "off"
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/upstream-keepalive-timeout: "3600"
    # WebSocket upgrade support
    nginx.ingress.kubernetes.io/websocket-services: "gateway-service"
    # CORS configuration
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
    nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"


spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - DOMAIN_PLACEHOLDER  # To be replaced by kustomize
    secretName: TLS_SECRET_PLACEHOLDER  # To be replaced by kustomize
  rules:
  # Main application routes
  - host: DOMAIN_PLACEHOLDER  # To be replaced by kustomize
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 3000
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: gateway-service
            port:
              number: 8000
  # NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart
  # See infrastructure/cicd/gitea/values.yaml for ingress configuration
  # NOTE: Mail ingress is deployed separately via mailu-helm resource
  # to avoid 503 errors when Mailu is not running
Add base kubernetes support final fix 2 2025-09-28 19:48:05 +02:00			`apiVersion: networking.k8s.io/v1`
			`kind: Ingress`
			`metadata:`
			`name: bakery-ingress`
			`namespace: bakery-ia`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`labels:`
			`app.kubernetes.io/name: bakery-ia`
			`app.kubernetes.io/component: ingress`
Add base kubernetes support final fix 2 2025-09-28 19:48:05 +02:00			`annotations:`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`# Nginx ingress controller annotations`
Enable HTTPS by default in development environment This commit enables HTTPS in the development environment using self-signed certificates to further improve dev-prod parity and catch SSL-related issues early. Changes made: 1. Created self-signed certificate for localhost - File: infrastructure/kubernetes/overlays/dev/dev-certificate.yaml - Type: Self-signed via cert-manager - Validity: 90 days (auto-renewed) - Valid for: localhost, bakery-ia.local, .bakery-ia.local, 127.0.0.1 - Issuer: selfsigned-issuer ClusterIssuer 2. Updated dev ingress to enable HTTPS - File: infrastructure/kubernetes/overlays/dev/dev-ingress.yaml - Enabled SSL redirect: ssl-redirect: false → true - Added TLS configuration with certificate - Updated CORS origins to prefer HTTPS (HTTPS URLs first, HTTP fallback) - Access: https://localhost (instead of http://localhost) 3. Added cert-manager resources to dev overlay - File: infrastructure/kubernetes/overlays/dev/kustomization.yaml - Added dev-certificate.yaml - Added selfsigned-issuer ClusterIssuer 4. Created comprehensive HTTPS setup guide - File: docs/DEV-HTTPS-SETUP.md - Includes certificate trust instructions for macOS, Linux, Windows - Testing procedures with curl and browsers - Troubleshooting guide - FAQ section 5. Updated dev-prod parity documentation - File: docs/DEV-PROD-PARITY-CHANGES.md - Added HTTPS as 4th improvement - Updated "What Stays Different" table (SSL/TLS → Certificates) - Added HTTPS benefits section Benefits: ✓ Matches production HTTPS-only behavior ✓ Tests SSL/TLS configurations in development ✓ Catches mixed content warnings early ✓ Tests secure cookie handling (Secure, SameSite attributes) ✓ Validates cert-manager integration ✓ Tests certificate auto-renewal ✓ Better security testing capabilities Impact: - Browser will show certificate warning (self-signed) - Users can trust certificate or click "Proceed" - No additional resource usage - Access via https://localhost (was http://localhost) Certificate details: - Type: Self-signed - Algorithm: RSA 2048-bit - Validity: 90 days - Auto-renewal: 15 days before expiration - Common Name: localhost - DNS Names: localhost, bakery-ia.local, .bakery-ia.local - IP Addresses: 127.0.0.1, ::1 Setup required: - Optional: Trust certificate in system/browser (see DEV-HTTPS-SETUP.md) - Required: cert-manager must be installed in cluster - Access at: https://localhost What stays different from production: - Certificate type: Self-signed (dev) vs Let's Encrypt (prod) - Trust: Manual (dev) vs Automatic (prod) - Domain: localhost (dev) vs real domain (prod) This completes the dev-prod parity improvements, bringing development environment much closer to production with: 1. 2 replicas for critical services ✓ 2. Rate limiting enabled ✓ 3. Specific CORS origins ✓ 4. HTTPS enabled ✓ See docs/DEV-HTTPS-SETUP.md for complete setup and testing instructions. 2026-01-02 19:25:45 +00:00			`nginx.ingress.kubernetes.io/ssl-redirect: "true"`
			`nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`
Add new infra architecture 9 2026-01-20 07:20:56 +01:00			`nginx.ingress.kubernetes.io/proxy-body-size: "500m"`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"`
Add fixes to procurement logic and fix rel-time connections 2025-10-02 13:20:30 +02:00			`nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"`
			`# SSE and WebSocket configuration for long-lived connections`
Add fixes to procurement logic and fix rel-time connections 2025-10-02 13:20:30 +02:00			`nginx.ingress.kubernetes.io/proxy-buffering: "off"`
			`nginx.ingress.kubernetes.io/proxy-http-version: "1.1"`
			`nginx.ingress.kubernetes.io/upstream-keepalive-timeout: "3600"`
REFACTOR ALL APIs fix 1 2025-10-07 07:15:07 +02:00			`# WebSocket upgrade support`
			`nginx.ingress.kubernetes.io/websocket-services: "gateway-service"`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`# CORS configuration`
			`nginx.ingress.kubernetes.io/enable-cors: "true"`
			`nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"`
			`nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin, Cache-Control"`
			`nginx.ingress.kubernetes.io/cors-allow-credentials: "true"`


Add base kubernetes support final fix 2 2025-09-28 19:48:05 +02:00			`spec:`
			`ingressClassName: nginx`
Enable HTTPS by default in development environment This commit enables HTTPS in the development environment using self-signed certificates to further improve dev-prod parity and catch SSL-related issues early. Changes made: 1. Created self-signed certificate for localhost - File: infrastructure/kubernetes/overlays/dev/dev-certificate.yaml - Type: Self-signed via cert-manager - Validity: 90 days (auto-renewed) - Valid for: localhost, bakery-ia.local, .bakery-ia.local, 127.0.0.1 - Issuer: selfsigned-issuer ClusterIssuer 2. Updated dev ingress to enable HTTPS - File: infrastructure/kubernetes/overlays/dev/dev-ingress.yaml - Enabled SSL redirect: ssl-redirect: false → true - Added TLS configuration with certificate - Updated CORS origins to prefer HTTPS (HTTPS URLs first, HTTP fallback) - Access: https://localhost (instead of http://localhost) 3. Added cert-manager resources to dev overlay - File: infrastructure/kubernetes/overlays/dev/kustomization.yaml - Added dev-certificate.yaml - Added selfsigned-issuer ClusterIssuer 4. Created comprehensive HTTPS setup guide - File: docs/DEV-HTTPS-SETUP.md - Includes certificate trust instructions for macOS, Linux, Windows - Testing procedures with curl and browsers - Troubleshooting guide - FAQ section 5. Updated dev-prod parity documentation - File: docs/DEV-PROD-PARITY-CHANGES.md - Added HTTPS as 4th improvement - Updated "What Stays Different" table (SSL/TLS → Certificates) - Added HTTPS benefits section Benefits: ✓ Matches production HTTPS-only behavior ✓ Tests SSL/TLS configurations in development ✓ Catches mixed content warnings early ✓ Tests secure cookie handling (Secure, SameSite attributes) ✓ Validates cert-manager integration ✓ Tests certificate auto-renewal ✓ Better security testing capabilities Impact: - Browser will show certificate warning (self-signed) - Users can trust certificate or click "Proceed" - No additional resource usage - Access via https://localhost (was http://localhost) Certificate details: - Type: Self-signed - Algorithm: RSA 2048-bit - Validity: 90 days - Auto-renewal: 15 days before expiration - Common Name: localhost - DNS Names: localhost, bakery-ia.local, .bakery-ia.local - IP Addresses: 127.0.0.1, ::1 Setup required: - Optional: Trust certificate in system/browser (see DEV-HTTPS-SETUP.md) - Required: cert-manager must be installed in cluster - Access at: https://localhost What stays different from production: - Certificate type: Self-signed (dev) vs Let's Encrypt (prod) - Trust: Manual (dev) vs Automatic (prod) - Domain: localhost (dev) vs real domain (prod) This completes the dev-prod parity improvements, bringing development environment much closer to production with: 1. 2 replicas for critical services ✓ 2. Rate limiting enabled ✓ 3. Specific CORS origins ✓ 4. HTTPS enabled ✓ See docs/DEV-HTTPS-SETUP.md for complete setup and testing instructions. 2026-01-02 19:25:45 +00:00			`tls:`
			`- hosts:`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`- DOMAIN_PLACEHOLDER # To be replaced by kustomize`
			`secretName: TLS_SECRET_PLACEHOLDER # To be replaced by kustomize`
Add base kubernetes support final fix 2 2025-09-28 19:48:05 +02:00			`rules:`
Add new infra architecture 2026-01-19 11:55:17 +01:00			`# Main application routes`
			`- host: DOMAIN_PLACEHOLDER # To be replaced by kustomize`
Add base kubernetes support final fix 2 2025-09-28 19:48:05 +02:00			`http:`
			`paths:`
			`- path: /`
			`pathType: Prefix`
			`backend:`
			`service:`
			`name: frontend-service`
			`port:`
			`number: 3000`
			`- path: /api`
			`pathType: Prefix`
			`backend:`
			`service:`
			`name: gateway-service`
			`port:`
Update monitoring packages to latest versions - Updated all OpenTelemetry packages to latest versions: - opentelemetry-api: 1.27.0 → 1.39.1 - opentelemetry-sdk: 1.27.0 → 1.39.1 - opentelemetry-exporter-otlp-proto-grpc: 1.27.0 → 1.39.1 - opentelemetry-exporter-otlp-proto-http: 1.27.0 → 1.39.1 - opentelemetry-instrumentation-fastapi: 0.48b0 → 0.60b1 - opentelemetry-instrumentation-httpx: 0.48b0 → 0.60b1 - opentelemetry-instrumentation-redis: 0.48b0 → 0.60b1 - opentelemetry-instrumentation-sqlalchemy: 0.48b0 → 0.60b1 - Removed prometheus-client==0.23.1 from all services - Unified all services to use the same monitoring package versions Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai> 2026-01-08 19:25:52 +01:00			`number: 8000`
Fix: align ingress base and overlays - single host per environment 2026-01-20 21:42:05 +01:00			`# NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart`
			`# See infrastructure/cicd/gitea/values.yaml for ingress configuration`
			`# NOTE: Mail ingress is deployed separately via mailu-helm resource`
			`# to avoid 503 errors when Mailu is not running`