Ingress Setup

Each tenant receives a dedicated NGINX ingress controller deployed into their namespace, providing an isolated LoadBalancer IP and TLS termination via cert-manager.

Architecture

Internet --> Azure Load Balancer (per-tenant IP)
               --> NGINX Ingress Controller (tenant namespace)
                     --> K8s Services (ai-service, query-engine, etc.)

Deployment Process

Deploy NGINX: Helm install ingress-nginx into the tenant namespace with tenant-specific values
Wait for IP: Poll the Service until the LoadBalancer external IP is assigned
Store IP: Save the IP to tenant.ingressIp
Create Ingress: Create K8s Ingress resource with routing rules for all deployed services
Provision TLS: cert-manager creates a Certificate using DNS01 challenge via Azure DNS

TLS Configuration

TLS certificates are provisioned using cert-manager with DNS01 challenge:

Issuer: letsencrypt-staging-dns01 (dev) or letsencrypt-prod-dns01 (production)
Challenge Type: DNS01 via Azure DNS
Workload Identity: cert-manager uses Azure workload identity for DNS record management

Source Files

File	Path
TenantIngressService	`control-plane/tenant-service/src/main/java/com/matih/tenant/service/TenantIngressService.java`
Ingress NGINX values	`infrastructure/helm/ingress-nginx/values-tenant.yaml`

DNS Zone Management Observability Setup