MATIH Platform is in active MVP development. Documentation reflects current implementation status.
8. Platform Services

Ingress Management

The IngressController and IngressManagementService manage per-tenant ingress configuration including NGINX ingress controllers, DNS zones, TLS certificates, and routing rules. Each tenant can have a dedicated ingress controller with its own LoadBalancer IP for isolation.


Ingress Architecture

Internet
    |
    v
Azure DNS (matih.ai)
    |
    +-- acme.matih.ai --> Tenant Ingress Controller (LoadBalancer IP)
    |                         |
    |                         +--> ai-service
    |                         +--> bi-service
    |                         +--> query-engine
    |
    +-- beta.matih.ai --> Another Tenant Ingress

Ingress Endpoints

Deploy Ingress Controller

Endpoint: POST /api/v1/infrastructure/ingress/tenants/:tenantId/controller

Deploys a dedicated NGINX ingress controller in the tenant namespace via Helm.

curl -X POST http://localhost:8089/api/v1/infrastructure/ingress/tenants/550e8400/controller \
  -H "Authorization: Bearer ${TOKEN}"

Create DNS Zone

Endpoint: POST /api/v1/infrastructure/ingress/tenants/:tenantId/dns

Creates a child DNS zone (e.g., acme.matih.ai) with NS delegation from the platform zone and A records pointing to the tenant's LoadBalancer IP.

Create Tenant Ingress

Endpoint: POST /api/v1/infrastructure/ingress/tenants/:tenantId/ingress

Creates the Kubernetes Ingress resource and cert-manager Certificate for TLS.

Get Ingress Status

Endpoint: GET /api/v1/infrastructure/ingress/tenants/:tenantId

Returns the current ingress configuration and status including LoadBalancer IP, DNS records, and TLS certificate status.


Provisioning Flow

The ingress provisioning follows a three-phase sequence (Phase 5.5 of tenant provisioning):

Step | Action                    | Description
1    | DEPLOY_INGRESS_CONTROLLER | Helm install NGINX in the tenant namespace, wait for the LoadBalancer IP
2    | CREATE_DNS_ZONE           | Create the Azure DNS child zone with NS delegation and A records
3    | CREATE_TENANT_INGRESS     | Create the cert-manager Certificate and the Kubernetes Ingress with TLS

TLS Configuration

TLS certificates are managed automatically by cert-manager using DNS01 challenge validation:

Environment | Issuer                   | Description
Dev         | letsencrypt-staging-dns01 | Staging certificates for development
Production  | letsencrypt-prod-dns01    | Production Let's Encrypt certificates

The DNS01 challenge uses Azure DNS with workload identity for authentication.
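Added example (not taken from the platform's code) of the two resources the CREATE_TENANT_INGRESS step produces for tenant acme, wired to the production issuer above. The namespace name, ingressClassName, the ClusterIssuer kind, and the backend paths and ports are assumptions; the hostname, issuer name and service names come from this page.

```yaml
# Added example, not the platform's own manifests. Assumed values are marked.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-tls
  namespace: tenant-acme          # assumed tenant namespace
spec:
  secretName: acme-tls            # the Ingress below references this Secret
  issuerRef:
    name: letsencrypt-prod-dns01  # production DNS01 issuer from the table above
    kind: ClusterIssuer           # assumed; a namespaced Issuer would also work
  dnsNames:
    - acme.matih.ai
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: acme-ingress
  namespace: tenant-acme          # assumed tenant namespace
  annotations:
    # force HTTPS so tenant traffic is never served in plaintext
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx-acme    # assumed class of the tenant's dedicated controller
  tls:
    - hosts:
        - acme.matih.ai
      secretName: acme-tls        # must match Certificate.spec.secretName
  rules:
    - host: acme.matih.ai
      http:
        paths:
          - path: /ai                  # assumed path layout
            pathType: Prefix
            backend:
              service:
                name: ai-service
                port:
                  number: 8080         # assumed service port
          - path: /bi
            pathType: Prefix
            backend:
              service:
                name: bi-service
                port:
                  number: 8080
          - path: /query
            pathType: Prefix
            backend:
              service:
                name: query-engine
                port:
                  number: 8080
```

Before treating step 3 as complete, confirm the DNS01 order finished: `kubectl -n tenant-acme get certificate acme-tls` should report READY as True, and the Ingress should list the tenant controller's LoadBalancer IP under ADDRESS.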


Dev vs Production

Aspect            | Dev                 | Production
Domain            | staging.matih.ai    | matih.ai
Dedicated ingress | Disabled by default | Enabled per tenant
DNS zones         | Disabled by default | Child zones per tenant
TLS issuer        | Staging             | Production