MATIH Platform is in active MVP development. Documentation reflects current implementation status.
17. Kubernetes & Helm
Namespaces
Ingress

Ingress Namespace

The matih-ingress namespace hosts the NGINX Ingress Controller that routes external traffic to platform services. For multi-tenant production deployments, per-tenant ingress controllers are deployed in their respective tenant namespaces.


Platform Ingress Controller

The central NGINX Ingress Controller handles all platform API traffic:

# Deployed in matih-ingress namespace (excerpt). A Deployment is rejected by the
# API server without spec.selector and matching pod labels; the labels below
# are the ones the upstream ingress-nginx chart applies to the controller pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: matih-ingress
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      containers:
        - name: controller
          image: registry.k8s.io/ingress-nginx/controller:v1.9.6
          ports:
            - containerPort: 80
              name: http
            - containerPort: 443
              name: https

Ingress Routing Rules

API traffic is routed to backend services based on path prefixes:

Path              Backend Service   Namespace             Port
/api/v1/auth      iam-service       matih-control-plane   8080
/api/v1/tenants   tenant-service    matih-control-plane   8080
/api/v1/config    config-service    matih-control-plane   8080
/api/v1/audit     audit-service     matih-control-plane   8080
/api/v1/ai        ai-service        matih-data-plane      8000
/api/v1/query     query-engine      matih-data-plane      8080
/api/v1/catalog   catalog-service   matih-data-plane      8086
/api/v1/bi        bi-service        matih-data-plane      8084
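The routing table spans two namespaces, and an Ingress backend can only reference a Service in the Ingress object's own namespace, so the table implies at least one Ingress per namespace. The following is an added example, not MATIH project code: it groups the documented routes into per-namespace Ingress manifests and resolves request paths using the element-wise semantics the Kubernetes Ingress API defines for pathType: Prefix (so /api/v1/ai does not capture /api/v1/audit). The host api.matih.ai is taken from the TLS section of this page; the manifest names are this example's assumption. Controllers have differed in how strictly they implement Prefix matching, so confirm the behaviour against the controller version you run.

```python
# Added example (not MATIH project code): build per-namespace Ingress rule sets
# from the routing table on this page and resolve request paths with the
# element-wise prefix matching the Ingress API specifies for pathType: Prefix.
from collections import defaultdict

# Route table as documented on this page: (path, service, namespace, port)
ROUTES = [
    ("/api/v1/auth",    "iam-service",     "matih-control-plane", 8080),
    ("/api/v1/tenants", "tenant-service",  "matih-control-plane", 8080),
    ("/api/v1/config",  "config-service",  "matih-control-plane", 8080),
    ("/api/v1/audit",   "audit-service",   "matih-control-plane", 8080),
    ("/api/v1/ai",      "ai-service",      "matih-data-plane",    8000),
    ("/api/v1/query",   "query-engine",    "matih-data-plane",    8080),
    ("/api/v1/catalog", "catalog-service", "matih-data-plane",    8086),
    ("/api/v1/bi",      "bi-service",      "matih-data-plane",    8084),
]

HOST = "api.matih.ai"  # host from the TLS section of this page


def build_ingresses(routes=ROUTES, host=HOST):
    """Return one Ingress manifest (as a dict) per namespace.

    A backend may only name a Service in the Ingress's own namespace, so
    routes that span two namespaces need two Ingress objects.
    """
    by_ns = defaultdict(list)
    for path, svc, ns, port in routes:
        by_ns[ns].append({
            "path": path,
            "pathType": "Prefix",
            "backend": {"service": {"name": svc, "port": {"number": port}}},
        })
    manifests = {}
    for ns, paths in by_ns.items():
        manifests[ns] = {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "Ingress",
            "metadata": {"name": f"{ns}-api", "namespace": ns},  # assumed name
            "spec": {"rules": [{"host": host, "http": {"paths": paths}}]},
        }
    return manifests


def _prefix_matches(prefix, request_path):
    """Element-wise prefix match, as the Ingress API defines pathType: Prefix.

    "/api/v1/ai" matches "/api/v1/ai" and "/api/v1/ai/chat" but not
    "/api/v1/aix" or "/api/v1/audit".
    """
    p = prefix.rstrip("/").split("/")
    r = request_path.split("/")
    return r[:len(p)] == p


def resolve(request_path, routes=ROUTES):
    """Return (service, namespace, port) for the longest matching prefix, else None."""
    best = None
    for path, svc, ns, port in routes:
        if _prefix_matches(path, request_path):
            if best is None or len(path) > len(best[0]):
                best = (path, svc, ns, port)
    return best[1:] if best else None


if __name__ == "__main__":
    for req in ("/api/v1/ai/chat", "/api/v1/audit/events", "/api/v1/aix", "/healthz"):
        print(req, "->", resolve(req))
    for ns, m in build_ingresses().items():
        print(ns, [p["path"] for p in m["spec"]["rules"][0]["http"]["paths"]])
```

Paths that match no documented prefix resolve to None; in a real deployment those requests land on the controller's default backend, which is worth checking returns nothing more than a 404.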

Ingress Annotations

MATIH services use standard NGINX Ingress annotations:

# From ai-service ingress configuration
annotations:
  nginx.ingress.kubernetes.io/proxy-body-size: "50m"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
  nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
  nginx.ingress.kubernetes.io/proxy-buffering: "off"
  # WebSocket support for AI streaming. ingress-nginx upgrades WebSocket
  # connections natively once proxy-http-version is 1.1; the read/send
  # timeouts above are what keep idle streams open. ingress-nginx does not
  # define a websocket-services annotation (nginx.org/websocket-services is
  # the NGINX Inc. controller's equivalent), so the key below has no effect there.
  nginx.ingress.kubernetes.io/websocket-services: "ai-service"

For the data plane umbrella chart:

# From matih-data-plane ingress
annotations:
  nginx.ingress.kubernetes.io/proxy-body-size: "100m"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"

TLS Termination

TLS is terminated at the ingress controller using cert-manager-issued certificates:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod-dns01"
spec:
  tls:
    - hosts:
        - api.matih.ai
      secretName: api-matih-ai-tls
  rules:
    - host: api.matih.ai
      http:
        paths:
          - path: /api/v1/ai
            pathType: Prefix
            backend:
              service:
                name: ai-service
                port:
                  number: 8000
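The two sections above (proxy annotations and TLS termination) are the settings a reviewer most often checks on an Ingress before it reaches a cluster: every rule host covered by a TLS entry with a secret, a cert-manager issuer annotation present, and proxy limits that stay within what the platform allows. The following is an added example, not MATIH project code, that lints an Ingress manifest for those conventions. The policy ceilings (100m body size, 600 s timeouts) are this example's assumption, borrowed from the data-plane umbrella chart values shown above; the manifest it checks is constructed here from the ai-service Ingress and annotations on this page.

```python
# Added example (not MATIH project code): lint an Ingress manifest for the
# TLS and proxy-annotation conventions described on this page.
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Policy ceilings are this example's assumptions: the data-plane chart's
# "100m" / "600" values are treated as the most any single Ingress may request.
MAX_BODY_SIZE_BYTES = 100 * 1024 * 1024
MAX_TIMEOUT_SECONDS = 600

_SIZE_RE = re.compile(r"^(\d+)([kmg]?)$", re.IGNORECASE)
_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_nginx_size(value):
    """Parse an NGINX size string such as "50m" or "128k" into bytes (1024-based)."""
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad nginx size: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


def lint_ingress(manifest):
    """Return a list of findings; an empty list means the manifest is clean."""
    findings = []
    spec = manifest.get("spec", {}) or {}
    ann = manifest.get("metadata", {}).get("annotations", {}) or {}

    # TLS: every rule host must be covered by a tls entry that names a secret.
    tls_hosts = set()
    for entry in spec.get("tls", []) or []:
        if not entry.get("secretName"):
            findings.append("tls entry without secretName")
        tls_hosts.update(entry.get("hosts", []))
    for rule in spec.get("rules", []) or []:
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"host {host} has no TLS entry (plaintext exposure)")
    if not ({"cert-manager.io/cluster-issuer", "cert-manager.io/issuer"} & set(ann)):
        findings.append("no cert-manager issuer annotation; no certificate will be issued")

    # Proxy annotations: values must parse and stay within the policy ceilings.
    for key, raw in ann.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        name = key[len(ANNOTATION_PREFIX):]
        try:
            if name == "proxy-body-size":
                if parse_nginx_size(raw) > MAX_BODY_SIZE_BYTES:
                    findings.append(f"{name}={raw} exceeds policy ceiling")
            elif name in ("proxy-read-timeout", "proxy-send-timeout"):
                if int(raw) > MAX_TIMEOUT_SECONDS:
                    findings.append(f"{name}={raw} exceeds policy ceiling")
            elif name == "proxy-http-version" and raw not in ("1.0", "1.1"):
                findings.append(f"{name}={raw} is not a valid HTTP version")
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    return findings


# Constructed manifest: the ai-service Ingress from this page with the
# ai-service annotations merged into its metadata.
AI_SERVICE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "ai-service",
        "namespace": "matih-data-plane",
        "annotations": {
            "cert-manager.io/cluster-issuer": "letsencrypt-prod-dns01",
            "nginx.ingress.kubernetes.io/proxy-body-size": "50m",
            "nginx.ingress.kubernetes.io/proxy-read-timeout": "300",
            "nginx.ingress.kubernetes.io/proxy-send-timeout": "300",
            "nginx.ingress.kubernetes.io/proxy-http-version": "1.1",
            "nginx.ingress.kubernetes.io/proxy-buffering": "off",
        },
    },
    "spec": {
        "tls": [{"hosts": ["api.matih.ai"], "secretName": "api-matih-ai-tls"}],
        "rules": [{"host": "api.matih.ai", "http": {"paths": [
            {"path": "/api/v1/ai", "pathType": "Prefix",
             "backend": {"service": {"name": "ai-service", "port": {"number": 8000}}}}]}}],
    },
}

if __name__ == "__main__":
    print(lint_ingress(AI_SERVICE_INGRESS))  # [] for the page's configuration
```

The manifest is held as a Python dict so the example runs without a YAML library; in practice the same function is run over the output of `helm template` after parsing it.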

Per-Tenant Ingress

Each tenant receives a dedicated ingress controller when the tenant tier supports it:

# From infrastructure/helm/ingress-nginx/values-tenant.yaml
controller:
  ingressClassResource:
    name: "nginx-tenant-${TENANT_SLUG}"
    controllerValue: "k8s.io/ingress-nginx-tenant-${TENANT_SLUG}"
  service:
    type: LoadBalancer
  replicaCount: 2

Each tenant then has its own ingress class, controller pods and load balancer endpoint, which provides complete traffic isolation between tenants at the network level.
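The tenant slug flows straight into the IngressClass name and controllerValue, so two things are worth checking when a tenant is onboarded: that the slug produces a valid, non-colliding class name, and that every Ingress the tenant deploys actually names that class (an Ingress that omits ingressClassName, or names the shared class, is served by a different controller and is not covered by the isolation described above). The following is an added example, not MATIH project code: it renders the values-tenant.yaml fragment above for a slug using string.Template, rejects slugs that are not DNS-1123 labels, and checks a tenant Ingress against the expected class. The slug validation rule and the check function are this example's assumptions.

```python
# Added example (not MATIH project code): render the per-tenant ingress-nginx
# values shown on this page for a tenant slug, validating the slug first, and
# check that a tenant's Ingress objects bind to the tenant's own IngressClass.
import re
from string import Template

# Reproduces infrastructure/helm/ingress-nginx/values-tenant.yaml from this
# page; string.Template expands "${TENANT_SLUG}" the same way envsubst would.
VALUES_TENANT_TEMPLATE = Template("""\
controller:
  ingressClassResource:
    name: "nginx-tenant-${TENANT_SLUG}"
    controllerValue: "k8s.io/ingress-nginx-tenant-${TENANT_SLUG}"
  service:
    type: LoadBalancer
  replicaCount: 2
""")

# Assumed rule: a slug must be a DNS-1123 label (lowercase alphanumerics and
# '-', 1-63 chars, no leading/trailing '-'), which keeps "nginx-tenant-<slug>"
# a valid Kubernetes resource name and prevents case-variant collisions.
_SLUG_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def is_valid_tenant_slug(slug):
    return bool(_SLUG_RE.match(slug))


def validate_tenant_slug(slug):
    if not is_valid_tenant_slug(slug):
        raise ValueError(f"tenant slug {slug!r} is not a DNS-1123 label")
    return slug


def ingress_class_for(slug):
    """IngressClass name the tenant controller registers, per values-tenant.yaml."""
    return f"nginx-tenant-{validate_tenant_slug(slug)}"


def render_tenant_values(slug):
    """Return the rendered values-tenant.yaml text for one tenant."""
    return VALUES_TENANT_TEMPLATE.substitute(TENANT_SLUG=validate_tenant_slug(slug))


def check_tenant_ingress(manifest, slug):
    """Findings for an Ingress that should be served only by the tenant's controller."""
    findings = []
    expected = ingress_class_for(slug)
    actual = (manifest.get("spec", {}) or {}).get("ingressClassName")
    if actual is None:
        findings.append("ingressClassName missing: not bound to the tenant controller "
                        "(served by the cluster default class, if one is set)")
    elif actual != expected:
        findings.append(f"ingressClassName {actual!r} != expected {expected!r}")
    return findings


if __name__ == "__main__":
    print(render_tenant_values("acme"))  # "acme" is a constructed sample slug
    print(check_tenant_ingress({"spec": {"ingressClassName": "nginx"}}, "acme"))
```

The same check fits naturally as an admission policy (for example in a validating webhook or policy engine) scoped to the tenant namespace, so that a misbound Ingress is rejected rather than discovered after the fact.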