Ingress Tools
The ingress tools validate and deploy per-tenant ingress configurations, DNS zones, TLS certificates, and routing rules. They ensure that each tenant's ingress is correctly provisioned and accessible.
validate-tenant-ingress.sh
Source: scripts/tools/validate-tenant-ingress.sh
Validates DNS zones, A records, ingress controllers, TLS certificates, and routing for active tenants.
Usage
```bash
# Validate all tenants
./scripts/tools/validate-tenant-ingress.sh

# Validate a specific tenant
./scripts/tools/validate-tenant-ingress.sh --tenant acme

# Verbose output
./scripts/tools/validate-tenant-ingress.sh --verbose
```
Validation Checks
| Check | Description |
|---|---|
| DNS zone exists | Azure DNS zone for {tenant}.matih.ai exists |
| NS delegation | Parent zone has NS records pointing to child zone |
| A records | A record points to tenant LoadBalancer IP |
| Ingress controller | NGINX pod is running in tenant namespace |
| TLS certificate | cert-manager Certificate is Ready |
| Ingress resource | Kubernetes Ingress is configured with correct rules |
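The NS delegation check from the table above, as an added example (not the project's `validate-tenant-ingress.sh`): it compares the name servers the parent zone delegates to with those assigned to the child zone and reports drift in either direction. The function names and the sample name-server values are constructed, and fetching the two lists is left to the caller.

```shell
#!/usr/bin/env bash
# Added example: compare the NS set the parent zone delegates with the NS set
# assigned to the child zone. Function names are hypothetical.

# One name per line, lowercased, trailing dot stripped, sorted, de-duplicated.
normalize_ns() {
  tr -s ' \t' '\n\n' | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# compare_delegation PARENT_NS CHILD_NS
# Returns 0 when the sets match, 1 on drift, 2 when either set is empty.
compare_delegation() {
  local parent child missing stale
  parent=$(printf '%s\n' "$1" | normalize_ns)
  child=$(printf '%s\n' "$2" | normalize_ns)
  if [ -z "$parent" ] || [ -z "$child" ]; then
    echo "FAIL: empty NS set"
    return 2
  fi
  # Child-zone servers the parent does not delegate to.
  missing=$(printf '%s\n' "$child" | grep -Fxv -e "$parent" || true)
  # Servers the parent delegates to that do not serve the child zone.
  stale=$(printf '%s\n' "$parent" | grep -Fxv -e "$child" || true)
  [ -z "$missing" ] || echo "MISSING in parent:" $missing
  [ -z "$stale" ] || echo "STALE in parent:" $stale
  if [ -n "$missing" ] || [ -n "$stale" ]; then return 1; fi
  echo "OK: delegation matches child zone"
}

# Constructed sample data (not real tenant values).
SAMPLE_CHILD="ns1-01.azure-dns.com.
ns2-01.azure-dns.net.
ns3-01.azure-dns.org.
ns4-01.azure-dns.info."
SAMPLE_PARENT_OK="NS1-01.azure-dns.com ns2-01.azure-dns.net ns3-01.azure-dns.org ns4-01.azure-dns.info"
SAMPLE_PARENT_DRIFT="ns1-01.azure-dns.com. ns2-01.azure-dns.net. ns3-09.azure-dns.org. ns4-09.azure-dns.info."

# Assumption: in a live run the child list could come from
#   az network dns zone show --name "$domain" --resource-group "$resource_group" --query nameServers --output tsv
compare_delegation "$SAMPLE_PARENT_DRIFT" "$SAMPLE_CHILD" || echo "delegation drift detected"
```

A stale entry means the parent still delegates to servers that do not host the tenant zone, so it is worth alerting on as well as on missing entries.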
DNS Zone Check
```bash
az network dns zone show \
  --name "$domain" \
  --resource-group "$resource_group" \
  --output json
```
tenant-ingress-deploy.sh
Source: scripts/tools/tenant-ingress-deploy.sh
Deploys the per-tenant ingress stack: NGINX controller, DNS zone, and TLS certificate.
Usage
```bash
./scripts/tools/tenant-ingress-deploy.sh --tenant acme --domain acme.matih.ai
```
Deployment Steps
| Step | Description |
|---|---|
| 1. Deploy NGINX | Helm install NGINX ingress controller in tenant namespace |
| 2. Wait for IP | Wait for LoadBalancer to receive an external IP |
| 3. Create DNS zone | Create Azure DNS child zone with NS delegation |
| 4. Create A records | Point A records to LoadBalancer IP |
| 5. Create Certificate | cert-manager Certificate with DNS01 challenge |
| 6. Create Ingress | Kubernetes Ingress with TLS termination |
Dev vs Production
| Aspect | Dev | Production |
|---|---|---|
| Domain | nip.io or custom dev domain | {tenant}.matih.ai |
| TLS issuer | letsencrypt-staging-dns01 | letsencrypt-prod-dns01 |
| Dedicated NGINX | Disabled by default | Enabled per tenant |
| DNS zones | Disabled by default | Child zone per tenant |
Libraries Used
| Library | Purpose |
|---|---|
| core/logging.sh | Unified logging |
| core/utils.sh | Utility functions |
Related Pages
- Stage 06: Ingress -- Platform ingress deployment
- DNS and Ingress Architecture -- Architecture overview
- Platform Status -- Cluster diagnostics