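# BZZZ SLURP Ingress Configuration
#
# Documents in this file, in order:
#   1. Ingress "slurp-ingress"          - public HTTPS entry point (class nginx)
#   2. Ingress "slurp-internal-ingress" - plain-HTTP entry point (class nginx-internal)
#   3. ConfigMap "tcp-services"         - raw TCP port mapping for the DHT P2P port
#   4. Certificate "slurp-tls-cert"     - cert-manager certificate for the public hosts
#   5. NetworkPolicy "slurp-ingress-policy" - pod-level ingress restrictions
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: slurp-ingress
  namespace: bzzz-slurp
  labels:
    app.kubernetes.io/name: bzzz-slurp
    app.kubernetes.io/component: ingress
  annotations:
    # NOTE(review): this annotation is deprecated in favour of
    # spec.ingressClassName; kept so class selection is unchanged.
    kubernetes.io/ingress.class: "nginx"
    # NOTE(review): this annotation and the Certificate document below both
    # target the secret "slurp-tls-cert". Presumably only one of the two
    # should manage it - confirm which and drop the other.
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"

    # Rate limiting
    # The keys previously used here (rate-limit-requests-per-second,
    # rate-limit-window-size) are not ingress-nginx annotations, so no request
    # rate limit was being enforced. limit-rps is the per-client-IP
    # requests-per-second limit; use limit-rpm instead if a per-minute budget
    # was intended.
    nginx.ingress.kubernetes.io/limit-rps: "100"

    # Connection limits (concurrent connections per client IP)
    nginx.ingress.kubernetes.io/limit-connections: "20"

    # Request size limits
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"

    # Timeouts (seconds)
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"

    # CORS - restricted to the two listed origins
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://admin.bzzz.local, https://dashboard.bzzz.local"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"

    # Security headers
    # NOTE(review): snippet annotations are only honoured when the controller
    # is configured with allow-snippet-annotations enabled; where it is not,
    # none of these headers are sent. Verify on the target controller.
    # NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval', which
    # removes most of the script-injection protection the CSP would otherwise
    # give; tighten once the front end no longer needs them.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-XSS-Protection: 1; mode=block";
      more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
      more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";

    # Load balancing
    # NOTE(review): hashing on $remote_addr and round_robin are two different
    # balancing strategies; presumably only one takes effect - confirm which
    # is intended.
    nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr"
    nginx.ingress.kubernetes.io/load-balance: "round_robin"

    # Health checks
    # NOTE(review): these two keys do not appear to be ingress-nginx
    # annotations and are probably ignored - verify against the controller's
    # annotation reference.
    nginx.ingress.kubernetes.io/health-check-path: "/health"
    nginx.ingress.kubernetes.io/health-check-timeout: "10s"

    # Monitoring
    nginx.ingress.kubernetes.io/enable-access-log: "true"
    nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
spec:
  tls:
    # NOTE(review): if "letsencrypt-prod" is a public ACME issuer, as its name
    # suggests, it cannot validate .local hostnames and issuance will fail;
    # an internal CA issuer would be needed for these names.
    - hosts:
        - api.slurp.bzzz.local
        - coordinator.slurp.bzzz.local
        - distributor.slurp.bzzz.local
        - monitoring.slurp.bzzz.local
      secretName: slurp-tls-cert
  rules:
    # Main API Gateway
    - host: api.slurp.bzzz.local
      http:
        paths:
          - path: /coordinator
            pathType: Prefix
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 8080
          - path: /distributor
            pathType: Prefix
            backend:
              service:
                name: slurp-distributor
                port:
                  number: 8080
          - path: /health
            pathType: Exact
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 8080
          # NOTE(review): this publishes the coordinator's port 9090 on the
          # public host with no authentication annotation on this Ingress.
          # The internal Ingress below already serves /metrics; consider
          # removing this path or putting it behind authentication.
          - path: /metrics
            pathType: Exact
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 9090

    # Coordinator Service
    - host: coordinator.slurp.bzzz.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 8080

    # Distributor Service (read-only access)
    # NOTE(review): nothing in this Ingress enforces read-only access; all
    # paths and methods are forwarded. Any such restriction has to live in
    # the distributor service itself.
    - host: distributor.slurp.bzzz.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: slurp-distributor
                port:
                  number: 8080

    # Monitoring Dashboard (served by the coordinator service on 8080)
    - host: monitoring.slurp.bzzz.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 8080
---
# Internal Ingress for cluster communication
# Plain HTTP (no tls section, ssl-redirect off); access is limited by source
# address only.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: slurp-internal-ingress
  namespace: bzzz-slurp
  labels:
    app.kubernetes.io/name: bzzz-slurp
    app.kubernetes.io/component: internal-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx-internal"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"

    # Internal network only
    # NOTE(review): this admits the whole RFC 1918 space rather than the
    # cluster's own CIDRs, and it only works as intended if the controller
    # sees the real client address (not a load balancer or node address).
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

    # Higher limits for internal communication
    # limit-rps replaces rate-limit-requests-per-second, which is not an
    # ingress-nginx annotation and was therefore not enforced.
    nginx.ingress.kubernetes.io/limit-rps: "1000"
    nginx.ingress.kubernetes.io/limit-connections: "100"
    nginx.ingress.kubernetes.io/proxy-body-size: "1g"

    # Optimized for internal communication
    # NOTE(review): the documented annotation for the buffer count is
    # proxy-buffers-number; verify that "proxy-buffers" is honoured.
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    nginx.ingress.kubernetes.io/proxy-buffers: "4 256k"
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "256k"
spec:
  rules:
    # Internal API for service-to-service communication
    - host: internal.slurp.bzzz.local
      http:
        paths:
          - path: /api/v1/coordinator
            pathType: Prefix
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 8080
          - path: /api/v1/distributor
            pathType: Prefix
            backend:
              service:
                name: slurp-distributor
                port:
                  number: 8080
          - path: /metrics
            pathType: Prefix
            backend:
              service:
                name: slurp-coordinator
                port:
                  number: 9090
---
# TCP Ingress for DHT P2P Communication (if using TCP ingress controller)
# Traffic on this port is proxied as raw TCP, so none of the Ingress
# annotations above (rate limits, source allowlist, TLS redirect) apply to it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
data:
  # Map external port to internal service.
  # The key is quoted so it is a string, as ConfigMap data keys must be,
  # rather than a YAML integer.
  "11434": "bzzz-slurp/slurp-distributor-p2p:11434"
---
# Certificate for TLS
# Writes to the same secret the public Ingress references in spec.tls.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: slurp-tls-cert
  namespace: bzzz-slurp
  labels:
    app.kubernetes.io/name: bzzz-slurp
    app.kubernetes.io/component: certificate
spec:
  secretName: slurp-tls-cert
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: api.slurp.bzzz.local
  dnsNames:
    - api.slurp.bzzz.local
    - coordinator.slurp.bzzz.local
    - distributor.slurp.bzzz.local
    - monitoring.slurp.bzzz.local
---
# Network Policy for Ingress
# Applies to pods labelled app.kubernetes.io/part-of=bzzz-slurp.
# NOTE(review): the resources in this file carry app.kubernetes.io/name, not
# part-of; confirm the workload pods actually have the part-of label,
# otherwise this policy selects nothing.
# NOTE(review): the namespace selectors match a "name" label that has to be
# applied to each namespace by hand, and anyone able to label a namespace can
# satisfy it. Recent Kubernetes versions set kubernetes.io/metadata.name on
# every namespace automatically; matching on that is harder to spoof.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: slurp-ingress-policy
  namespace: bzzz-slurp
  labels:
    app.kubernetes.io/name: bzzz-slurp
    app.kubernetes.io/component: network-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/part-of: bzzz-slurp
  policyTypes:
    - Ingress
  ingress:
    # Allow ingress controller (no ports listed, so every port is allowed)
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
    # Allow monitoring namespace (no ports listed, so every port is allowed)
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
    # Allow same namespace, limited to the three service ports
    - from:
        - namespaceSelector:
            matchLabels:
              name: bzzz-slurp
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 9090
        - protocol: TCP
          port: 11434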