- eveai_app adapted to handle removal of complex rewrite rules in nginx.conf, which cannot be achieved in Ingress

2025-09-06 16:53:51 +02:00
parent b812aedb81
commit 5c20e6c1f9
28 changed files with 341 additions and 336 deletions
--- a/scaleway/manifests/base/networking/README-ROUTING.md
+++ b/scaleway/manifests/base/networking/README-ROUTING.md
@@ -0,0 +1,23 @@
+Routing alignment notes (staging/prod)
+
+Summary
+- Root (/) issues a 301 redirect to /admin/ via server-snippet on the apps ingress.
+- Prefixes /admin, /api, /chat-client are stripped at the edge and forwarded to their backends on /. The applications do not need to be prefix-aware.
+- /verify remains available (Prefix) without any rewrite in a separate Ingress.
+- No CORS annotations at ingress. Static assets are served by Bunny CDN; API CORS is not handled here.
+- /flower is intentionally NOT exposed on k8s.
+
+Files
+- ingress-https.yaml: NGINX Ingress (apps) with regex paths and rewrite-target to strip prefixes; includes server-snippet to 301 redirect root to /admin/.
+- ingress-verify.yaml: Separate Ingress for /verify without regex/rewrite.
+
+Paths behavior
+- / -> 301 /admin/
+- /admin/<...> -> eveai-app-service:80, backend receives /<...>
+- /api/<...> -> eveai-api-service:80, backend receives /<...>
+- /chat-client/<...> -> eveai-chat-client-service:80, backend receives /<...>
+- /verify[/**] -> verify-service:80, path preserved.
+
+Notes
+- The rewrite-target is global per Ingress. To avoid affecting /verify, we split it into its own Ingress. Keep this structure when adding/removing services.
+- If you need temporary legacy redirects (e.g., /client -> /chat-client), add an additional Ingress with nginx.ingress.kubernetes.io/permanent-redirect and regex matching, or handle it at the app/CDN layer.
--- a/scaleway/manifests/base/networking/ingress-https.yaml
+++ b/scaleway/manifests/base/networking/ingress-https.yaml
@@ -14,6 +14,12 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    cert-manager.io/cluster-issuer: letsencrypt-staging
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location = / {
+        return 301 /admin/;
+      }
 spec:
  ingressClassName: nginx
  tls:
@@ -24,54 +30,28 @@ spec:
  - host: evie-staging.askeveai.com
    http:
      paths:
-      # Verification service paths
-      - path: /verify
-        pathType: Prefix
-        backend:
-          service:
-            name: verify-service
-            port:
-              number: 80
-      
-      # Application services
-      - path: /admin
-        pathType: Prefix
+      # Application services (strip prefix)
+      - path: /admin(/|$)(.*)
+        pathType: ImplementationSpecific
        backend:
          service:
            name: eveai-app-service
            port:
              number: 80
      
-      - path: /api
-        pathType: Prefix
+      - path: /api(/|$)(.*)
+        pathType: ImplementationSpecific
        backend:
          service:
            name: eveai-api-service
            port:
              number: 80
      
-      - path: /client
-        pathType: Prefix
+      - path: /chat-client(/|$)(.*)
+        pathType: ImplementationSpecific
        backend:
          service:
            name: eveai-chat-client-service
            port:
              number: 80
-      
-      # Monitoring (when deployed)
-      # - path: /monitoring
-      #   pathType: Prefix
-      #   backend:
-      #     service:
-      #       name: monitoring-grafana
-      #       port:
-      #         number: 80
-      
-      # Default: root path to verification service
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: verify-service
-            port:
-              number: 80
+      
--- a/scaleway/manifests/base/networking/ingress-verify.yaml
+++ b/scaleway/manifests/base/networking/ingress-verify.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: eveai-staging-ingress-verify
+  namespace: eveai-staging
+  labels:
+    app: eveai
+    environment: staging
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - evie-staging.askeveai.com
+    secretName: evie-staging-tls
+  rules:
+  - host: evie-staging.askeveai.com
+    http:
+      paths:
+      - path: /verify
+        pathType: Prefix
+        backend:
+          service:
+            name: verify-service
+            port:
+              number: 80