improvement(helm): add internal ingress support and same-host path consolidation

waleedlatif1 · waleedlatif1 · commit 13d28e72c889 · 2026-01-23T18:13:41.000-08:00
diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml
@@ -173,28 +173,62 @@ ollama:
     OLLAMA_DEBUG: "1"
 
 # Ingress configuration (NGINX ingress controller on Azure AKS)
+# Option 1: Separate subdomains (default)
 ingress:
   enabled: true
   className: nginx
-  
+
   annotations:
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-  
+
   # Main application
   app:
     host: simstudio.acme.com
     paths:
       - path: /
         pathType: Prefix
-  
-  # Realtime service
+
+  # Realtime service (separate subdomain)
+  # For same-domain setup, use host: simstudio.acme.com with path: /socket.io
   realtime:
     host: simstudio-ws.acme.com
     paths:
       - path: /
         pathType: Prefix
-  
+
   # TLS configuration
   tls:
     enabled: true
-    secretName: simstudio-tls-secret
+    secretName: simstudio-tls-secret
+
+# Internal Ingress configuration (for private access via internal load balancer)
+# Use this when you need access from within your VNet without going through the public internet
+# Supports Azure Application Gateway with private IP or NGINX with internal load balancer
+ingressInternal:
+  enabled: false  # Set to true to enable internal ingress
+  className: azure-application-gateway  # or nginx for internal NGINX
+
+  annotations:
+    # For Azure Application Gateway with private IP:
+    appgw.ingress.kubernetes.io/use-private-ip: "true"
+    # For NGINX with internal Azure Load Balancer:
+    # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+
+  # Main application (internal hostname)
+  app:
+    host: simstudio-internal.acme.local
+    paths:
+      - path: /
+        pathType: Prefix
+
+  # Realtime service (same host with /socket.io path for consolidated routing)
+  realtime:
+    host: simstudio-internal.acme.local
+    paths:
+      - path: /socket.io
+        pathType: Prefix
+
+  # TLS configuration (use internal CA cert if needed)
+  tls:
+    enabled: true
+    secretName: simstudio-internal-tls-secret
diff --git a/helm/sim/templates/ingress-internal.yaml b/helm/sim/templates/ingress-internal.yaml
@@ -0,0 +1,104 @@
+{{- if .Values.ingressInternal.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "sim.fullname" . }}-ingress-internal
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "sim.labels" . | nindent 4 }}
+  {{- with .Values.ingressInternal.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingressInternal.className }}
+  ingressClassName: {{ .Values.ingressInternal.className }}
+  {{- end }}
+  {{- if .Values.ingressInternal.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingressInternal.app.host | quote }}
+        {{- /* Add Realtime host only if enabled and unique */ -}}
+        {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }}
+        - {{ .Values.ingressInternal.realtime.host | quote }}
+        {{- end }}
+        {{- /* Add Copilot host only if enabled, exists, and unique from both App and Realtime */ -}}
+        {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot }}
+          {{- if and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host) }}
+        - {{ .Values.ingressInternal.copilot.host | quote }}
+          {{- end }}
+        {{- end }}
+      secretName: {{ .Values.ingressInternal.tls.secretName }}
+  {{- end }}
+  rules:
+    # --- Main Rule: App (plus consolidated Realtime/Copilot if hosts match) ---
+    - host: {{ .Values.ingressInternal.app.host | quote }}
+      http:
+        paths:
+          {{- /* Consolidate Realtime paths here if host matches App */ -}}
+          {{- if and .Values.realtime.enabled (eq .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }}
+          {{- range .Values.ingressInternal.realtime.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-realtime
+                port:
+                  number: {{ $.Values.realtime.service.port }}
+          {{- end }}
+          {{- end }}
+          {{- /* Consolidate Copilot paths here if host matches App */ -}}
+          {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (eq .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) }}
+          {{- range .Values.ingressInternal.copilot.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-copilot
+                port:
+                  number: {{ $.Values.copilot.server.service.port }}
+          {{- end }}
+          {{- end }}
+          {{- /* App paths are always included in this first rule */ -}}
+          {{- range .Values.ingressInternal.app.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-app
+                port:
+                  number: {{ $.Values.app.service.port }}
+          {{- end }}
+
+    # --- Realtime Rule (Only if host is unique) ---
+    {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }}
+    - host: {{ .Values.ingressInternal.realtime.host | quote }}
+      http:
+        paths:
+          {{- range .Values.ingressInternal.realtime.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-realtime
+                port:
+                  number: {{ $.Values.realtime.service.port }}
+          {{- end }}
+    {{- end }}
+
+    # --- Copilot Rule (Only if host is unique from both App and Realtime) ---
+    {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host)) }}
+    - host: {{ .Values.ingressInternal.copilot.host | quote }}
+      http:
+        paths:
+          {{- range .Values.ingressInternal.copilot.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-copilot
+                port:
+                  number: {{ $.Values.copilot.server.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/helm/sim/templates/ingress.yaml b/helm/sim/templates/ingress.yaml
@@ -17,20 +17,49 @@ spec:
   {{- if .Values.ingress.tls.enabled }}
   tls:
     - hosts:
-        - {{ .Values.ingress.app.host }}
-        {{- if .Values.realtime.enabled }}
-        - {{ .Values.ingress.realtime.host }}
+        - {{ .Values.ingress.app.host | quote }}
+        {{- /* Add Realtime host only if enabled and unique */ -}}
+        {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }}
+        - {{ .Values.ingress.realtime.host | quote }}
         {{- end }}
+        {{- /* Add Copilot host only if enabled, exists, and unique from both App and Realtime */ -}}
         {{- if and .Values.copilot.enabled .Values.ingress.copilot }}
-        - {{ .Values.ingress.copilot.host }}
+          {{- if and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host) }}
+        - {{ .Values.ingress.copilot.host | quote }}
+          {{- end }}
         {{- end }}
       secretName: {{ .Values.ingress.tls.secretName }}
   {{- end }}
   rules:
-    # Main application ingress rule
-    - host: {{ .Values.ingress.app.host }}
+    # --- Main Rule: App (plus consolidated Realtime/Copilot if hosts match) ---
+    - host: {{ .Values.ingress.app.host | quote }}
       http:
         paths:
+          {{- /* Consolidate Realtime paths here if host matches App */ -}}
+          {{- if and .Values.realtime.enabled (eq .Values.ingress.realtime.host .Values.ingress.app.host) }}
+          {{- range .Values.ingress.realtime.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-realtime
+                port:
+                  number: {{ $.Values.realtime.service.port }}
+          {{- end }}
+          {{- end }}
+          {{- /* Consolidate Copilot paths here if host matches App */ -}}
+          {{- if and .Values.copilot.enabled .Values.ingress.copilot (eq .Values.ingress.copilot.host .Values.ingress.app.host) }}
+          {{- range .Values.ingress.copilot.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "sim.fullname" $ }}-copilot
+                port:
+                  number: {{ $.Values.copilot.server.service.port }}
+          {{- end }}
+          {{- end }}
+          {{- /* App paths are always included in this first rule */ -}}
           {{- range .Values.ingress.app.paths }}
           - path: {{ .path }}
             pathType: {{ .pathType }}
@@ -40,9 +69,10 @@ spec:
                 port:
                   number: {{ $.Values.app.service.port }}
           {{- end }}
-    {{- if .Values.realtime.enabled }}
-    # Realtime service ingress rule
-    - host: {{ .Values.ingress.realtime.host }}
+
+    # --- Realtime Rule (Only if host is unique) ---
+    {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }}
+    - host: {{ .Values.ingress.realtime.host | quote }}
       http:
         paths:
           {{- range .Values.ingress.realtime.paths }}
@@ -55,9 +85,10 @@ spec:
                   number: {{ $.Values.realtime.service.port }}
           {{- end }}
     {{- end }}
-    {{- if and .Values.copilot.enabled .Values.ingress.copilot }}
-    # Copilot service ingress rule
-    - host: {{ .Values.ingress.copilot.host }}
+
+    # --- Copilot Rule (Only if host is unique from both App and Realtime) ---
+    {{- if and .Values.copilot.enabled .Values.ingress.copilot (and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host)) }}
+    - host: {{ .Values.ingress.copilot.host | quote }}
       http:
         paths:
           {{- range .Values.ingress.copilot.paths }}
@@ -70,4 +101,4 @@ spec:
                   number: {{ $.Values.copilot.server.service.port }}
           {{- end }}
     {{- end }}
-{{- end }}
+{{- end }}
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -582,6 +582,54 @@ ingress:
     enabled: false
     secretName: sim-tls-secret
 
+# Internal Ingress configuration (for private/internal access)
+# Use this when you need a separate ingress for internal traffic
+# (e.g., internal load balancer with private IP)
+ingressInternal:
+  # Enable/disable internal ingress
+  enabled: false
+
+  # Ingress class name (e.g., nginx-internal, azure-application-gateway-internal)
+  className: nginx
+
+  # Annotations (typically includes internal load balancer annotations)
+  # Example for Azure:
+  #   kubernetes.io/ingress.class: azure/application-gateway
+  #   appgw.ingress.kubernetes.io/use-private-ip: "true"
+  # Example for AWS:
+  #   alb.ingress.kubernetes.io/scheme: internal
+  # Example for GCP:
+  #   kubernetes.io/ingress.class: "gce-internal"
+  annotations: {}
+
+  # Main application host configuration
+  app:
+    host: sim-internal.local
+    paths:
+      - path: /
+        pathType: Prefix
+
+  # Realtime service host configuration
+  # Set to same host as app.host to consolidate paths under one rule
+  # Use /socket.io path when sharing the same host
+  realtime:
+    host: sim-internal.local
+    paths:
+      - path: /socket.io
+        pathType: Prefix
+
+  # Copilot service host configuration (optional)
+  # copilot:
+  #   host: sim-internal.local
+  #   paths:
+  #     - path: /copilot
+  #       pathType: Prefix
+
+  # TLS configuration
+  tls:
+    enabled: false
+    secretName: sim-internal-tls-secret
+
 # Service Account configuration
 serviceAccount:
   # Specifies whether a service account should be created
