From 13d28e72c8899889e2226447e60c4d484f7f0e5f Mon Sep 17 00:00:00 2001
From: Waleed Latif
Date: Fri, 23 Jan 2026 18:13:41 -0800
Subject: [PATCH 1/4] improvement(helm): add internal ingress support and same-host path consolidation
---
helm/sim/examples/values-azure.yaml | 46 ++++++++--
helm/sim/templates/ingress-internal.yaml | 104 +++++++++++++++++++++++
helm/sim/templates/ingress.yaml | 57 ++++++++++---
helm/sim/values.yaml | 48 +++++++++++
4 files changed, 236 insertions(+), 19 deletions(-)
create mode 100644 helm/sim/templates/ingress-internal.yaml
diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml
index 1bf8e4f0f2..ce7e912abc 100644
--- a/helm/sim/examples/values-azure.yaml
+++ b/helm/sim/examples/values-azure.yaml
@@ -173,28 +173,62 @@ ollama: OLLAMA_DEBUG: "1" # Ingress configuration (NGINX ingress controller on Azure AKS) +# Option 1: Separate subdomains (default) ingress: enabled: true className: nginx - + annotations: nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - + # Main application app: host: simstudio.acme.com paths: - path: / pathType: Prefix - - # Realtime service + + # Realtime service (separate subdomain) + # For same-domain setup, use host: simstudio.acme.com with path: /socket.io realtime: host: simstudio-ws.acme.com paths: - path: / pathType: Prefix - + # TLS configuration tls: enabled: true - secretName: simstudio-tls-secret \ No newline at end of file + secretName: simstudio-tls-secret + +# Internal Ingress configuration (for private access via internal load balancer) +# Use this when you need access from within your VNet without going through the public internet +# Supports Azure Application Gateway with private IP or NGINX with internal load balancer +ingressInternal: + enabled: false # Set to true to enable internal ingress + className: azure-application-gateway # or nginx for internal NGINX + + annotations: + # For Azure Application Gateway with private IP: + appgw.ingress.kubernetes.io/use-private-ip: "true" + # For NGINX with internal Azure Load Balancer: + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + + # Main application (internal hostname) + app: + host: simstudio-internal.acme.local + paths: + - path: / + pathType: Prefix + + # Realtime service (same host with /socket.io path for consolidated routing) + realtime: + host: simstudio-internal.acme.local + paths: + - path: /socket.io + pathType: Prefix + + # TLS configuration (use internal CA cert if needed) + tls: + enabled: true + secretName: simstudio-internal-tls-secret \ No newline at end of file diff --git a/helm/sim/templates/ingress-internal.yaml b/helm/sim/templates/ingress-internal.yaml new file mode 100644 index 0000000000..2f662f0d5f --- /dev/null 
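Review bot: The commented-out NGINX alternative under `ingressInternal.annotations` would not make this Ingress private, because `service.beta.kubernetes.io/azure-load-balancer-internal` is read from a Service of type LoadBalancer, not from an Ingress object. A user who uncomments it and switches `className` to `nginx` ends up with the internal hostname served by the same NGINX controller as the public `ingress` block above. I would reword the hint to `# For NGINX: run a second controller whose Service carries azure-load-balancer-internal, and set className to that controller's class`.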
+++ b/helm/sim/templates/ingress-internal.yaml 
@@ -0,0 +1,104 @@ +{{- if .Values.ingressInternal.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "sim.fullname" . }}-ingress-internal + namespace: {{ .Release.Namespace }} + labels: + {{- include "sim.labels" . | nindent 4 }} + {{- with .Values.ingressInternal.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingressInternal.className }} + ingressClassName: {{ .Values.ingressInternal.className }} + {{- end }} + {{- if .Values.ingressInternal.tls.enabled }} + tls: + - hosts: + - {{ .Values.ingressInternal.app.host | quote }} + {{- /* Add Realtime host only if enabled and unique */ -}} + {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} + - {{ .Values.ingressInternal.realtime.host | quote }} + {{- end }} + {{- /* Add Copilot host only if enabled, exists, and unique from both App and Realtime */ -}} + {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot }} + {{- if and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host) }} + - {{ .Values.ingressInternal.copilot.host | quote }} + {{- end }} + {{- end }} + secretName: {{ .Values.ingressInternal.tls.secretName }} + {{- end }} + rules: + # --- Main Rule: App (plus consolidated Realtime/Copilot if hosts match) --- + - host: {{ .Values.ingressInternal.app.host | quote }} + http: + paths: + {{- /* Consolidate Realtime paths here if host matches App */ -}} + {{- if and .Values.realtime.enabled (eq .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} + {{- range .Values.ingressInternal.realtime.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-realtime + port: + number: {{ $.Values.realtime.service.port }} + {{- end }} + {{- end }} + {{- /* Consolidate Copilot paths 
here if host matches App */ -}} + {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (eq .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) }} + {{- range .Values.ingressInternal.copilot.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-copilot + port: + number: {{ $.Values.copilot.server.service.port }} + {{- end }} + {{- end }} + {{- /* App paths are always included in this first rule */ -}} + {{- range .Values.ingressInternal.app.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-app + port: + number: {{ $.Values.app.service.port }} + {{- end }} + + # --- Realtime Rule (Only if host is unique) --- + {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} + - host: {{ .Values.ingressInternal.realtime.host | quote }} + http: + paths: + {{- range .Values.ingressInternal.realtime.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-realtime + port: + number: {{ $.Values.realtime.service.port }} + {{- end }} + {{- end }} + + # --- Copilot Rule (Only if host is unique from both App and Realtime) --- + {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host)) }} + - host: {{ .Values.ingressInternal.copilot.host | quote }} + http: + paths: + {{- range .Values.ingressInternal.copilot.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-copilot + port: + number: {{ $.Values.copilot.server.service.port }} + {{- end }} + {{- end }} +{{- end }} 
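Review bot: In the rules section, both copilot conditions test `.Values.ingressInternal.copilot` and dereference `.Values.ingressInternal.copilot.host` inside the same `and`, while the tls block above nests the host comparison in an inner `if`. text/template stops evaluating `and` arguments at the first false one only since Go 1.18, so a Helm binary built with an older toolchain would presumably fail with a nil-pointer error whenever the `copilot` block is left commented out, as it is in values.yaml. Nesting as the tls block does removes that dependency: `{{- if and .Values.copilot.enabled .Values.ingressInternal.copilot }}` wrapping `{{- if eq .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host }}`. The hunks of helm/sim/templates/ingress.yaml repeat both conditions with `.Values.ingress`.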
diff --git a/helm/sim/templates/ingress.yaml b/helm/sim/templates/ingress.yaml
index 7981141224..2a4bfcc5fd 100644
--- a/helm/sim/templates/ingress.yaml
+++ b/helm/sim/templates/ingress.yaml
@@ -17,20 +17,49 @@ spec: {{- if .Values.ingress.tls.enabled }} tls: - hosts: - - {{ .Values.ingress.app.host }} - {{- if .Values.realtime.enabled }} - - {{ .Values.ingress.realtime.host }} + - {{ .Values.ingress.app.host | quote }} + {{- /* Add Realtime host only if enabled and unique */ -}} + {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }} + - {{ .Values.ingress.realtime.host | quote }} {{- end }} + {{- /* Add Copilot host only if enabled, exists, and unique from both App and Realtime */ -}} {{- if and .Values.copilot.enabled .Values.ingress.copilot }} - - {{ .Values.ingress.copilot.host }} + {{- if and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host) }} + - {{ .Values.ingress.copilot.host | quote }} + {{- end }} {{- end }} secretName: {{ .Values.ingress.tls.secretName }} {{- end }} rules: - # Main application ingress rule - - host: {{ .Values.ingress.app.host }} + # --- Main Rule: App (plus consolidated Realtime/Copilot if hosts match) --- + - host: {{ .Values.ingress.app.host | quote }} http: paths: + {{- /* Consolidate Realtime paths here if host matches App */ -}} + {{- if and .Values.realtime.enabled (eq .Values.ingress.realtime.host .Values.ingress.app.host) }} + {{- range .Values.ingress.realtime.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-realtime + port: + number: {{ $.Values.realtime.service.port }} + {{- end }} + {{- end }} + {{- /* Consolidate Copilot paths here if host matches App */ -}} + {{- if and .Values.copilot.enabled .Values.ingress.copilot (eq .Values.ingress.copilot.host .Values.ingress.app.host) }} + {{- range .Values.ingress.copilot.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-copilot + port: + number: {{ $.Values.copilot.server.service.port }} + {{- end }} + {{- end 
}} + {{- /* App paths are always included in this first rule */ -}} {{- range .Values.ingress.app.paths }} - path: {{ .path }} pathType: {{ .pathType }} @@ -40,9 +69,10 @@ spec: port: number: {{ $.Values.app.service.port }} {{- end }} - {{- if .Values.realtime.enabled }} - # Realtime service ingress rule - - host: {{ .Values.ingress.realtime.host }} + + # --- Realtime Rule (Only if host is unique) --- + {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }} + - host: {{ .Values.ingress.realtime.host | quote }} http: paths: {{- range .Values.ingress.realtime.paths }} @@ -55,9 +85,10 @@ spec: number: {{ $.Values.realtime.service.port }} {{- end }} {{- end }} - {{- if and .Values.copilot.enabled .Values.ingress.copilot }} - # Copilot service ingress rule - - host: {{ .Values.ingress.copilot.host }} + + # --- Copilot Rule (Only if host is unique from both App and Realtime) --- + {{- if and .Values.copilot.enabled .Values.ingress.copilot (and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host)) }} + - host: {{ .Values.ingress.copilot.host | quote }} http: paths: {{- range .Values.ingress.copilot.paths }} @@ -70,4 +101,4 @@ spec: number: {{ $.Values.copilot.server.service.port }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 92db160dfa..9140678e29 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml 
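Review bot: Nothing stops the consolidated first rule from emitting the same path twice: with `ingress.realtime.host` set to the app host and the realtime path left at the chart's `/` Prefix, the rule lists `/` for the `-realtime` backend and again for `-app`. Which backend then receives the traffic is up to the ingress controller, so requests could reach the wrong service without any render-time warning. A guard placed ahead of `rules:` that fails the render on a collision would make the misconfiguration visible. The same check would apply to helm/sim/templates/ingress-internal.yaml with `.Values.ingressInternal`.

```yaml
{{- /* … unchanged: metadata and tls block … */ -}}
{{- if and .Values.realtime.enabled (eq .Values.ingress.realtime.host .Values.ingress.app.host) }}
{{- range $rt := .Values.ingress.realtime.paths }}
{{- range $app := $.Values.ingress.app.paths }}
{{- if eq $rt.path $app.path }}
{{- fail (printf "ingress.realtime path %q collides with an ingress.app path on the shared host" $rt.path) }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
  rules:
{{- /* … unchanged: app, realtime and copilot rules … */ -}}
```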
@@ -582,6 +582,54 @@ ingress: enabled: false secretName: sim-tls-secret +# Internal Ingress configuration (for private/internal access) +# Use this when you need a separate ingress for internal traffic +# (e.g., internal load balancer with private IP) +ingressInternal: + # Enable/disable internal ingress + enabled: false + + # Ingress class name (e.g., nginx-internal, azure-application-gateway-internal) + className: nginx + + # Annotations (typically includes internal load balancer annotations) + # Example for Azure: + # kubernetes.io/ingress.class: azure/application-gateway + # appgw.ingress.kubernetes.io/use-private-ip: "true" + # Example for AWS: + # alb.ingress.kubernetes.io/scheme: internal + # Example for GCP: + # kubernetes.io/ingress.class: "gce-internal" + annotations: {} + + # Main application host configuration + app: + host: sim-internal.local + paths: + - path: / + pathType: Prefix + + # Realtime service host configuration + # Set to same host as app.host to consolidate paths under one rule + # Use /socket.io path when sharing the same host + realtime: + host: sim-internal.local + paths: + - path: /socket.io + pathType: Prefix + + # Copilot service host configuration (optional) + # copilot: + # host: sim-internal.local + # paths: + # - path: /copilot + # pathType: Prefix + + # TLS configuration + tls: + enabled: false + secretName: sim-internal-tls-secret + # Service Account configuration serviceAccount: # Specifies whether a service account should be created From b96078b161fc7b3eff5a02c6d427fc0271ab4abc Mon Sep 17 00:00:00 2001 
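Review bot: `ingressInternal.className` defaults to `nginx`, the same class the public `ingress` block uses, and `annotations` defaults to `{}`, so setting `enabled: true` alone renders a second Ingress that is presumably picked up by the public controller. The internal hostnames and paths would then be reachable through the public load balancer while the values file calls them internal. I would ship `className: ""` and have the template insist on an explicit value, `ingressClassName: {{ required "ingressInternal.className must name an internal-only ingress class" .Values.ingressInternal.className }}`. Patch 2/4 also drops the annotation examples from this block, which are the only hint that extra controller configuration is needed.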
From: Waleed Latif Date: Fri, 23 Jan 2026 18:21:09 -0800 Subject: [PATCH 2/4] improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 --- helm/sim/examples/values-azure.yaml | 23 ++++++++--------------- helm/sim/templates/ingress-internal.yaml | 11 +++-------- helm/sim/templates/ingress.yaml | 11 +++-------- helm/sim/values.yaml | 24 ++++-------------------- 4 files changed, 18 insertions(+), 51 deletions(-) diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml index ce7e912abc..982605fa7b 100644 --- a/helm/sim/examples/values-azure.yaml +++ b/helm/sim/examples/values-azure.yaml @@ -172,8 +172,7 @@ ollama: OLLAMA_KEEP_ALIVE: "-1" OLLAMA_DEBUG: "1" -# Ingress configuration (NGINX ingress controller on Azure AKS) -# Option 1: Separate subdomains (default) +# Ingress configuration ingress: enabled: true className: nginx @@ -188,8 +187,7 @@ ingress: - path: / pathType: Prefix - # Realtime service (separate subdomain) - # For same-domain setup, use host: simstudio.acme.com with path: /socket.io + # Realtime service realtime: host: simstudio-ws.acme.com paths: 
@@ -201,34 +199,29 @@ ingress: enabled: true secretName: simstudio-tls-secret -# Internal Ingress configuration (for private access via internal load balancer) -# Use this when you need access from within your VNet without going through the public internet -# Supports Azure Application Gateway with private IP or NGINX with internal load balancer +# Internal Ingress configuration ingressInternal: - enabled: false # Set to true to enable internal ingress - className: azure-application-gateway # or nginx for internal NGINX + enabled: false + className: azure-application-gateway annotations: - # For Azure Application Gateway with private IP: appgw.ingress.kubernetes.io/use-private-ip: "true" - # For NGINX with internal Azure Load Balancer: - # service.beta.kubernetes.io/azure-load-balancer-internal: "true" - # Main application (internal hostname) + # Main application app: host: simstudio-internal.acme.local paths: - path: / pathType: Prefix - # Realtime service (same host with /socket.io path for consolidated routing) + # Realtime service realtime: host: simstudio-internal.acme.local paths: - path: /socket.io pathType: Prefix - # TLS configuration (use internal CA cert if needed) + # TLS configuration tls: enabled: true secretName: simstudio-internal-tls-secret \ No newline at end of file diff --git a/helm/sim/templates/ingress-internal.yaml b/helm/sim/templates/ingress-internal.yaml index 2f662f0d5f..47934fdd49 100644 --- a/helm/sim/templates/ingress-internal.yaml +++ b/helm/sim/templates/ingress-internal.yaml 
@@ -18,11 +18,9 @@ spec: tls: - hosts: - {{ .Values.ingressInternal.app.host | quote }} - {{- /* Add Realtime host only if enabled and unique */ -}} {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} - {{ .Values.ingressInternal.realtime.host | quote }} {{- end }} - {{- /* Add Copilot host only if enabled, exists, and unique from both App and Realtime */ -}} {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot }} {{- if and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host) }} - {{ .Values.ingressInternal.copilot.host | quote }} @@ -31,11 +29,10 @@ spec: secretName: {{ .Values.ingressInternal.tls.secretName }} {{- end }} rules: - # --- Main Rule: App (plus consolidated Realtime/Copilot if hosts match) --- + # Main application - host: {{ .Values.ingressInternal.app.host | quote }} http: paths: - {{- /* Consolidate Realtime paths here if host matches App */ -}} {{- if and .Values.realtime.enabled (eq .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} {{- range .Values.ingressInternal.realtime.paths }} - path: {{ .path }} @@ -47,7 +44,6 @@ spec: number: {{ $.Values.realtime.service.port }} {{- end }} {{- end }} - {{- /* Consolidate Copilot paths here if host matches App */ -}} {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (eq .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) }} {{- range .Values.ingressInternal.copilot.paths }} - path: {{ .path }} @@ -59,7 +55,6 @@ spec: number: {{ $.Values.copilot.server.service.port }} {{- end }} {{- end }} - {{- /* App paths are always included in this first rule */ -}} {{- range .Values.ingressInternal.app.paths }} - path: {{ .path }} pathType: {{ .pathType }} 
@@ -70,7 +65,7 @@ spec: number: {{ $.Values.app.service.port }} {{- end }} - # --- Realtime Rule (Only if host is unique) --- + # Realtime service {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} - host: {{ .Values.ingressInternal.realtime.host | quote }} http: @@ -86,7 +81,7 @@ spec: {{- end }} {{- end }} - # --- Copilot Rule (Only if host is unique from both App and Realtime) --- + # Copilot service {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host)) }} - host: {{ .Values.ingressInternal.copilot.host | quote }} http: diff --git a/helm/sim/templates/ingress.yaml b/helm/sim/templates/ingress.yaml index 2a4bfcc5fd..6bc4a77cca 100644 --- a/helm/sim/templates/ingress.yaml +++ b/helm/sim/templates/ingress.yaml @@ -18,11 +18,9 @@ spec: tls: - hosts: - {{ .Values.ingress.app.host | quote }} - {{- /* Add Realtime host only if enabled and unique */ -}} {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }} - {{ .Values.ingress.realtime.host | quote }} {{- end }} - {{- /* Add Copilot host only if enabled, exists, and unique from both App and Realtime */ -}} {{- if and .Values.copilot.enabled .Values.ingress.copilot }} {{- if and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host) }} - {{ .Values.ingress.copilot.host | quote }} 
@@ -31,11 +29,10 @@ spec: secretName: {{ .Values.ingress.tls.secretName }} {{- end }} rules: - # --- Main Rule: App (plus consolidated Realtime/Copilot if hosts match) --- + # Main application - host: {{ .Values.ingress.app.host | quote }} http: paths: - {{- /* Consolidate Realtime paths here if host matches App */ -}} {{- if and .Values.realtime.enabled (eq .Values.ingress.realtime.host .Values.ingress.app.host) }} {{- range .Values.ingress.realtime.paths }} - path: {{ .path }} @@ -47,7 +44,6 @@ spec: number: {{ $.Values.realtime.service.port }} {{- end }} {{- end }} - {{- /* Consolidate Copilot paths here if host matches App */ -}} {{- if and .Values.copilot.enabled .Values.ingress.copilot (eq .Values.ingress.copilot.host .Values.ingress.app.host) }} {{- range .Values.ingress.copilot.paths }} - path: {{ .path }} @@ -59,7 +55,6 @@ spec: number: {{ $.Values.copilot.server.service.port }} {{- end }} {{- end }} - {{- /* App paths are always included in this first rule */ -}} {{- range .Values.ingress.app.paths }} - path: {{ .path }} pathType: {{ .pathType }} @@ -70,7 +65,7 @@ spec: number: {{ $.Values.app.service.port }} {{- end }} - # --- Realtime Rule (Only if host is unique) --- + # Realtime service {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }} - host: {{ .Values.ingress.realtime.host | quote }} http: @@ -86,7 +81,7 @@ spec: {{- end }} {{- end }} - # --- Copilot Rule (Only if host is unique from both App and Realtime) --- + # Copilot service {{- if and .Values.copilot.enabled .Values.ingress.copilot (and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host)) }} - host: {{ .Values.ingress.copilot.host | quote }} http: diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 9140678e29..03f41e580a 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml 
@@ -582,43 +582,27 @@ ingress: enabled: false secretName: sim-tls-secret -# Internal Ingress configuration (for private/internal access) -# Use this when you need a separate ingress for internal traffic -# (e.g., internal load balancer with private IP) +# Internal Ingress configuration ingressInternal: - # Enable/disable internal ingress enabled: false - - # Ingress class name (e.g., nginx-internal, azure-application-gateway-internal) className: nginx - - # Annotations (typically includes internal load balancer annotations) - # Example for Azure: - # kubernetes.io/ingress.class: azure/application-gateway - # appgw.ingress.kubernetes.io/use-private-ip: "true" - # Example for AWS: - # alb.ingress.kubernetes.io/scheme: internal - # Example for GCP: - # kubernetes.io/ingress.class: "gce-internal" annotations: {} - # Main application host configuration + # Main application app: host: sim-internal.local paths: - path: / pathType: Prefix - # Realtime service host configuration - # Set to same host as app.host to consolidate paths under one rule - # Use /socket.io path when sharing the same host + # Realtime service realtime: host: sim-internal.local paths: - path: /socket.io pathType: Prefix - # Copilot service host configuration (optional) + # Copilot service (optional) # copilot: # host: sim-internal.local # paths: From 317738bc364bb4d85bc16d72f836c74e925801f2 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Fri, 23 Jan 2026 18:26:16 -0800 Subject: [PATCH 3/4] fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 --- helm/sim/templates/ingress-internal.yaml | 11 +++++++++++ helm/sim/templates/ingress.yaml | 11 +++++++++++ 2 files changed, 22 insertions(+) 
diff --git a/helm/sim/templates/ingress-internal.yaml b/helm/sim/templates/ingress-internal.yaml index 47934fdd49..ab46ae0f24 100644 --- a/helm/sim/templates/ingress-internal.yaml +++ b/helm/sim/templates/ingress-internal.yaml @@ -79,6 +79,17 @@ spec: port: number: {{ $.Values.realtime.service.port }} {{- end }} + {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (eq .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) }} + {{- range .Values.ingressInternal.copilot.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-copilot + port: + number: {{ $.Values.copilot.server.service.port }} + {{- end }} + {{- end }} {{- end }} # Copilot service diff --git a/helm/sim/templates/ingress.yaml b/helm/sim/templates/ingress.yaml index 6bc4a77cca..a44e16edc5 100644 --- a/helm/sim/templates/ingress.yaml +++ b/helm/sim/templates/ingress.yaml @@ -79,6 +79,17 @@ spec: port: number: {{ $.Values.realtime.service.port }} {{- end }} + {{- if and .Values.copilot.enabled .Values.ingress.copilot (eq .Values.ingress.copilot.host .Values.ingress.realtime.host) (ne .Values.ingress.copilot.host .Values.ingress.app.host) }} + {{- range .Values.ingress.copilot.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ include "sim.fullname" $ }}-copilot + port: + number: {{ $.Values.copilot.server.service.port }} + {{- end }} + {{- end }} {{- end }} # Copilot service From 285a4c4bebb4905331051385f673a3e3848b1b29 Mon Sep 17 00:00:00 2001 
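Review bot: Copilot still gets no rule when it shares `realtime.host` and realtime is disabled: the added block sits inside the realtime rule, whose enclosing `if` (outside this hunk) requires `.Values.realtime.enabled`, and the standalone copilot rule below is skipped because the two hosts are equal. The tls hosts list drops the copilot host for the same reason. Treating the realtime host as taken only when realtime is enabled closes the gap, e.g. in the standalone rule and the tls list `(or (not .Values.realtime.enabled) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host))`. The helm/sim/templates/ingress.yaml hunk that follows needs the same change with `.Values.ingress`.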
From: Waleed Latif Date: Fri, 23 Jan 2026 18:37:59 -0800 Subject: [PATCH 4/4] improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --- helm/sim/templates/ingress-internal.yaml | 7 +----- helm/sim/templates/ingress.yaml | 7 +----- helm/sim/values.yaml | 32 +++++++++++++----------- 3 files changed, 19 insertions(+), 27 deletions(-) diff --git a/helm/sim/templates/ingress-internal.yaml b/helm/sim/templates/ingress-internal.yaml index ab46ae0f24..9cceb6d641 100644 --- a/helm/sim/templates/ingress-internal.yaml +++ b/helm/sim/templates/ingress-internal.yaml @@ -29,7 +29,6 @@ spec: secretName: {{ .Values.ingressInternal.tls.secretName }} {{- end }} rules: - # Main application - host: {{ .Values.ingressInternal.app.host | quote }} http: paths: @@ -64,8 +63,6 @@ spec: port: number: {{ $.Values.app.service.port }} {{- end }} - - # Realtime service {{- if and .Values.realtime.enabled (ne .Values.ingressInternal.realtime.host .Values.ingressInternal.app.host) }} - host: {{ .Values.ingressInternal.realtime.host | quote }} http: @@ -79,7 +76,7 @@ spec: port: number: {{ $.Values.realtime.service.port }} {{- end }} - {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (eq .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) }} + {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (eq .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host) }} {{- range .Values.ingressInternal.copilot.paths }} - path: {{ .path }} pathType: {{ .pathType }} 
@@ -91,8 +88,6 @@ spec: {{- end }} {{- end }} {{- end }} - - # Copilot service {{- if and .Values.copilot.enabled .Values.ingressInternal.copilot (and (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.app.host) (ne .Values.ingressInternal.copilot.host .Values.ingressInternal.realtime.host)) }} - host: {{ .Values.ingressInternal.copilot.host | quote }} http: diff --git a/helm/sim/templates/ingress.yaml b/helm/sim/templates/ingress.yaml index a44e16edc5..1a327101a9 100644 --- a/helm/sim/templates/ingress.yaml +++ b/helm/sim/templates/ingress.yaml @@ -29,7 +29,6 @@ spec: secretName: {{ .Values.ingress.tls.secretName }} {{- end }} rules: - # Main application - host: {{ .Values.ingress.app.host | quote }} http: paths: @@ -64,8 +63,6 @@ spec: port: number: {{ $.Values.app.service.port }} {{- end }} - - # Realtime service {{- if and .Values.realtime.enabled (ne .Values.ingress.realtime.host .Values.ingress.app.host) }} - host: {{ .Values.ingress.realtime.host | quote }} http: @@ -79,7 +76,7 @@ spec: port: number: {{ $.Values.realtime.service.port }} {{- end }} - {{- if and .Values.copilot.enabled .Values.ingress.copilot (eq .Values.ingress.copilot.host .Values.ingress.realtime.host) (ne .Values.ingress.copilot.host .Values.ingress.app.host) }} + {{- if and .Values.copilot.enabled .Values.ingress.copilot (eq .Values.ingress.copilot.host .Values.ingress.realtime.host) }} {{- range .Values.ingress.copilot.paths }} - path: {{ .path }} pathType: {{ .pathType }} @@ -91,8 +88,6 @@ spec: {{- end }} {{- end }} {{- end }} - - # Copilot service {{- if and .Values.copilot.enabled .Values.ingress.copilot (and (ne .Values.ingress.copilot.host .Values.ingress.app.host) (ne .Values.ingress.copilot.host .Values.ingress.realtime.host)) }} - host: {{ .Values.ingress.copilot.host | quote }} http: diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 03f41e580a..c182c27728 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml 
@@ -552,64 +552,66 @@ ollama: extraVolumeMounts: [] # Ingress configuration +# When services share the same host, paths are consolidated into a single rule. +# Path order: realtime paths, copilot paths, then app paths (most specific first). +# Ensure specific paths (e.g., /socket.io, /copilot) come before catch-all paths (/). ingress: - # Enable/disable ingress enabled: false - - # Ingress class name className: nginx - - # Annotations + annotations: nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - - # Main application host configuration + + # Main application (use / as catch-all) app: host: sim.local paths: - path: / pathType: Prefix - - # Realtime service host configuration + + # Realtime service (use /socket.io when sharing host with app) realtime: host: sim-ws.local paths: - path: / pathType: Prefix - - # TLS configuration + + # Copilot service (optional, use /copilot when sharing host) + # copilot: + # host: sim.local + # paths: + # - path: /copilot + # pathType: Prefix + tls: enabled: false secretName: sim-tls-secret # Internal Ingress configuration +# Same path ordering rules apply as above. ingressInternal: enabled: false className: nginx annotations: {} - # Main application app: host: sim-internal.local paths: - path: / pathType: Prefix - # Realtime service realtime: host: sim-internal.local paths: - path: /socket.io pathType: Prefix - # Copilot service (optional) # copilot: # host: sim-internal.local # paths: # - path: /copilot # pathType: Prefix - # TLS configuration tls: enabled: false secretName: sim-internal-tls-secret
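Review bot: The added comment promises "most specific first", but the templates order paths by service, not by specificity, and in the rule for a separate realtime host the realtime paths are rendered before the copilot paths. With the default `ingress.realtime.paths` of `/` shown in this hunk, a copilot block placed on the realtime host would list `/` ahead of `/copilot`, which matters for controllers that match in listed order. I would word it as `# Paths are emitted per service (realtime, copilot, app); a service sharing a host must not use / unless it is the last one rendered for that host`.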