major(security): add https

Author: karimzakzouk

backend/helm-chart/templates/ingress.yaml

@@ -12,9 +12,20 @@ metadata:
   {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+  - hosts:
+    {{- range .hosts }}
+    - {{ . | quote }}
+    {{- end }}
+    secretName: {{ .secretName }}
+  {{- end }}
+  {{- end }}
   rules:
   {{- range .Values.ingress.hosts }}
-  - http:
+  - host: {{ .host | quote }}
+    http:
       paths:
       {{- range .paths }}
       - path: {{ .path }}

backend/helm-chart/values-dev.yaml

@@ -6,20 +6,27 @@ image:
 
 env:
   NODE_ENV: "dev"
-  FRONTEND_URL: "frontend-code.duckdns.org"
-  REDIS_HOST: "redis-code.duckdns.org"
+  FRONTEND_URL: "https://hankers-frontend.myaddr.tools"
+  REDIS_HOST: "hankers-redis.myaddr.tools"
   REDIS_PORT: "6379"
 
 secrets:
   name: hankers-secrets
 
 ingress:
   enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
   hosts:
-    - host: ""
+    - host: "hankers-backend.myaddr.tools"
       paths:
-        - path: /dev(/|$)(.*)
-          pathType: ImplementationSpecific
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: backend-tls
+      hosts:
+        - hankers-backend.myaddr.tools
 
 migration:
   enabled: true

backend/helm-chart/values.yaml

@@ -16,8 +16,7 @@ service:
 ingress:
   enabled: true
   className: nginx
-  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
+  annotations: {}
   hosts:
     - host: ""
       paths:

frontend/helm-chart/templates/ingress.yaml

@@ -12,9 +12,20 @@ metadata:
   {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+  - hosts:
+    {{- range .hosts }}
+    - {{ . | quote }}
+    {{- end }}
+    secretName: {{ .secretName }}
+  {{- end }}
+  {{- end }}
   rules:
   {{- range .Values.ingress.hosts }}
-  - http:
+  - host: {{ .host | quote }}
+    http:
       paths:
       {{- range .paths }}
       - path: {{ .path }}

frontend/helm-chart/values-dev.yaml

@@ -13,8 +13,15 @@ secrets:
 
 ingress:
   enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
   hosts:
-    - host: ""
+    - host: "hankers-frontend.myaddr.tools"
       paths:
-        - path: /()(.*)
-          pathType: ImplementationSpecific
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: frontend-tls
+      hosts:
+        - hankers-frontend.myaddr.tools

frontend/helm-chart/values.yaml

@@ -16,9 +16,7 @@ service:
 ingress:
   enabled: true
   className: nginx
-  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+  annotations: {}
   hosts:
     - host: ""
       paths:

infra/install-cert-manager.sh

@@ -1,24 +1,102 @@
 #!/bin/bash
 set -e
 
-echo "Installing Nginx Ingress Controller..."
+echo "========================================"
+echo "Hankers Infrastructure Setup"
+echo "========================================"
+echo ""
 
-# Apply the official nginx ingress controller manifest
+# ============================================
+# 1. Install Nginx Ingress Controller
+# ============================================
+echo "[1/5] Installing Nginx Ingress Controller..."
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml
 
-echo ""
 echo "Waiting for controller to be ready..."
 kubectl wait --namespace ingress-nginx \
   --for=condition=ready pod \
   --selector=app.kubernetes.io/component=controller \
   --timeout=120s
 
+echo "✅ Nginx Ingress Controller installed!"
+echo ""
+
+# ============================================
+# 2. Install Cert-Manager
+# ============================================
+echo "[2/5] Installing Cert-Manager..."
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+
+echo "Waiting for cert-manager to be ready..."
+kubectl wait --namespace cert-manager \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/instance=cert-manager \
+  --timeout=120s
+
+echo "✅ Cert-Manager installed!"
+echo ""
+
+# ============================================
+# 3. Create Let's Encrypt ClusterIssuer
+# ============================================
+echo "[3/5] Creating Let's Encrypt ClusterIssuer..."
+kubectl apply -f setup/letsencrypt-issuer.yaml
+
+echo "✅ Let's Encrypt ClusterIssuer created!"
 echo ""
-echo "✅ Nginx Ingress Controller installed successfully!"
+
+# ============================================
+# 4. Configure TCP Services for Redis
+# ============================================
+echo "[4/5] Configuring TCP Services for Redis..."
+kubectl apply -f setup/tcp-services.yaml
+
+echo "✅ TCP Services ConfigMap created!"
+echo ""
+
+# ============================================
+# 5. Patch Ingress Controller for TCP
+# ============================================
+echo "[5/5] Patching Ingress Controller..."
+
+# Add TCP services argument if not already present
+if ! kubectl get deployment ingress-nginx-controller -n ingress-nginx -o yaml | grep -q "tcp-services-configmap"; then
+  echo "Adding TCP services configuration..."
+  kubectl patch deployment ingress-nginx-controller -n ingress-nginx --type='json' -p='[
+    {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--tcp-services-configmap=ingress-nginx/tcp-services"}
+  ]'
+else
+  echo "TCP services already configured"
+fi
+
+# Add port 6379 to ingress controller service if not already present
+if ! kubectl get svc ingress-nginx-controller -n ingress-nginx -o yaml | grep -q "port: 6379"; then
+  echo "Adding Redis port to ingress controller..."
+  kubectl patch svc ingress-nginx-controller -n ingress-nginx --type='json' -p='[
+    {"op": "add", "path": "/spec/ports/-", "value": {"name": "redis", "port": 6379, "protocol": "TCP", "targetPort": 6379}}
+  ]'
+else
+  echo "Redis port already configured"
+fi
+
+echo "✅ Ingress Controller patched!"
 echo ""
-echo "Getting external IP..."
-kubectl get svc ingress-nginx-controller -n ingress-nginx
 
+# ============================================
+# Summary
+# ============================================
+echo "========================================"
+echo "✅ Infrastructure Setup Complete!"
+echo "========================================"
+echo ""
+echo "Ingress Controller External IP:"
+kubectl get svc ingress-nginx-controller -n ingress-nginx | grep ingress-nginx-controller
+echo ""
+echo "Next steps:"
+echo "1. Update your DNS records to point to the external IP above"
+echo "2. Deploy your backend: helm install/upgrade hankers-backend-dev"
+echo "3. Deploy your frontend: helm install/upgrade hankers-frontend-dev"
+echo "4. Deploy Redis if not already deployed"
 echo ""
 echo "To watch for IP assignment:"
 echo "kubectl get svc ingress-nginx-controller -n ingress-nginx -w"

infra/setup.sh

@@ -0,0 +1,19 @@
+# Setup Files
+
+This directory contains all the Kubernetes manifests needed for initial infrastructure setup.
+
+## Files
+
+- **letsencrypt-issuer.yaml** - Let's Encrypt production ClusterIssuer for SSL certificates
+- **tcp-services.yaml** - ConfigMap for exposing Redis on port 6379 through nginx ingress
+
+## Usage
+
+These files are automatically applied by the `../setup.sh` script. You don't need to apply them manually.
+
+## Manual Application (if needed)
+
+```bash
+kubectl apply -f letsencrypt-issuer.yaml
+kubectl apply -f tcp-services.yaml
+```