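---
# Production Ingress for rxminder (ingress-nginx controller).
# Terminates TLS for two hosts: the web frontend and an "api" host that is
# routed straight to CouchDB. Every annotation below applies to BOTH hosts,
# because annotations are scoped to the Ingress object, not to a single rule.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rxminder-ingress
  annotations:
    # Enable SSL redirect for production
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'

    # Use production certificate issuer
    cert-manager.io/cluster-issuer: 'letsencrypt-prod'

    # Security headers for production.
    # NOTE(review): configuration-snippet is only honoured when snippet
    # annotations are allowed on the controller (allow-snippet-annotations);
    # recent ingress-nginx releases disable them by default, in which case
    # these headers are not sent. Allowing snippets lets anyone who can
    # create or edit Ingress objects inject raw nginx config, so confirm who
    # holds that permission, or set the headers controller-wide instead.
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; no Content-Security-Policy is set here. HSTS with
    # includeSubDomains + preload commits every subdomain to HTTPS for a
    # year, so confirm that is intended before submitting to a preload list.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-XSS-Protection: 1; mode=block";
      more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";

    # Rate limiting for production: 100 requests per minute per client IP.
    # The original keys (rate-limit / rate-limit-window) are not annotations
    # that ingress-nginx recognises, so they were ignored and no limit was
    # enforced; limit-rpm is the supported equivalent.
    nginx.ingress.kubernetes.io/limit-rpm: '100'

    # Enable CORS for production API access.
    # CORS only constrains browsers; it is not access control for non-browser
    # clients reaching the hosts below.
    nginx.ingress.kubernetes.io/enable-cors: 'true'
    nginx.ingress.kubernetes.io/cors-allow-origin: 'https://rxminder.yourdomain.com'

    # Compression: ingress-nginx has no "compression" annotation, so the
    # original key had no effect and is dropped here. gzip is switched on
    # controller-wide through the use-gzip key of the controller ConfigMap.

    # Client body size limit
    nginx.ingress.kubernetes.io/proxy-body-size: '10m'

    # Connection and read timeouts (seconds)
    nginx.ingress.kubernetes.io/proxy-connect-timeout: '60'
    nginx.ingress.kubernetes.io/proxy-read-timeout: '60'

    # Enable modsecurity WAF for production.
    # NOTE(review): the snippet turns the engine on in blocking mode but this
    # manifest loads no rule set, so unless rules are configured globally on
    # the controller the WAF inspects nothing. The
    # nginx.ingress.kubernetes.io/enable-owasp-core-rules annotation loads the
    # OWASP CRS; trial it with "SecRuleEngine DetectionOnly" first to measure
    # false positives. Also check that audit logs do not capture request
    # bodies containing patient or credential data.
    nginx.ingress.kubernetes.io/enable-modsecurity: 'true'
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine RelevantOnly
spec:
  ingressClassName: nginx

  # Production TLS configuration.
  # yourdomain.com is a template placeholder; replace it in every host and in
  # cors-allow-origin before applying.
  tls:
    - hosts:
        - rxminder.yourdomain.com
        - api.rxminder.yourdomain.com
      secretName: rxminder-tls-prod

  rules:
    # Main application domain
    - host: rxminder.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: rxminder-frontend-service
                port:
                  number: 80

    # API subdomain for direct database access (if needed).
    # NOTE(review): path "/" with pathType Prefix publishes the entire
    # CouchDB HTTP API on port 5984 to every client that can reach the
    # ingress, administrative and configuration endpoints included. Nothing
    # in this manifest authenticates or filters those requests. If this rule
    # is not required, remove it. If it is, confirm CouchDB itself enforces
    # authentication on every database, and move the rule into its own
    # Ingress so it can carry a source allowlist
    # (nginx.ingress.kubernetes.io/whitelist-source-range) or an auth
    # annotation without affecting the frontend host.
    - host: api.rxminder.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: rxminder-couchdb-service
                port:
                  number: 5984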