# Ingress Configuration

This guide demonstrates how to configure [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). Ingress can be configured in numerous ways. Configurations for the most popular controllers are outlined below.

{% hint style="info" %}
**Kubernetes namespace**

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace `immuta` and that the current namespace is `immuta`.
{% endhint %}

The Immuta web service listens on the following ports:

| Port | Protocol | Description               | Optional |
| ---- | -------- | ------------------------- | -------- |
| 443  | TCP      | HTTPS                     | False    |
| 80   | TCP      | HTTP (redirects to HTTPS) | True     |

## [Ingress NGINX Controller](https://kubernetes.github.io/ingress-nginx/)

{% hint style="warning" %}
**Deprecation notice**

Kubernetes is ending support for Ingress NGINX. See the official [Kubernetes announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/) for details.
{% endhint %}

{% hint style="info" %}
**Ingress hostname**

This is the fully qualified domain name (FQDN) as defined by RFC 3986 used to access the Immuta UI. If an FQDN has yet to be determined, set Secure's ingress hostname to `immuta.local`.
{% endhint %}

1. Edit the `immuta-values.yaml` file to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: nginx
       annotations:
         nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
         nginx.ingress.kubernetes.io/proxy-body-size: '64m'
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Ingress-Nginx Controller documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) for further assistance.

## [GKE Ingress Controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         # Determines which type of load balancer is provisioned
         #   gce-internal
         #   gce
         kubernetes.io/ingress.class: gce
         # Listen on both 80 and 443
         kubernetes.io/ingress.allow-http: 'true'
         # Redirect traffic from 80 to 443
         cloud.google.com/frontend-config: immuta
   ```
2. Create a file named `frontendconfig.yaml` with the following content.

   ```yaml
   apiVersion: networking.gke.io/v1beta1
   kind: FrontendConfig
   metadata:
     name: immuta
   spec:
     redirectToHttps:
       enabled: true
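       # Replace RESPONSE_CODE with one of: MOVED_PERMANENTLY_DEFAULT (301),
       # FOUND (302), SEE_OTHER (303), TEMPORARY_REDIRECT (307), PERMANENT_REDIRECT (308)
       responseCodeName: RESPONSE_CODE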
   ```
3. Apply the `FrontendConfig` CRD.

   ```shell
   kubectl apply -f frontendconfig.yaml
   ```
4. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Google Cloud documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress#summary_of_external_ingress_annotations) for further assistance.

## [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: alb
       annotations:
         # Determines which type of load balancer is provisioned
         #   internal
         #   internet-facing
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/target-type: ip
         # Listen on both 80 and 443
         alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
         # Redirect traffic from 80 to 443
         alb.ingress.kubernetes.io/ssl-redirect: '443'
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [AWS Load Balancer Controller documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/) for further assistance.

## [AKS Application Gateway Ingress Controller](https://azure.github.io/application-gateway-kubernetes-ingress/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: webapprouting.kubernetes.azure.com
       # https://azure.github.io/application-gateway-kubernetes-ingress/annotations/
       annotations:
         appgw.ingress.kubernetes.io/ssl-redirect: 'true'
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Application Gateway Ingress Controller documentation](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/) for further assistance.

## [Traefik](https://traefik.io/traefik/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: traefik
       annotations:
         # Listen on ports 80 and 443
         traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
         # Redirect HTTP to HTTPS
         # When referencing middleware you must prefix the name with its namespace
         # <namespace>-<middleware-name>@kubernetescrd
         traefik.ingress.kubernetes.io/router.middlewares: immuta-https-redirectscheme@kubernetescrd
   ```
2. Create a file named `middleware.yaml` with the following content.

   ```yaml
   # Traefik v3 no longer serves this API group; use traefik.io/v1alpha1 there
   apiVersion: traefik.containo.us/v1alpha1
   kind: Middleware
   metadata:
     name: https-redirectscheme
   spec:
     redirectScheme:
       scheme: https
       permanent: true
   ```
3. Apply the `Middleware` CRD.

   ```shell
   kubectl apply -f middleware.yaml
   ```
4. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Traefik documentation](https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/) for further assistance.

## [OpenShift Ingress Operator](https://docs.openshift.com/dedicated/networking/ingress-operator.html)

1. Edit `immuta-values.yaml` to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, `secure.ingress.enabled` is set to `false` below.

   ```yaml
   secure:
     ingress:
       enabled: false
   ```
2. Get the service name for Secure.

   ```shell
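   # A selector query returns a list, so iterate over .items to print each name
   oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ range .items }}{{ .metadata.name }}{{ "\n" }}{{ end }}'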
   ```
3. Create a file named `route.yaml` with the following content. Update all [placeholder values](https://documentation.immuta.com/2024.2/self-managed-deployment/conventions) with your own values.

   ```yaml
   apiVersion: route.openshift.io/v1
   kind: Route
   metadata:
     name: immuta
   spec:
     host: <immuta-fqdn>
     to:
       kind: Service
       # Service name returned by the previous step
       name: immuta-secure
     port:
       targetPort: http
     tls:
       termination: edge
       insecureEdgeTerminationPolicy: Redirect
   ```
4. Apply the `Route` CRD.

   ```shell
   oc apply -f route.yaml
   ```
5. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Red Hat OpenShift documentation](https://docs.openshift.com/dedicated/networking/ingress-operator.html) for further assistance.
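
The port table at the top of this page states that port 80 redirects to HTTPS. The following script is an added example, not part of the Immuta documentation, that checks this after any of the configurations above has been applied; `immuta.example.com` is a constructed hostname and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Immuta documentation).
# Usage: sh check-ingress.sh immuta.example.com   (constructed hostname)

# redirect_ok STATUS LOCATION FQDN
# Succeeds only when STATUS is an HTTP redirect and LOCATION is an https://
# URL on exactly FQDN (default port or :443), so a redirect to plain HTTP or
# to a look-alike host such as FQDN.other.test is rejected.
redirect_ok() {
  status=$1
  location=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  fqdn=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  case "$status" in
    301|302|303|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    "https://$fqdn"|"https://$fqdn/"*) return 0 ;;
    "https://$fqdn:443"|"https://$fqdn:443/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_ingress FQDN
# Returns 0 if port 80 redirects to HTTPS and port 443 serves a certificate
# that curl can verify for FQDN; 1 = missing or wrong redirect, 2 = port 80
# unreachable, 3 = HTTPS request failed (including certificate errors).
check_ingress() {
  out=$(curl --silent --max-time 10 --output /dev/null \
    --write-out '%{http_code} %{redirect_url}' "http://$1/") || return 2
  redirect_ok "${out%% *}" "${out#* }" "$1" || return 1
  curl --silent --max-time 10 --output /dev/null "https://$1/" || return 3
}

# Run the live check only when a hostname is passed on the command line.
if [ "$#" -gt 0 ]; then
  check_ingress "$1"
fi
```

A return code of 2 is expected when the optional port 80 listener is not exposed, and 3 is expected while the hostname is still `immuta.local` or the certificate is not yet trusted by the client.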
