# Ingress Configuration

This guide demonstrates how to configure [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). Ingress can be configured in numerous ways. Configurations for the most popular controllers are outlined below.

{% hint style="info" %}
**Kubernetes namespace**

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace `immuta` and that the current namespace is `immuta`.
{% endhint %}

The Immuta web service listens on the following ports:

| Port | Protocol | Description               | Optional |
| ---- | -------- | ------------------------- | -------- |
| 443  | TCP      | HTTPS                     | False    |
| 80   | TCP      | HTTP (redirects to HTTPS) | True     |

## [Ingress NGINX Controller](https://kubernetes.github.io/ingress-nginx/)

{% hint style="warning" %}
**Deprecation notice**

Kubernetes is ending support for Ingress NGINX. See the official [Kubernetes announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/) for details.
{% endhint %}

{% hint style="info" %}
**Ingress hostname**

This is the fully qualified domain name (FQDN), as defined by RFC 3986, used to access the Immuta UI. If an FQDN has yet to be determined, set Secure's ingress hostname to `immuta.local`.
{% endhint %}

1. Edit the `immuta-values.yaml` file to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: nginx
       annotations:
         nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
         nginx.ingress.kubernetes.io/proxy-body-size: '64m'
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Ingress-Nginx Controller documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) for further assistance.

## [GKE Ingress Controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         # Determines which type of load balancer is provisioned
         #   gce-internal
         #   gce
         kubernetes.io/ingress.class: gce
         # Listen on both 80 and 443
         kubernetes.io/ingress.allow-http: 'true'
         # Redirect traffic from 80 to 443
         cloud.google.com/frontend-config: immuta
   ```
2. Create a file named `frontendconfig.yaml` with the following content.

   ```yaml
   apiVersion: networking.gke.io/v1beta1
   kind: FrontendConfig
   metadata:
     name: immuta
   spec:
     redirectToHttps:
       enabled: true
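       # Replace RESPONSE_CODE with one of: MOVED_PERMANENTLY_DEFAULT, FOUND,
       # SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT
       responseCodeName: RESPONSE_CODE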
   ```
3. Apply the `FrontendConfig` resource.

   ```shell
   kubectl apply -f frontendconfig.yaml
   ```
4. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Google Cloud documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress#summary_of_external_ingress_annotations) for further assistance.

## [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: alb
       annotations:
         # Determines which type of load balancer is provisioned
         #   internal
         #   internet-facing
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/target-type: ip
         # Listen on both 80 and 443
         alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
         # Redirect traffic from 80 to 443
         alb.ingress.kubernetes.io/ssl-redirect: '443'
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [AWS Load Balancer Controller documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/) for further assistance.

## [AKS Application Gateway Ingress Controller](https://azure.github.io/application-gateway-kubernetes-ingress/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: webapprouting.kubernetes.azure.com
       # https://azure.github.io/application-gateway-kubernetes-ingress/annotations/
       annotations:
         appgw.ingress.kubernetes.io/ssl-redirect: 'true'
   ```
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Application Gateway Ingress Controller documentation](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/) for further assistance.

## [Traefik](https://traefik.io/traefik/)

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: traefik
       annotations:
         # Listen on ports 80 and 443
         traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
         # Redirect HTTP to HTTPS
         # When referencing middleware you must prefix the name with its namespace
         # <namespace>-<middleware-name>@kubernetescrd
         traefik.ingress.kubernetes.io/router.middlewares: immuta-https-redirectscheme@kubernetescrd
   ```
2. Create a file named `middleware.yaml` with the following content.

   ```yaml
   # Traefik v3 serves this resource under the traefik.io/v1alpha1 API group
   apiVersion: traefik.containo.us/v1alpha1
   kind: Middleware
   metadata:
     name: https-redirectscheme
   spec:
     redirectScheme:
       scheme: https
       permanent: true
   ```
3. Apply the `Middleware` resource.

   ```shell
   kubectl apply -f middleware.yaml
   ```
4. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Traefik documentation](https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/) for further assistance.

## [OpenShift Ingress Operator](https://docs.openshift.com/dedicated/networking/ingress-operator.html)

1. Edit `immuta-values.yaml` to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not by the Immuta Enterprise Helm chart, `secure.ingress.enabled` is set to `false` below.

   ```yaml
   secure:
     ingress:
       enabled: false
   ```
2. Get the service name for Secure.

   ```shell
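   # A label selector returns a List, so iterate over .items to print each service name
   oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ range .items }}{{ .metadata.name }}{{ "\n" }}{{ end }}'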
   ```
3. Create a file named `route.yaml` with the following content. Update all [placeholder values](/2024.2/self-managed-deployment/conventions.md) with your own values.

   ```yaml
   apiVersion: route.openshift.io/v1
   kind: Route
   metadata:
     name: immuta
   spec:
     host: <immuta-fqdn>
     to:
       kind: Service
       # Service name returned by the command in step 2
       name: immuta-secure
     port:
       targetPort: http
     tls:
       termination: edge
       insecureEdgeTerminationPolicy: Redirect
   ```
4. Apply the `Route` resource.

   ```shell
   oc apply -f route.yaml
   ```
5. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```

Refer to the [Red Hat OpenShift documentation](https://docs.openshift.com/dedicated/networking/ingress-operator.html) for further assistance.
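Every configuration on this page relies on port 80 doing nothing except redirect to HTTPS on the Immuta hostname. The following check is an added example, not part of the Immuta documentation or Helm chart: it classifies a port 80 response as a correct redirect, a plaintext response, a redirect that stays on HTTP, or a redirect to an unexpected host. The function names, the hostname `immuta.example.com`, and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that port 80 only redirects to HTTPS on the expected host.

# classify_redirect EXPECTED_HOST   (reads raw response headers on stdin)
# Prints one of: ok | no-redirect | not-https | wrong-host
classify_redirect() {
    expected_host=$1
    # Strip CR from CRLF line endings, then extract status code and Location.
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')

    case $status in
        301|302|303|307|308) ;;
        # e.g. HTTP is allowed on the load balancer but no redirect is attached
        *) echo "no-redirect"; return 1 ;;
    esac
    case $location in
        https://*) ;;
        *) echo "not-https"; return 1 ;;
    esac
    # Host is the text between "https://" and the next "/" or ":".
    host=${location#https://}
    host=${host%%/*}
    host=${host%%:*}
    if [ "$host" != "$expected_host" ]; then
        echo "wrong-host"; return 1
    fi
    echo "ok"
}

# check_http_redirect FQDN: live check against a deployed ingress (requires curl).
check_http_redirect() {
    curl --silent --head --max-time 10 "http://$1/" | classify_redirect "$1"
}

# Constructed sample responses (not captured from a real deployment).
SAMPLE_GOOD=$(printf 'HTTP/1.1 308 Permanent Redirect\r\nLocation: https://immuta.example.com/\r\n\r\n')
SAMPLE_PLAIN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')
SAMPLE_DOWNGRADE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: http://immuta.example.com/login\r\n\r\n')
```

After the Helm upgrade, run `check_http_redirect <immuta-fqdn>`; any result other than `ok` means port 80 is not enforcing the redirect described in the port table.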

