Create an Ingress via Infrastructure as Code
Instead of creating ingresses through the Cockpit, you can manage them as code in your deployment pipeline. This approach allows you to version control your Ingress configurations and deploy them automatically.
Where possible, we recommend using the Cockpit to Add an Ingress.
When you deploy ingresses via your CI/CD pipeline, they appear in the Cockpit with Origin: PIPELINE.
You can optionally claim them later for centralized management in the Cockpit, which is the recommended approach.
This guide shows you how to create the same Ingress configurations using Kubernetes manifests that you would normally configure through the Add an Ingress Cockpit process. There is embedded help available directly in Cockpit for adding Ingresses.
Manifest structure
Magnolia uses a custom Kubernetes resource called MgnlIngress that provides the same functionality as the Cockpit:
apiVersion: magnolia.info/v1alpha1
kind: MgnlIngress # (1)
metadata:
  name: your-ingress-name
  namespace: your-namespace
  labels:
    app.kubernetes.io/managed-by: pipeline # (2)
spec:
  # Configuration matching Cockpit UI options

(1) kind must be MgnlIngress.
(2) The value for app.kubernetes.io/managed-by must be pipeline.
Basic example
Here’s a simple Ingress manifest that matches what you’d create in the Cockpit:
apiVersion: magnolia.info/v1alpha1
kind: MgnlIngress
metadata:
  name: company-author # (1)
  namespace: production
  labels:
    app.kubernetes.io/component: app
    app.kubernetes.io/managed-by: pipeline # (2)
    app.kubernetes.io/name: company-author # (1)
    app.kubernetes.io/part-of: magnolia
spec:
  # General settings (corresponds to "General settings" in UI)
  description: "Company Author Environment - Production"
  # Access control (corresponds to "Access control" in UI)
  whitelistIps: []
  blacklistIps: []
  # NGINX options (corresponds to "NGINX options" in UI)
  nginxOptions:
    enableWaf: true
    forceSslRedirect: true
    proxyBodySize: "512m"
    rateLimiting:
      enabled: true
      limitPerMinute: 1000
      limitPerSecond: 20
  # CDN options (corresponds to "CDN options" in UI)
  cdnOptions:
    enabled: false
  # Rules (corresponds to "Rules" in UI)
  allowRegex: false
  rules:
    - host: "author.company.com"
      paths:
        - path: "/"
          pathType: "Prefix"
          backendName: "production-magnolia-author-svc"
          backendPort: 443
  # TLS (corresponds to "TLS certificates" in UI)
  acquireCertificate: true
  tls:
    - hosts:
        - "author.company.com"
      secretName: "company-author-le-tls"

(1) The app.kubernetes.io/name label (under metadata.labels) should be the same as the Ingress name (metadata.name), as shown here.
(2) The value for app.kubernetes.io/managed-by must be pipeline.
Map UI Fields to Manifest
The manifest fields correspond directly to the Cockpit sections:
- description → Description field
- whitelistIps → Allow List IPs
- blacklistIps → Deny List IPs
- nginxOptions.disableRobots → Disable robots header
- nginxOptions.deniedLocations → Denied locations
- nginxOptions.proxyBodySize → Max body size
- nginxOptions.enableWaf → Enable Ingress firewall (OWASP)
- nginxOptions.forceSslRedirect → Force SSL redirect
- nginxOptions.rateLimiting → Rate limiting section
- cdnOptions.enabled → Enabled checkbox
- allowRegex → Allow regular expressions
- rules[].host → Host dropdown selection
- rules[].paths[].pathType → Path type selection
- rules[].paths[].path → Path field
- rules[].paths[].backendName → Service dropdown selection
- rules[].paths[].backendPort → Backend port field
- acquireCertificate: true → Acquire certificates automatically, using Let’s Encrypt (HTTP-01)
- tls[].secretName → Secret name selection (when using custom certificates)
Deploy via pipeline
- Add the manifest to your repository:

  infrastructure/
  ├── ingresses/
  │   └── production-author-ingress.yaml
  └── .github/workflows/
      └── deploy.yml

- Deploy using kubectl in your CI/CD pipeline:

  - name: Deploy Ingress
    run: |
      kubectl apply -f infrastructure/ingresses/production-author-ingress.yaml # (1)

  (1) Location of the manifest file; in this case, it is production-author-ingress.yaml.

- After deployment, the Ingress should appear in Networking > Ingresses with Origin: PIPELINE.
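
A pre-apply check that a pipeline could run before kubectl apply, as an added example (not Magnolia's code or part of the original guide). The function name, the sample data and the WAF, SSL redirect, rate limiting and TLS coverage checks are assumptions representing one possible team baseline; only the kind and label checks come from the callouts on this page.

```python
# Added example: pre-apply lint for a MgnlIngress manifest (not Magnolia's code).
# Input is the dict that a YAML loader such as yaml.safe_load() returns for the file.
def lint_mgnl_ingress(doc):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    meta = doc.get("metadata") or {}
    labels = meta.get("labels") or {}
    spec = doc.get("spec") or {}
    nginx = spec.get("nginxOptions") or {}

    # Requirements stated in the callouts on this page.
    if doc.get("kind") != "MgnlIngress":
        findings.append("kind must be MgnlIngress")
    if labels.get("app.kubernetes.io/managed-by") != "pipeline":
        findings.append("label app.kubernetes.io/managed-by must be pipeline")
    name_label = labels.get("app.kubernetes.io/name")
    if name_label is not None and name_label != meta.get("name"):
        findings.append("label app.kubernetes.io/name should equal metadata.name")

    # Assumed team baseline (a policy choice, not a platform requirement).
    for key in ("enableWaf", "forceSslRedirect"):
        if nginx.get(key) is not True:
            findings.append(f"nginxOptions.{key} is not true")
    if (nginx.get("rateLimiting") or {}).get("enabled") is not True:
        findings.append("nginxOptions.rateLimiting.enabled is not true")
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        if rule.get("host") not in tls_hosts:
            findings.append(f"host {rule.get('host')} has no tls entry")
    return findings

# Constructed sample: the basic example above with three deliberate mistakes.
SAMPLE = {
    "apiVersion": "magnolia.info/v1alpha1",
    "kind": "MgnlIngress",
    "metadata": {"name": "company-author", "namespace": "production",
                 "labels": {"app.kubernetes.io/managed-by": "helm",
                            "app.kubernetes.io/name": "company-author"}},
    "spec": {"nginxOptions": {"enableWaf": False, "forceSslRedirect": True,
                              "rateLimiting": {"enabled": True}},
             "rules": [{"host": "author.company.com", "paths": []}],
             "tls": [{"hosts": ["www.company.com"],
                      "secretName": "company-author-le-tls"}]},
}

if __name__ == "__main__":
    for finding in lint_mgnl_ingress(SAMPLE):
        print("FAIL:", finding)
```

In a pipeline step, exit non-zero when the returned list is not empty so that the kubectl apply step does not run.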
Configuration reference
For a full example with all available options, see the comprehensive manifest below, which includes all fields available in the Cockpit.
For detailed explanations of each field, refer to Ingress terms.
apiVersion: magnolia.info/v1alpha1
kind: MgnlIngress
metadata:
  name: full-example
  namespace: production
  labels:
    app.kubernetes.io/managed-by: pipeline # (1)
spec:
  description: "Full configuration example"
  acquireCertificate: true
  allowRegex: false
  errorPages: false
  whitelistIps: []
  blacklistIps: []
  nginxOptions:
    # Security
    enableWaf: true
    disableRobots: false
    forceSslRedirect: true
    fromToWwwRedirect: false
    deniedLocations: []
    # Performance
    proxyBodySize: "1024m"
    proxyBufferSize: "4k"
    proxyBuffersNumber: 4
    proxyRequestBuffering: true
    proxyBuffering: true
    proxyConnectTimeout: 300
    proxyReadTimeout: 300
    proxySendTimeout: 300
    # Headers
    headersToClear: []
    headersToSet: {}
    # Features
    rateLimiting:
      enabled: true
      limitPerMinute: 3000
      limitPerSecond: 50
      whitelistIps: []
    basicAuth:
      enabled: false
    cors:
      enabled: false
    certificateAuthentication:
      enabled: false
    stickySession:
      enabled: false
    errorPage:
      enabled: false
    permanentRedirect:
      enabled: false
  cdnOptions:
    enabled: false
  rules:
    - host: "app.company.com"
      paths:
        - path: "/"
          pathType: "Prefix"
          backendName: "production-app-service"
          backendPort: 80
  tls:
    - hosts:
        - "app.company.com"
      secretName: "app-company-tls"

(1) The value for app.kubernetes.io/managed-by must be pipeline.
Manage pipeline Ingresses
After deploying via pipeline:
- Ingresses appear with Origin: PIPELINE
- You can view and monitor them in the Cockpit
- Optionally claim them using the Claim option to bring them under Cockpit management
- Use Synchronize to update the Cockpit view if you make external changes

Once an Ingress is claimed in the Cockpit, external pipeline changes are ignored.