
Refactor Kubernetes ingress configuration and add HTTP to HTTPS redirection #289

Merged
NiveditJain merged 2 commits into exospherehost:main from NiveditJain:fixing-http
Aug 25, 2025

@NiveditJain
Member

  • Updated the deploy-kubernetes.yml workflow to apply ingress configurations from a directory instead of individual files.
  • Added new IngressRoute configurations for the API server and landing page, supporting both HTTP and HTTPS.
  • Introduced a middleware for redirecting HTTP traffic to HTTPS.
  • Enhanced traefik-values.yaml with additional arguments for HTTP to HTTPS redirection.

These changes improve the deployment process and enhance security by enforcing HTTPS.

Fixes #287

…ection

- Updated the deploy-kubernetes.yml workflow to apply ingress configurations from a directory instead of individual files.
- Added new IngressRoute configurations for the API server and landing page, supporting both HTTP and HTTPS.
- Introduced a middleware for redirecting HTTP traffic to HTTPS.
- Enhanced traefik-values.yaml with additional arguments for HTTP to HTTPS redirection.

These changes improve the deployment process and enhance security by enforcing HTTPS.
@coderabbitai
Contributor

coderabbitai bot commented Aug 25, 2025

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Introduced Traefik-based ingress routes for the API and landing page with automatic TLS via Let’s Encrypt.
    • Enforced HTTP-to-HTTPS redirection for all traffic, improving security and consistency.
  • Chores
    • Simplified the deployment workflow to apply all ingress manifests from a single directory, streamlining ingress updates.

Walkthrough

Replaces two explicit kubectl ingress applies with a single directory apply, adds Traefik IngressRoute manifests for API and landing page, introduces an HTTP→HTTPS redirect middleware, and updates Traefik Helm values to enable entrypoint-level HTTP→HTTPS redirection.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI workflow: ingress apply method (.github/workflows/deploy-kubernetes.yml) | Replace two explicit kubectl apply -f calls for specific ingress files with a single kubectl apply -f ./ingress/ directory apply. |
| IngressRoute manifests (k8s/ingress/api-server-ingress-http.yaml, k8s/ingress/landing-page-ingress-http.yaml) | Add Traefik IngressRoute resources for api.exosphere.host and exosphere.host, each routing on web entryPoint to their services and specifying TLS via certResolver letsencrypt. |
| Traefik middleware (k8s/ingress/http-to-https-redirect-middleware.yaml) | Add Traefik Middleware http-to-https-redirect configured to permanently redirect scheme to https (port 443). |
| Traefik Helm values (k8s/traefik-values.yaml) | Add additionalArguments to enable entrypoint-level HTTP→HTTPS redirection and remove minor inline comments; no other value changes. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant B as Browser
  participant T as Traefik (web)
  participant TS as Traefik (websecure)
  participant LP as Landing Page Service
  participant API as API Service

  rect rgba(220,235,255,0.25)
  Note over B,T: HTTP request
  B->>T: GET http://exosphere.host/...
  alt Entrypoint redirect or middleware present
    T-->>B: 301 → https://exosphere.host/...
  end
  end

  rect rgba(220,255,230,0.25)
  Note over B,TS: HTTPS request served
  B->>TS: GET https://exosphere.host/...
  TS->>LP: Route via IngressRoute → service: exosphere-landing-page:80
  LP-->>TS: 200 OK
  TS-->>B: 200 OK
  end

  rect rgba(255,245,220,0.25)
  Note over B,TS: API host flow
  B->>T: GET http://api.exosphere.host/...
  T-->>B: 301 → https://api.exosphere.host/...
  B->>TS: GET https://api.exosphere.host/...
  TS->>API: Route via IngressRoute → service: exosphere-api-server:80
  API-->>TS: 200 OK
  TS-->>B: 200 OK
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Assessment against linked issues

Objective Addressed Explanation
Fix landing page SSL not working on iPhone/Firefox (#287)

Assessment against linked issues: Out-of-scope changes

| Code Change | Explanation |
| --- | --- |
| Add API server IngressRoute (k8s/ingress/api-server-ingress-http.yaml) | API routing changes are unrelated to the landing-page SSL issue #287. |
| Add HTTP→HTTPS redirect middleware (k8s/ingress/http-to-https-redirect-middleware.yaml) | Middleware is a broader infrastructural addition not explicitly required by #287. |
| Update Traefik values to enable entrypoint redirects (k8s/traefik-values.yaml) | Global Traefik entrypoint redirect affects all hosts; #287 focuses on landing-page SSL specifics. |
| CI change to apply entire ingress directory (.github/workflows/deploy-kubernetes.yml) | Expands deployment scope/order beyond the single-issue intent of fixing landing-page SSL. |

@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @NiveditJain, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors Kubernetes ingress configurations to improve deployment and enhance security. It introduces new IngressRoute definitions for the API server and landing page, enabling both HTTP and HTTPS access, and implements a mechanism to redirect all HTTP traffic to HTTPS, ensuring secure communication.

Highlights

  • Refactored Ingress Configuration: The deployment workflow now applies ingress configurations from a dedicated directory, streamlining the management of Kubernetes ingress resources.
  • New IngressRoutes for API and Landing Page: New Traefik IngressRoute resources have been added for the API server and landing page, supporting both HTTP and HTTPS entry points.
  • HTTP to HTTPS Redirection: A new Traefik Middleware is introduced to permanently redirect all incoming HTTP traffic to HTTPS, enhancing security.
  • Traefik Configuration Update: The "traefik-values.yaml" file has been updated to include additional arguments that enable and configure the HTTP to HTTPS redirection at the Traefik entrypoint level.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the Kubernetes ingress configuration to use a directory-based approach and adds HTTP to HTTPS redirection. The changes are a good step towards improving security and deployment structure. However, I've found a few critical issues that need to be addressed. There are conflicting resource names in the new IngressRoute definitions which will prevent them from being applied correctly. The configuration for the global HTTP-to-HTTPS redirection in traefik-values.yaml appears to be incorrect and needs to be fixed. I've also pointed out a redundancy in the redirection implementation (a global config vs. an unused middleware) and some minor issues with comments and file formatting. Please review the detailed comments below.

…HTTP suffix

- Renamed the IngressRoute for the API server from 'exosphere-api-server' to 'exosphere-api-server-http'.
- Renamed the IngressRoute for the landing page from 'exosphere-landing-page' to 'exosphere-landing-page-http'.

These changes improve clarity in the ingress configuration by explicitly indicating the HTTP context.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 10

📥 Commits

Reviewing files that changed from the base of the PR and between 3be966e and 13e4928.

📒 Files selected for processing (5)
  • .github/workflows/deploy-kubernetes.yml (1 hunks)
  • k8s/ingress/api-server-ingress-http.yaml (1 hunks)
  • k8s/ingress/http-to-https-redirect-middleware.yaml (1 hunks)
  • k8s/ingress/landing-page-ingress-http.yaml (1 hunks)
  • k8s/traefik-values.yaml (2 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
k8s/ingress/http-to-https-redirect-middleware.yaml

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)


[error] 9-9: trailing spaces

(trailing-spaces)

k8s/ingress/api-server-ingress-http.yaml

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

k8s/ingress/landing-page-ingress-http.yaml

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (3)
k8s/traefik-values.yaml (2)

8-10: Fix Traefik redirect target: use entrypoint name, not port literal.

For entrypoint redirection, Traefik expects the target entrypoint name (e.g., websecure), not a port string. Using ":443" is likely ignored or misinterpreted.

Apply this diff:

-  - "--entrypoints.web.http.redirections.entrypoint.to=:443"
+  - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
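
Review bot: The replacement line ending in "entrypoint.to=websecure" is not needed for correctness, because Traefik accepts either an entrypoint name or a ":port" value for this option. The same values file sets "--entrypoints.websecure.address=:8443", so naming the entrypoint would point the redirect at that listen port; keep ":443" as long as 443 is the externally exposed port.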

Likely an incorrect or invalid review comment.


33-33: ACME HTTP-01 Challenge Verified with Global HTTP→HTTPS Redirect

Documentation confirms that HTTP redirections on the web entryPoint remain fully compatible with the ACME HTTP-01 challenge when httpChallenge.entryPoint: web is configured (doc.traefik.io).

Configuration requiring no change:

  • k8s/traefik-values.yaml (line 33): entryPoint: web is correctly set.
.github/workflows/deploy-kubernetes.yml (1)

53-53: LGTM: switching to directory apply will pick up all ingress resources in one go.

This reduces drift and missed applies as new manifests are added.

Comment on lines 50 to +53
echo "waiting 2 minutes for the A record to be updated"
sleep 1200

kubectl apply -f ./api-server-ingress.yaml
kubectl apply -f ./landing-page-ingress.yaml
kubectl apply -f ./ingress/.
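
Review bot: "kubectl apply -f ./ingress/." deploys every manifest in the directory with the workflow's cluster credentials, so a file added there later ships without any change to this workflow. Consider running "kubectl apply --dry-run=server -f ./ingress/" as a preceding step so an invalid or unexpected manifest fails the job before anything is applied.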

🧹 Nitpick (assertive)

Inconsistent wait message vs actual sleep; also simplify directory apply path.

  • Message says “2 minutes” but sleep is 1200s (20 minutes).
  • Prefer “./ingress/” over “./ingress/.” for readability.

Apply this diff:

-          echo "waiting 2 minutes for the A record to be updated"
-          sleep 1200
+          echo "waiting 20 minutes for the A record to be updated"
+          sleep 1200
@@
-          kubectl apply -f ./ingress/.
+          kubectl apply -f ./ingress/

If the intention was 2 minutes, change to:

-          echo "waiting 2 minutes for the A record to be updated"
-          sleep 1200
+          echo "waiting 2 minutes for the A record to be updated"
+          sleep 120
🤖 Prompt for AI Agents
.github/workflows/deploy-kubernetes.yml around lines 50 to 53: the echo message
says "waiting 2 minutes" but the script sleeps for 1200 seconds (20 minutes) and
the kubectl apply uses "./ingress/." which is awkward; to fix, make the sleep
duration match the intended wait (change sleep 1200 to sleep 120 or update the
echo to "waiting 20 minutes" if 20 minutes was intended) and simplify the apply
path to "./ingress/".

@@ -0,0 +1,17 @@
# k8s/api-ingressroute.yaml

🧹 Nitpick (assertive)

Header comment path is incorrect.

The file header says “k8s/api-ingressroute.yaml” but the file lives at “k8s/ingress/api-server-ingress-http.yaml”.

Apply this diff:

-# k8s/api-ingressroute.yaml
+# k8s/ingress/api-server-ingress-http.yaml
🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around line 1, the header comment
incorrectly states "k8s/api-ingressroute.yaml"; update the first line to reflect
the actual file path by changing the header comment to "#
k8s/ingress/api-server-ingress-http.yaml".

Comment on lines +7 to +11
entryPoints:
- web
routes:
- match: Host(`api.exosphere.host`)
kind: Rule

🛠️ Refactor suggestion

Inconsistent IngressRoute: HTTP entryPoint with TLS enabled. Choose one of two valid patterns.

You’re binding to entryPoint “web” (HTTP) while enabling TLS. TLS will not terminate on a non-TLS entrypoint. Pick one:

  • Option A (preferred with global redirect): HTTP-only route, no tls, and rely on entrypoint redirect or attach the middleware.
  • Option B: HTTPS route only on “websecure” with tls enabled.

Option A (HTTP-only, attach middleware):

 spec:
   entryPoints:
-    - web
+    - web
   routes:
     - match: Host(`api.exosphere.host`)
       kind: Rule
+      middlewares:
+        - name: http-to-https-redirect
       services:
         - name: exosphere-api-server
           namespace: default
           port: 80
-  tls:
-    certResolver: letsencrypt
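
Review bot: The "-    - web" / "+    - web" pair at the top of this hunk changes nothing and should be dropped from the suggestion. The added middleware reference carries no namespace, so it only resolves if http-to-https-redirect is created in the same namespace as this IngressRoute, and once the redirect is attached the services entry stays in the manifest without any request on web reaching it.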

Option B (HTTPS-only on websecure):

 spec:
-  entryPoints:
-    - web
+  entryPoints:
+    - websecure
   routes:
     - match: Host(`api.exosphere.host`)
       kind: Rule
       services:
         - name: exosphere-api-server
           namespace: default
           port: 80
   tls:
     certResolver: letsencrypt
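
Review bot: Switching entryPoints to websecure here leaves a file named api-server-ingress-http.yaml defining an HTTPS route. If the api-server-ingress.yaml that the workflow applied before this PR already routes Host(`api.exosphere.host`) on websecure, this option creates a second router for the same host, so check that manifest before taking Option B.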

Also ensure you actually have a separate HTTP IngressRoute only if you’re not using global redirection.

Also applies to: 16-17

🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around lines 7 to 11, the
IngressRoute is bound to the HTTP entryPoint "web" while TLS is being configured
— TLS cannot terminate on a non-TLS entrypoint. Fix by choosing one pattern:
Option A: make this an HTTP-only route by removing the TLS configuration and (if
needed) attach or rely on a global redirect middleware to forward traffic to
HTTPS; Option B: make this an HTTPS route by changing the entryPoint to
"websecure" and keeping the TLS section with a proper certResolver/secret so TLS
terminates on the secure entryPoint. Also ensure you have a separate HTTP
IngressRoute only if you opt for global redirection.

namespace: default
port: 80
tls:
certResolver: letsencrypt No newline at end of file

🧹 Nitpick (assertive)

Add missing newline at EOF to satisfy linters.

Apply this diff:

-    certResolver: letsencrypt
\ No newline at end of file
+    certResolver: letsencrypt
+
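
Review bot: The trailing "+" line adds an empty line after "certResolver: letsencrypt" instead of only terminating that line. The file needs just the final newline character; an extra blank line at the end of the file is reported by yamllint's empty-lines rule under its default configuration (max-end: 0).
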
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around line 17, the file is missing
a trailing newline at EOF which causes linter failures; open the file and add a
single newline character after the last line (after "certResolver: letsencrypt")
so the file ends with a newline, save and commit the change.

Comment on lines +3 to +4
metadata:
name: http-to-https-redirect

🧹 Nitpick (assertive)

Make middleware namespace explicit.

If your IngressRoutes are in “default”, keeping the middleware in the same namespace is fine, but making it explicit avoids surprises when contexts change.

Apply this diff:

 kind: Middleware
 metadata:
-  name: http-to-https-redirect
+  name: http-to-https-redirect
+  namespace: default
🤖 Prompt for AI Agents
In k8s/ingress/http-to-https-redirect-middleware.yaml around lines 3-4, the
middleware manifest omits an explicit namespace under metadata; add a
metadata.namespace field (e.g., namespace: default) so the middleware lives in
the same namespace as your IngressRoutes (or set it to whatever namespace your
IngressRoutes use) to avoid cross-namespace surprises.

Comment on lines +6 to +9
redirectScheme:
scheme: https
port: "443"
permanent: true No newline at end of file

🧹 Nitpick (assertive)

Trailing space and missing newline; also consider wiring the middleware.

  • Clean up whitespace/newline to satisfy linters.
  • This middleware isn’t referenced by the IngressRoutes. If you retain it, attach it to the HTTP routes as in the Option A diffs.

Apply this diff:

 spec:
   redirectScheme:
     scheme: https
     port: "443"
-    permanent: true 
+    permanent: true
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 9-9: no new line character at the end of file

(new-line-at-end-of-file)


[error] 9-9: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In k8s/ingress/http-to-https-redirect-middleware.yaml around lines 6 to 9,
remove the trailing space after "permanent: true" and ensure the file ends with
a newline to satisfy linters, and if you intend to keep this middleware also
wire it into your IngressRoute HTTP routes by adding this middleware's name to
the appropriate route(s) (e.g., under the route's middlewares list) so the
redirect is applied; update the IngressRoute manifests to reference this
middleware for the HTTP entrypoints or remove the middleware file if not used.

@@ -0,0 +1,17 @@
# k8s/api-ingressroute.yaml

🧹 Nitpick (assertive)

Header comment path is incorrect.

The file header says “k8s/api-ingressroute.yaml” but the file is “k8s/ingress/landing-page-ingress-http.yaml”.

Apply this diff:

-# k8s/api-ingressroute.yaml
+# k8s/ingress/landing-page-ingress-http.yaml
🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 1 to 1, the header
comment references the wrong path ("k8s/api-ingressroute.yaml"); update the
top-of-file comment to the correct file path
("k8s/ingress/landing-page-ingress-http.yaml") so the header accurately reflects
the file location.

Comment on lines +7 to +11
entryPoints:
- web
routes:
- match: Host(`exosphere.host`)
kind: Rule

🛠️ Refactor suggestion

Same inconsistency: HTTP entryPoint with TLS enabled. Align with one pattern.

Mirror the API ingress fix. Choose one:

  • Option A (HTTP-only + redirect middleware).
  • Option B (HTTPS-only on websecure + tls).

Option A:

 spec:
   entryPoints:
     - web
   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
+      middlewares:
+        - name: http-to-https-redirect
       services:
         - name: exosphere-landing-page
           namespace: default
           port: 80
-  tls:
-    certResolver: letsencrypt

Option B:

 spec:
-  entryPoints:
-    - web
+  entryPoints:
+    - websecure
   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
       services:
         - name: exosphere-landing-page
           namespace: default
           port: 80
   tls:
     certResolver: letsencrypt

Also applies to: 16-17

🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 7 to 11 (also applies
to lines 16-17), the ingress declares the HTTP entryPoint "web" while TLS is
enabled—pick one consistent pattern: either Option A (HTTP-only): keep
entryPoint "web", remove any tls block, and attach a redirect-to-HTTPS
middleware (or ensure a global redirect) so HTTP endpoints don’t claim TLS; or
Option B (HTTPS-only): change entryPoint to "websecure", keep or add the tls
section with the certificate resolver, and remove any redirect middleware; apply
the same change to the other route at lines 16-17 so both routes follow the
chosen pattern.

namespace: default
port: 80
tls:
certResolver: letsencrypt No newline at end of file

🧹 Nitpick (assertive)

Add missing newline at EOF to satisfy linters.

Apply this diff:

-    certResolver: letsencrypt
\ No newline at end of file
+    certResolver: letsencrypt
+
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around line 17, the file is
missing a trailing newline at EOF which fails linters; fix by adding a single
newline character at the end of the file (ensure the file ends with a blank line
after the final line "certResolver: letsencrypt") and save.

Comment on lines 6 to 12
additionalArguments:
- "--entrypoints.web.address=:8081"
- "--entrypoints.web.http.redirections.entrypoint.to=:443"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
- "--entrypoints.websecure.address=:8443"
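
Review bot: "--entrypoints.web.http.redirections.entrypoint.permanent=true" makes clients cache the redirect, so confirm that HTTPS serves a valid certificate on both hosts before this rolls out. The redirect target ":443" differs from the websecure listen address ":8443" on the last line, and a comment naming the externally exposed port would record why the two values are not the same.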


🧹 Nitpick (assertive)

Avoid duplication: entrypoint-level redirect makes the middleware redundant unless explicitly used.

You added both an entrypoint-level redirect and a Middleware. If you keep the entrypoint-level redirect, you generally don't need an HTTP IngressRoute or the redirect middleware. Conversely, if you prefer per-route control using the middleware, remove the additionalArguments and attach the middleware to the HTTP IngressRoutes.

Would you like me to generate a minimal set of manifests for either approach (global vs per-route)?

🤖 Prompt for AI Agents
In k8s/traefik-values.yaml around lines 6 to 12 you defined an entrypoint-level
redirect and also use a redirect Middleware elsewhere, causing duplicated
behavior; either remove the entrypoint-level redirect arguments (the
--entrypoints.web.http.redirections.* flags) to rely on per-route Middleware, or
remove the Middleware and keep the entrypoint-level redirect for global
HTTP->HTTPS redirection; if you choose per-route control, delete the three
redirection lines under additionalArguments and attach the Middleware to your
HTTP IngressRoutes; if you choose global redirection, remove any redirect
Middleware manifests to avoid redundancy.
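
The three findings raised in the review above (a tls block on a route bound to web, a redirect Middleware that nothing references, and HTTP routes with no redirect in front of them) can be checked mechanically over cluster objects. This is an added example, not part of the PR or of any reviewer's output; the function names, finding strings and sample objects are constructed, and it assumes websecure is the only entrypoint meant to carry TLS.

```python
import json

TLS_ENTRYPOINTS = frozenset({"websecure"})  # assumption: only websecure carries TLS


def load_items(path):
    """Read saved output of `kubectl get ingressroute,middleware -A -o json`."""
    with open(path) as fh:
        return json.load(fh)["items"]


def audit(items, entrypoint_redirect=False, tls_entrypoints=TLS_ENTRYPOINTS):
    """Return sorted (object, finding) pairs for the issues raised in the review.

    entrypoint_redirect: True when Traefik itself redirects the HTTP entrypoint
    (the --entrypoints.web.http.redirections.* arguments in traefik-values.yaml).
    """
    # Middlewares that redirect to https, keyed by (namespace, name).
    redirects = {
        (o["metadata"].get("namespace", "default"), o["metadata"]["name"])
        for o in items
        if o["kind"] == "Middleware"
        and o.get("spec", {}).get("redirectScheme", {}).get("scheme") == "https"
    }
    used, findings = set(), []
    for o in items:
        if o["kind"] != "IngressRoute":
            continue
        ns = o["metadata"].get("namespace", "default")
        label = "%s/%s" % (ns, o["metadata"]["name"])
        spec = o.get("spec", {})
        # Entry points this route is bound to that are not expected to carry TLS.
        plain = set(spec.get("entryPoints", [])) - set(tls_entrypoints)
        if plain and "tls" in spec:
            findings.append((label, "tls block on non-TLS entryPoint"))
        for route in spec.get("routes", []):
            # A middleware reference without a namespace resolves in the route's own.
            refs = {(m.get("namespace", ns), m["name"])
                    for m in route.get("middlewares", [])}
            used |= refs
            if plain and not entrypoint_redirect and not (refs & redirects):
                findings.append((label, "HTTP route served without redirect"))
    for ns, name in redirects - used:
        findings.append(("%s/%s" % (ns, name), "redirect middleware not referenced"))
    return sorted(findings)


# --- constructed sample objects, reduced to the fields audit() reads ---
def ingress_route(name, host, service, entry_points, tls=False, middlewares=()):
    spec = {
        "entryPoints": list(entry_points),
        "routes": [{
            "match": "Host(`%s`)" % host,
            "kind": "Rule",
            "middlewares": [{"name": m} for m in middlewares],
            "services": [{"name": service, "namespace": "default", "port": 80}],
        }],
    }
    if tls:
        spec["tls"] = {"certResolver": "letsencrypt"}
    return {"kind": "IngressRoute",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


REDIRECT = {
    "kind": "Middleware",
    "metadata": {"name": "http-to-https-redirect", "namespace": "default"},
    "spec": {"redirectScheme": {"scheme": "https", "port": "443", "permanent": True}},
}

# The manifests as reviewed: bound to web, tls set, middleware not attached.
AS_SUBMITTED = [
    ingress_route("exosphere-api-server-http", "api.exosphere.host",
                  "exosphere-api-server", ["web"], tls=True),
    ingress_route("exosphere-landing-page-http", "exosphere.host",
                  "exosphere-landing-page", ["web"], tls=True),
    REDIRECT,
]

# Option A from the review: HTTP-only routes with the redirect attached.
OPTION_A = [
    ingress_route("exosphere-api-server-http", "api.exosphere.host",
                  "exosphere-api-server", ["web"],
                  middlewares=["http-to-https-redirect"]),
    ingress_route("exosphere-landing-page-http", "exosphere.host",
                  "exosphere-landing-page", ["web"],
                  middlewares=["http-to-https-redirect"]),
    REDIRECT,
]

if __name__ == "__main__":
    for name, items in (("as submitted", AS_SUBMITTED), ("option A", OPTION_A)):
        print(name)
        for obj, finding in audit(items, entrypoint_redirect=(items is AS_SUBMITTED)):
            print("  %s: %s" % (obj, finding))
```

Against a live cluster, pass `load_items()` the saved kubectl output and set `entrypoint_redirect` to match the Traefik arguments in use.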


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (8)
k8s/ingress/api-server-ingress-http.yaml (4)

5-5: Good: unique resource name prevents conflict with HTTPS IngressRoute.

Using exosphere-api-server-http avoids clashing with the HTTPS IngressRoute (typically named exosphere-api-server).


1-1: Fix incorrect header path comment.

The header references k8s/api-ingressroute.yaml while the file path is k8s/ingress/api-server-ingress-http.yaml.

-# k8s/api-ingressroute.yaml
+# k8s/ingress/api-server-ingress-http.yaml

7-17: Inconsistent: HTTP entryPoint with TLS enabled — choose HTTP-only + redirect or HTTPS-only.

You bind to entryPoints: [web] (HTTP) while configuring tls:. TLS won’t terminate on a non‑TLS entrypoint. Pick one pattern and apply consistently across files.

  • Option A (HTTP-only, attach redirect middleware — preferred if you keep this file):

    • Keep entryPoints: [web]
    • Remove tls: block
    • Attach the redirect middleware
  • Option B (HTTPS-only on websecure):

    • Change entryPoint to websecure
    • Keep tls: block
    • Typically you don’t need a separate HTTP IngressRoute if entrypoint-level redirect is enabled.

Option A diff:

 spec:
   entryPoints:
     - web
   routes:
     - match: Host(`api.exosphere.host`)
       kind: Rule
+      middlewares:
+        - name: http-to-https-redirect
       services:
         - name: exosphere-api-server
           namespace: default
           port: 80
-  tls:
-    certResolver: letsencrypt
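
Review bot: The added `middlewares:` entry references `http-to-https-redirect`, but the verification further down in this same review states that no Middleware of that name is defined or referenced under k8s/ingress, so the route would point at a missing resource unless the Middleware manifest ships in the same change. It would also duplicate the entrypoint-level redirect configured in k8s/traefik-values.yaml; settle on one of the two mechanisms before applying this option.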

Option B diff:

 spec:
-  entryPoints:
-    - web
+  entryPoints:
+    - websecure
   routes:
     - match: Host(`api.exosphere.host`)
       kind: Rule
       services:
         - name: exosphere-api-server
           namespace: default
           port: 80
   tls:
     certResolver: letsencrypt
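
Review bot: Moving `entryPoints` to `websecure` in a manifest whose file and resource name end in `-http` leaves two routers for Host(`api.exosphere.host`) on the same entrypoint if the HTTPS IngressRoute mentioned above (`exosphere-api-server`) is kept. If that route exists, delete this manifest rather than converting it and let the entrypoint-level redirect cover port 80; the same applies to the landing-page variant of this option.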

17-17: Add trailing newline at EOF to satisfy linters.

-    certResolver: letsencrypt
\ No newline at end of file
+    certResolver: letsencrypt
+
k8s/ingress/landing-page-ingress-http.yaml (4)

5-5: Good: unique resource name avoids conflict with HTTPS route.

exosphere-landing-page-http won’t collide with the HTTPS IngressRoute.


1-1: Fix incorrect header path comment.

Header points to k8s/api-ingressroute.yaml; update to the current file path.

-# k8s/api-ingressroute.yaml
+# k8s/ingress/landing-page-ingress-http.yaml

7-17: Same inconsistency: HTTP entryPoint with TLS enabled. Align with a single pattern.

Choose either HTTP-only + redirect middleware (remove tls:) or HTTPS-only on websecure (keep tls:).

Option A diff:

 spec:
   entryPoints:
     - web
   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
+      middlewares:
+        - name: http-to-https-redirect
       services:
         - name: exosphere-landing-page
           namespace: default
           port: 80
-  tls:
-    certResolver: letsencrypt
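
Review bot: The `- name: http-to-https-redirect` reference carries no `namespace`, and this IngressRoute sets none under `metadata` either, while its service reference is pinned to `namespace: default`. Set `metadata.namespace` and create the Middleware in that same namespace so the unqualified reference resolves wherever CI applies the manifest.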

Option B diff:

 spec:
-  entryPoints:
-    - web
+  entryPoints:
+    - websecure
   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
       services:
         - name: exosphere-landing-page
           namespace: default
           port: 80
   tls:
     certResolver: letsencrypt

17-17: Add trailing newline at EOF to satisfy linters.

-    certResolver: letsencrypt
\ No newline at end of file
+    certResolver: letsencrypt
+
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

📥 Commits

Reviewing files that changed from the base of the PR and between 13e4928 and 6042779.

📒 Files selected for processing (2)
  • k8s/ingress/api-server-ingress-http.yaml (1 hunks)
  • k8s/ingress/landing-page-ingress-http.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
k8s/ingress/landing-page-ingress-http.yaml

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

k8s/ingress/api-server-ingress-http.yaml

[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
k8s/ingress/api-server-ingress-http.yaml (1)

7-17: Redirect strategy is correctly centralized at the entrypoint level

I’ve verified that:

  • k8s/traefik-values.yaml configures Traefik’s HTTP→HTTPS entrypoint redirect (--entrypoints.web.http.redirections.entrypoint.* at lines 8–10).
  • There are no http-to-https-redirect middleware definitions or references in the k8s/ingress manifests.

Since only the global entrypoint-level redirect is in use and no duplicate middleware exists, no changes are needed here.

Comment on lines +4 to +5
metadata:
  name: exosphere-api-server-http

🧹 Nitpick (assertive)

Be explicit about namespace to avoid surprises in CI contexts.

Unless your workflow sets the default namespace, add metadata.namespace: default to make placement explicit.

 kind: IngressRoute
 metadata:
   name: exosphere-api-server-http
+  namespace: default
🤖 Prompt for AI Agents
In k8s/ingress/api-server-ingress-http.yaml around lines 4 to 5, the resource
metadata lacks an explicit namespace which can cause unpredictable placement in
CI; add a metadata.namespace field (e.g., namespace: default or the intended
namespace) under metadata to make placement explicit and avoid relying on
cluster/default contexts.

Comment on lines +4 to +5
metadata:
  name: exosphere-landing-page-http

🧹 Nitpick (assertive)

Be explicit about namespace to avoid default-namespace assumptions.

 kind: IngressRoute
 metadata:
   name: exosphere-landing-page-http
+  namespace: default
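
Review bot: `namespace: default` in this suggestion disagrees with the agent prompt attached to the same comment, which proposes an app-specific namespace such as "exosphere". The route's service reference uses `namespace: default`, so placing the IngressRoute anywhere else turns that into a cross-namespace reference; keep `default`, or move the Service and the route together.
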
🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 4 to 5, metadata only
contains name which leaves the resource in the default namespace; add an
explicit metadata.namespace field (set to the intended namespace used by the
app, e.g., "exosphere" or the cluster-specific namespace) to the metadata block
so the ingress is created in the correct namespace and is consistent with other
manifests.

Comment on lines +7 to +12
  entryPoints:
    - web
  routes:
    - match: Host(`exosphere.host`)
      kind: Rule
      services:

🧹 Nitpick (assertive)

Security hardening: consider HSTS on HTTPS routes.

If you proceed with HTTPS-only, add a Headers middleware with STSSeconds, STSIncludeSubdomains, and STSPreload to enforce HSTS. Attach it to the HTTPS IngressRoutes.

Example (in a separate middleware manifest):

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: default
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true

Then attach:

   routes:
     - match: Host(`exosphere.host`)
       kind: Rule
-      services:
+      middlewares:
+        - name: security-headers
+      services:
         - name: exosphere-landing-page
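
Review bot: Attach `security-headers` to the `websecure` IngressRoute rather than the route shown here, which comes from landing-page-ingress-http.yaml lines 7 to 12 and binds to the `web` entrypoint; browsers ignore Strict-Transport-Security received over plain HTTP. With `stsPreload: true` and `stsIncludeSubdomains: true` at a one-year `stsSeconds`, confirm that every subdomain serves a valid certificate first, given that the linked issue reports the landing page's SSL failing on iPhone/Firefox.
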
🤖 Prompt for AI Agents
In k8s/ingress/landing-page-ingress-http.yaml around lines 7 to 12, the
IngressRoute for exosphere.host lacks HSTS enforcement for HTTPS; add a Traefik
Headers Middleware resource (e.g., name security-headers) in the same namespace
with stsSeconds: 31536000, stsIncludeSubdomains: true, and stsPreload: true,
then attach that middleware to the HTTPS IngressRoute(s) via the middlewares
section so HSTS is applied only to HTTPS traffic.
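
The checks raised across this review (a `tls:` block on the `web` entrypoint, a missing `metadata.namespace`, a redirect Middleware that is referenced but not defined) can be run mechanically before `kubectl apply`. The following is an added example, not code from the PR or from CodeRabbit; it assumes the manifests have already been parsed into dicts, and the function names, the `option-a-route` resource and the sample data are hypothetical.

```python
# Added example: lint parsed Traefik IngressRoute/Middleware manifests for the
# problems discussed in this review. Input is a list of dicts (for instance the
# output of a YAML loader); SAMPLE below is constructed, not taken from the repo.

def lint_manifests(docs):
    """Return a sorted list of (resource name, finding) tuples."""
    # Assumption: a resource without metadata.namespace lands in "default".
    defined = {(d["metadata"].get("namespace", "default"), d["metadata"]["name"])
               for d in docs if d.get("kind") == "Middleware"}
    findings = []
    for d in docs:
        if d.get("kind") != "IngressRoute":
            continue
        name, ns = d["metadata"]["name"], d["metadata"].get("namespace")
        spec = d.get("spec", {})
        entry_points = spec.get("entryPoints", [])
        if ns is None:
            findings.append((name, "no metadata.namespace"))
        # A tls: block on the plain-HTTP entrypoint does not terminate TLS.
        if "web" in entry_points and "tls" in spec:
            findings.append((name, "tls block on HTTP entryPoint web"))
        if "websecure" in entry_points and "tls" not in spec:
            findings.append((name, "websecure route without tls block"))
        for route in spec.get("routes", []):
            for mw in route.get("middlewares", []):
                # Unqualified middleware refs resolve in the route's namespace.
                key = (mw.get("namespace", ns or "default"), mw["name"])
                if key not in defined:
                    findings.append((name, "undefined middleware " + mw["name"]))
    return sorted(findings)

def ingress_route(name, entry_point, tls=False, middlewares=(), namespace=None):
    """Build a constructed manifest shaped like the ones quoted in the review."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    route = {"match": "Host(`exosphere.host`)", "kind": "Rule",
             "middlewares": [{"name": m} for m in middlewares],
             "services": [{"name": "exosphere-landing-page", "port": 80}]}
    spec = {"entryPoints": [entry_point], "routes": [route]}
    if tls:
        spec["tls"] = {"certResolver": "letsencrypt"}
    return {"kind": "IngressRoute", "metadata": meta, "spec": spec}

SAMPLE = [
    ingress_route("exosphere-landing-page-http", "web", tls=True),  # as reviewed
    ingress_route("option-a-route", "web",                          # hypothetical
                  middlewares=["http-to-https-redirect"], namespace="default"),
]

if __name__ == "__main__":
    for resource, finding in lint_manifests(SAMPLE):
        print(resource + ": " + finding)
```

Run in CI ahead of the apply step, a non-empty result is a reason to fail the job.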

@NiveditJain NiveditJain merged commit 82bee1e into exospherehost:main Aug 25, 2025
3 checks passed
Development

Successfully merging this pull request may close these issues.

Landing page SSL not working on iPhone/Firefox