I hate ingress controllers

apps/values/openwebui.yaml

@@ -4,21 +4,14 @@ image:
     pullPolicy: IfNotPresent
 
 service:
-    type: ClusterIP # use Ingress for external access
+    type: NodePort
 
 persistence:
     enabled: true
     size: 5Gi
 
 ingress:
-    enabled: true # expose via nginx ingress
-    className: nginx
-    hosts:
-        - host: openwebui.local
-          paths:
-              - path: /
-                pathType: Prefix
-    tls: [] # no https for local/minikube
+    enabled: false
 
 # NO SECRETS!!!
 extraEnvVars:

manifests/argo-schedules-api/deployment.yaml

@@ -56,4 +56,4 @@ spec:
         - name: http
           port: 12253
           targetPort: 12253
-    type: ClusterIP
+    type: NodePort

manifests/browser/deployment.yaml

@@ -37,4 +37,4 @@ metadata: { name: browser, namespace: ai }
 spec:
     selector: { app: browser }
     ports: [{ name: http, port: 7788, targetPort: 7788 }]
-    type: ClusterIP
+    type: NodePort

manifests/coderunner/deployment.yaml

@@ -41,4 +41,4 @@ metadata: { name: coderunner, namespace: ai }
 spec:
     selector: { app: coderunner }
     ports: [{ name: http, port: 8787, targetPort: 8787 }]
-    type: ClusterIP
+    type: NodePort

manifests/policy/allow-coderunner-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-coderunner-ingress
+    namespace: ai
+spec:
+    podSelector:
+        matchLabels:
+            app: coderunner
+    policyTypes: ["Ingress"]
+    ingress:
+        - from:
+              - ipBlock: { cidr: 0.0.0.0/0 }
+          ports:
+              - { protocol: TCP, port: 8787 }
+

manifests/policy/allow-rag-server-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-rag-server-ingress
+    namespace: ai
+spec:
+    podSelector:
+        matchLabels:
+            app: rag-server
+    policyTypes: ["Ingress"]
+    ingress:
+        - from:
+              - ipBlock: { cidr: 0.0.0.0/0 }
+          ports:
+              - { protocol: TCP, port: 8788 }
+

manifests/policy/allow-tools-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-tools-ingress
+    namespace: ai
+spec:
+    podSelector:
+        matchLabels:
+            app: tools
+    policyTypes: ["Ingress"]
+    ingress:
+        - from:
+              - ipBlock: { cidr: 0.0.0.0/0 }
+          ports:
+              - { protocol: TCP, port: 1331 }
+

manifests/policy/kustomization.yaml

@@ -7,3 +7,6 @@ resources:
     - allow-browser-ingress.yaml
     - allow-common-egress.yaml
     - allow-https-egress.yaml
+    - allow-tools-ingress.yaml
+    - allow-coderunner-ingress.yaml
+    - allow-rag-server-ingress.yaml

manifests/rag-server/deployment.yaml

@@ -36,4 +36,4 @@ metadata: { name: rag-server, namespace: ai }
 spec:
     selector: { app: rag-server }
     ports: [{ name: http, port: 8788, targetPort: 8788 }]
-    type: ClusterIP
+    type: NodePort

manifests/tools/deployment.yaml

@@ -32,4 +32,4 @@ metadata: { name: tools, namespace: ai }
 spec:
     selector: { app: tools }
     ports: [{ name: http, port: 1331, targetPort: 1331 }]
-    type: ClusterIP
+    type: NodePort