areas/devops/networking/skills/ingress-patterns/SKILL.md
NGINX Ingress Controller patterns — TLS, rate limiting, CORS, rewrites, path-based routing, and MetalLB for bare-metal.
Expertise: NGINX Ingress Controller, MetalLB, cert-manager TLS, rate limiting, CORS, canary routing.
Use when creating or reviewing Kubernetes Ingress resources, setting up TLS, configuring rate limits, or debugging 502/504 responses from the ingress controller.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-service
  namespace: production
  annotations:
    # TLS + redirect. force-ssl-redirect also redirects when TLS terminates on an
    # external load balancer and the controller only ever sees plain HTTP.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Rate limiting, per client IP. Excess requests get 503 (limit-req-status-code
    # in the controller ConfigMap); burst is 5x the rate unless limit-burst-multiplier is changed.
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-connections: "20"
    # Timeouts (seconds). A 504 from the controller means proxy-read-timeout was exceeded.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    # TLS cert via cert-manager
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # Security headers. Snippet annotations inject raw nginx config and are
    # disabled by default on ingress-nginx >= 1.9 (allow-snippet-annotations in the
    # controller ConfigMap). The controller already sends HSTS by default
    # (hsts: "true" in the ConfigMap); keep the line below only if you turned that off.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.com]
      secretName: api-example-com-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port: { number: 80 }
```
```yaml
# Path-based routing: the longest matching prefix wins, so /api is routed to
# api-service and everything else falls through to frontend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-com   # illustrative name
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service: { name: api-service, port: { number: 80 } }
          - path: /
            pathType: Prefix
            backend:
              service: { name: frontend, port: { number: 80 } }
```
```yaml
# CORS annotations, added to the Ingress metadata. The controller's default
# cors-allow-origin is "*"; with allow-credentials "true" browsers reject a wildcard,
# so always pin the origin when credentials are allowed.
annotations:
  nginx.ingress.kubernetes.io/enable-cors: "true"
  nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.example.com" # NOT *
  nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
  nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
  nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
```
```yaml
# Primary ingress (stable). The canary annotation defaults to "false", so it is
# optional here.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-stable
  annotations:
    nginx.ingress.kubernetes.io/canary: "false"
spec: { ... }
# Canary ingress (10% traffic). It must declare the same host and path as the
# stable ingress; the controller merges the two.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10" # 10% of traffic
    # OR by header (precedence: canary-by-header > canary-by-cookie > canary-weight).
    # Any client can set this header, so a header-selected canary is not access control.
    nginx.ingress.kubernetes.io/canary-by-header: "X-Canary"
    nginx.ingress.kubernetes.io/canary-by-header-value: "true"
spec: { ... } # points to canary service
```
```yaml
# IPAddressPool — assign bare-metal IPs to LoadBalancer services.
# The range must be routable on the node network and excluded from DHCP.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: prod-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.10.100-192.168.10.150
---
# L2Advertisement — announce IPs via ARP/NDP. In L2 mode one node answers for
# each IP at a time (failover, not load balancing across nodes).
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: l2-advert
  namespace: metallb-system
spec:
  ipAddressPools: [prod-pool]
```
```bash
# Check ingress controller logs (502 = no ready endpoint / backend refused,
# 504 = backend exceeded proxy-read-timeout)
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=100

# Verify ingress is configured correctly (events show rejected annotations)
kubectl describe ingress <name> -n <ns>

# Check endpoints (is the service selecting ready pods?)
kubectl get endpoints <svc> -n <ns>
kubectl get endpointslices -n <ns> -l kubernetes.io/service-name=<svc>

# Test TLS and confirm the security headers are actually emitted
curl -v https://api.example.com/health 2>&1 | grep "SSL\|TLS\|certificate"
curl -sI https://api.example.com/ | grep -i "strict-transport\|x-frame\|x-content-type"

# Check cert-manager certificate status
kubectl get certificate -n <ns>
kubectl describe certificate <name> -n <ns>
```
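The TLS, CORS, rate-limit, snippet and canary patterns above are easy to get subtly wrong in review, so here is an added linter (example code, not part of this skill or of ingress-nginx) that reads the JSON from `kubectl get ingress -A -o json` and reports the deviations a reviewer would flag: a host with no `spec.tls` entry, `ssl-redirect` switched off, missing `force-ssl-redirect`, CORS credentials with the controller's default wildcard origin, no rate limit, use of snippet annotations (off by default on ingress-nginx 1.9+), and header-selectable canaries. The `SAMPLE` object and the `ingress_lint.py` filename are constructed for illustration.

```python
"""Lint Ingress objects against the patterns in this skill.

Usage:  kubectl get ingress -A -o json | python3 ingress_lint.py
Exits 1 when any finding is reported, so it can gate CI. Example code, not
part of ingress-nginx; SAMPLE below is a constructed input.
"""
import json
import sys

ANN = "nginx.ingress.kubernetes.io/"
SNIPPET_KEYS = ("configuration-snippet", "server-snippet", "stream-snippet")
RATE_KEYS = ("limit-rps", "limit-rpm", "limit-connections")


def check_ingress(ing: dict) -> list[str]:
    """Return findings for one Ingress object; an empty list means clean."""
    meta = ing.get("metadata") or {}
    ann = meta.get("annotations") or {}
    spec = ing.get("spec") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings: list[str] = []

    def a(key: str):  # accessor for nginx.ingress.kubernetes.io/* annotations
        return ann.get(ANN + key)

    canary = a("canary") == "true"

    # TLS: every rule host must be covered by a spec.tls entry. A canary
    # ingress reuses the stable ingress's server block, so it is exempt.
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    if not canary:
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host and host not in tls_hosts:
                findings.append(f"{name}: host {host} has no spec.tls entry")

    # Redirect: ssl-redirect defaults to true once TLS exists; an explicit
    # "false" serves plaintext next to TLS. force-ssl-redirect is what keeps
    # the redirect working when TLS terminates on an upstream load balancer.
    if a("ssl-redirect") == "false":
        findings.append(f"{name}: ssl-redirect is disabled")
    if tls_hosts and a("force-ssl-redirect") != "true":
        findings.append(f"{name}: force-ssl-redirect not set")

    # CORS: the controller's default allow-origin is "*"; with credentials
    # enabled that is rejected by browsers and is never right for an authed API.
    if a("enable-cors") == "true" and a("cors-allow-credentials") == "true":
        origin = a("cors-allow-origin") or "*"
        if "*" in origin:
            findings.append(f"{name}: CORS allows credentials with origin '{origin}'")

    # Rate limiting: absence is worth a finding on an internet-facing API.
    if not any(a(k) for k in RATE_KEYS):
        findings.append(f"{name}: no limit-rps/limit-rpm/limit-connections")

    # Snippets inject raw nginx config and are refused unless
    # allow-snippet-annotations is enabled on the controller ConfigMap.
    for k in SNIPPET_KEYS:
        if a(k):
            findings.append(f"{name}: uses {k}; needs allow-snippet-annotations "
                            "and a review of the injected config")

    # A header-selected canary is reachable by any client that sets the header.
    if canary and a("canary-by-header"):
        findings.append(f"{name}: canary selectable via header "
                        f"'{a('canary-by-header')}'; not an access control")
    return findings


def check_all(doc: dict) -> list[str]:
    """Accept a single Ingress or a kubectl List and lint every item."""
    items = doc.get("items") or [] if doc.get("kind") == "List" else [doc]
    return [f for ing in items for f in check_ingress(ing)]


# Constructed sample: the api-service Ingress from this skill, but with CORS
# credentials enabled and the origin left at the controller default.
SAMPLE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "api-service",
        "namespace": "production",
        "annotations": {
            ANN + "force-ssl-redirect": "true",
            ANN + "limit-rps": "100",
            ANN + "enable-cors": "true",
            ANN + "cors-allow-credentials": "true",
            ANN + "configuration-snippet": "add_header X-Frame-Options DENY always;",
        },
    },
    "spec": {
        "ingressClassName": "nginx",
        "tls": [{"hosts": ["api.example.com"], "secretName": "api-example-com-tls"}],
        "rules": [{"host": "api.example.com"}],
    },
}


def main() -> int:
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = check_all(doc)
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample it reports two findings (the wildcard-origin CORS with credentials, and the snippet annotation); pin `cors-allow-origin` and move the headers into the controller ConfigMap and it goes quiet. Piping live `kubectl` output in checks every namespace at once.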