Each Midaz service can be independently exposed via ingress. The ingress block is identical across services (Ledger, Onboarding, Transaction, CRM, Grafana) — configure it under each service’s .ingress section in values.yaml. To use ingress, you need an ingress controller running in your cluster (e.g., NGINX, AWS ALB, or Traefik) and DNS entries pointing to it.
You can enable ingress per service in your values.yaml file and configure hostnames, TLS secrets, and any controller-specific annotations.
cert-manager integration: If you use cert-manager for automatic TLS, add the annotation cert-manager.io/cluster-issuer: <issuer-name> and set tls.secretName — cert-manager will provision the certificate automatically.
The following sections provide configuration examples for the most common ingress controllers.

NGINX ingress controller


To use the NGINX Ingress Controller, configure the values.yaml as follows:
ingress:
  enabled: true
  className: "nginx"
  # The `annotations` field adds custom metadata to the Ingress resource.
  # Annotations are key-value pairs that attach arbitrary non-identifying metadata to objects.
  # The NGINX Ingress Controller reads them to adjust how it serves this Ingress.
  # See more https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
  annotations: {}
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: midaz-tls  # Ensure this secret exists or is managed by cert-manager
      hosts:
        - midaz.example.com
Check the ingress-nginx official documentation for a full reference on Nginx annotations.

AWS ALB (Application Load Balancer)


For AWS ALB Ingress Controller, configure the values.yaml as follows:
ingress:
  enabled: true
  className: "alb"
  annotations:
    alb.ingress.kubernetes.io/scheme: internal  # Use "internet-facing" for public ALB
    alb.ingress.kubernetes.io/target-type: ip   # Use "instance" if targeting EC2 instances
    alb.ingress.kubernetes.io/group.name: "midaz"  # Group ALB resources under this name
    alb.ingress.kubernetes.io/healthcheck-path: "/healthz"  # Health check path
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'  # Listen on HTTP and HTTPS
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls: []  # TLS is managed by the ALB using ACM certificates

Traefik ingress controller


For Traefik, configure the values.yaml as follows:
ingress:
  enabled: true
  className: "traefik"
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "web, websecure"  # Entrypoints defined in Traefik
    traefik.ingress.kubernetes.io/router.tls: "true"  # Enable TLS for this route
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: midaz-tls  # Ensure this secret exists and contains the TLS certificate
      hosts:
        - midaz.example.com

Multiple services example


To expose both the Ledger API and Grafana with different hostnames:
ledger:
  ingress:
    enabled: true
    className: "nginx"
    hosts:
      - host: api.midaz.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: midaz-api-tls
        hosts:
          - api.midaz.example.com

grafana:
  ingress:
    enabled: true
    className: "nginx"
    hosts:
      - host: grafana.midaz.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: midaz-grafana-tls
        hosts:
          - grafana.midaz.example.com
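
With several services exposed independently, it is easy for one block to end up with a host that no TLS entry covers or an ALB that is public by accident. The following is an added example, not part of the Midaz chart or its documentation: a small pre-deploy check over the parsed values.yaml. The function name `audit_ingress`, the finding strings, and the `crm` hostname in the sample are assumptions made for illustration.

```python
# Added example (not Midaz project code): audit per-service ingress blocks.
# Input is values.yaml parsed into a dict, e.g. with PyYAML's yaml.safe_load.
ALB_SCHEME = "alb.ingress.kubernetes.io/scheme"


def audit_ingress(values):
    """Return sorted (service, finding) tuples for enabled ingress blocks."""
    findings = []
    for service, cfg in values.items():
        ingress = cfg.get("ingress") if isinstance(cfg, dict) else None
        if not ingress or not ingress.get("enabled"):
            continue
        if not ingress.get("className"):
            findings.append((service, "className not set"))
        covered = set()  # hosts listed under a tls entry that names a secret
        for entry in ingress.get("tls") or []:
            if entry.get("secretName"):
                covered.update(entry.get("hosts") or [])
            else:
                findings.append((service, "tls entry without secretName"))
        if ingress.get("className") == "alb":
            # The page's ALB setup uses ACM (tls: []); only the scheme is checked.
            scheme = (ingress.get("annotations") or {}).get(ALB_SCHEME)
            if scheme == "internet-facing":
                findings.append((service, "ALB is internet-facing"))
            continue
        for host in ingress.get("hosts") or []:
            if host.get("host") not in covered:
                findings.append((service, f"host {host.get('host')} has no TLS secret"))
    return sorted(findings)


# Constructed sample: grafana's tls entry lists the wrong host; crm is a public ALB.
SAMPLE = {
    "ledger": {"ingress": {"enabled": True, "className": "nginx",
        "hosts": [{"host": "api.midaz.example.com"}],
        "tls": [{"secretName": "midaz-api-tls", "hosts": ["api.midaz.example.com"]}]}},
    "grafana": {"ingress": {"enabled": True, "className": "nginx",
        "hosts": [{"host": "grafana.midaz.example.com"}],
        "tls": [{"secretName": "midaz-grafana-tls", "hosts": ["midaz.example.com"]}]}},
    "crm": {"ingress": {"enabled": True, "className": "alb",
        "annotations": {ALB_SCHEME: "internet-facing"},
        "hosts": [{"host": "crm.midaz.example.com"}], "tls": []}},
    "transaction": {"ingress": {"enabled": False}},
}

if __name__ == "__main__":
    for service, finding in audit_ingress(SAMPLE):
        print(f"{service}: {finding}")
```

Run it in CI against the values file you pass to Helm and fail the pipeline when the returned list is non-empty, or when it contains a finding you have not explicitly accepted.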