CDCgov · EmmanuelNwa247 · Mar 12, 2026 · Mar 6, 2026 · Mar 9, 2026 · Mar 10, 2026
diff --git a/charts/dataingestion-service/values.yaml b/charts/dataingestion-service/values.yaml
@@ -69,13 +69,16 @@ compare:
   port: 8085
 
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   tls:
   - secretName: "data.EXAMPLE_DOMAIN"
     hosts:
     - "data.EXAMPLE_DOMAIN"
 
+traefikIngress:
+  enabled: false
+
 resources: {}
 
 autoscaling:

diff --git a/charts/modernization-api/values.yaml b/charts/modernization-api/values.yaml
@@ -41,7 +41,7 @@ pageBuilder:
         enabled: "false"
 
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   tls:
     - secretName: app.EXAMPLE_DOMAIN
@@ -56,6 +56,13 @@ istioGatewayIngress:
   certificateName: ""
   certificateIssuerName: "letsencrypt-production"
 
+traefikIngress:
+  enabled: false
+  bodySizeLimit:
+    # Max request body size in bytes (100MB — matches NGINX proxy-body-size: 100m)
+    maxRequestBodyBytes: 104857600
+
+
 mTLS:
   enabled: true
 

diff --git a/charts/nbs-ingress/Chart.yaml b/charts/nbs-ingress/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: nbs-ingress
+description: NBS7 Ingress routing resources — decoupled from application charts
+type: application
+version: 1.0.0
+appVersion: "1.0.0"
diff --git a/charts/nbs-ingress/README.md b/charts/nbs-ingress/README.md
@@ -0,0 +1,47 @@
+# NBS7 Ingress Chart
+
+Standalone Helm chart that manages all NBS7 ingress routing, decoupled from application charts.
+
+## Why a Separate Chart?
+
+The ingress resources were previously embedded in `modernization-api` and `dataingestion-service` Helm charts. This created a coupling problem: upgrading the ingress controller (e.g., NGINX → Traefik) required upgrading the application charts, which could pull in unwanted application changes for STLTs on older NBS7 versions.
+
+This chart allows:
+- Deploying Traefik ingress independently of NBS7 application version
+- STLTs to choose their ingress provider (NGINX or Traefik) without changing application charts
+- Centralized management of all routing rules in one place
+
+## Usage
+
+### Deploy with Traefik (default)
+
+```bash
+helm install nbs-ingress ./charts/nbs-ingress \
+  --set appHost=app.example.com \
+  --set dataHost=data.example.com
+```
+
+### Deploy with NGINX
+
+```bash
+helm install nbs-ingress ./charts/nbs-ingress \
+  --set traefik.enabled=false \
+  --set nginx.enabled=true \
+  --set appHost=app.example.com \
+  --set dataHost=data.example.com
+```
+
+### Switch from NGINX to Traefik
+
+```bash
+helm upgrade nbs-ingress ./charts/nbs-ingress \
+  --set traefik.enabled=true \
+  --set nginx.enabled=false
+```
+
+## Important Notes
+
+- **Disable ingress in application charts** when using this chart. Set `ingress.enabled: false` in both `modernization-api` and `dataingestion-service` values.
+- **Deploy this chart after application charts** so the backend services exist.
+- **Only enable one provider** at a time (`nginx` or `traefik`).
+- The Traefik controller itself is deployed separately via `charts/traefik/values.yaml`.
diff --git a/charts/nbs-ingress/templates/_helpers.tpl b/charts/nbs-ingress/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "nbs-ingress.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "nbs-ingress.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "nbs-ingress.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "nbs-ingress.labels" -}}
+app: NBS
+type: Ingress
+helm.sh/chart: {{ include "nbs-ingress.chart" . }}
+app.kubernetes.io/name: {{ include "nbs-ingress.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: ingress
+{{- end }}
diff --git a/charts/nbs-ingress/templates/nginx-ingress.yaml b/charts/nbs-ingress/templates/nginx-ingress.yaml
@@ -0,0 +1,241 @@
+{{/*
+NGINX Ingress - Main application routes
+Only rendered when nginx.enabled is true.
+Preserves the existing NGINX routing for STLTs that haven't migrated to Traefik.
+*/}}
+{{- if .Values.nginx.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "nbs-ingress.fullname" . }}-main
+  labels:
+    {{- include "nbs-ingress.labels" . | nindent 4 }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.tls.clusterIssuer | quote }}
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "X-Frame-Options: Allow";
+      more_set_headers "Cross-Origin-Opener-Policy: same-origin";
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: {{ .Values.appHost }}
+      hosts:
+        - {{ .Values.appHost }}
+  rules:
+    - host: {{ .Values.appHost }}
+      http:
+        paths:
+          - path: "/auth/realms/nbs-users/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.app.keycloak.serviceName }}
+                port:
+                  name: {{ .Values.app.keycloak.portName }}
+          - path: "/auth/robots.txt"
+            pathType: Exact
+            backend:
+              service:
+                name: {{ .Values.app.keycloak.serviceName }}
+                port:
+                  name: {{ .Values.app.keycloak.portName }}
+          - path: "/auth/js/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.app.keycloak.serviceName }}
+                port:
+                  name: {{ .Values.app.keycloak.portName }}
+          - path: "/auth/resources/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.app.keycloak.serviceName }}
+                port:
+                  name: {{ .Values.app.keycloak.portName }}
+          - path: /favicon.ico
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.app.gateway.serviceName }}
+                port:
+                  number: {{ .Values.app.gateway.port }}
+          - path: "/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.app.gateway.serviceName }}
+                port:
+                  number: {{ .Values.app.gateway.port }}
+---
+# NGINX Ingress - Cached static assets
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "nbs-ingress.fullname" . }}-cached
+  labels:
+    {{- include "nbs-ingress.labels" . | nindent 4 }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.tls.clusterIssuer | quote }}
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "X-Frame-Options: Allow";
+      more_set_headers "Cross-Origin-Opener-Policy: same-origin";
+      more_set_headers "Cache-Control: max-age=1209600, immutable";
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: {{ .Values.appHost }}
+      hosts:
+        - {{ .Values.appHost }}
+  rules:
+    - host: {{ .Values.appHost }}
+      http:
+        paths:
+          - path: "/(.+)\\.(jpg|svg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|ttf|woff|woff2)$"
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ .Values.app.gateway.serviceName }}
+                port:
+                  number: {{ .Values.app.gateway.port }}
+---
+# NGINX Ingress - Data Ingestion
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "nbs-ingress.fullname" . }}-dataingestion
+  labels:
+    {{- include "nbs-ingress.labels" . | nindent 4 }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.tls.clusterIssuer | quote }}
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: {{ .Values.dataHost }}
+      hosts:
+        - {{ .Values.dataHost }}
+  rules:
+    - host: {{ .Values.dataHost }}
+      http:
+        paths:
+          {{- if .Values.data.ingestion.enabled }}
+          - path: "/ingestion/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.ingestion.serviceName }}
+                port:
+                  number: {{ .Values.data.ingestion.port }}
+          {{- end }}
+          {{- if .Values.data.dataProcessing.enabled }}
+          - path: "/rti/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.dataProcessing.serviceName }}
+                port:
+                  number: {{ .Values.data.dataProcessing.port }}
+          {{- end }}
+          {{- if .Values.data.nnd.enabled }}
+          - path: "/extraction/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.nnd.serviceName }}
+                port:
+                  number: {{ .Values.data.nnd.port }}
+          {{- end }}
+          {{- if .Values.data.srteData.enabled }}
+          - path: "/data/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.srteData.serviceName }}
+                port:
+                  number: {{ .Values.data.srteData.port }}
+          {{- end }}
+          {{- if .Values.data.dataExtraction.enabled }}
+          - path: "/data-extraction/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.dataExtraction.serviceName }}
+                port:
+                  number: {{ .Values.data.dataExtraction.port }}
+          {{- end }}
+          {{- if .Values.data.caseNotification.enabled }}
+          - path: "/case-notification/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.caseNotification.serviceName }}
+                port:
+                  number: {{ .Values.data.caseNotification.port }}
+          {{- end }}
+          {{- if .Values.data.xmlHl7Parser.enabled }}
+          - path: "/hl7-parser/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.xmlHl7Parser.serviceName }}
+                port:
+                  number: {{ .Values.data.xmlHl7Parser.port }}
+          {{- end }}
+          {{- if .Values.data.reporting.enabled }}
+          - path: "/reporting/person-svc/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.reporting.person.serviceName }}
+                port:
+                  number: {{ .Values.data.reporting.person.port }}
+          - path: "/reporting/organization-svc/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.reporting.organization.serviceName }}
+                port:
+                  number: {{ .Values.data.reporting.organization.port }}
+          - path: "/reporting/investigation-svc/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.reporting.investigation.serviceName }}
+                port:
+                  number: {{ .Values.data.reporting.investigation.port }}
+          - path: "/reporting/observation-svc/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.reporting.observation.serviceName }}
+                port:
+                  number: {{ .Values.data.reporting.observation.port }}
+          - path: "/reporting/post-processing-svc/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.reporting.postProcessing.serviceName }}
+                port:
+                  number: {{ .Values.data.reporting.postProcessing.port }}
+          - path: "/reporting/ldfdata-svc/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.reporting.ldfdata.serviceName }}
+                port:
+                  number: {{ .Values.data.reporting.ldfdata.port }}
+          {{- end }}
+          {{- if .Values.data.compare.enabled }}
+          - path: "/comparison/"
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.data.compare.serviceName }}
+                port:
+                  number: {{ .Values.data.compare.port }}
+          {{- end }}
+{{- end }}