Support multiple http-proxy entries in a single deployment

Previously get_ingress() only used the first http-proxy entry,
silently ignoring additional hostnames. Now iterates over all
entries, creating an Ingress rule and TLS config per hostname.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

stack_orchestrator/deploy/deployment_create.py

@@ -577,7 +577,7 @@ def _generate_and_store_secrets(config_vars: dict, deployment_name: str):
     return secrets
 
 
-def create_registry_secret(spec: Spec, deployment_name: str, namespace: str = "default") -> Optional[str]:
+def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
     """Create K8s docker-registry secret from spec + environment.
 
     Reads registry configuration from spec.yml and creates a Kubernetes
@@ -586,7 +586,6 @@ def create_registry_secret(spec: Spec, deployment_name: str, namespace: str = "d
     Args:
         spec: The deployment spec containing image-registry config
         deployment_name: Name of the deployment (used for secret naming)
-        namespace: Kubernetes namespace to create the secret in
 
     Returns:
         The secret name if created, None if no registry config
@@ -634,6 +633,7 @@ def create_registry_secret(spec: Spec, deployment_name: str, namespace: str = "d
             return None
 
     v1 = client.CoreV1Api()
+    namespace = "default"
 
     k8s_secret = client.V1Secret(
         metadata=client.V1ObjectMeta(name=secret_name),

stack_orchestrator/deploy/k8s/cluster_info.py

@@ -161,66 +161,70 @@ class ClusterInfo:
         return nodeports
 
     def get_ingress(
-        self, use_tls=False, certificate=None, cluster_issuer="letsencrypt-prod"
+        self, use_tls=False, certificates=None, cluster_issuer="letsencrypt-prod"
     ):
         # No ingress for a deployment that has no http-proxy defined, for now
         http_proxy_info_list = self.spec.get_http_proxy()
         ingress = None
         if http_proxy_info_list:
-            # TODO: handle multiple definitions
-            http_proxy_info = http_proxy_info_list[0]
-            if opts.o.debug:
-                print(f"http-proxy: {http_proxy_info}")
-            # TODO: good enough parsing for webapp deployment for now
-            host_name = http_proxy_info["host-name"]
             rules = []
-            tls = (
+            tls = [] if use_tls else None
-                [
+
-                    client.V1IngressTLS(
+            for http_proxy_info in http_proxy_info_list:
-                        hosts=certificate["spec"]["dnsNames"]
-                        if certificate
-                        else [host_name],
-                        secret_name=certificate["spec"]["secretName"]
-                        if certificate
-                        else f"{self.app_name}-tls",
-                    )
-                ]
-                if use_tls
-                else None
-            )
-            paths = []
-            for route in http_proxy_info["routes"]:
-                path = route["path"]
-                proxy_to = route["proxy-to"]
                 if opts.o.debug:
-                    print(f"proxy config: {path} -> {proxy_to}")
+                    print(f"http-proxy: {http_proxy_info}")
-                # proxy_to has the form <service>:<port>
+                host_name = http_proxy_info["host-name"]
-                proxy_to_port = int(proxy_to.split(":")[1])
+                certificate = (certificates or {}).get(host_name)
-                paths.append(
+
-                    client.V1HTTPIngressPath(
+                if use_tls:
-                        path_type="Prefix",
+                    tls.append(
-                        path=path,
+                        client.V1IngressTLS(
-                        backend=client.V1IngressBackend(
+                            hosts=certificate["spec"]["dnsNames"]
-                            service=client.V1IngressServiceBackend(
+                            if certificate
-                                # TODO: this looks wrong
+                            else [host_name],
-                                name=f"{self.app_name}-service",
+                            secret_name=certificate["spec"]["secretName"]
-                                # TODO: pull port number from the service
+                            if certificate
-                                port=client.V1ServiceBackendPort(number=proxy_to_port),
+                            else f"{self.app_name}-{host_name}-tls",
-                            )
+                        )
-                        ),
+                    )
+
+                paths = []
+                for route in http_proxy_info["routes"]:
+                    path = route["path"]
+                    proxy_to = route["proxy-to"]
+                    if opts.o.debug:
+                        print(f"proxy config: {path} -> {proxy_to}")
+                    # proxy_to has the form <service>:<port>
+                    proxy_to_port = int(proxy_to.split(":")[1])
+                    paths.append(
+                        client.V1HTTPIngressPath(
+                            path_type="Prefix",
+                            path=path,
+                            backend=client.V1IngressBackend(
+                                service=client.V1IngressServiceBackend(
+                                    # TODO: this looks wrong
+                                    name=f"{self.app_name}-service",
+                                    # TODO: pull port number from the service
+                                    port=client.V1ServiceBackendPort(
+                                        number=proxy_to_port
+                                    ),
+                                )
+                            ),
+                        )
+                    )
+                rules.append(
+                    client.V1IngressRule(
+                        host=host_name,
+                        http=client.V1HTTPIngressRuleValue(paths=paths),
                     )
                 )
-            rules.append(
+
-                client.V1IngressRule(
-                    host=host_name, http=client.V1HTTPIngressRuleValue(paths=paths)
-                )
-            )
             spec = client.V1IngressSpec(tls=tls, rules=rules)
 
             ingress_annotations = {
                 "kubernetes.io/ingress.class": "caddy",
             }
-            if not certificate:
+            if not certificates:
                 ingress_annotations["cert-manager.io/cluster-issuer"] = cluster_issuer
 
             ingress = client.V1Ingress(

stack_orchestrator/deploy/k8s/deploy_k8s.py

@@ -504,7 +504,7 @@ class K8sDeployer(Deployer):
         # Create registry secret if configured
         from stack_orchestrator.deploy.deployment_create import create_registry_secret
 
-        create_registry_secret(self.cluster_info.spec, self.cluster_info.app_name, self.k8s_namespace)
+        create_registry_secret(self.cluster_info.spec, self.cluster_info.app_name)
 
         self._create_volume_data()
         self._create_deployment()
@@ -513,17 +513,19 @@ class K8sDeployer(Deployer):
         http_proxy_info = self.cluster_info.spec.get_http_proxy()
         # Note: we don't support tls for kind (enabling tls causes errors)
         use_tls = http_proxy_info and not self.is_kind()
-        certificate = (
+        certificates = None
-            self._find_certificate_for_host_name(http_proxy_info[0]["host-name"])
+        if use_tls:
-            if use_tls
+            certificates = {}
-            else None
+            for proxy in http_proxy_info:
-        )
+                host_name = proxy["host-name"]
-        if opts.o.debug:
+                cert = self._find_certificate_for_host_name(host_name)
-            if certificate:
+                if cert:
-                print(f"Using existing certificate: {certificate}")
+                    certificates[host_name] = cert
+                    if opts.o.debug:
+                        print(f"Using existing certificate for {host_name}: {cert}")
 
         ingress = self.cluster_info.get_ingress(
-            use_tls=use_tls, certificate=certificate
+            use_tls=use_tls, certificates=certificates
         )
         if ingress:
             if opts.o.debug: