The nginx ingress that we are using in the 2020 Kubernetes cluster can be tuned to do a lot of different things. Changes can be made by tool maintainers manually using kubectl edit ingress ..., but unfortunately these changes will not survive a webserver stop; webserver start cycle.

As part of T234617: Toolforge. introduce new domain toolforge.org we introduced a --canonical flag that conditionally adds an ingress annotation for redirection from tools.wmflabs.org to toolforge.org. This feature is also exposed to the new service.template configuration file to make the stop+start process easier for maintainers.

There are other annotations that could be helpful to maintainers:

• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet
• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#enable-cors
• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#http2-push-preload
• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet
• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-timeouts
• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#lua-resty-waf

Adding support for multiple --ingress-annotation arguments in the cli and a collection of such arguments in the service.template would allow roundtrippable configuration of the ingress by tool maintainers.

Whether we would want to also create an allow/deny list for the annotations supported is open for debate.