Refactor ingress configuration for Traefik and NGINX; add host for TLS support and remove deprecated middleware

Author: emmanuelmathot

.github/workflows/helm-tests.yml

@@ -196,11 +196,17 @@ jobs:
           kubectl get ingress --all-namespaces -o jsonpath='{range .items[0]}kubectl describe ingress {.metadata.name} -n {.metadata.namespace}{end}' | sh
           kubectl get middleware.traefik.io --all-namespaces -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers | while read -r namespace name; do kubectl describe middleware.traefik.io "$name" -n "$namespace"; done
 
-          PUBLICIP='http://'$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+          # Get the IP address of the Traefik service
+          PUBLICIP_VALUE=$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+          PUBLICIP='http://'$PUBLICIP_VALUE
           export VECTOR_ENDPOINT=$PUBLICIP/vector
           export STAC_ENDPOINT=$PUBLICIP/stac
           export RASTER_ENDPOINT=$PUBLICIP/raster
 
+          # Add entry to /etc/hosts for eoapi.local
+          echo "Adding eoapi.local to /etc/hosts with IP: $PUBLICIP_VALUE"
+          echo "$PUBLICIP_VALUE eoapi.local" | sudo tee -a /etc/hosts
+
           echo '#################################'
           echo $VECTOR_ENDPOINT
           echo $STAC_ENDPOINT

docs/unified-ingress.md

@@ -49,28 +49,44 @@ For NGINX, use the following configuration:
 ingress:
   enabled: true
   className: "nginx"
-  pathType: "ImplementationSpecific"
-  pathSuffix: "(/|$)(.*)"  # Required for NGINX path rewriting
+  pathType: "Prefix"
   annotations:
     nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
     nginx.ingress.kubernetes.io/enable-cors: "true"
     nginx.ingress.kubernetes.io/enable-access-log: "true"
 ```
 
 ### Traefik Ingress Controller
 
-For Traefik, use the following configuration:
+When using Traefik, the system automatically includes the Traefik middleware to strip prefixes (e.g., `/stac`, `/raster`) from requests before forwarding them to services. This is handled by the `traefik-middleware.yaml` template.
+
+For basic Traefik configuration:
 
 ```yaml
 ingress:
   enabled: true
   className: "traefik"
   pathType: "Prefix"
+  # When using TLS, setting host is required to avoid "No domain found" warnings
+  host: "example.domain.com"  # Required to work properly with TLS
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.pathtransform.regex: "^/([^/]+)(.*)"
-    traefik.ingress.kubernetes.io/router.pathtransform.replacement: "/$1$2"
+```
+
+For Traefik with TLS:
+
+```yaml
+ingress:
+  enabled: true
+  className: "traefik"
+  pathType: "Prefix"
+  # Host is required when using TLS with Traefik
+  host: "example.domain.com"
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+  tls:
+    enabled: true
+    secretName: eoapi-tls
 ```
 
 ## Migration
@@ -79,7 +95,7 @@ If you're migrating from a previous version, follow these guidelines:
 
 1. Update your values to use the new unified configuration
 2. Ensure your ingress controller-specific annotations are set correctly
-3. Set the appropriate `pathType` and `pathSuffix` for your controller
+3. Set the appropriate `pathType` for your controller
 4. Test the configuration before deploying to production
 
 ## Note for Traefik Users

helm-chart/eoapi/templates/services/deployment.yaml

@@ -32,14 +32,38 @@ spec:
         app: {{ $serviceName }}-{{ $.Release.Name }}
     spec:
       serviceAccountName: eoapi-sa-{{ $.Release.Name }}
+      {{- if $.Values.pgstacBootstrap.enabled }}
       initContainers:
-        {{- include "eoapi.pgstacInitContainer" $ | nindent 8 }}
+      - name: wait-for-pgstac-jobs
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Waiting for pgstac-migrate job to complete..."
+          until kubectl get job pgstac-migrate -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+            echo "pgstac-migrate job not complete yet, waiting..."
+            sleep 5
+          done
+          echo "pgstac-migrate job completed successfully."
+          
+          {{- if $.Values.pgstacBootstrap.settings.loadSamples }}
+          echo "Waiting for pgstac-load-samples job to complete..."
+          until kubectl get job pgstac-load-samples -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+            echo "pgstac-load-samples job not complete yet, waiting..."
+            sleep 5
+          done
+          echo "pgstac-load-samples job completed successfully."
+          {{- end }}
+      {{- end }}
       containers:
       - image: {{ index $v "image" "name" }}:{{ index $v "image" "tag" }}
         name: {{ $serviceName }}
         command:
           {{- toYaml (index $v "command") | nindent 10 }}
           {{- if (and ($.Values.ingress.className) (or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik"))) }}
+          - "--proxy-headers"
+          - "--forwarded-allow-ips=*"
           - "--root-path=/{{ $serviceName }}"
           {{- end }}{{/* needed for proxies and path rewrites on NLB */}}
         livenessProbe:

helm-chart/eoapi/templates/services/ingress.yaml

@@ -12,12 +12,11 @@ metadata:
   labels:
     app: sharedingress
   annotations:
-    {{- if eq .Values.ingress.className "traefik" }}
-    traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: path-rewrite-middleware-{{ $.Release.Name }}@kubernetescrd
-    {{- end }}
     {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | indent 4 }}
+    {{- end }}
+    {{- if eq .Values.ingress.className "traefik" }}
+    traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-strip-prefix-middleware-{{ $.Release.Name }}@kubernetescrd
     {{- end }}
     {{- if and .Values.ingress.tls.enabled .Values.ingress.tls.certManager .Values.ingress.tls.certManagerIssuer }}
     cert-manager.io/issuer: {{ .Values.ingress.tls.certManagerIssuer }}
@@ -27,7 +26,10 @@ spec:
   ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
   rules:
-    - http:
+    - {{- if .Values.ingress.host }}
+      host: {{ .Values.ingress.host }}
+      {{- end }}
+      http:
         paths:
           {{- range $serviceName, $v := .Values }}
           {{- if has $serviceName $.Values.apiServices }}
@@ -51,9 +53,6 @@ spec:
                 port:
                   number: 80
           {{- end }}
-      {{- if .Values.ingress.host }}
-      host: {{ .Values.ingress.host }}
-      {{- end }}
   {{- if and .Values.ingress.host .Values.ingress.tls.enabled }}
   tls:
     - hosts:

helm-chart/eoapi/templates/services/traefik-middleware.yaml

@@ -2,10 +2,16 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: path-rewrite-middleware-{{ $.Release.Name }}
+  name: strip-prefix-middleware-{{ $.Release.Name }}
   namespace: {{ $.Release.Namespace }}
 spec:
-  replacePathRegex:
-    regex: "^/(raster|vector|stac|multidim)(/|$)(.*)"
-    replacement: "$1/$3"
+  stripPrefix:
+    prefixes:
+      {{- range $serviceName, $v := .Values }}
+      {{- if has $serviceName $.Values.apiServices }}
+      {{- if (index $v "enabled") }}
+      - /{{ $serviceName }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
 {{- end }}

helm-chart/eoapi/test-k3s-unittest-values.yaml

@@ -4,6 +4,7 @@ ingress:
   enabled: true
   className: "traefik"
   pathType: "Prefix"
+  host: "eoapi.local"  # Adding a host value to avoid "No domain found" warnings with Traefik
 pgstacBootstrap:
   enabled: true
   settings:

helm-chart/eoapi/tests/ingress_tests.yaml

@@ -40,6 +40,7 @@ tests:
     set:
       ingress.className: "traefik"
       ingress.pathType: "Prefix"
+      ingress.host: "eoapi.local"
       testing: true
       raster.enabled: false
       stac.enabled: true
@@ -58,21 +59,23 @@ tests:
           path: metadata.annotations
           value:
             traefik.ingress.kubernetes.io/router.entrypoints: web
-            traefik.ingress.kubernetes.io/router.middlewares: path-rewrite-middleware-RELEASE-NAME@kubernetescrd
       - equal:
           path: spec.ingressClassName
           value: "traefik"
+      - equal:
+          path: spec.rules[0].host
+          value: "eoapi.local"
 
   - it: "multidim ingress in production (non-testing) with traefik controller"
     set:
       ingress.className: "traefik"
       ingress.pathType: "Prefix"
+      ingress.host: "eoapi.local"
       testing: false
       raster.enabled: false
       stac.enabled: false
       vector.enabled: false
       multidim.enabled: true
-      docServer.enabled: true
     asserts:
       - isKind:
           of: Ingress