developmentseed · emmanuelmathot · Apr 30, 2025 · Apr 17, 2025 · Apr 17, 2025 · Apr 18, 2025
diff --git a/.github/workflows/helm-tests.yml b/.github/workflows/helm-tests.yml
@@ -196,21 +196,29 @@ jobs:
           kubectl get ingress --all-namespaces -o jsonpath='{range .items[0]}kubectl describe ingress {.metadata.name} -n {.metadata.namespace}{end}' | sh
           kubectl get middleware.traefik.io --all-namespaces -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers | while read -r namespace name; do kubectl describe middleware.traefik.io "$name" -n "$namespace"; done
 
-          PUBLICIP='http://'$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-          export VECTOR_ENDPOINT=$PUBLICIP/vector$RELEASE_NAME
-          export STAC_ENDPOINT=$PUBLICIP/stac$RELEASE_NAME
-          export RASTER_ENDPOINT=$PUBLICIP/raster$RELEASE_NAME
+          # Get the IP address of the Traefik service
+          PUBLICIP_VALUE=$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+          PUBLICIP=http://eoapi.local
+          export VECTOR_ENDPOINT=$PUBLICIP/vector
+          export STAC_ENDPOINT=$PUBLICIP/stac
+          export RASTER_ENDPOINT=$PUBLICIP/raster
+
+          # Add entry to /etc/hosts for eoapi.local
+          echo "Adding eoapi.local to /etc/hosts with IP: $PUBLICIP_VALUE"
+          echo "$PUBLICIP_VALUE eoapi.local" | sudo tee -a /etc/hosts
 
           echo '#################################'
           echo $VECTOR_ENDPOINT
           echo $STAC_ENDPOINT
           echo $RASTER_ENDPOINT
           echo '#################################'
 
-          pytest .github/workflows/tests/test_vector.py || kubectl logs svc/vector
-          pytest .github/workflows/tests/test_stac.py || kubectl logs svc/stac
+          # Run tests with proper failure propagation
+          set -e  # Make sure any command failure causes the script to exit with error
+          pytest .github/workflows/tests/test_vector.py || { kubectl logs svc/vector; exit 1; }
+          pytest .github/workflows/tests/test_stac.py || { kubectl logs svc/stac; exit 1; }
           # TODO: fix raster tests
-          #pytest .github/workflows/tests/test_raster.py || kubectl logs svc/raster
+          #pytest .github/workflows/tests/test_raster.py || { kubectl logs svc/raster; exit 1; }
 
       - name: error if tests failed
         if: steps.testrunner.outcome == 'failure'

diff --git a/docs/unified-ingress.md b/docs/unified-ingress.md
@@ -0,0 +1,107 @@
+# Unified Ingress Configuration
+
+This document describes the unified ingress approach implemented in the eoAPI Helm chart.
+
+## Overview
+
+eoAPI now uses a consolidated, controller-agnostic ingress configuration. This approach:
+
+- Eliminates code duplication between different ingress controller implementations
+- Provides consistent behavior across controllers
+- Simplifies testing and maintainability
+- Removes artificial restrictions on using certain ingress controllers in specific environments
+- Makes it easier to add support for additional ingress controllers in the future
+
+## Configuration
+
+The ingress configuration has been streamlined and generalized in the `values.yaml` file:
+
+```yaml
+ingress:
+  # Unified ingress configuration for both nginx and traefik
+  enabled: true
+  # ingressClassName: "nginx" or "traefik"
+  className: "nginx"
+  # Path configuration
+  pathType: "Prefix"  # Can be "Prefix" or "ImplementationSpecific" based on controller
+  pathSuffix: ""      # Add a suffix to service paths (e.g. "(/|$)(.*)" for nginx regex)
+  rootPath: ""        # Root path for doc server
+  # Host configuration
+  host: ""
+  # Custom annotations to add to the ingress
+  annotations: {}
+  # TLS configuration
+  tls:
+    enabled: false
+    secretName: eoapi-tls
+    certManager: false
+    certManagerIssuer: letsencrypt-prod
+    certManagerEmail: ""
+```
+
+## Controller-Specific Configurations
+
+### NGINX Ingress Controller
+
+For NGINX, use the following configuration:
+
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"
+  pathType: "Prefix"
+  annotations:
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/enable-access-log: "true"
+```
+
+### Traefik Ingress Controller
+
+When using Traefik, the system automatically includes the Traefik middleware to strip prefixes (e.g., `/stac`, `/raster`) from requests before forwarding them to services. This is handled by the `traefik-middleware.yaml` template.
+
+For basic Traefik configuration:
+
+```yaml
+ingress:
+  enabled: true
+  className: "traefik"
+  pathType: "Prefix"
+  # When using TLS, setting host is required to avoid "No domain found" warnings
+  host: "example.domain.com"  # Required to work properly with TLS
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+```
+
+For Traefik with TLS:
+
+```yaml
+ingress:
+  enabled: true
+  className: "traefik"
+  pathType: "Prefix"
+  # Host is required when using TLS with Traefik
+  host: "example.domain.com"
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+  tls:
+    enabled: true
+    secretName: eoapi-tls
+```
+
+## Migration
+
+If you're migrating from a previous version, follow these guidelines:
+
+1. Update your values to use the new unified configuration
+2. Ensure your ingress controller-specific annotations are set correctly
+3. Set the appropriate `pathType` for your controller
+4. Test the configuration before deploying to production
+
+## Note for Traefik Users
+
+Traefik is now fully supported in all environments, including production. The previous restriction limiting Traefik to testing environments has been removed.
+
+## Document Server
+
+The document server implementation has also been unified. It now works with both NGINX and Traefik controllers using the same configuration.
diff --git a/helm-chart/eoapi/ingress.bkup b/helm-chart/eoapi/ingress.bkup
diff --git a/helm-chart/eoapi/templates/_helpers.tpl b/helm-chart/eoapi/templates/_helpers.tpl
@@ -397,14 +397,3 @@ validate:
 {{- end -}}
 
 {{- end -}}
-
-{{/*
-validate:
-that you can only use traefik as ingress when `testing=true`
-*/}}
-{{- define "eoapi.validateTraefik" -}}
-{{- if and (not .Values.testing) (eq .Values.ingress.className "traefik") $ -}}
-  {{- fail "you cannot use traefik yet outside of testing" -}}
-{{- end -}}
-
-{{- end -}}
diff --git a/helm-chart/eoapi/templates/_pgstac_init.tpl b/helm-chart/eoapi/templates/_pgstac_init.tpl
@@ -0,0 +1,30 @@
+{{- define "eoapi.pgstacInitContainer" -}}
+{{- if .Values.pgstacBootstrap.enabled }}
+- name: wait-for-pgstac-migrate
+  image: bitnami/kubectl:latest
+  command:
+    - /bin/sh
+    - -c
+    - |
+      echo "Waiting for pgstac-migrate job to complete..."
+      until kubectl get job pgstac-migrate -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+        echo "pgstac-migrate job not complete yet, waiting..."
+        sleep 5
+      done
+      echo "pgstac-migrate job completed successfully."
+{{- if .Values.pgstacBootstrap.settings.loadSamples }}
+- name: wait-for-pgstac-load-samples
+  image: bitnami/kubectl:latest
+  command:
+    - /bin/sh
+    - -c
+    - |
+      echo "Waiting for pgstac-load-samples job to complete..."
+      until kubectl get job pgstac-load-samples -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+        echo "pgstac-load-samples job not complete yet, waiting..."
+        sleep 5
+      done
+      echo "pgstac-load-samples job completed successfully."
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/helm-chart/eoapi/templates/pgstacbootstrap/job.yaml b/helm-chart/eoapi/templates/pgstacbootstrap/job.yaml
@@ -29,7 +29,7 @@ metadata:
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-5"
-    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+    helm.sh/hook-delete-policy: "before-hook-creation"
 spec:
   template:
     metadata:
@@ -97,7 +97,7 @@ metadata:
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-4"
-    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+    helm.sh/hook-delete-policy: "before-hook-creation"
 spec:
   template:
     metadata:

diff --git a/helm-chart/eoapi/templates/services/deployment.yaml b/helm-chart/eoapi/templates/services/deployment.yaml
@@ -34,12 +34,38 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if $.Values.pgstacBootstrap.enabled }}
+      initContainers:
+      - name: wait-for-pgstac-jobs
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Waiting for pgstac-migrate job to complete..."
+          until kubectl get job pgstac-migrate -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+            echo "pgstac-migrate job not complete yet, waiting..."
+            sleep 5
+          done
+          echo "pgstac-migrate job completed successfully."
+
+          {{- if $.Values.pgstacBootstrap.settings.loadSamples }}
+          echo "Waiting for pgstac-load-samples job to complete..."
+          until kubectl get job pgstac-load-samples -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+            echo "pgstac-load-samples job not complete yet, waiting..."
+            sleep 5
+          done
+          echo "pgstac-load-samples job completed successfully."
+          {{- end }}
+      {{- end }}
       containers:
       - image: {{ index $v "image" "name" }}:{{ index $v "image" "tag" }}
         name: {{ $serviceName }}
         command:
           {{- toYaml (index $v "command") | nindent 10 }}
           {{- if (and ($.Values.ingress.className) (or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik"))) }}
+          - "--proxy-headers"
+          - "--forwarded-allow-ips=*"
           - "--root-path=/{{ $serviceName }}"
           {{- end }}{{/* needed for proxies and path rewrites on NLB */}}
         livenessProbe:

diff --git a/.../templates/services/nginx-doc-server.yaml → .../eoapi/templates/services/doc-server.yaml b/.../templates/services/nginx-doc-server.yaml → .../eoapi/templates/services/doc-server.yaml
@@ -1,8 +1,8 @@
-{{- if (and (.Values.ingress.className) (eq .Values.ingress.className "nginx") (not .Values.testing)  (.Values.docServer.enabled))}}
+{{- if .Values.docServer.enabled}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: nginx-root-html-{{ .Release.Name }}
+  name: doc-server-html-{{ .Release.Name }}
 data:
   index.html: |
     <html>
@@ -11,7 +11,7 @@ data:
     </head>
     <body>
         <h2>This is the root path /</h2>
-        <p>Your service configuration is using ingress-nginx with path rewrites. So use these paths for each service:</p>
+        <p>Your service configuration is using path rewrites. So use these paths for each service:</p>
         <ul>
           <li><a href="/raster" target="_blank" rel="noopener noreferrer">/raster</a></li>
           <li><a href="/vector" target="_blank" rel="noopener noreferrer">/vector</a></li>
@@ -48,7 +48,7 @@ spec:
       volumes:
       - name: doc-html-{{ .Release.Name }}
         configMap:
-          name: nginx-root-html-{{ .Release.Name }}
+          name: doc-server-html-{{ .Release.Name }}
       {{- if .Values.docServer.settings }}
       {{- with .Values.docServer.settings.affinity }}
       affinity: