diff --git a/images/taginfo/Dockerfile b/images/taginfo/Dockerfile index e461bceb..137196b3 100644 --- a/images/taginfo/Dockerfile +++ b/images/taginfo/Dockerfile @@ -30,6 +30,7 @@ RUN apt-get update && apt-get install -y \ RUN git clone https://github.com/taginfo/taginfo-tools.git $workdir/taginfo-tools && \ cd $workdir/taginfo-tools && \ + git checkout 24412e65740752f8b962bd1cf3baf350d0672cc7 && \ git submodule update --init && \ mkdir build && cd build && \ cmake .. && make diff --git a/osm-seed/templates/cgimap/cgimap-service.yaml b/osm-seed/templates/cgimap/cgimap-service.yaml index bed7721a..512f599b 100644 --- a/osm-seed/templates/cgimap/cgimap-service.yaml +++ b/osm-seed/templates/cgimap/cgimap-service.yaml @@ -9,19 +9,12 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https - {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.cgimap.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} spec: type: {{ .Values.serviceType }} diff --git a/osm-seed/templates/letsencrypt-issuer.yaml b/osm-seed/templates/letsencrypt-issuer.yaml index f9fa2aef..d1858474 100644 
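Review bot: The new NLB annotation block in cgimap-service.yaml is gated on `serviceType` being `ClusterIP`, yet the `service.beta.kubernetes.io/aws-load-balancer-*` annotations are, as far as I know, only acted on for Services of type LoadBalancer, and `cert-manager.io/cluster-issuer` is an Ingress annotation, so on a ClusterIP Service all four added lines are inert. If an NLB is meant to be provisioned for this Service the gate should be `(eq .Values.serviceType "LoadBalancer")` and the cert-manager line belongs on the Ingress; if the block is intentionally metadata-only, its `# NLB` comment should say what consumes it. The hunk also deletes the `{{- with .Values.cgimap.serviceAnnotations }}{{- toYaml . | nindent 4 }}{{- end }}` escape hatch, so operators can no longer add per-deployment Service annotations (an internal scheme, source ranges) without editing the chart; keeping that `with` block after the conditional ones costs nothing. The same two points apply to the service hunks for nominatim-api, osmcha-app, overpass-api, taginfo, tasking-manager-api, tiler-server and web.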
--- a/osm-seed/templates/letsencrypt-issuer.yaml +++ b/osm-seed/templates/letsencrypt-issuer.yaml @@ -1,8 +1,8 @@ -{{- if and (eq .Values.serviceType "ClusterIP") (eq .Values.createClusterIssuer true) }} +{{- if and (eq .Values.serviceType "ClusterIP") (eq .Values.ingressClassNameType "elb") }} apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: letsencrypt-prod-issuer + name: {{ .Release.Name }}-letsencrypt-prod-issuer spec: acme: # You must replace this email address with your own. @@ -15,12 +15,12 @@ spec: server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: # Secret resource used to store the account's private key. - name: letsencrypt-issuer-key + name: {{ .Release.Name }}-letsencrypt-issuer-key # Enable the HTTP-01 challenge provider # you prove ownership of a domain by ensuring that a particular # file is present at the domain solvers: - http01: ingress: - class: nginx + class: {{ .Values.ingressClassName }} {{- end }} \ No newline at end of file diff --git a/osm-seed/templates/nominatim-api/nominatim-ingress.yaml b/osm-seed/templates/nominatim-api/nominatim-ingress.yaml index 410312f8..c65bfb4b 100644 --- a/osm-seed/templates/nominatim-api/nominatim-ingress.yaml +++ b/osm-seed/templates/nominatim-api/nominatim-ingress.yaml 
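Review bot: The ClusterIssuer is now rendered only when `ingressClassNameType` equals `"elb"`, but every other template in this commit compares that value against `"nlb"` or `"alb"` and the values.yaml comment documents only those two, so `{{ .Release.Name }}-letsencrypt-prod-issuer` is never created while the nlb branches of the Service and Ingress templates annotate resources with it; cert-manager will then be unable to issue the TLS secrets those Ingresses reference. The condition should read `{{- if and (eq .Values.serviceType "ClusterIP") (eq .Values.ingressClassNameType "nlb") }}`, or `"elb"` must be documented as a third supported type. The hunk also stops consulting `createClusterIssuer`, yet values.yaml still carries `createClusterIssuer: false`; either remove the value or keep it in the condition so the existing opt-in is honoured.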
@@ -4,12 +4,27 @@ kind: Ingress metadata: name: {{ template "osm-seed.fullname" . }}-ingress-nominatim-api annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - nginx.ingress.kubernetes.io/proxy-body-size: 5m - nginx.ingress.kubernetes.io/use-regex: "true" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer + nginx.ingress.kubernetes.io/proxy-body-size: 200m + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} tls: - hosts: {{- if .Values.nominatimApi.ingressDomain }} diff --git a/osm-seed/templates/nominatim-api/nominatim-service.yaml b/osm-seed/templates/nominatim-api/nominatim-service.yaml index e707bd12..11da7234 100644 --- a/osm-seed/templates/nominatim-api/nominatim-service.yaml +++ b/osm-seed/templates/nominatim-api/nominatim-service.yaml 
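Review bot: In the alb branch the `tls:` block with its `secretName` is still emitted unconditionally, whereas the taginfo, tm, tiler and web ingress hunks in this same commit wrap it in `{{- if eq .Values.ingressClassNameType "nlb" }}`; with ALB there is no cert-manager annotation, so the rendered Ingress points at a secret nothing issues. The `spec:` here should get the same `{{- if eq .Values.ingressClassNameType "nlb" }}` / `{{- end }}` guard around `tls:` for consistency. Two further behaviour changes deserve a comment in the hunk: `proxy-body-size` rises from `5m` to `200m` on a read-mostly search API, which widens the request bodies nginx will buffer for it, and `nginx.ingress.kubernetes.io/use-regex: "true"` is dropped, which changes path matching if any path of this Ingress (outside the hunk) relies on a regex. The osmcha-app and overpass-api ingress hunks share the ungated `tls:` block.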
@@ -9,51 +9,28 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.nominatimApi.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + + {{- if and (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }} + alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.nominatimApi.healthCheckPath | default "/" }} {{- end }} spec: - {{- if and .Values.nominatimApi.enabled .Values.nominatimApi.externalService.enabled }} - # External service (no selector) - ports: - - name: http - port: 80 - targetPort: {{ .Values.nominatimApi.externalService.port | default "80" }} - protocol: TCP - {{- else }} - # Internal service type: {{ .Values.serviceType }} ports: - port: 80 protocol: TCP name: http targetPort: api - # - port: 5432 - # protocol: TCP - # name: postgres - # targetPort: postgres - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - - port: 443 - protocol: TCP - name: https - targetPort: apache - {{- end }} selector: app: {{ template "osm-seed.name" . 
}} release: {{ .Release.Name }} run: {{ .Release.Name }}-nominatim - {{- end }} {{- end }} --- {{- if and .Values.nominatimApi.enabled .Values.nominatimUI.enabled }} @@ -67,15 +44,6 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} spec: - {{- if and .Values.nominatimUI.enabled .Values.nominatimUI.externalService.enabled }} - # External service (no selector) - ports: - - name: http - port: 80 - targetPort: {{ .Values.nominatimUI.externalService.port | default "80" }} - protocol: TCP - {{- else }} - # Internal service type: ClusterIP ports: - port: 80 @@ -86,5 +54,4 @@ spec: app: {{ template "osm-seed.name" . }} release: {{ .Release.Name }} run: {{ .Release.Name }}-nominatim - {{- end }} {{- end }} \ No newline at end of file diff --git a/osm-seed/templates/osmcha-app/ingress.yaml b/osm-seed/templates/osmcha-app/ingress.yaml index 387f8448..ae32c440 100644 --- a/osm-seed/templates/osmcha-app/ingress.yaml +++ b/osm-seed/templates/osmcha-app/ingress.yaml 
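Review bot: The `externalService` branch of both the nominatim-api and nominatim-ui Services is removed without a matching change to values.yaml in this commit, so a deployment that set `nominatimApi.externalService.enabled` or `nominatimUI.externalService.enabled` silently starts rendering a selector-backed Service instead of a selector-less one, and those keys (if values.yaml still carries them) become dead configuration. If the feature is intentionally retired, the values.yaml hunk should drop the keys and a one-line comment at the top of this template should state that `externalService` is no longer supported; otherwise the branch should stay. The overpass-api and tiler-server service hunks remove the same branch, and the tiler-server hunk additionally replaces `type: {{ default "ClusterIP" .Values.serviceType }}` with `type: {{ .Values.serviceType }}`, so an unset `serviceType` now renders an empty `type:` there.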
@@ -4,11 +4,27 @@ kind: Ingress metadata: name: {{ template "osm-seed.fullname" . }}-ingress-osmcha-app annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - nginx.ingress.kubernetes.io/proxy-body-size: 5m + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer + nginx.ingress.kubernetes.io/proxy-body-size: 200m + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} tls: - hosts: {{- if .Values.osmchaApi.ingressDomain }} diff --git a/osm-seed/templates/osmcha-app/service.yaml b/osm-seed/templates/osmcha-app/service.yaml index 985cf171..25d93a68 100644 --- a/osm-seed/templates/osmcha-app/service.yaml +++ b/osm-seed/templates/osmcha-app/service.yaml 
@@ -9,19 +9,12 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https - {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.osmchaApi.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} spec: type: {{ .Values.serviceType }} diff --git a/osm-seed/templates/overpass-api/overpass-api-ingress.yaml b/osm-seed/templates/overpass-api/overpass-api-ingress.yaml index ccdf5ac3..7bb6f8dd 100644 --- a/osm-seed/templates/overpass-api/overpass-api-ingress.yaml +++ b/osm-seed/templates/overpass-api/overpass-api-ingress.yaml 
@@ -4,14 +4,27 @@ kind: Ingress metadata: name: {{ template "osm-seed.fullname" . }}-ingress-overpass-api annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer nginx.ingress.kubernetes.io/proxy-body-size: 200m - nginx.ingress.kubernetes.io/proxy-connect-timeout: "1200" - nginx.ingress.kubernetes.io/proxy-read-timeout: "1200" - nginx.ingress.kubernetes.io/proxy-send-timeout: "1200" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} tls: - hosts: {{- if .Values.overpassApi.ingressDomain }} diff --git a/osm-seed/templates/overpass-api/overpass-api-service.yaml b/osm-seed/templates/overpass-api/overpass-api-service.yaml index 558973ae..6a09f917 100644 --- a/osm-seed/templates/overpass-api/overpass-api-service.yaml +++ b/osm-seed/templates/overpass-api/overpass-api-service.yaml 
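Review bot: The nginx proxy timeouts for the Overpass API are cut from `"1200"` to `"600"` seconds in the nlb branch, and this is the one ingress in the commit where the value is workload-specific: Overpass queries routinely run for minutes, and halving the window means the ingress gives up on them earlier than before. If the reduction is deliberate, a comment such as `# 600s: align with the other ingresses; long queries are bounded server-side` would record the decision; otherwise keep `"1200"` for this Ingress only. The alb branch has no equivalent idle-timeout setting, so the load balancer default applies there unless an `alb.ingress.kubernetes.io/load-balancer-attributes` idle timeout is added.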
@@ -9,30 +9,18 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.overpassApi.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + + {{- if and (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }} + alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.overpassApi.healthCheckPath | default "/" }} {{- end }} spec: - {{- if and .Values.overpassApi.enabled .Values.overpassApi.externalService.enabled }} - # External service (no selector) - ports: - - name: http - port: 80 - targetPort: {{ .Values.overpassApi.externalService.port | default "80" }} - protocol: TCP - {{- else }} - # Internal service type: {{ .Values.serviceType }} ports: - port: 80 @@ -49,5 +37,4 @@ spec: app: {{ template "osm-seed.name" . }} release: {{ .Release.Name }} run: {{ .Release.Name }}-overpass-api - {{- end }} {{- end }} diff --git a/osm-seed/templates/taginfo/taginfo-ingress.yaml b/osm-seed/templates/taginfo/taginfo-ingress.yaml index c546d2c3..a9aa70f8 100644 --- a/osm-seed/templates/taginfo/taginfo-ingress.yaml 
+++ b/osm-seed/templates/taginfo/taginfo-ingress.yaml @@ -4,11 +4,28 @@ kind: Ingress metadata: name: {{ template "osm-seed.fullname" . }}-ingress-taginfo-api annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - nginx.ingress.kubernetes.io/proxy-body-size: 5m + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer + nginx.ingress.kubernetes.io/proxy-body-size: 200m + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} + {{- if eq .Values.ingressClassNameType "nlb" }} tls: - hosts: {{- if .Values.taginfo.ingressDomain }} @@ -17,6 +34,7 @@ spec: - taginfo.{{ .Values.domain }} {{- end }} secretName: {{ template "osm-seed.fullname" . }}-secret-taginfo + {{- end }} rules: - host: {{ if .Values.taginfo.ingressDomain }}{{ .Values.taginfo.ingressDomain }}{{ else }}taginfo.{{ .Values.domain }}{{ end }} http: diff --git a/osm-seed/templates/taginfo/taginfo-service.yaml b/osm-seed/templates/taginfo/taginfo-service.yaml index 1a6e08bb..c02395e5 100644 --- a/osm-seed/templates/taginfo/taginfo-service.yaml +++ b/osm-seed/templates/taginfo/taginfo-service.yaml 
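Review bot: Both branches set the deprecated `kubernetes.io/ingress.class` annotation to a hard-coded value (`nginx` / `alb`) while `spec.ingressClassName` is taken from `.Values.ingressClassName`, so the two can disagree: the values.yaml comment offers `nginx-nlb` as a class name, and with that setting the nlb branch would still annotate the Ingress as class `nginx`. Controllers differ on which of the two wins when both are present, so the chart should commit to one mechanism; since the file already uses `spec.ingressClassName`, dropping the annotation lines, or rendering them as `kubernetes.io/ingress.class: {{ .Values.ingressClassName }}`, removes the ambiguity. The same pattern appears in the nominatim-api, osmcha-app, overpass-api, tasking-manager-api, tiler-server and web ingress hunks.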
@@ -9,19 +9,16 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.taginfo.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + + {{- if and (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }} + alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.taginfo.healthCheckPath | default "/" }} {{- end }} spec: type: {{ .Values.serviceType }} diff --git a/osm-seed/templates/tasking-manager-api/tm-ingress.yaml b/osm-seed/templates/tasking-manager-api/tm-ingress.yaml index d8dda37c..82a44ad4 100644 --- a/osm-seed/templates/tasking-manager-api/tm-ingress.yaml +++ b/osm-seed/templates/tasking-manager-api/tm-ingress.yaml 
@@ -4,11 +4,28 @@ kind: Ingress metadata: name: {{ template "osm-seed.fullname" . }}-ingress-tm-api annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - nginx.ingress.kubernetes.io/proxy-body-size: 5m + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer + nginx.ingress.kubernetes.io/proxy-body-size: 200m + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} + {{- if eq .Values.ingressClassNameType "nlb" }} tls: - hosts: {{- if .Values.tmApi.ingressDomain }} @@ -17,6 +34,7 @@ spec: - tm-api.{{ .Values.domain }} {{- end }} secretName: {{ template "osm-seed.fullname" . }}-secret-tm-api + {{- end }} rules: - host: {{ if .Values.tmApi.ingressDomain }}{{ .Values.tmApi.ingressDomain }}{{ else }}tm-api.{{ .Values.domain }}{{ end }} http: diff --git a/osm-seed/templates/tasking-manager-api/tm-service.yaml b/osm-seed/templates/tasking-manager-api/tm-service.yaml index 33d13b23..b5860436 100644 --- a/osm-seed/templates/tasking-manager-api/tm-service.yaml +++ b/osm-seed/templates/tasking-manager-api/tm-service.yaml 
@@ -9,22 +9,19 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.tmApi.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + + {{- if and (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }} + alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.tmApi.healthCheckPath | default "/api/docs" }} {{- end }} spec: - type: {{ .Values.serviceType }} + type: {{ if eq .Values.ingressClassNameType "nlb" }}{{ default "LoadBalancer" .Values.serviceType }}{{ else }}ClusterIP{{ end }} ports: - port: 80 targetPort: http diff --git a/osm-seed/templates/tiler-server/tiler-server-ingress.yaml b/osm-seed/templates/tiler-server/tiler-server-ingress.yaml index bf544fde..7bc066cb 100644 --- a/osm-seed/templates/tiler-server/tiler-server-ingress.yaml +++ b/osm-seed/templates/tiler-server/tiler-server-ingress.yaml 
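Review bot: `spec.type` in tm-service.yaml is now computed as `{{ if eq .Values.ingressClassNameType "nlb" }}{{ default "LoadBalancer" .Values.serviceType }}{{ else }}ClusterIP{{ end }}`, while every other Service in this commit renders plain `type: {{ .Values.serviceType }}`, and the line disagrees with the annotation block just above it, which is gated on `serviceType` being `ClusterIP`: with `nlb` and `serviceType: ClusterIP` this Service carries the NLB annotations but stays ClusterIP, and with `nlb` and an unset `serviceType` it becomes LoadBalancer but gets no annotations. Either align it with the siblings, `type: {{ .Values.serviceType }}`, or move the special case into a shared helper with a comment explaining why tasking-manager needs it. The `healthCheckPath` default of `/api/docs` differs from the `/` used in the other service hunks and deserves a one-line comment.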
@@ -4,14 +4,28 @@ kind: Ingress metadata: name: {{ .Release.Name }}-ingress-tiler-server annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer nginx.ingress.kubernetes.io/proxy-body-size: 200m nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" nginx.ingress.kubernetes.io/proxy-read-timeout: "600" nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} + {{- if eq .Values.ingressClassNameType "nlb" }} tls: - hosts: {{- if .Values.tilerServer.ingressDomain }} @@ -20,6 +34,7 @@ spec: - tiler.{{ .Values.domain }} {{- end }} secretName: {{ .Release.Name }}-secret-tiler-server + {{- end }} rules: - host: {{ if .Values.tilerServer.ingressDomain }}{{ .Values.tilerServer.ingressDomain }}{{ else }}tiler.{{ .Values.domain }}{{ end }} http: diff --git a/osm-seed/templates/tiler-server/tiler-server-service.yaml b/osm-seed/templates/tiler-server/tiler-server-service.yaml index 963e0d69..33aa34f6 100644 --- a/osm-seed/templates/tiler-server/tiler-server-service.yaml +++ b/osm-seed/templates/tiler-server/tiler-server-service.yaml 
@@ -9,30 +9,20 @@ metadata: environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "600" - {{- end }} - {{- with .Values.tilerServer.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + + {{- if and (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }} + alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.tilerServer.healthCheckPath | default "/" }} {{- end }} + spec: - # This is a workaround for the issue with the external service - {{- if and .Values.tilerServer.enabled .Values.tilerServer.externalService.enabled }} - ports: - - name: http - port: 80 - targetPort: {{ .Values.tilerServer.externalService.port | default "9090" }} - protocol: TCP - {{- else }} - # This is the default service, atached to the deployment - type: {{ default "ClusterIP" .Values.serviceType }} + type: {{ .Values.serviceType }} ports: - name: http port: 80 
@@ -46,5 +36,4 @@ spec: app: {{ template "osm-seed.name" . }} release: {{ .Release.Name }} run: {{ .Release.Name }}-tiler-server # This is working for deployment and not for statefulset , make sure you use "s3" to storage the vtiles - {{- end }} {{- end }} diff --git a/osm-seed/templates/web/web-deployment.yaml b/osm-seed/templates/web/web-deployment.yaml index 3ac7842b..dca9eca3 100644 --- a/osm-seed/templates/web/web-deployment.yaml +++ b/osm-seed/templates/web/web-deployment.yaml @@ -174,6 +174,10 @@ spec: value: {{ .Values.web.env.OPENSTREETMAP_AUTH_ID | default "" | quote }} - name: OPENSTREETMAP_AUTH_SECRET value: {{ .Values.web.env.OPENSTREETMAP_AUTH_SECRET | default "" | quote }} + - name: WIKIPEDIA_AUTH_ID + value: {{ .Values.web.env.WIKIPEDIA_AUTH_ID | default "" | quote }} + - name: WIKIPEDIA_AUTH_SECRET + value: {{ .Values.web.env.WIKIPEDIA_AUTH_SECRET | default "" | quote }} volumeMounts: - mountPath: /dev/shm name: shared-memory diff --git a/osm-seed/templates/web/web-ingress.yaml b/osm-seed/templates/web/web-ingress.yaml index e45cf645..77f9b810 100644 --- a/osm-seed/templates/web/web-ingress.yaml +++ b/osm-seed/templates/web/web-ingress.yaml 
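Review bot: `WIKIPEDIA_AUTH_SECRET` is injected as a literal `value:` from `.Values.web.env`, which places the OAuth client secret in the rendered Deployment spec, in Helm release history and in front of anyone who can read pods or deployments in the namespace. The adjacent `OPENSTREETMAP_AUTH_SECRET` line follows the same pattern, so the addition is consistent with the existing file, but for a newly added credential prefer a Secret reference, e.g. `valueFrom: { secretKeyRef: { name: <web-secret-name>, key: WIKIPEDIA_AUTH_SECRET } }`, with the Secret object rendered from the same value. The enclosing container spec begins and ends outside the hunk.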
@@ -2,55 +2,72 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ template "osm-seed.fullname" . }}-ingress + name: {{ .Release.Name }}-ingress-web annotations: + ## NLB + {{- if eq .Values.ingressClassNameType "nlb" }} kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer nginx.ingress.kubernetes.io/proxy-body-size: 200m - nginx.ingress.kubernetes.io/proxy-connect-timeout: "1200" - nginx.ingress.kubernetes.io/proxy-read-timeout: "1200" - nginx.ingress.kubernetes.io/proxy-send-timeout: "1200" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" + {{- end }} + # ALB + {{- if eq .Values.ingressClassNameType "alb" }} + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/group.name: {{ .Release.Name }} + alb.ingress.kubernetes.io/scheme: "internet-facing" + alb.ingress.kubernetes.io/target-type: "ip" + alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}' + alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}" + alb.ingress.kubernetes.io/ssl-redirect: '443' + {{- end }} spec: - ingressClassName: nginx + ingressClassName: {{ .Values.ingressClassName }} + {{- if eq .Values.ingressClassNameType "nlb" }} tls: - - hosts: - {{- if .Values.web.ingressDomain }} - - {{ .Values.web.ingressDomain }} - {{- else }} - - web.{{ .Values.domain }} - {{- end }} - - api.{{ .Values.domain }} - - {{ .Values.domain }} - secretName: {{ template "osm-seed.fullname" . 
}}-tls-secret + - hosts: + {{- if .Values.web.ingressDomain }} + - {{ .Values.web.ingressDomain }} + {{- else }} + - web.{{ .Values.domain }} + {{- end }} + - api.{{ .Values.domain }} + - {{ .Values.domain }} + secretName: {{ .Release.Name }}-tls-secret + {{- end }} rules: - - host: {{ if .Values.web.ingressDomain }}{{ .Values.web.ingressDomain }}{{ else }}web.{{ .Values.domain }}{{ end }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ template "osm-seed.fullname" . }}-web - port: - number: 80 - - host: api.{{ .Values.domain }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ template "osm-seed.fullname" . }}-web - port: - number: 80 - - host: {{ .Values.domain }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ template "osm-seed.fullname" . }}-web - port: - number: 80 + - host: {{ if .Values.web.ingressDomain }}{{ .Values.web.ingressDomain }}{{ else }}web.{{ .Values.domain }}{{ end }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ .Release.Name }}-service-web + port: + number: 80 + + - host: api.{{ .Values.domain }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ .Release.Name }}-service-web + port: + number: 80 + + - host: {{ .Values.domain }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ .Release.Name }}-service-web + port: + number: 80 {{- end }} diff --git a/osm-seed/templates/web/web-service.yaml b/osm-seed/templates/web/web-service.yaml index 341eae06..8edc4554 100644 --- a/osm-seed/templates/web/web-service.yaml +++ b/osm-seed/templates/web/web-service.yaml 
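Review bot: The Ingress, its backend Service and the TLS secret are all renamed from `osm-seed.fullname`-based names to `.Release.Name`-based ones in this hunk, and `secretName: {{ .Release.Name }}-tls-secret` in particular means an upgraded release will ask cert-manager for a fresh certificate instead of reusing the existing `-tls-secret`, which may count against Let's Encrypt's duplicate-certificate limits and leaves the old secret orphaned. If the rename is intended, a comment above `tls:` should say so and note that the previous secret can be deleted once the new one is Ready; if not, keep `secretName: {{ template "osm-seed.fullname" . }}-tls-secret`. The three `rules` entries are identical apart from `host`, so a `range` over a short host list would remove the duplication, though that is optional.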
@@ -2,46 +2,40 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "osm-seed.fullname" . }}-web + name: {{ .Release.Name }}-service-web labels: app: {{ template "osm-seed.name" . }} component: web-service environment: {{ .Values.environment }} release: {{ .Release.Name }} annotations: - {{- if eq .Values.serviceType "LoadBalancer" }} + # NLB + {{- if and (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }} + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300" + cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer {{- end }} - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }} - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https - {{- end }} - {{- if eq .Values.serviceType "ClusterIP" }} - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod-issuer - {{- else }} - fake.annotation: fake - {{- end }} - {{- with .Values.web.serviceAnnotations }} - {{- toYaml . | nindent 4 }} + + {{- if and (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }} + alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.web.healthCheckPath | default "/" }} {{- end }} spec: type: {{ .Values.serviceType }} + selector: + app: {{ template "osm-seed.name" . 
}} + release: {{ .Release.Name }} + run: {{ .Release.Name }}-web ports: - - port: 80 + - name: http + port: 80 targetPort: http protocol: TCP - name: http - {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }} - - port: 443 + {{- if and (eq .Values.ingressClassNameType "nlb") .Values.AWS_SSL_ARN }} + - name: https + port: 443 targetPort: http protocol: TCP - name: https - {{- end }} - selector: - app: {{ template "osm-seed.name" . }} - release: {{ .Release.Name }} - run: {{ .Release.Name }}-web -{{- end }} \ No newline at end of file + {{- end }} +{{- end }} diff --git a/osm-seed/values.yaml b/osm-seed/values.yaml index 08ae0923..6d41c018 100644 --- a/osm-seed/values.yaml +++ b/osm-seed/values.yaml @@ -42,6 +42,12 @@ AWS_SSL_ARN: false # serviceType: NodePort serviceType: ClusterIP createClusterIssuer: false +## ALB configuration +ingressClassNameType: "alb" #Type can be alb or nlb +ingressClassName: alb #nginx, nginx-nlb, alb +alb: + certificateArn: "arn:aws:acm:us-east-1:618380242247:certificate/498e3dc0-843b-4c98-8d41-861775806e86" + # Domain that is pointed to the clusterIP # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP # Then, the cluster configuration will setup services at their respective subdomains:
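Review bot: The `https` port is now emitted whenever `ingressClassNameType` is `nlb` and `AWS_SSL_ARN` is truthy, but the `aws-load-balancer-ssl-cert`, `aws-load-balancer-ssl-ports` and `aws-load-balancer-backend-protocol` annotations that used to accompany it are deleted in the same hunk, so nothing instructs the load balancer to terminate TLS on 443; an NLB would pass the TCP stream on 443 straight to `targetPort: http`, which does not speak TLS, and `AWS_SSL_ARN` is no longer referenced anywhere else in the diff. Either restore `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}` and `service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https` inside the nlb annotation block, or drop the 443 port together with `AWS_SSL_ARN`. Whichever is chosen, a comment on the `{{- if and (eq .Values.ingressClassNameType "nlb") .Values.AWS_SSL_ARN }}` line should state where TLS is terminated.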
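Review bot: `alb.certificateArn` ships with a concrete, account-specific ACM certificate ARN as the chart default, so any deployment that does not override it will try to attach that certificate to its own ALB, and the ARN exposes the owning AWS account id in every copy of the chart; the default should be empty, `certificateArn: ""`, with the template skipping or failing on the `certificate-arn` annotation when it is unset. The two new comments lack a space after `#` (`#Type can be alb or nlb`, `#nginx, nginx-nlb, alb`), and `ingressClassNameType: "alb"` next to `ingressClassName: alb` leaves the relation between the keys undocumented — something like `# ingressClassNameType picks the template branch (alb|nlb); ingressClassName is the IngressClass the controller was installed with` would help. `createClusterIssuer: false` appears no longer to be read by any template touched in this commit and can be removed if nothing else uses it.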