Refactor Helm Chart to Service-Specific Templates (#220)

* Refactor PostgreSQL configuration and remove deprecated database setup

- Introduced a unified PostgreSQL configuration structure in values.yaml, replacing the old db configuration.
- Added new helper functions for managing PostgreSQL environment variables and secrets based on the selected configuration type (postgrescluster, external-plaintext, external-secret).
- Removed old database-related templates (ConfigMap, Deployment, PVC, Secrets, Service) that are no longer needed.
- Updated the pgstacbootstrap job and configmap templates to align with the new PostgreSQL configuration.
- Implemented validation for PostgreSQL settings to ensure required fields are set based on the selected type.

* Add PostgreSQL host reader and writer environment variables, and include DATABASE_URL for connection string

* Added a clarifying comment in values.yaml to explain that values in the external secret (host, port, database) will override the corresponding values defined in external.host, external.port, and external.database.

Confirmed that the conditional blocks in deployment.yaml were already consolidated to eliminate redundancy. The file was already using a single include statement for PostgreSQL environment variables:

env:
  {{- include "eoapi.postgresqlEnv" $ | nindent 12 }}
Removed the unused eoapi.mapLegacyPostgresql helper function from _helpers.tpl as it wasn't being referenced anywhere in the codebase.

* Refactor: Implement unified ingress configuration for nginx and traefik, streamline values.yaml, and update related documentation and tests

* Remove deprecated ingress backup template from helm chart

* Enhance ingress configuration in test values for Traefik with path transformation annotations

* Add Traefik middleware for path rewriting and update ingress annotations

* Refactor: Update Traefik ingress annotations to use middleware for path rewriting

* Remove Traefik ingress annotations for entrypoints and middlewares in test cases

* Add init container for pgstac migration and loading samples in deployment

* Add command to retrieve and describe Traefik middleware in CI workflow

* Refactor ingress configuration for Traefik and NGINX; add host for TLS support and remove deprecated middleware

* Add Traefik middleware annotation for ingress tests

* Add Traefik entrypoint annotation to ingress configuration

* Add temporary annotation for Traefik to support ASGI prefix handling

* Remove testing condition from doc-server ConfigMap template

* Update Traefik service IP address to use local endpoint in helm-tests workflow

* Remove hardcoded service account name from deployment template

* Refactor code structure for improved readability and maintainability

* Refactor service templates and tests for improved organization and clarity

* Refactor Helm chart tests: Split service tests into individual files for raster, stac, vector, and multidim services; update deployment and configmap tests for backward compatibility; adjust ingress and HPA tests; clean up unused configurations in test.yaml.

* Add template references to service tests for multidim, raster, stac, and vector

* Refactor Helm chart to support service-specific ingress configurations for raster, stac, vector, and multidim services; enhance readability and maintainability.

* Update helm-chart/eoapi/templates/services/multidim/hpa.yaml

Co-authored-by: Tarashish Mishra <[email protected]>

* Update helm-chart/eoapi/templates/services/raster/hpa.yaml

Co-authored-by: Tarashish Mishra <[email protected]>

* Update helm-chart/eoapi/templates/services/vector/hpa.yaml

Co-authored-by: Tarashish Mishra <[email protected]>

* Implement STAC Auth Proxy integration with EOAPI-K8S for service-specific ingress control

- Added documentation for STAC Auth Proxy integration
- Configured service-specific ingress settings in values.yaml
- Updated ingress template to conditionally include STAC service paths
- Provided deployment guide and network flow diagram
- Included testing and troubleshooting sections for configuration verification

* Update helm-chart/eoapi/templates/services/stac/hpa.yaml

Co-authored-by: Tarashish Mishra <[email protected]>

---------

Co-authored-by: Tarashish Mishra <[email protected]>

Author: emmanuelmathot

docs/stac-auth-proxy.md

@@ -0,0 +1,127 @@
+# STAC Auth Proxy Integration with EOAPI-K8S
+
+## Solution Overview
+
+We have implemented support for STAC Auth Proxy integration with EOAPI-K8S through service-specific ingress control. This feature allows the STAC service to be accessible only internally while other services remain externally available.
+
+## Implementation Details
+
+### 1. Service-Specific Ingress Control
+
+Each service can now independently control its ingress settings via the values.yaml configuration:
+
+```yaml
+stac:
+  enabled: true
+  ingress:
+    enabled: false  # Disable external ingress for STAC only
+
+# Other services remain externally accessible
+raster:
+  enabled: true
+  ingress:
+    enabled: true
+```
+
+### 2. Template Changes
+
+The ingress template now checks service-specific settings:
+
+```yaml
+{{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }}
+- pathType: {{ .Values.ingress.pathType }}
+  path: /stac{{ .Values.ingress.pathSuffix }}
+  backend:
+    service:
+      name: stac
+      port:
+        number: {{ .Values.service.port }}
+{{- end }}
+```
+
+This ensures:
+- Service paths are only included if the service and its ingress are enabled
+- Backward compatibility is maintained (ingress enabled by default)
+- Clean separation of service configurations
+
+## Deployment Guide
+
+### 1. Configure EOAPI-K8S
+
+```yaml
+# values.yaml for eoapi-k8s
+stac:
+  enabled: true
+  ingress:
+    enabled: false  # No external ingress for STAC
+
+# Other services remain externally accessible
+raster:
+  enabled: true
+vector:
+  enabled: true
+multidim:
+  enabled: true
+```
+
+### 2. Deploy STAC Auth Proxy
+
+Deploy the stac-auth-proxy Helm chart in the same namespace:
+
+```yaml
+# values.yaml for stac-auth-proxy
+backend:
+  service: stac  # Internal K8s service name
+  port: 8080     # Service port
+
+auth:
+  # Configure authentication settings
+  provider: oauth2
+  # ... other auth settings
+```
+
+### 3. Network Flow
+
+```mermaid
+graph LR
+    A[External Request] --> B[STAC Auth Proxy]
+    B -->|Authentication| C[Internal STAC Service]
+    D[External Request] -->|Direct Access| E[Raster/Vector/Other Services]
+```
+
+## Testing
+
+Verify the configuration:
+
+```bash
+# Check that STAC paths are excluded
+helm template eoapi --set stac.ingress.enabled=false,stac.enabled=true -f values.yaml
+
+# Verify other services remain accessible
+kubectl get ingress
+kubectl get services
+```
+
+Expected behavior:
+- STAC service accessible only within the cluster
+- Other services (raster, vector, etc.) accessible via their ingress paths
+- Auth proxy successfully routing authenticated requests to STAC
+
+## Troubleshooting
+
+1. **STAC Service Not Accessible Internally**
+   - Verify service is running: `kubectl get services`
+   - Check service port matches auth proxy configuration
+   - Verify network policies allow proxy-to-STAC communication
+
+2. **Other Services Affected**
+   - Confirm ingress configuration for other services
+   - Check ingress controller logs
+   - Verify service-specific settings in values.yaml
+
+## Additional Notes
+
+- The solution leverages Kubernetes service discovery for internal communication
+- No changes required to the STAC service itself
+- Zero downtime deployment possible
+- Existing deployments without auth proxy remain compatible

helm-chart/eoapi/.helmignore

@@ -22,3 +22,5 @@
 *.tmproj
 .vscode/
 tests/
+# Ignore all README.md in all subdirectories 
+README.md

helm-chart/eoapi/templates/services/README.md

@@ -0,0 +1,45 @@
+# Service-Specific Templates
+
+This directory contains service-specific templates organized to improve readability, maintainability, and flexibility.
+
+## Directory Structure
+
+```
+services/
+├── _common.tpl            # Limited common helper functions
+├── ingress.yaml           # Single shared ingress for all services
+├── raster/                # Raster service templates
+│   ├── deployment.yaml    # Deployment definition
+│   ├── service.yaml       # Service definition
+│   ├── configmap.yaml     # ConfigMap definition
+│   └── hpa.yaml           # HorizontalPodAutoscaler definition
+├── stac/                  # STAC service templates
+│   ├── deployment.yaml
+│   ├── service.yaml
+│   ├── configmap.yaml
+│   └── hpa.yaml
+├── vector/                # Vector service templates
+│   ├── deployment.yaml
+│   ├── service.yaml
+│   ├── configmap.yaml
+│   └── hpa.yaml
+└── multidim/             # Multidimensional service templates
+    ├── deployment.yaml
+    ├── service.yaml
+    ├── configmap.yaml
+    └── hpa.yaml
+```
+
+## Common Helpers
+
+The `_common.tpl` file provides limited helper functions for truly common elements:
+
+- `eoapi.mountServiceSecrets`: For mounting service secrets
+- `eoapi.commonEnvVars`: For common environment variables like SERVICE_NAME, RELEASE_NAME, GIT_SHA
+- `eoapi.pgstacInitContainers`: For init containers that wait for pgstac jobs
+
+For database environment variables, we leverage the existing `eoapi.postgresqlEnv` helper from the main `_helpers.tpl` file.
+
+## Usage
+
+No changes to `values.yaml` structure were required. The chart maintains full backward compatibility with existing deployments.

helm-chart/eoapi/templates/services/_common.tpl

@@ -0,0 +1,58 @@
+{{/* 
+Helper function for mounting service secrets
+Only extract truly common elements that are mechanical and don't need customization
+*/}}
+{{- define "eoapi.mountServiceSecrets" -}}
+{{- $service := .service -}}
+{{- $root := .root -}}
+{{- if index $root.Values $service "settings" "envSecrets" }}
+{{- range $secret := index $root.Values $service "settings" "envSecrets" }}
+- secretRef:
+    name: {{ $secret }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Helper function for common environment variables
+*/}}
+{{- define "eoapi.commonEnvVars" -}}
+{{- $service := .service -}}
+{{- $root := .root -}}
+- name: SERVICE_NAME
+  value: {{ $service | quote }}
+- name: RELEASE_NAME
+  value: {{ $root.Release.Name | quote }}
+- name: GIT_SHA
+  value: {{ $root.Values.gitSha | quote }}
+{{- end -}}
+
+{{/*
+Helper function for common init containers to wait for pgstac jobs
+*/}}
+{{- define "eoapi.pgstacInitContainers" -}}
+{{- if .Values.pgstacBootstrap.enabled }}
+initContainers:
+- name: wait-for-pgstac-jobs
+  image: bitnami/kubectl:latest
+  command:
+  - /bin/sh
+  - -c
+  - |
+    echo "Waiting for pgstac-migrate job to complete..."
+    until kubectl get job pgstac-migrate -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+      echo "pgstac-migrate job not complete yet, waiting..."
+      sleep 5
+    done
+    echo "pgstac-migrate job completed successfully."
+    
+    {{- if .Values.pgstacBootstrap.settings.loadSamples }}
+    echo "Waiting for pgstac-load-samples job to complete..."
+    until kubectl get job pgstac-load-samples -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+      echo "pgstac-load-samples job not complete yet, waiting..."
+      sleep 5
+    done
+    echo "pgstac-load-samples job completed successfully."
+    {{- end }}
+{{- end }}
+{{- end -}}