Unified Ingress Implementation - Fixes #205 (#219)

* Refactor PostgreSQL configuration and remove deprecated database setup

- Introduced a unified PostgreSQL configuration structure in values.yaml, replacing the old db configuration.
- Added new helper functions for managing PostgreSQL environment variables and secrets based on the selected configuration type (postgrescluster, external-plaintext, external-secret).
- Removed old database-related templates (ConfigMap, Deployment, PVC, Secrets, Service) that are no longer needed.
- Updated the pgstacbootstrap job and configmap templates to align with the new PostgreSQL configuration.
- Implemented validation for PostgreSQL settings to ensure required fields are set based on the selected type.

* Add PostgreSQL host reader and writer environment variables, and include DATABASE_URL for connection string

* Added a clarifying comment in values.yaml to explain that values in the external secret (host, port, database) will override the corresponding values defined in external.host, external.port, and external.database.

Confirmed that the conditional blocks in deployment.yaml were already consolidated to eliminate redundancy. The file was already using a single include statement for PostgreSQL environment variables:

env:
  {{- include "eoapi.postgresqlEnv" $ | nindent 12 }}
Removed the unused eoapi.mapLegacyPostgresql helper function from _helpers.tpl as it wasn't being referenced anywhere in the codebase.

* Refactor: Implement unified ingress configuration for nginx and traefik, streamline values.yaml, and update related documentation and tests

* Remove deprecated ingress backup template from helm chart

* Enhance ingress configuration in test values for Traefik with path transformation annotations

* Add Traefik middleware for path rewriting and update ingress annotations

* Refactor: Update Traefik ingress annotations to use middleware for path rewriting

* Remove Traefik ingress annotations for entrypoints and middlewares in test cases

* Add init container for pgstac migration and loading samples in deployment

* Add command to retrieve and describe Traefik middleware in CI workflow

* Refactor ingress configuration for Traefik and NGINX; add host for TLS support and remove deprecated middleware

* Add Traefik middleware annotation for ingress tests

* Add Traefik entrypoint annotation to ingress configuration

* Add temporary annotation for Traefik to support ASGI prefix handling

* Remove testing condition from doc-server ConfigMap template

* Update Traefik service IP address to use local endpoint in helm-tests workflow

* Remove hardcoded service account name from deployment template

* Add comments to clarify proxy settings and ingress pathType requirements

* Clarify versioning details in unified ingress documentation

Author: emmanuelmathot

.github/workflows/helm-tests.yml

@@ -196,21 +196,29 @@ jobs:
           kubectl get ingress --all-namespaces -o jsonpath='{range .items[0]}kubectl describe ingress {.metadata.name} -n {.metadata.namespace}{end}' | sh
           kubectl get middleware.traefik.io --all-namespaces -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers | while read -r namespace name; do kubectl describe middleware.traefik.io "$name" -n "$namespace"; done
 
-          PUBLICIP='http://'$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-          export VECTOR_ENDPOINT=$PUBLICIP/vector$RELEASE_NAME
-          export STAC_ENDPOINT=$PUBLICIP/stac$RELEASE_NAME
-          export RASTER_ENDPOINT=$PUBLICIP/raster$RELEASE_NAME
+          # Get the IP address of the Traefik service
+          PUBLICIP_VALUE=$(kubectl -n kube-system get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+          PUBLICIP=http://eoapi.local
+          export VECTOR_ENDPOINT=$PUBLICIP/vector
+          export STAC_ENDPOINT=$PUBLICIP/stac
+          export RASTER_ENDPOINT=$PUBLICIP/raster
+
+          # Add entry to /etc/hosts for eoapi.local
+          echo "Adding eoapi.local to /etc/hosts with IP: $PUBLICIP_VALUE"
+          echo "$PUBLICIP_VALUE eoapi.local" | sudo tee -a /etc/hosts
 
           echo '#################################'
           echo $VECTOR_ENDPOINT
           echo $STAC_ENDPOINT
           echo $RASTER_ENDPOINT
           echo '#################################'
 
-          pytest .github/workflows/tests/test_vector.py || kubectl logs svc/vector
-          pytest .github/workflows/tests/test_stac.py || kubectl logs svc/stac
+          # Run tests with proper failure propagation
+          set -e  # Make sure any command failure causes the script to exit with error
+          pytest .github/workflows/tests/test_vector.py || { kubectl logs svc/vector; exit 1; }
+          pytest .github/workflows/tests/test_stac.py || { kubectl logs svc/stac; exit 1; }
           # TODO: fix raster tests
-          #pytest .github/workflows/tests/test_raster.py || kubectl logs svc/raster
+          #pytest .github/workflows/tests/test_raster.py || { kubectl logs svc/raster; exit 1; }
 
       - name: error if tests failed
         if: steps.testrunner.outcome == 'failure'

docs/unified-ingress.md

@@ -0,0 +1,107 @@
+# Unified Ingress Configuration
+
+This document describes the unified ingress approach implemented in the eoAPI Helm chart.
+
+## Overview
+
+As of version 0.7.0, eoAPI uses a consolidated, controller-agnostic ingress configuration. This approach:
+
+- Eliminates code duplication between different ingress controller implementations
+- Provides consistent behavior across controllers
+- Simplifies testing and maintainability
+- Removes artificial restrictions on using certain ingress controllers in specific environments
+- Makes it easier to add support for additional ingress controllers in the future
+
+## Configuration
+
+The ingress configuration has been streamlined and generalized in the `values.yaml` file:
+
+```yaml
+ingress:
+  # Unified ingress configuration for both nginx and traefik
+  enabled: true
+  # ingressClassName: "nginx" or "traefik"
+  className: "nginx"
+  # Path configuration
+  pathType: "Prefix"  # Can be "Prefix" or "ImplementationSpecific" based on controller
+  pathSuffix: ""      # Add a suffix to service paths (e.g. "(/|$)(.*)" for nginx regex)
+  rootPath: ""        # Root path for doc server
+  # Host configuration
+  host: ""
+  # Custom annotations to add to the ingress
+  annotations: {}
+  # TLS configuration
+  tls:
+    enabled: false
+    secretName: eoapi-tls
+    certManager: false
+    certManagerIssuer: letsencrypt-prod
+    certManagerEmail: ""
+```
+
+## Controller-Specific Configurations
+
+### NGINX Ingress Controller
+
+For NGINX, use the following configuration:
+
+```yaml
+ingress:
+  enabled: true
+  className: "nginx"
+  pathType: "Prefix"
+  annotations:
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/enable-access-log: "true"
+```
+
+### Traefik Ingress Controller
+
+When using Traefik, the system automatically includes the Traefik middleware to strip prefixes (e.g., `/stac`, `/raster`) from requests before forwarding them to services. This is handled by the `traefik-middleware.yaml` template.
+
+For basic Traefik configuration:
+
+```yaml
+ingress:
+  enabled: true
+  className: "traefik"
+  pathType: "Prefix"
+  # When using TLS, setting host is required to avoid "No domain found" warnings
+  host: "example.domain.com"  # Required to work properly with TLS
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+```
+
+For Traefik with TLS:
+
+```yaml
+ingress:
+  enabled: true
+  className: "traefik"
+  pathType: "Prefix"
+  # Host is required when using TLS with Traefik
+  host: "example.domain.com"
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+  tls:
+    enabled: true
+    secretName: eoapi-tls
+```
+
+## Migration
+
+If you're migrating from a version 0.6.0 or earlier, follow these guidelines:
+
+1. Update your values to use the new unified configuration
+2. Ensure your ingress controller-specific annotations are set correctly
+3. Set the appropriate `pathType` for your controller
+4. Test the configuration before deploying to production
+
+## Note for Traefik Users
+
+Traefik is now fully supported in all environments, including production. The previous restriction limiting Traefik to testing environments has been removed.
+
+## Document Server
+
+The document server implementation has also been unified. It now works with both NGINX and Traefik controllers using the same configuration.

helm-chart/eoapi/ingress.bkup

@@ -397,14 +397,3 @@ validate:
 {{- end -}}
 
 {{- end -}}
-
-{{/*
-validate:
-that you can only use traefik as ingress when `testing=true`
-*/}}
-{{- define "eoapi.validateTraefik" -}}
-{{- if and (not .Values.testing) (eq .Values.ingress.className "traefik") $ -}}
-  {{- fail "you cannot use traefik yet outside of testing" -}}
-{{- end -}}
-
-{{- end -}}

helm-chart/eoapi/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "eoapi.pgstacInitContainer" -}}
+{{- if .Values.pgstacBootstrap.enabled }}
+- name: wait-for-pgstac-migrate
+  image: bitnami/kubectl:latest
+  command:
+    - /bin/sh
+    - -c
+    - |
+      echo "Waiting for pgstac-migrate job to complete..."
+      until kubectl get job pgstac-migrate -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+        echo "pgstac-migrate job not complete yet, waiting..."
+        sleep 5
+      done
+      echo "pgstac-migrate job completed successfully."
+{{- if .Values.pgstacBootstrap.settings.loadSamples }}
+- name: wait-for-pgstac-load-samples
+  image: bitnami/kubectl:latest
+  command:
+    - /bin/sh
+    - -c
+    - |
+      echo "Waiting for pgstac-load-samples job to complete..."
+      until kubectl get job pgstac-load-samples -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+        echo "pgstac-load-samples job not complete yet, waiting..."
+        sleep 5
+      done
+      echo "pgstac-load-samples job completed successfully."
+{{- end }}
+{{- end }}
+{{- end -}}

helm-chart/eoapi/templates/_pgstac_init.tpl

@@ -29,7 +29,7 @@ metadata:
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-5"
-    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+    helm.sh/hook-delete-policy: "before-hook-creation"
 spec:
   template:
     metadata:
@@ -97,7 +97,7 @@ metadata:
   annotations:
     helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-4"
-    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+    helm.sh/hook-delete-policy: "before-hook-creation"
 spec:
   template:
     metadata:

helm-chart/eoapi/templates/pgstacbootstrap/job.yaml

@@ -34,12 +34,38 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if $.Values.pgstacBootstrap.enabled }}
+      initContainers:
+      - name: wait-for-pgstac-jobs
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Waiting for pgstac-migrate job to complete..."
+          until kubectl get job pgstac-migrate -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+            echo "pgstac-migrate job not complete yet, waiting..."
+            sleep 5
+          done
+          echo "pgstac-migrate job completed successfully."
+          
+          {{- if $.Values.pgstacBootstrap.settings.loadSamples }}
+          echo "Waiting for pgstac-load-samples job to complete..."
+          until kubectl get job pgstac-load-samples -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; do
+            echo "pgstac-load-samples job not complete yet, waiting..."
+            sleep 5
+          done
+          echo "pgstac-load-samples job completed successfully."
+          {{- end }}
+      {{- end }}
       containers:
       - image: {{ index $v "image" "name" }}:{{ index $v "image" "tag" }}
         name: {{ $serviceName }}
         command:
           {{- toYaml (index $v "command") | nindent 10 }}
           {{- if (and ($.Values.ingress.className) (or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik"))) }}
+          - "--proxy-headers" # Needed when using reverse proxy
+          - "--forwarded-allow-ips=*" # Needed when using reverse proxy
           - "--root-path=/{{ $serviceName }}"
           {{- end }}{{/* needed for proxies and path rewrites on NLB */}}
         livenessProbe:

helm-chart/eoapi/templates/services/deployment.yaml

@@ -1,8 +1,8 @@
-{{- if (and (.Values.ingress.className) (eq .Values.ingress.className "nginx") (not .Values.testing)  (.Values.docServer.enabled))}}
+{{- if .Values.docServer.enabled}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: nginx-root-html-{{ .Release.Name }}
+  name: doc-server-html-{{ .Release.Name }}
 data:
   index.html: |
     <html>
@@ -11,7 +11,7 @@ data:
     </head>
     <body>
         <h2>This is the root path /</h2>
-        <p>Your service configuration is using ingress-nginx with path rewrites. So use these paths for each service:</p>
+        <p>Your service configuration is using path rewrites. So use these paths for each service:</p>
         <ul>
           <li><a href="/raster" target="_blank" rel="noopener noreferrer">/raster</a></li>
           <li><a href="/vector" target="_blank" rel="noopener noreferrer">/vector</a></li>
@@ -48,7 +48,7 @@ spec:
       volumes:
       - name: doc-html-{{ .Release.Name }}
         configMap:
-          name: nginx-root-html-{{ .Release.Name }}
+          name: doc-server-html-{{ .Release.Name }}
       {{- if .Values.docServer.settings }}
       {{- with .Values.docServer.settings.affinity }}
       affinity: