Add configuration to support a custom ingressClassName -NLB and ALB (#375)

* Add env vars for wikipedia-wikiledia

* Add configuration to support a custom ingressClassName

* Add configuration to support a custom ingressClassName - overpass-api

* Set gitsha for taginfo image

* Rename ClusterIssuer and point to ingressClassName

* Set global ingressClassName value

* Support ALB for web service

* Update ingress and service config to support aws ALB

* Set annotations for ingress

* Use ClusterIssuer only if it is NLB

* Update configs

* Add healthcheck-path for services - alb

Author: Rub21

images/taginfo/Dockerfile

@@ -30,6 +30,7 @@ RUN apt-get update && apt-get install -y \
 
 RUN git clone https://github.com/taginfo/taginfo-tools.git $workdir/taginfo-tools && \
     cd $workdir/taginfo-tools && \
+    git checkout 24412e65740752f8b962bd1cf3baf350d0672cc7 && \
     git submodule update --init && \
     mkdir build && cd build && \
     cmake .. && make

osm-seed/templates/cgimap/cgimap-service.yaml

@@ -9,19 +9,12 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
-    {{- end }}
-    {{- if eq .Values.serviceType "ClusterIP" }}
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.cgimap.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
+    # NLB
+    {{- if and  (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
     {{- end }}
 spec:
   type: {{ .Values.serviceType }}

osm-seed/templates/letsencrypt-issuer.yaml

@@ -1,8 +1,8 @@
-{{- if and (eq .Values.serviceType "ClusterIP") (eq .Values.createClusterIssuer true) }}
+{{- if and (eq .Values.serviceType "ClusterIP") (eq .Values.ingressClassNameType "elb") }}
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-    name: letsencrypt-prod-issuer
+    name: {{ .Release.Name }}-letsencrypt-prod-issuer
 spec:
     acme:
         # You must replace this email address with your own.
@@ -15,12 +15,12 @@ spec:
         server: https://acme-v02.api.letsencrypt.org/directory
         privateKeySecretRef:
         # Secret resource used to store the account's private key.
-            name: letsencrypt-issuer-key
+            name: {{ .Release.Name }}-letsencrypt-issuer-key
         # Enable the HTTP-01 challenge provider
         # you prove ownership of a domain by ensuring that a particular
         # file is present at the domain
         solvers:
         - http01:
             ingress:
-                class: nginx
+                class: {{ .Values.ingressClassName }}
 {{- end }}

osm-seed/templates/nominatim-api/nominatim-ingress.yaml

@@ -4,12 +4,27 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-nominatim-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
     kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
-    nginx.ingress.kubernetes.io/use-regex: "true"
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: "internet-facing"
+    alb.ingress.kubernetes.io/target-type: "ip" 
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ .Values.ingressClassName }}
   tls:
   - hosts:
     {{- if .Values.nominatimApi.ingressDomain }}

osm-seed/templates/nominatim-api/nominatim-service.yaml

@@ -9,51 +9,28 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    # NLB
+    {{- if and  (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
     {{- end }}
-    {{- if eq .Values.serviceType "ClusterIP" }}
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.nominatimApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
+
+    {{- if and  (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }}
+    alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.nominatimApi.healthCheckPath | default "/" }}
     {{- end }}
 spec:
-  {{- if and .Values.nominatimApi.enabled .Values.nominatimApi.externalService.enabled }}
-  # External service (no selector)
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{ .Values.nominatimApi.externalService.port | default "80" }} 
-      protocol: TCP
-  {{- else }}
-  # Internal service
   type: {{ .Values.serviceType }}
   ports:
     - port: 80
       protocol: TCP
       name: http
       targetPort: api
-    # - port: 5432
-    #   protocol: TCP
-    #   name: postgres
-    #   targetPort: postgres
-  {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    - port: 443
-      protocol: TCP
-      name: https
-      targetPort: apache
-  {{- end }}
   selector:
     app: {{ template "osm-seed.name" . }}
     release: {{ .Release.Name }}
     run: {{ .Release.Name }}-nominatim
-  {{- end }}
 {{- end }}
 ---
 {{- if and .Values.nominatimApi.enabled .Values.nominatimUI.enabled }}
@@ -67,15 +44,6 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
 spec:
-  {{- if and .Values.nominatimUI.enabled .Values.nominatimUI.externalService.enabled }}
-  # External service (no selector)
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{ .Values.nominatimUI.externalService.port | default "80" }} 
-      protocol: TCP
-  {{- else }}
-  # Internal service
   type: ClusterIP
   ports:
     - port: 80
@@ -86,5 +54,4 @@ spec:
     app: {{ template "osm-seed.name" . }}
     release: {{ .Release.Name }}
     run: {{ .Release.Name }}-nominatim
-  {{- end }}
 {{- end }}

osm-seed/templates/osmcha-app/ingress.yaml

@@ -4,11 +4,27 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-osmcha-app
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
     kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: "internet-facing"
+    alb.ingress.kubernetes.io/target-type: "ip" 
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ .Values.ingressClassName }}
   tls:
     - hosts:
       {{- if .Values.osmchaApi.ingressDomain }}

osm-seed/templates/osmcha-app/service.yaml

@@ -9,19 +9,12 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
-    {{- end }}
-    {{- if eq .Values.serviceType "ClusterIP" }}
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.osmchaApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
+    # NLB
+    {{- if and  (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
     {{- end }}
 spec:
   type: {{ .Values.serviceType }}

osm-seed/templates/overpass-api/overpass-api-ingress.yaml

@@ -4,14 +4,27 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-overpass-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
     kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
     nginx.ingress.kubernetes.io/proxy-body-size: 200m
-    nginx.ingress.kubernetes.io/proxy-connect-timeout: "1200"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "1200"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "1200"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: "internet-facing"
+    alb.ingress.kubernetes.io/target-type: "ip" 
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ .Values.ingressClassName }}
   tls:
   - hosts:
     {{- if .Values.overpassApi.ingressDomain }}

osm-seed/templates/overpass-api/overpass-api-service.yaml

@@ -9,30 +9,18 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    # NLB
+    {{- if and  (eq .Values.ingressClassNameType "nlb" ) (eq .Values.serviceType "ClusterIP") }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
     {{- end }}
-    {{- if eq .Values.serviceType "ClusterIP" }}
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.overpassApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
+
+    {{- if and  (eq .Values.ingressClassNameType "alb" ) (eq .Values.serviceType "ClusterIP") }}
+    alb.ingress.kubernetes.io/healthcheck-path: {{ .Values.overpassApi.healthCheckPath | default "/" }}
     {{- end }}
 spec:
-  {{- if and .Values.overpassApi.enabled .Values.overpassApi.externalService.enabled }}
-  # External service (no selector)
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{ .Values.overpassApi.externalService.port | default "80" }} 
-      protocol: TCP
-  {{- else }}
-  # Internal service
   type: {{ .Values.serviceType }}
   ports:
     - port: 80
@@ -49,5 +37,4 @@ spec:
     app: {{ template "osm-seed.name" . }}
     release: {{ .Release.Name }}
     run: {{ .Release.Name }}-overpass-api
-  {{- end }}
 {{- end }}

osm-seed/templates/taginfo/taginfo-ingress.yaml

@@ -4,11 +4,28 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-taginfo-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
     kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
+    cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: "internet-facing"
+    alb.ingress.kubernetes.io/target-type: "ip" 
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
-  ingressClassName: nginx
+  ingressClassName: {{ .Values.ingressClassName }}
+  {{- if eq .Values.ingressClassNameType "nlb" }}
   tls:
   - hosts:
     {{- if .Values.taginfo.ingressDomain }}
@@ -17,6 +34,7 @@ spec:
     - taginfo.{{ .Values.domain }}
     {{- end }}
     secretName: {{ template "osm-seed.fullname" . }}-secret-taginfo
+  {{- end }}
   rules:
   - host: {{ if .Values.taginfo.ingressDomain }}{{ .Values.taginfo.ingressDomain }}{{ else }}taginfo.{{ .Values.domain }}{{ end }}
     http: