Update ingress and service config to support aws ALB

Author: Rub21

osm-seed/templates/nominatim-api/nominatim-ingress.yaml

@@ -4,9 +4,25 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-nominatim-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
-    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: {{ .Values.alb.scheme | default "internet-facing" }}
+    alb.ingress.kubernetes.io/target-type: {{ .Values.alb.targetType | default "ip" }}
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:

osm-seed/templates/nominatim-api/nominatim-service.yaml

@@ -9,50 +9,27 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    # NLB
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
     {{- end }}
+    # ClusterIP
     {{- if eq .Values.serviceType "ClusterIP" }}
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.nominatimApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  {{- if and .Values.nominatimApi.enabled .Values.nominatimApi.externalService.enabled }}
-  # External service (no selector)
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{ .Values.nominatimApi.externalService.port | default "80" }} 
-      protocol: TCP
-  {{- else }}
-  # Internal service
   type: {{ .Values.serviceType }}
   ports:
     - port: 80
       protocol: TCP
       name: http
       targetPort: api
-    # - port: 5432
-    #   protocol: TCP
-    #   name: postgres
-    #   targetPort: postgres
-  {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    - port: 443
-      protocol: TCP
-      name: https
-      targetPort: apache
-  {{- end }}
   selector:
     app: {{ template "osm-seed.name" . }}
     release: {{ .Release.Name }}
     run: {{ .Release.Name }}-nominatim
-  {{- end }}
 {{- end }}
 ---
 {{- if and .Values.nominatimApi.enabled .Values.nominatimUI.enabled }}
@@ -66,15 +43,6 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
 spec:
-  {{- if and .Values.nominatimUI.enabled .Values.nominatimUI.externalService.enabled }}
-  # External service (no selector)
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{ .Values.nominatimUI.externalService.port | default "80" }} 
-      protocol: TCP
-  {{- else }}
-  # Internal service
   type: ClusterIP
   ports:
     - port: 80
@@ -85,5 +53,4 @@ spec:
     app: {{ template "osm-seed.name" . }}
     release: {{ .Release.Name }}
     run: {{ .Release.Name }}-nominatim
-  {{- end }}
 {{- end }}

osm-seed/templates/osmcha-app/ingress.yaml

@@ -4,8 +4,25 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-osmcha-app
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: {{ .Values.alb.scheme | default "internet-facing" }}
+    alb.ingress.kubernetes.io/target-type: {{ .Values.alb.targetType | default "ip" }}
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:

osm-seed/templates/osmcha-app/service.yaml

@@ -9,18 +9,15 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
+    # NLB
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
     {{- end }}
+    # ClusterIP
     {{- if eq .Values.serviceType "ClusterIP" }}
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.osmchaApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
   type: {{ .Values.serviceType }}

osm-seed/templates/overpass-api/overpass-api-ingress.yaml

@@ -4,11 +4,25 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-overpass-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
     nginx.ingress.kubernetes.io/proxy-body-size: 200m
-    nginx.ingress.kubernetes.io/proxy-connect-timeout: "1200"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "1200"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "1200"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: {{ .Values.alb.scheme | default "internet-facing" }}
+    alb.ingress.kubernetes.io/target-type: {{ .Values.alb.targetType | default "ip" }}
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:

osm-seed/templates/overpass-api/overpass-api-service.yaml

@@ -9,29 +9,17 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    # NLB
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
     {{- end }}
+    # ClusterIP
     {{- if eq .Values.serviceType "ClusterIP" }}
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.overpassApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  {{- if and .Values.overpassApi.enabled .Values.overpassApi.externalService.enabled }}
-  # External service (no selector)
-  ports:
-    - name: http
-      port: 80
-      targetPort: {{ .Values.overpassApi.externalService.port | default "80" }} 
-      protocol: TCP
-  {{- else }}
-  # Internal service
   type: {{ .Values.serviceType }}
   ports:
     - port: 80
@@ -48,5 +36,4 @@ spec:
     app: {{ template "osm-seed.name" . }}
     release: {{ .Release.Name }}
     run: {{ .Release.Name }}-overpass-api
-  {{- end }}
 {{- end }}

osm-seed/templates/taginfo/taginfo-ingress.yaml

@@ -4,10 +4,28 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-taginfo-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: {{ .Values.alb.scheme | default "internet-facing" }}
+    alb.ingress.kubernetes.io/target-type: {{ .Values.alb.targetType | default "ip" }}
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
+  {{- if eq .Values.ingressClassNameType "nlb" }}
   tls:
   - hosts:
     {{- if .Values.taginfo.ingressDomain }}
@@ -16,6 +34,7 @@ spec:
     - taginfo.{{ .Values.domain }}
     {{- end }}
     secretName: {{ template "osm-seed.fullname" . }}-secret-taginfo
+  {{- end }}
   rules:
   - host: {{ if .Values.taginfo.ingressDomain }}{{ .Values.taginfo.ingressDomain }}{{ else }}taginfo.{{ .Values.domain }}{{ end }}
     http:

osm-seed/templates/taginfo/taginfo-service.yaml

@@ -9,18 +9,15 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    # NLB
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
     {{- end }}
+    # ClusterIP
     {{- if eq .Values.serviceType "ClusterIP" }}
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.taginfo.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
   type: {{ .Values.serviceType }}

osm-seed/templates/tasking-manager-api/tm-ingress.yaml

@@ -4,10 +4,28 @@ kind: Ingress
 metadata:
   name: {{ template "osm-seed.fullname" . }}-ingress-tm-api
   annotations:
+    ## NLB 
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    nginx.ingress.kubernetes.io/proxy-body-size: 5m
+    nginx.ingress.kubernetes.io/proxy-body-size: 200m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    {{- end }}
+    # ALB
+    {{- if eq .Values.ingressClassNameType "alb" }}
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/group.name: {{ .Release.Name }}
+    alb.ingress.kubernetes.io/scheme: {{ .Values.alb.scheme | default "internet-facing" }}
+    alb.ingress.kubernetes.io/target-type: {{ .Values.alb.targetType | default "ip" }}
+    alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
+    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
+    alb.ingress.kubernetes.io/ssl-redirect: '443'
+    {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
+  {{- if eq .Values.ingressClassNameType "nlb" }}
   tls:
   - hosts:
     {{- if .Values.tmApi.ingressDomain }}
@@ -16,6 +34,7 @@ spec:
     - tm-api.{{ .Values.domain }}
     {{- end }}
     secretName: {{ template "osm-seed.fullname" . }}-secret-tm-api
+  {{- end }}
   rules:
   - host: {{ if .Values.tmApi.ingressDomain }}{{ .Values.tmApi.ingressDomain }}{{ else }}tm-api.{{ .Values.domain }}{{ end }}
     http:

osm-seed/templates/tasking-manager-api/tm-service.yaml

@@ -9,21 +9,18 @@ metadata:
     environment: {{ .Values.environment }}
     release: {{ .Release.Name }}
   annotations:
-    {{- if and (eq .Values.serviceType "LoadBalancer") .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.AWS_SSL_ARN }}
-    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
-    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https    
+    # NLB
+    {{- if eq .Values.ingressClassNameType "nlb" }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
     {{- end }}
+    # ClusterIP
     {{- if eq .Values.serviceType "ClusterIP" }}
     cert-manager.io/cluster-issuer: {{ .Release.Name }}-letsencrypt-prod-issuer
-    {{- else }}
-    fake.annotation: fake
-    {{- end }}
-    {{- with .Values.tmApi.serviceAnnotations }}
-    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  type: {{ .Values.serviceType }}
+  type: {{ if eq .Values.ingressClassNameType "nlb" }}{{ default "LoadBalancer" .Values.serviceType }}{{ else }}ClusterIP{{ end }}
   ports:
     - port: 80
       targetPort: http