
web: Define ingress paths with authentication

Antoine R. Dumont requested to merge web-improve-ingress-rules into production

This makes it possible to add the extra basic-authentication part to the ingress.

That will match what's currently deployed in the Apache in front of gunicorn on vault.internal.staging.swh.network and moma.

It's not deploying anything yet. The next step would be to decommission webapp.internal.staging.swh.network in favor of the webapp cassandra running in staging (with some adaptations in the values).

make swh-helm-diff
[swh] Generate config in production branch for environment staging...
Switched to branch 'web-improve-ingress-rules'
[swh] Generate config in web-improve-ingress-rules branch for environment staging...
Switched to branch 'production'
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production...
Switched to branch 'web-improve-ingress-rules'
[swh] Generate config in web-improve-ingress-rules branch for environment production...


------------- diff for environment staging -------------

--- /tmp/swh-chart.swh.CWDCbMEC/staging.before  2023-10-12 16:45:46.314322051 +0200
+++ /tmp/swh-chart.swh.CWDCbMEC/staging.after   2023-10-12 16:45:47.058321513 +0200
@@ -44203,45 +44203,47 @@
             name: storage
             port:
               number: 5002
     host: storage-cassandra.internal.staging.swh.network
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
-  name: swh-web-ingress
+  name: swh-web-ingress-default
   annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   rules:
-  - http:
+  - host: webapp-cassandra.internal.staging.swh.network
+    http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
+
       - path: /static
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 80
-    host: webapp-cassandra.internal.staging.swh.network
+
   tls:
   - hosts:
     - webapp-cassandra.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
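Review bot: The rendered `swh-web-ingress-default` object carries no authentication annotation in this hunk, nor in the second staging hunk or the production hunk, so this diff only shows the unauthenticated default case and gives no evidence that the new basic-auth branch of `swh/templates/web/ingress.yaml` renders correctly. With ingress-nginx the auth annotations apply to every path of the Ingress object they sit on, so it would help to render the chart once with an authenticated path in the staging values and check that `nginx.ingress.kubernetes.io/auth-type: basic` and `nginx.ingress.kubernetes.io/auth-secret` land on the separate Ingress and not on this one. The `path: /` entry with `pathType: Prefix` stays unauthenticated and matches everything that no longer prefix claims, so each path that must be protected has to be listed explicitly in the values. The template itself is not visible here, only its output.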
@@ -66229,45 +66231,47 @@
             name: storage
             port:
               number: 5002
     host: storage-cassandra-next-version.internal.staging.swh.network
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra-next-version
-  name: swh-web-ingress
+  name: swh-web-ingress-default
   annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   rules:
-  - http:
+  - host: webapp-cassandra-next-version.internal.staging.swh.network
+    http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
+
       - path: /static
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 80
-    host: webapp-cassandra-next-version.internal.staging.swh.network
+
   tls:
   - hosts:
     - webapp-cassandra-next-version.internal.staging.swh.network
     secretName: swh-web-crt
 ---
 # Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
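Review bot: The two added empty lines, after the `number: 5004` path entry and before `tls:`, look like whitespace left behind by control actions in `swh/templates/web/ingress.yaml`; the same two lines appear in the first staging hunk and in the production hunk. If that is the cause, trimming the actions, for example `{{- end }}` instead of `{{ end }}`, keeps the rendered manifest free of them and makes later `swh-helm-diff` output easier to read.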


------------- diff for environment production -------------

--- /tmp/swh-chart.swh.CWDCbMEC/production.before       2023-10-12 16:45:47.514321184 +0200
+++ /tmp/swh-chart.swh.CWDCbMEC/production.after        2023-10-12 16:45:48.002320831 +0200
@@ -40440,45 +40440,47 @@
             name: graphql
             port:
               number: 5013
     host: webapp-cassandra.internal.softwareheritage.org
 ---
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
-  name: swh-web-ingress
+  name: swh-web-ingress-default
   annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   rules:
-  - http:
+  - host: webapp-cassandra.internal.softwareheritage.org
+    http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 5004
+
       - path: /static
         pathType: Prefix
         backend:
           service:
             name: web
             port:
               number: 80
-    host: webapp-cassandra.internal.softwareheritage.org
+
   tls:
   - hosts:
     - webapp-cassandra.internal.softwareheritage.org
     secretName: swh-web-crt
 ---
 # Source: swh/charts/keda/templates/metrics-server/apiservice.yaml
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
   annotations:
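Review bot: Renaming the object from `swh-web-ingress` to `swh-web-ingress-default` makes Helm delete the old Ingress and create a new one instead of updating it in place, and in this hunk that affects the production host `webapp-cassandra.internal.softwareheritage.org`. Both objects carry `kubernetes.io/tls-acme: "true"` and `secretName: swh-web-crt`, so the cert-manager Certificate derived from the Ingress is probably removed and recreated along with it; it is worth confirming on staging, where both hunks have the same rename, that the existing secret is reused and that no new Let's Encrypt order or default-certificate window results. As a smaller point, `kubernetes.io/ingress.class: nginx` is the deprecated annotation form, and `ingressClassName: nginx` under `spec` is the current field.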

Refs. swh/infra/sysadm-environment#4780 (closed)

Edited by Antoine R. Dumont
