Moved to traefik for default ingress.

Author: pantierra

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Added support for annotations on the PgSTAC bootstrap job via `pgstacBootstrap.jobAnnotations` in values.yaml [#381](https://github.com/developmentseed/eoapi-k8s/pull/381)
 
+### Changed
+
+- Moved to traefik for the default ingress solution [#384](https://github.com/developmentseed/eoapi-k8s/pull/384)
+
 ### Fixed
 
 - Fixed Helm template to check queryables `file` field with schema validation [#380](https://github.com/developmentseed/eoapi-k8s/pull/380)

charts/eoapi/README.md

@@ -98,7 +98,7 @@ apiServices:
 # Configure ingress
 ingress:
   enabled: true
-  className: "nginx"  # or "traefik"
+  className: "traefik"  # Default, or "nginx" for legacy setups
   host: "your-domain.com"  # Optional
 
 # Database options

charts/eoapi/profiles/core.yaml

@@ -167,7 +167,7 @@ observability:
 ######################
 ingress:
   enabled: true
-  className: "nginx"
+  className: "traefik"  # Traefik with nginx provider support
   pathType: "Prefix"
   host: ""
   tls:

charts/eoapi/profiles/experimental.yaml

@@ -358,7 +358,7 @@ autoscaling:
 ######################
 ingress:
   enabled: true
-  className: "nginx"
+  className: "traefik"  # Traefik with nginx provider support
   pathType: "Prefix"
   host: "localhost"
   tls:

charts/eoapi/profiles/production.yaml

@@ -343,7 +343,7 @@ knative:
 ######################
 ingress:
   enabled: true
-  className: "nginx"
+  className: "traefik"  # Traefik with nginx provider support
   pathType: "Prefix"
   host: "eoapi.example.com"  # CHANGE THIS to your domain
   tls:

charts/eoapi/templates/networking/ingress-browser.yaml

@@ -16,15 +16,12 @@ metadata:
     {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | indent 4 }}
     {{- end }}
-    {{- if eq .Values.ingress.className "nginx" }}
+    # Use nginx annotations for both nginx and traefik
+    # Traefik 3.5+ understands nginx annotations via the nginx provider
+    {{- if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}
     nginx.ingress.kubernetes.io/rewrite-target: /browser/$2
     nginx.ingress.kubernetes.io/use-regex: "true"
     {{- end }}
-    # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490
-    {{- if eq .Values.ingress.className "traefik" }}
-    traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd
-    {{- end }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.ingress.className }}
@@ -36,8 +33,8 @@ spec:
       http:
         paths:
           {{- if and $.Values.browser.enabled (or (not (hasKey $.Values.browser "ingress")) $.Values.browser.ingress.enabled) }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: "/browser{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
+          - pathType: {{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: "/browser{{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}(/|$)(.*){{ end }}"
             backend:
               service:
                 name: {{ .Release.Name }}-browser
@@ -52,8 +49,8 @@ spec:
       http:
         paths:
           {{- if and .Values.browser.enabled (or (not (hasKey .Values.browser "ingress")) .Values.browser.ingress.enabled) }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: "/browser{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}"
+          - pathType: {{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: "/browser{{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}(/|$)(.*){{ end }}"
             backend:
               service:
                 name: {{ .Release.Name }}-browser

charts/eoapi/templates/networking/ingress.yaml

@@ -12,18 +12,16 @@ metadata:
   labels:
     app: {{ .Release.Name }}-ingress
   annotations:
-    {{- if eq .Values.ingress.className "nginx" }}
+    # Use nginx annotations for both nginx and traefik
+    # Traefik 3.5+ understands nginx annotations via the nginx provider
+    # Ensure Traefik is deployed with --experimental.kubernetesIngressNGINX and --providers.kubernetesIngressNGINX
+    {{- if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}
     nginx.ingress.kubernetes.io/rewrite-target: /$2
     nginx.ingress.kubernetes.io/use-regex: "true"
     {{- end }}
     {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | indent 4 }}
     {{- end }}
-    # Temporary annotations for Traefik until uvicorn support real prefix in ASGI: https://github.com/encode/uvicorn/discussions/2490
-    {{- if eq .Values.ingress.className "traefik" }}
-    traefik.ingress.kubernetes.io/router.entrypoints: web
-    traefik.ingress.kubernetes.io/router.middlewares: {{ $.Release.Namespace }}-{{ $.Release.Name }}-strip-prefix-middleware@kubernetescrd
-    {{- end }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.ingress.className }}
@@ -35,8 +33,8 @@ spec:
       http:
         paths:
           {{- if and $.Values.raster.enabled (or (not (hasKey $.Values.raster "ingress")) $.Values.raster.ingress.enabled) }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ $.Values.raster.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ $.Values.raster.ingress.path }}{{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ $.Release.Name }}-raster
@@ -45,8 +43,8 @@ spec:
           {{- end }}
 
           {{- if and $.Values.stac.enabled (or (not (hasKey $.Values.stac "ingress")) $.Values.stac.ingress.enabled) }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ $.Values.stac.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ $.Values.stac.ingress.path }}{{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 {{- if index $.Values "stac-auth-proxy" "enabled" }}
@@ -59,8 +57,8 @@ spec:
           {{- end }}
 
           {{- if and $.Values.vector.enabled (or (not (hasKey $.Values.vector "ingress")) $.Values.vector.ingress.enabled) }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ $.Values.vector.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ $.Values.vector.ingress.path }}{{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ $.Release.Name }}-vector
@@ -69,8 +67,8 @@ spec:
           {{- end }}
 
           {{- if and $.Values.multidim.enabled (or (not (hasKey $.Values.multidim "ingress")) $.Values.multidim.ingress.enabled) }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ $.Values.multidim.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ $.Values.multidim.ingress.path }}{{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ $.Release.Name }}-multidim
@@ -79,8 +77,8 @@ spec:
           {{- end }}
 
           {{- if and $.Values.mockOidcServer.enabled $.Values.mockOidcServer.ingress.enabled }}
-          - pathType: {{ if eq $.Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ $.Values.mockOidcServer.ingress.path }}{{ if eq $.Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ $.Values.mockOidcServer.ingress.path }}{{ if or (eq $.Values.ingress.className "nginx") (eq $.Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ $.Release.Name }}-mock-oidc-server
@@ -105,8 +103,8 @@ spec:
       http:
         paths:
           {{- if and .Values.raster.enabled (or (not (hasKey .Values.raster "ingress")) .Values.raster.ingress.enabled) }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ .Values.raster.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ .Values.raster.ingress.path }}{{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ .Release.Name }}-raster
@@ -115,8 +113,8 @@ spec:
           {{- end }}
 
           {{- if and .Values.stac.enabled (or (not (hasKey .Values.stac "ingress")) .Values.stac.ingress.enabled) }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ .Values.stac.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ .Values.stac.ingress.path }}{{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 {{- if index .Values "stac-auth-proxy" "enabled" }}
@@ -129,8 +127,8 @@ spec:
           {{- end }}
 
           {{- if and .Values.vector.enabled (or (not (hasKey .Values.vector "ingress")) .Values.vector.ingress.enabled) }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ .Values.vector.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ .Values.vector.ingress.path }}{{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ .Release.Name }}-vector
@@ -139,8 +137,8 @@ spec:
           {{- end }}
 
           {{- if and .Values.multidim.enabled (or (not (hasKey .Values.multidim "ingress")) .Values.multidim.ingress.enabled) }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ .Values.multidim.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ .Values.multidim.ingress.path }}{{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ .Release.Name }}-multidim
@@ -149,8 +147,8 @@ spec:
           {{- end }}
 
           {{- if and .Values.mockOidcServer.enabled .Values.mockOidcServer.ingress.enabled }}
-          - pathType: {{ if eq .Values.ingress.className "nginx" }}ImplementationSpecific{{ else }}Prefix{{ end }}
-            path: {{ .Values.mockOidcServer.ingress.path }}{{ if eq .Values.ingress.className "nginx" }}(/|$)(.*){{ end }}
+          - pathType: {{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}ImplementationSpecific{{ else }}Prefix{{ end }}
+            path: {{ .Values.mockOidcServer.ingress.path }}{{ if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "traefik") }}(/|$)(.*){{ end }}
             backend:
               service:
                 name: {{ .Release.Name }}-mock-oidc-server

charts/eoapi/templates/networking/traefik-middleware.yaml

@@ -1,4 +1,9 @@
 {{- if and .Values.ingress.enabled (eq .Values.ingress.className "traefik") }}
+{{- /*
+  NOTE: This middleware is not needed when using Traefik's nginx provider with nginx annotations.
+  The nginx annotations (nginx.ingress.kubernetes.io/rewrite-target) handle path rewrites.
+  This middleware is kept for backward compatibility or if using pure Traefik mode without nginx provider.
+*/}}
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:

charts/eoapi/tests/ingress_tests.yaml

@@ -33,10 +33,9 @@ tests:
           path: spec.ingressClassName
           value: "nginx"
 
-  - it: "stac ingress with traefik controller"
+  - it: "stac ingress with traefik controller (using nginx provider)"
     set:
       ingress.className: "traefik"
-      ingress.pathType: "Prefix"
       ingress.host: "eoapi.local"
       raster.enabled: false
       stac.enabled: true
@@ -48,15 +47,15 @@ tests:
           of: Ingress
       - equal:
           path: spec.rules[0].http.paths[0].path
-          value: "/stac"
+          value: "/stac(/|$)(.*)"
       - equal:
           path: spec.rules[0].http.paths[0].pathType
-          value: "Prefix"
+          value: "ImplementationSpecific"
       - equal:
           path: metadata.annotations
           value:
-            traefik.ingress.kubernetes.io/router.entrypoints: web
-            traefik.ingress.kubernetes.io/router.middlewares: NAMESPACE-RELEASE-NAME-strip-prefix-middleware@kubernetescrd
+            nginx.ingress.kubernetes.io/rewrite-target: /$2
+            nginx.ingress.kubernetes.io/use-regex: "true"
       - equal:
           path: spec.ingressClassName
           value: "traefik"

charts/eoapi/values.yaml

@@ -32,9 +32,11 @@ service:
 
 ingress:
   # Unified ingress configuration for both nginx and traefik
+  # Traefik 3.5+ supports nginx annotations via the nginx provider
+  # Set --experimental.kubernetesIngressNGINX and --providers.kubernetesIngressNGINX when deploying Traefik
   enabled: true
   # ingressClassName: "nginx" or "traefik"
-  className: "nginx"
+  className: "traefik"
   rootPath: ""        # Root path for doc server
   # Single host domain configuration (default)
   host: ""