Remove config the use ALB/WAF

Author: Rub21

.gitignore

@@ -31,4 +31,5 @@ images/tiler-server/vtiles_languages.geojson
 hetzner/*/.envs.*.production
 .vscode
 hetzner/traefik/cloudflare-ips.txt
-hetzner/traefik/traefik.yml
+hetzner/traefik/traefik.yml
+.vscode/

ohm/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
   - name: osm-seed
-    version: '0.1.0-0.dev.git.984.he0afc57'
+    version: '0.1.0-0.dev.git.984.h985db07'
     repository: https://osm-seed.github.io/osm-seed-chart/

values.production.template.yaml

@@ -14,37 +14,9 @@ osm-seed:
   # ====================================================================================================
   AWS_S3_BUCKET: {{PRODUCTION_S3_BUCKET}}
 
-  # AWS SSL ARN
-  AWS_SSL_ARN: {{PRODUCTION_AWS_SSL_ARN}}
-
-  # Specify serviceType.
-  #
-  # serviceType can be one of three values: 'NodePort', 'ClusterIP' or 'LoadBalancer'
-  # Use `NodePort` for local testing on minikube.
-  #
-  # The recommended setting is `ClusterIP`, and then following the instructions to
-  # point a DNS record to the cluster IP address. This will setup the ingress rules
-  # for all services as subdomains and configure SSL using Lets Encrypt.
-  #
-  # If you specify `LoadBalancer` as the service type, if you also specify
-  # an `AWS_SSL_ARN` that is a wildcart certificate, that will be configured
-  # as the SSL certificate for your services. Else, you will need to configure
-  # SSL separately. 
+  # Traffic is routed via Cloudflare Tunnel, which connects directly to ClusterIP Services.
+  # No Ingress resources or load balancers (ALB/NLB) are needed.
   serviceType: ClusterIP
-  ingressClassNameType: "alb" # ALB works with ACM
-  ingressClassName: alb
-  alb:
-    certificateArn: {{PRODUCTION_AWS_SSL_ARN}}
-    enableWaf:
-      enabled: true
-      wafAclArn: {{PRODUCTION_AWS_WAF_WEBACL_ARN}}
-  # Domain that is pointed to the clusterIP
-  # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP
-  # Then, the cluster configuration will setup services at their respective subdomains:
-  # - web.osmseed.example.com
-  # - overpass.osmseed.example.com
-  # - nominatim.osmseed.example.com
-  # - etc.
   domain: openhistoricalmap.org
 
   # ====================================================================================================

values.staging.template.yaml

@@ -6,7 +6,7 @@ osm-seed:
     # ====================================================================================================
     # ====================================================================================================
 
-    # The version of the image group in osm-seed, get it here: https://hub.docker.com/r/developmentseed/osmseed-web/tags/
+    # The version of the image group in osm-seed, get it here: https://github.com/orgs/osm-seed/packages
     # osmSeedVersion: ohm-b8a0ed1
 
     environment: staging
@@ -18,46 +18,11 @@ osm-seed:
     # ====================================================================================================
     AWS_S3_BUCKET: {{STAGING_S3_BUCKET}}
 
-    # ====================================================
-    # AWS: Specify ARN for SSL certificate, currently assumes a single wildcard cert
-    # ====================================================
-  
-    AWS_SSL_ARN: {{STAGING_AWS_SSL_ARN}}
-  
-    # Specify serviceType.
-    #
-    # serviceType can be one of three values: 'NodePort', 'ClusterIP' or 'LoadBalancer'
-    # Use `NodePort` for local testing on minikube.
-    #
-    # The recommended setting is `ClusterIP`, and then following the instructions to
-    # point a DNS record to the cluster IP address. This will setup the ingress rules
-    # for all services as subdomains and configure SSL using Lets Encrypt.
-    #
-    # If you specify `LoadBalancer` as the service type, if you also specify
-    # an `AWS_SSL_ARN` that is a wildcart certificate, that will be configured
-    # as the SSL certificate for your services. Else, you will need to configure
-    # SSL separately. 
+    # Traffic is routed via Cloudflare Tunnel, which connects directly to ClusterIP Services.
+    # No Ingress resources or load balancers (ALB/NLB) are needed.
     serviceType: ClusterIP
-    ingressClassNameType: "alb"
-    ingressClassName: alb
-    alb:
-      certificateArn: {{STAGING_AWS_SSL_ARN}}
-      enableWaf:
-        enabled: true
-        wafAclArn: {{STAGING_AWS_WAF_WEBACL_ARN}}
-    # Domain that is pointed to the clusterIP
-    # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP
-    # Then, the cluster configuration will setup services at their respective subdomains:
-    # - web.osmseed.example.com
-    # - overpass.osmseed.example.com
-    # - nominatim.osmseed.example.com
-    # - etc.
     domain: ohmstaging.org
 
-    # ====================================================================================================
-    # Configuration for Lets Encrypt setup
-    # ====================================================================================================
-  
     # Admin Email address used when generating Lets Encrypt certificates.
     # You will be notified of expirations, etc. on this email address.
     adminEmail: [email protected]
@@ -155,8 +120,6 @@ osm-seed:
         enabled: true
         name: ohm-s3-bucket-access-staging    
       replicaCount: 1
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: www.ohmstaging.org
       env:
         MAILER_ADDRESS: {{MAILER_ADDRESS}}
@@ -610,8 +573,6 @@ osm-seed:
         ip: {{STAGING_TILER_SERVER_HOST}}
         port: 9091
       replicaCount: 1
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: vtiles.ohmstaging.org
       env:
         TILER_SERVER_PORT: 9090
@@ -716,8 +677,6 @@ osm-seed:
       enabled: false
       priorityClass: medium-priority
       replicaCount: 1
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '300'
       ingressDomain: tm-api.ohmstaging.org
       healthCheckPath: /health
       env:
@@ -790,8 +749,6 @@ osm-seed:
         ip: {{STAGING_NOMINATIM_HOST}}
         port: 8083
       priorityClass: medium-priority
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '300'
       ingressDomain: nominatim.ohmstaging.org
       replicaCount: 1
       env:
@@ -840,8 +797,6 @@ osm-seed:
         ip: {{STAGING_OVERPASS_HOST}}
         port: 8086
       priorityClass: medium-priority
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: overpass-api.ohmstaging.org
       env:
         OVERPASS_META: 'attic'
@@ -876,8 +831,6 @@ osm-seed:
       serviceAccount:
         enabled: true
         name: ohm-s3-bucket-access-staging 
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: taginfo.ohmstaging.org
       env:
         URL_PLANET_FILE_STATE: https://s3.amazonaws.com/planet.openhistoricalmap.org/planet/state.txt