Disable ALB in helm deployment

Author: Rub21

.github/workflows/chartpress.yaml

@@ -4,7 +4,7 @@ on:
     branches:
       - 'main'
       - 'staging'
-      - 'cloudflare_tunnel'
+      - 'disable_alb'
 jobs:
   build:
     runs-on: ubuntu-22.04
@@ -71,7 +71,7 @@ jobs:
           OHM_SLACK_WEBHOOK_URL: ${{ secrets.OHM_SLACK_WEBHOOK_URL }}
       ################ Staging secrets ################ 
       - name: Staging - substitute secrets
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/disable_alb'
         uses: bluwy/substitute-string-action@v1
         with:
           _input-file: 'values.staging.template.yaml'
@@ -189,14 +189,14 @@ jobs:
           PRODUCTION_OPENSTREETMAP_AUTH_SECRET: ${{ secrets.PRODUCTION_OPENSTREETMAP_AUTH_SECRET }}
 
       - name: AWS Credentials
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
       - name: Setup Kubectl and Helm Dependencies
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         run: |
           sudo pip install awscli --ignore-installed six
           sudo curl -L -o /usr/bin/kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/kubectl
@@ -210,22 +210,22 @@ jobs:
           helm version
 
       - name: Update kube-config staging
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/disable_alb'
         run: aws eks --region us-east-1 update-kubeconfig --name osmseed-staging
       - name: Update kube-config prod
         if: github.ref == 'refs/heads/main'
         run: aws eks --region us-east-1 update-kubeconfig --name osmseed-production-v2
       - name: Add Helm repository
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         run: |
           helm repo add osm-seed https://osm-seed.github.io/osm-seed-chart/
           helm repo update
       - name: Install helm dependencies for
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/disable_alb'
         run: cd ohm && helm dep up
       # Staging
       - name: Staging - helm deploy
-        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/cloudflare_tunnel'
+        if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/disable_alb'
         run: helm upgrade --install staging --wait ohm/ -f values.staging.yaml -f ohm/values.yaml
       # Production
       - name: Production - helm deploy

.gitignore

@@ -31,4 +31,5 @@ images/tiler-server/vtiles_languages.geojson
 hetzner/*/.envs.*.production
 .vscode
 hetzner/traefik/cloudflare-ips.txt
-hetzner/traefik/traefik.yml
+hetzner/traefik/traefik.yml
+.vscode/

ohm/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
   - name: osm-seed
-    version: '0.1.0-0.dev.git.984.he0afc57'
-    repository: https://osm-seed.github.io/osm-seed-chart/
+    version: '0.1.0-0.dev.git.984.h985db07'
+    repository: https://osm-seed.github.io/osm-seed-chart/

values.production.template.yaml

@@ -14,37 +14,9 @@ osm-seed:
   # ====================================================================================================
   AWS_S3_BUCKET: {{PRODUCTION_S3_BUCKET}}
 
-  # AWS SSL ARN
-  AWS_SSL_ARN: {{PRODUCTION_AWS_SSL_ARN}}
-
-  # Specify serviceType.
-  #
-  # serviceType can be one of three values: 'NodePort', 'ClusterIP' or 'LoadBalancer'
-  # Use `NodePort` for local testing on minikube.
-  #
-  # The recommended setting is `ClusterIP`, and then following the instructions to
-  # point a DNS record to the cluster IP address. This will setup the ingress rules
-  # for all services as subdomains and configure SSL using Lets Encrypt.
-  #
-  # If you specify `LoadBalancer` as the service type, if you also specify
-  # an `AWS_SSL_ARN` that is a wildcart certificate, that will be configured
-  # as the SSL certificate for your services. Else, you will need to configure
-  # SSL separately. 
+  # Traffic is routed via Cloudflare Tunnel, which connects directly to ClusterIP Services.
+  # No Ingress resources or load balancers (ALB/NLB) are needed.
   serviceType: ClusterIP
-  ingressClassNameType: "alb" # ALB works with ACM
-  ingressClassName: alb
-  alb:
-    certificateArn: {{PRODUCTION_AWS_SSL_ARN}}
-    enableWaf:
-      enabled: true
-      wafAclArn: {{PRODUCTION_AWS_WAF_WEBACL_ARN}}
-  # Domain that is pointed to the clusterIP
-  # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP
-  # Then, the cluster configuration will setup services at their respective subdomains:
-  # - web.osmseed.example.com
-  # - overpass.osmseed.example.com
-  # - nominatim.osmseed.example.com
-  # - etc.
   domain: openhistoricalmap.org
 
   # ====================================================================================================

values.staging.template.yaml

@@ -6,7 +6,7 @@ osm-seed:
     # ====================================================================================================
     # ====================================================================================================
 
-    # The version of the image group in osm-seed, get it here: https://hub.docker.com/r/developmentseed/osmseed-web/tags/
+    # The version of the image group in osm-seed, get it here: https://github.com/orgs/osm-seed/packages
     # osmSeedVersion: ohm-b8a0ed1
 
     environment: staging
@@ -18,46 +18,11 @@ osm-seed:
     # ====================================================================================================
     AWS_S3_BUCKET: {{STAGING_S3_BUCKET}}
 
-    # ====================================================
-    # AWS: Specify ARN for SSL certificate, currently assumes a single wildcard cert
-    # ====================================================
-  
-    AWS_SSL_ARN: {{STAGING_AWS_SSL_ARN}}
-  
-    # Specify serviceType.
-    #
-    # serviceType can be one of three values: 'NodePort', 'ClusterIP' or 'LoadBalancer'
-    # Use `NodePort` for local testing on minikube.
-    #
-    # The recommended setting is `ClusterIP`, and then following the instructions to
-    # point a DNS record to the cluster IP address. This will setup the ingress rules
-    # for all services as subdomains and configure SSL using Lets Encrypt.
-    #
-    # If you specify `LoadBalancer` as the service type, if you also specify
-    # an `AWS_SSL_ARN` that is a wildcart certificate, that will be configured
-    # as the SSL certificate for your services. Else, you will need to configure
-    # SSL separately. 
+    # Traffic is routed via Cloudflare Tunnel, which connects directly to ClusterIP Services.
+    # No Ingress resources or load balancers (ALB/NLB) are needed.
     serviceType: ClusterIP
-    ingressClassNameType: "alb"
-    ingressClassName: alb
-    alb:
-      certificateArn: {{STAGING_AWS_SSL_ARN}}
-      enableWaf:
-        enabled: true
-        wafAclArn: {{STAGING_AWS_WAF_WEBACL_ARN}}
-    # Domain that is pointed to the clusterIP
-    # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP
-    # Then, the cluster configuration will setup services at their respective subdomains:
-    # - web.osmseed.example.com
-    # - overpass.osmseed.example.com
-    # - nominatim.osmseed.example.com
-    # - etc.
     domain: ohmstaging.org
 
-    # ====================================================================================================
-    # Configuration for Lets Encrypt setup
-    # ====================================================================================================
-  
     # Admin Email address used when generating Lets Encrypt certificates.
     # You will be notified of expirations, etc. on this email address.
     adminEmail: [email protected]
@@ -155,8 +120,6 @@ osm-seed:
         enabled: true
         name: ohm-s3-bucket-access-staging    
       replicaCount: 1
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: www.ohmstaging.org
       env:
         MAILER_ADDRESS: {{MAILER_ADDRESS}}
@@ -610,8 +573,6 @@ osm-seed:
         ip: {{STAGING_TILER_SERVER_HOST}}
         port: 9091
       replicaCount: 1
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: vtiles.ohmstaging.org
       env:
         TILER_SERVER_PORT: 9090
@@ -716,8 +677,6 @@ osm-seed:
       enabled: false
       priorityClass: medium-priority
       replicaCount: 1
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '300'
       ingressDomain: tm-api.ohmstaging.org
       healthCheckPath: /health
       env:
@@ -790,8 +749,6 @@ osm-seed:
         ip: {{STAGING_NOMINATIM_HOST}}
         port: 8083
       priorityClass: medium-priority
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '300'
       ingressDomain: nominatim.ohmstaging.org
       replicaCount: 1
       env:
@@ -840,8 +797,6 @@ osm-seed:
         ip: {{STAGING_OVERPASS_HOST}}
         port: 8086
       priorityClass: medium-priority
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: overpass-api.ohmstaging.org
       env:
         OVERPASS_META: 'attic'
@@ -876,8 +831,6 @@ osm-seed:
       serviceAccount:
         enabled: true
         name: ohm-s3-bucket-access-staging 
-      serviceAnnotations:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
       ingressDomain: taginfo.ohmstaging.org
       env:
         URL_PLANET_FILE_STATE: https://s3.amazonaws.com/planet.openhistoricalmap.org/planet/state.txt
@@ -1133,3 +1086,4 @@ ohm:
       enabled: true
       label_key: nodegroup_type
       label_value: web_medium
+