fix: reverting cognito

[robertaandersen]

...

Attach a link to issue if relevant

What

Specify what you're trying to achieve

Why

Specify why you need to achieve this

Screenshots / Gifs

Attach Screenshots / Gifs to help reviewers understand the scope of the pull request

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Updated ingress settings to disable global authentication across development, staging, and production environments.
  • Expanded API paths to include /api/swagger and /api/public.
  • Increased maximum replicas for various services to enhance scalability.
  • Introduced new environment variables and init container commands for improved service functionality.

• Bug Fixes

  • Ensured consistent ingress configurations across all environments without altering existing logic or structure.
  • Standardized health check paths and updated resource limits for improved service reliability.

[coderabbitai]

Walkthrough

The pull request introduces modifications to the serviceSetup function across multiple files to include the annotation nginx.ingress.kubernetes.io/enable-global-auth: 'false' in the ingress configurations for various environments. The production environment's ingress configuration for the web service also sees a change in the proxy-buffer-size annotation value. Additionally, the maximum replicas for several services have been adjusted in the YAML configuration files, and health check paths and resource limits have been standardized or updated.

Changes

File Path	Change Summary
apps/air-discount-scheme/api/infra/api.ts	Added nginx.ingress.kubernetes.io/enable-global-auth: 'false' to prod ingress configuration.
apps/air-discount-scheme/backend/infra/air-discount-scheme-backend.ts	Added nginx.ingress.kubernetes.io/enable-global-auth: 'false' to extraAnnotations for dev and staging.
apps/air-discount-scheme/web/infra/web.ts	Added nginx.ingress.kubernetes.io/enable-global-auth: 'false' to prod ingress and changed proxy-buffer-size from '16k' to '8k'.
charts/islandis/values.dev.yaml	Added nginx.ingress.kubernetes.io/enable-global-auth: 'false' and updated max replicas for several services.
charts/islandis/values.prod.yaml	Added nginx.ingress.kubernetes.io/enable-global-auth: 'false' to ingress configurations for multiple services.
charts/islandis/values.staging.yaml	Added nginx.ingress.kubernetes.io/enable-global-auth: 'false' to air-discount-scheme-backend, updated health check paths, resource limits, and max replicas for services.

Possibly related PRs

• chore(dsl): Remove global auth annotations #16433: This PR removes the global auth annotation, which directly relates to the changes made in the main PR regarding the ingress configuration for the prod environment.
• fix(search-indexer): Disable global auth on dev and staging #16443: This PR adds annotations to disable global authentication for the dev and staging environments, which is similar to the changes made in the main PR for the prod environment.

Suggested labels

automerge

Suggested reviewers

• busla
• thordurhhh
• Toti91

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 31cb818 and 65905d2.

📒 Files selected for processing (1)

• apps/air-discount-scheme/backend/infra/air-discount-scheme-backend.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/air-discount-scheme/backend/infra/air-discount-scheme-backend.ts

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (6)

charts/islandis/values.staging.yaml (3)

Line range hint 1024-1026: Significant increase in api service resources and scaling.

The following changes have been made to the api service configuration:

• CPU limit increased from 400m to 1200m
• Memory limit increased from 896Mi to 3200Mi
• Maximum replicas increased from 50 to 60

These changes substantially increase the resources allocated to the api service.

Please provide information on the reasons for this significant resource increase. Are there specific performance issues or expected load increases that necessitate these changes? Have you considered gradually scaling up the resources to find an optimal configuration?

---

Line range hint 1186-1188: Increased maximum replicas for application-system-api service.

The maximum number of replicas for the application-system-api service has been increased from 50 to 60.

Can you provide insights into the reasons for this increase in maximum replicas? Are there specific load patterns or performance requirements driving this change? Have you considered the potential impact on resource utilization and costs?

---

Line range hint 3730-3740: Current web service configuration review.

While there are no changes in this PR for the web service, it's worth noting that the current configuration maintains:

• A high number of maximum replicas (50)
• Significant resource allocations (1000m CPU, 768Mi memory limits)

Consider implementing a periodic review process for the web service's resource utilization and scaling patterns. This could help optimize the configuration over time, potentially reducing costs without compromising performance. Are there any monitoring tools in place to track the actual resource usage and traffic patterns for this service?

charts/islandis/values.dev.yaml (3)

Line range hint 1037-1039: Approved: Increased maximum replicas for better scalability

The maximum number of replicas for the api service has been increased from 50 to 60. This change will allow for better scalability and handling of higher loads.

To ensure optimal resource utilization:

1. Monitor the actual resource usage and scaling patterns after this change.
2. Consider setting up alerts for when the number of replicas approaches the new maximum.
3. Review and adjust resource requests and limits if necessary to accommodate the potential increase in total resource usage.

---

Line range hint 1456-1458: Approved: Increased maximum replicas for improved scalability

The maximum number of replicas for the application-system-api service has been increased from 60 to 70. This change aligns with the overall trend of scaling up services and will allow for better handling of increased loads.

To ensure optimal performance and resource utilization:

1. Monitor the actual resource usage and scaling patterns after this change.
2. Set up alerts for when the number of replicas approaches the new maximum.
3. Regularly review and adjust resource requests and limits to accommodate the potential increase in total resource usage.
4. Consider load testing to ensure the system can handle the increased number of replicas effectively.

---

Line range hint 1724-1726: Approved: Increased maximum replicas for worker scalability

The maximum number of replicas for the application-system-api-worker service has been increased from 3 to 5. This change will allow for better scalability of the worker service.

To ensure optimal worker performance:

1. Monitor the worker's task queue length and processing times to ensure the increased capacity is utilized effectively.
2. Review the worker's resource usage patterns to confirm that the current resource allocations are sufficient for the increased number of replicas.
3. Consider implementing or reviewing any rate limiting mechanisms to prevent overwhelming downstream services or databases with the increased worker capacity.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between bae11e1 and 31cb818.

📒 Files selected for processing (6)

• apps/air-discount-scheme/api/infra/api.ts (1 hunks)
• apps/air-discount-scheme/backend/infra/air-discount-scheme-backend.ts (1 hunks)
• apps/air-discount-scheme/web/infra/web.ts (1 hunks)
• charts/islandis/values.dev.yaml (1 hunks)
• charts/islandis/values.prod.yaml (3 hunks)
• charts/islandis/values.staging.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• apps/air-discount-scheme/api/infra/api.ts
• apps/air-discount-scheme/backend/infra/air-discount-scheme-backend.ts
• apps/air-discount-scheme/web/infra/web.ts

🧰 Additional context used

🔇 Additional comments (4)

charts/islandis/values.prod.yaml (3)

131-131: Verify the security implications of disabling global auth for the backend service.

The ingress annotation nginx.ingress.kubernetes.io/enable-global-auth: 'false' has been added to the air-discount-scheme-backend service, disabling global authentication. This change mirrors the one made to the API service and carries similar security considerations.

Please ensure that:

1. This change is intentional and necessary for the backend service.
2. Appropriate authentication mechanisms are in place to secure the backend.
3. Exposing the backend service without global auth does not introduce vulnerabilities.

You can use the following command to review the complete ingress configuration for this service:

kubectl get ingress -n air-discount-scheme -o yaml | sed -n '/air-discount-scheme-backend/,/---/p'

---

227-229: Review and verify changes to web service ingress configuration.

Two new annotations have been added to the air-discount-scheme-web service ingress:

1. nginx.ingress.kubernetes.io/enable-global-auth: 'false': This disables global authentication for the web service.
2. nginx.ingress.kubernetes.io/proxy-buffer-size: '8k': This sets the proxy buffer size to 8k.

Please confirm the following:

1. The disabling of global auth is intentional and doesn't compromise the security of the web service.
2. Alternative authentication methods are in place if needed.
3. The 8k proxy buffer size is appropriate for the web service's needs and doesn't cause any performance issues.

You can use these commands to verify the current configuration and compare with other services:

# Check the full ingress configuration for the web service
kubectl get ingress -n air-discount-scheme -o yaml | sed -n '/air-discount-scheme-web/,/---/p'

# Compare proxy buffer sizes across different ingresses
kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.namespace}{"\t"}{.metadata.annotations.nginx\.ingress\.kubernetes\.io/proxy-buffer-size}{"\n"}{end}' | sort

---

45-45: Verify the security implications of disabling global auth.

A new ingress annotation nginx.ingress.kubernetes.io/enable-global-auth: 'false' has been added, which disables global authentication for this ingress. While this might be intentional, it could potentially expose the service if not properly secured through other means.

Please confirm that:

1. This change is intentional and necessary.
2. Alternative authentication mechanisms are in place if required.
3. The service is safe to be exposed without global auth.

You can use the following command to check other ingress configurations and compare:

charts/islandis/values.dev.yaml (1)

Line range hint 133-141: Verify security implications of disabling global auth and exposing new endpoints

The following changes have been made to the air-discount-scheme-backend service:

1. Global authentication has been disabled with the annotation nginx.ingress.kubernetes.io/enable-global-auth: 'false'.
2. New paths /api/swagger and /api/public have been exposed.

Please ensure that:

1. Disabling global authentication is intentional and doesn't introduce security vulnerabilities.
2. The newly exposed endpoints (/api/swagger and /api/public) have appropriate security measures in place.

To check the security implications, run the following commands: