Merge pull request #149 from xenit-eu/XENOPS-1164

[Xenops 1164] remove defaultbackend and replace with nginx-default

CHANGELOG.md

@@ -6,6 +6,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 chronology things are added/fixed/changed and - where possible - links to the PRs involved.
 
 ### Changes
+[XENOPS-1164]  date: 10 May 2024
+* remove defaultBackend from ingress rules, this should not be set by individual namespace resources
+* defaultBackend will point to new nginx-default-service providing 404 if page not found.
+* defaultBackend will be mapped to default ingress root path for the alfresco host only
+
+
+
 [XENOPS-1161] 
 * change liveness probe threshold to trigger after readiness probe failure to avoid looping restarts on slow systems 
 

README.md

@@ -257,6 +257,7 @@ For more information take a look at
 
 * Required: false
 * Default: None
+* Remark: Do not use this to set the root`/` path, that should be set by the defaultBackend
 * Example:
 
 ```yaml
@@ -274,7 +275,7 @@ For more information take a look at
 #### `ingress.defaultBackend.service`
 
 * Required: true
-* Default: acs-service
+* Default: nginx-default-service
 * Description: the default service name that ingress will point to
 
 #### `ingress.defaultBackend.port`
@@ -288,6 +289,8 @@ For more information take a look at
 * Required: false
 * Default: `true`
 * Description: Enable 403 handler for alfresco api solr endpoints
+
+
 #### `ingress.blockAcsSolrApi.paths`
 
 * Required: false

xenit-alfresco/templates/ingress/alfresco-ingress.yaml

@@ -20,15 +20,19 @@ spec:
       # Provide a unique secret to store the SSL credentials
       secretName: tls-alfresco-{{ .Release.Name }}-secret
   {{- end }}
-  defaultBackend:
-    service:
-      name: {{ .Values.ingress.defaultBackend.service }}
-      port:
-        number: {{ .Values.ingress.defaultBackend.port }}
   rules:
   - host: {{ required "A host where your alfresco services can be reached on must be specified in values.ingress.host" .Values.ingress.host }}
     http:
       paths:
+      {{- if .Values.ingress.defaultBackend }}
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Values.ingress.defaultBackend.service }}
+            port:
+              number: {{ .Values.ingress.defaultBackend.port }}
+      {{- end }}
       {{- if .Values.acs.ingress.enabled }}
       - path: /alfresco
         pathType: Prefix
@@ -71,7 +75,7 @@ spec:
         pathType: Prefix
         backend:
           service:
-            name: nginx-403-service
+            name: nginx-default-service
             port:
               number: 30403
       {{- end }}

xenit-alfresco/templates/ingress/nginx-default-config.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-default-configmap
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: nginx-default
+data:
+  nginx.conf: |
+    worker_processes  1;
+    
+    events {
+      worker_connections  1024;
+    }
+    http{
+      log_format xenit_json escape=json '{ "time":"$time_iso8601","timestamp":$msec,"responseStatus":$status,"type":"access","requestTime":"$request_time","requestMethod":"$request_method","remoteAddr":"$remote_addr","requestUri":"$request" }';
+      access_log /var/log/nginx/access.log xenit_json;
+      server {
+        listen 80;
+        server_name _;
+        {{- if .Values.ingress.blockAcsSolrApi.enabled -}}
+        {{- range $.Values.ingress.blockAcsSolrApi.paths }}
+        location {{ . }} {
+          return 403 'Forbidden';
+        }
+        {{- end }}
+        {{- end }} 
+        location / {
+          return 404 'Sorry, this page is not served here.';
+        }
+      }
+    }
+

xenit-alfresco/templates/ingress/nginx-403-deployment.yaml → xenit-alfresco/templates/ingress/nginx-default-deployment.yaml

@@ -1,20 +1,19 @@
-{{- if .Values.ingress.blockAcsSolrApi.enabled -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-403
+  name: nginx-default
   namespace: {{ .Release.Namespace | quote }}
   labels:
-    app: nginx-403
+    app: nginx-default
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: nginx-403
+      app: nginx-default
   template:
     metadata:
       labels:
-        app: nginx-403
+        app: nginx-default
     spec:
       containers:
         - name: nginx
@@ -28,5 +27,4 @@ spec:
       volumes:
         - name: config-volume
           configMap:
-            name: nginx-403-configmap
-{{- end }}
+            name: nginx-default-configmap

xenit-alfresco/templates/ingress/nginx-403-service.yaml → xenit-alfresco/templates/ingress/nginx-default-service.yaml

@@ -1,17 +1,15 @@
-{{- if .Values.ingress.blockAcsSolrApi.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginx-403-service
+  name: nginx-default-service
   namespace: {{ .Release.Namespace | quote }}
 spec:
   {{- if .Values.general.serviceType }}
   type: {{ .Values.general.serviceType }}
   {{- end }}
   selector:
-    app: nginx-403
+    app: nginx-default
   ports:
     - port: 30403
       targetPort: 80
       protocol: TCP
-{{- end }}

xenit-alfresco/values.yaml

@@ -24,8 +24,8 @@ ingress:
     kubernetes.io/ingress.class: "nginx"
     cert-manager.io/cluster-issuer: "letsencrypt-production"
   defaultBackend:
-    service: acs-service
-    port: 30000
+    service: nginx-default-service
+    port: 30403
   blockAcsSolrApi:
     enabled: true
     paths: