some usefull fixes

config/ingress/pt-cm.yaml

@@ -0,0 +1,172 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-pt-conf
+data:
+  nginx.tmpl: |
+    load_module /opt/ptaf/lib/ngx_wrapper.so;
+    worker_processes  {{.WorkerProcesses}};
+    {{- if .WorkerRlimitNofile}}
+    worker_rlimit_nofile {{.WorkerRlimitNofile}};{{end}}
+    {{- if .WorkerCPUAffinity}}
+    worker_cpu_affinity {{.WorkerCPUAffinity}};{{end}}
+    {{- if .WorkerShutdownTimeout}}
+    worker_shutdown_timeout {{.WorkerShutdownTimeout}};{{end}}
+    daemon off;
+    
+    error_log  /var/log/nginx/error.log {{.ErrorLogLevel}};
+    pid        /var/lib/nginx/nginx.pid;
+    
+    {{- if .OpenTracingLoadModule}}
+    load_module modules/ngx_http_opentracing_module.so;
+    {{- end}}
+    
+    {{- if .MainSnippets}}
+    {{range $value := .MainSnippets}}
+    {{$value}}{{end}}
+    {{- end}}
+    
+    events {
+        worker_connections  {{.WorkerConnections}};
+    }
+    
+    http {
+        ptaf_config tcp://eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJ0b2tlbl9pZCI6IjRhZTk1OWY1LTQ3N2UtNDZkZi05YzI3LTRkYzI1ZjU2ZjgyYiIsInRlbmFudF9pZCI6ImU4YzUxNGU2LWYyYjEtNDg3YS1hOTdjLTZmZjk4YjRlNTAzNCIsInJvbGVzIjpbImNvcmUiLCJ3c2MtYWdlbnQiXX0.09cHWzhb9nVtJHy3FCE_9USrXUnXmXbf-XdeA9n96ZBDORfnFFaF77SbiABvW-u4e_2_q4Js5_myhUp9bR-hsA@10.126.120.237:8443
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+    
+        {{- if .HTTPSnippets}}
+        {{range $value := .HTTPSnippets}}
+        {{$value}}{{end}}
+        {{- end}}
+    
+        {{if .LogFormat -}}
+        log_format  main {{if .LogFormatEscaping}}escape={{ .LogFormatEscaping }} {{end}}
+                         {{range $i, $value := .LogFormat -}}
+                         {{with $value}}'{{if $i}} {{end}}{{$value}}'
+                         {{end}}{{end}};
+        {{- else -}}
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+        {{- end}}
+    
+        {{if .AccessLogOff}}
+        access_log off;
+        {{else}}
+        access_log  /var/log/nginx/access.log  main;
+        {{end}}
+    
+        sendfile        on;
+        #tcp_nopush     on;
+    
+        keepalive_timeout {{.KeepaliveTimeout}};
+        keepalive_requests {{.KeepaliveRequests}};
+    
+        #gzip  on;
+    
+        server_names_hash_max_size {{.ServerNamesHashMaxSize}};
+        {{if .ServerNamesHashBucketSize}}server_names_hash_bucket_size {{.ServerNamesHashBucketSize}};{{end}}
+    
+        variables_hash_bucket_size {{.VariablesHashBucketSize}};
+        variables_hash_max_size {{.VariablesHashMaxSize}};
+    
+        map $http_upgrade $connection_upgrade {
+            default upgrade;
+            ''      close;
+        }
+        map $http_upgrade $vs_connection_header {
+            default upgrade;
+            ''      $default_connection_header;
+        }
+        {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
+        {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
+        {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
+        {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}
+    
+        {{if .OpenTracingEnabled}}
+        opentracing on;
+        {{end}}
+        {{if .OpenTracingLoadModule}}
+        opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json;
+        {{end}}
+    
+        server {
+            # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes
+            set $default_connection_header "";
+    
+            listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
+    
+            listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+    
+            ssl_certificate /etc/nginx/secrets/default;
+            ssl_certificate_key /etc/nginx/secrets/default;
+    
+            server_name _;
+            server_tokens "{{.ServerTokens}}";
+            {{if .DefaultServerAccessLogOff}}
+            access_log off;
+            {{end}}
+    
+            {{if .OpenTracingEnabled}}
+            opentracing off;
+            {{end}}
+    
+            {{if .HealthStatus}}
+            location {{.HealthStatusURI}} {
+                default_type text/plain;
+                return 200 "healthy\n";
+            }
+            {{end}}
+    
+            location / {
+               return 404;
+            }
+        }
+    
+
+    
+        include /etc/nginx/config-version.conf;
+        include /etc/nginx/conf.d/*.conf;
+    
+
+    
+    }
+    
+    stream {
+        {{if .StreamLogFormat -}}
+        log_format  stream-main {{if .StreamLogFormatEscaping}}escape={{ .StreamLogFormatEscaping }} {{end}}
+                                {{range $i, $value := .StreamLogFormat -}}
+                                {{with $value}}'{{if $i}} {{end}}{{$value}}'
+                                {{end}}{{end}};
+        {{- else -}}
+        log_format  stream-main  '$remote_addr [$time_local] '
+                          '$protocol $status $bytes_sent $bytes_received '
+                          '$session_time "$ssl_preread_server_name"';
+        {{- end}}
+    
+        access_log  /var/log/nginx/stream-access.log  stream-main;
+    
+        {{range $value := .StreamSnippets}}
+        {{$value}}{{end}}
+    
+        {{if .TLSPassthrough}}
+        map $ssl_preread_server_name $dest_internal_passthrough  {
+            default unix:/var/lib/nginx/passthrough-https.sock;
+            include /etc/nginx/tls-passthrough-hosts.conf;
+        }
+    
+        server {
+            listen 443;
+    
+            ssl_preread on;
+    
+            proxy_protocol on;
+            proxy_pass $dest_internal_passthrough;
+        }
+        {{end}}
+    
+        include /etc/nginx/stream-conf.d/*.conf;
+    }
+

config/ingress/values.yaml

@@ -1,4 +1,30 @@
-ingress:
+controller:
-  tls:
+  podSecurityContext:
-    enabled: true
+    fsGroup: 0
-    secret: default/standoff
+  image:
+    repository: dmitryrbk/ptaf4-ingress
+    tag: "v4.0.4"
+    pullPolicy: IfNotPresent
+  defaultTLS:
+    secret: "default/standoff"
+  wildcardTLS:
+    secret: "default/standoff"
+  serviceAccount:
+    imagePullSecrets:
+      - name: hubkey
+  volumeMounts:
+    - name: config-volume
+      mountPath: /nginx.tmpl
+      subPath: nginx.tmpl
+      readOnly: false
+  volumes:
+    - name: config-volume
+      configMap:
+        name: ingress-pt-conf
+        items:
+          - key: nginx.tmpl
+            path: nginx.tmpl
+  service:
+    externalIPs:
+      - 10.126.120.135
+    externalTrafficPolicy: Cluster

config/keycloak/values.yaml

@@ -39,10 +39,10 @@ ingress:
   enabled: true
   rules:
     -
-      host: 'auth.rbkmoney.standoff.city'
+      host: 'rbkmoney.standoff.city'
       paths: 
         - /
   tls:
     - hosts:
-        - auth.rbkmoney.standoff.city
+        - rbkmoney.standoff.city
       secretName: "default/standoff"

config/payform/appConfig.json

@@ -1,7 +1,7 @@
 {
     "applePayMerchantID": "merchant.money.rbk.checkout",
     "brandless": false,
-    "capiEndpoint": "https://api.rbk.money/",
+    "capiEndpoint": "https://api.rbkmoney.standoff.city",
     "fixedTheme": "",
     "googlePayGatewayMerchantID": "rbkmoneycheckout",
     "googlePayMerchantID": "15442243338125315447",

config/payform/values.yaml

@@ -3,7 +3,9 @@ replicaCount: 1
 ingress:
   enabled: true
   annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
+  host: checkout.rbkmoney.standoff.city
-  host: rbkmoney.standoff.city
+  path: /
-  path: /web(/|$)(.*)
+  tls:
+    enabled: true
+    

helmfile.yaml

@@ -28,7 +28,7 @@ templates:
         host: api.rbkmoney.standoff.city
         tls:
           enabled: true
-          secret: default/standoff
+          secret: stand-wild
 
 helmfiles:
 - # Path to the helmfile state file being processed BEFORE releases in this state file
@@ -257,6 +257,7 @@ releases:
 - name: wapi-pcidss-v0
   <<: *default
   <<: *ingress
+  installed: false
   set:
   - name: fetchKeycloakPubkey
     file: config/api-common/fetch-keycloak-pubkey.sh
@@ -273,6 +274,7 @@ releases:
 - name: wapi
   <<: *default
   <<: *ingress
+  installed: false
   set:
   - name: fetchKeycloakPubkey
     file: config/api-common/fetch-keycloak-pubkey.sh
@@ -292,7 +294,16 @@ releases:
     - default/keycloak
 - name: payform
   <<: *default
-  <<: *ingress
+  values:
+  - ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: nginx
+      host: checkout.rbkmoney.standoff.city
+      path: /
+      tls:
+        enabled: true
+        secret: stand-wild
   set:
   - name: appconfig
     file: config/payform/appConfig.json

services/capi-pcidss-v1/templates/ingress.yaml

@@ -1,7 +1,11 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
+{{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
   name: {{ include "capi-pcidss-v1.fullname" . }}
   labels:
     {{- include "capi-pcidss-v1.labels" . | nindent 4 }}

services/capi-pcidss-v1/values.yaml

@@ -59,4 +59,9 @@ affinity: {}
 ingress:
   host: api.rbk.dev
   path: /v1/processing/payment-resources
-
+  annotations:
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+       more_set_headers "Access-Control-Allow-Origin: $http_origin";

services/capi-pcidss-v2/templates/ingress.yaml

@@ -1,7 +1,11 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
+{{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}  
   name: {{ include "capi-pcidss-v2.fullname" . }}
   labels:
     {{- include "capi-pcidss-v2.labels" . | nindent 4 }}

services/capi-pcidss-v2/values.yaml

@@ -59,4 +59,10 @@ affinity: {}
 ingress:
   host: api.rbk.dev
   path: /v2/processing/payment-resources
-
+  annotations:
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+       more_set_headers "Access-Control-Allow-Origin: $http_origin";

services/payform/values.yaml

@@ -61,13 +61,13 @@ tolerations: []
 affinity: {}
 
 ingress:
-  enabled: false
+  # enabled: false
-  annotations: {}
+  # annotations: {}
     # nginx.ingress.kubernetes.io/rewrite-target: /
     # kubernetes.io/tls-acme: "true"
-  host: api.rbk.dev
+  # host: api.rbk.dev
-  path: /
+  # path: /
-  tls: []
+  # tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local