Setting Ingress annotations during OTXECM deploy (Content Server focus)

HFCDev

Hi,

More a discussion rather than requesting advice, but this may help someone. I've been doing my test deploys primarily to Google Cloud (mainly because I was able to get access to a PP deck outlining the details of this). One thing I do in order to get https working is I use ingress-shim annotations in my deployment to be able to use cert-manager from jetstack to automagically get the nginx ingress pod to request and be granted a certificate from LetsEncrypt.

The ingress-shim I was talking about amounts to one line added to your otxecm/values.yaml, mainly

cert-manager.io/cluster-issuer: letsencrypt

This would get added under the global→ingressAnnotations section

Details of how to do this are elsewhere, and my git repo which has all the artefacts to do this can be found here: https://gitlab.com/hughf/containerll

But what I discovered is that you cannot pass a parameter like this in the params args to helm. If you try to do helm install myotxecm otxecm —set cert-manager.io/cluster-usser=letsencrypt, the parameter will get mangled by helm. In my case, when I did a kubectl get Ingress <my-ingress-name> -o yaml, the annotation showed up not as cert-manager.io/cluster-issuer: letsencrypt but rather cert-manager: map[io/cluster-issuer:letsencrypt]. I spent 2 hours trying to find out why cert-manager wasn't generating a certificate for me until I found this.

So for parameters that have slashes and dashes or brackets, you have to alter the values.yaml directly. I bring this up because many I've been talking to, take the path of using the entire set of OT helm charts as-is, and update parameters within by passing a bunch of —set param=value pairs (my git project does this by creating a properties file with all the params then using bash to create the appropriate helm command).

Something else I discovered, and I don't know whether this is a Google Cloud thing or more general, but the following annotations needed to be commented out:

nginx.ingress.kubernetes.io/server-snippet: add_header X-Robots-Tag "noindex, nofollow";

and

nginx.ingress.kubernetes.io/configuration-snippet: |
if ($http_origin) {more_set_headers "Access-Control-Allow-Headers: $sent_http_access_control_allow_headers, X-XHR-Logon, X-Requested-With";}

Anyway, what would be cool is a way to automatically punch directly into the values.yaml at runtime. I was thinking of using a tool like yq to do that but haven't really pursued that yet.

Hopefully this will either help someone or get a discussion going.

-Hugh

HFCDev

I do have a theory as to why if you pass a parameter to helm as, say —set globals.ingressAnnotations.cert-manager.io/cluster-issuer=letsencrypt, it gets interpreted as

globals:
   ingressAnnotations:
      cert-manager:
         io/cluster-issuser: letsencrypt

It seems that the dot (.) is a delimiter when converting parameters to yaml. I noticed the same thing in a yaml parser in github written in golang (like helm is). Not sure if there is a way to pass to helm a parameter like

globals:
   ingressAnnotations:
      cert-manager.io/cluster-issuer: letsencrypt

If anyone in OT could comment, or someone with more familiarity with go-lang, please enlighten.

-Hugh