Reverse Proxy Configuration - bcgov/eagle-dev-guides GitHub Wiki

Reverse Proxy Configuration

The eao-nginx reverse proxy routes traffic to EPIC platform services. It runs as an nginx container deployed via Helm charts.

Architecture

graph LR
    subgraph "External"
        U[Users]
    end
    
    subgraph "OpenShift Routes"
        R1[eagle-dev.apps...]
        R2[projects.eao.gov.bc.ca]
    end
    
    subgraph "rproxy"
        N[nginx:8080]
    end
    
    subgraph "Services"
        EP[eagle-public]
        EA[eagle-admin]
        API[eagle-api]
        PA[penguin-analytics]
        TS[typesense]
    end
    
    U --> R1 & R2
    R1 & R2 --> N
    N -->|/| EP
    N -->|/admin/| EA
    N -->|/api| API
    N -->|/analytics| PA
    N -->|/search-api/| TS

Routing

| Path | Service | Description |
|------|---------|-------------|
| / | eagle-public:8080 | Public frontend |
| /admin/ | eagle-admin:8080 | Admin frontend |
| /api | eagle-api:3000 | API backend |
| /api/analytics | penguin-analytics-api:3000 | Legacy analytics path (cached clients) |
| /analytics | penguin-analytics-api:3000 | Analytics ingestion |
| /search-api/ | typesense-typesense:8108 | Typesense search API (dev only) |
| /eguide | eagle-api:3000 | E-guide service (prod only) |
| /nginx_status | nginx | Health check |

Note: /api/analytics exists as a compatibility route. Clients with stale cached env.js (pre-v2.4.1) send analytics to /api/analytics instead of /analytics. Both paths proxy to penguin-analytics. Added in rproxy v1.0.5.
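
The following is an added example, not code from the eao-nginx repository. It models how nginx would pick a backend for the paths in the routing table, assuming every entry is a plain prefix location (no regex, `=` or `^~` modifiers) handled by proxy_pass, and that routes without an environment note exist in all three environments. The `resolve` function and `ROUTES` list are hypothetical names.

```python
# Added example: models nginx prefix-location selection for the routing table.
# Assumptions: plain prefix locations (no regex, "=" or "^~"), all using proxy_pass.
ALL = {"dev", "test", "prod"}

# (prefix, upstream, environments where the route exists), from the routing table
ROUTES = [
    ("/", "eagle-public:8080", ALL),
    ("/admin/", "eagle-admin:8080", ALL),
    ("/api", "eagle-api:3000", ALL),
    ("/api/analytics", "penguin-analytics-api:3000", ALL),
    ("/analytics", "penguin-analytics-api:3000", ALL),
    ("/search-api/", "typesense-typesense:8108", {"dev"}),
    ("/eguide", "eagle-api:3000", {"prod"}),
    ("/nginx_status", "nginx", ALL),  # answered by nginx itself
]


def resolve(path, env):
    """Return ("route", upstream) or ("redirect", new_path) for a request path."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    path = path.split("?", 1)[0]  # location matching ignores the query string
    active = [(p, u) for p, u, envs in ROUTES if env in envs]
    # A URI equal to a slash-terminated proxied prefix minus the slash gets a 301.
    if any(p == path + "/" for p, _ in active):
        return ("redirect", path + "/")
    # Otherwise the longest matching prefix wins, whatever the declaration order.
    _, upstream = max(
        ((p, u) for p, u in active if path.startswith(p)),
        key=lambda route: len(route[0]),
    )
    return ("route", upstream)


if __name__ == "__main__":
    for env, path in [
        ("dev", "/api/analytics/events"),     # compatibility route, not eagle-api
        ("prod", "/api/projects?page=2"),
        ("test", "/admin"),                   # 301 to /admin/
        ("prod", "/search-api/collections"),  # no such route in prod: falls to /
        ("dev", "/apiary"),                   # "/api" has no trailing slash
    ]:
        print(env, path, "->", resolve(path, env))
```

Under these assumptions, a path whose route is absent in an environment is not rejected; it falls through to the `/` location and reaches eagle-public.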

Environments

| Environment | Namespace | URL | Auth |
|-------------|-----------|-----|------|
| Dev | 6cdc9e-dev | https://eagle-dev.apps.silver.devops.gov.bc.ca | Basic (admin/fooey) |
| Test | 6cdc9e-test | https://eagle-test.apps.silver.devops.gov.bc.ca | Basic (admin/fooey) |
| Test (vanity) | 6cdc9e-test | https://test.projects.eao.gov.bc.ca | Basic (admin/fooey) |
| Prod | 6cdc9e-prod | https://projects.eao.gov.bc.ca | None (public) |

Configuration

Environment Variables

Set via Helm values, substituted at container startup via envsubst:

nginx:
  epic:
    serverName: "eagle-dev.apps.silver.devops.gov.bc.ca"
    proxy:
      root: "http://eagle-public:8080"
      api: "http://eagle-api:3000"
      admin: "http://eagle-admin:8080"
      analytics: "http://penguin-analytics-api:3000"

HTTP Basic Auth

Dev and test environments use basic auth to restrict access:

httpBasic:
  enabled: true
  username: ""  # Injected via GitHub secrets
  password: ""  # Injected via GitHub secrets

Credentials are injected at deploy time - never stored in values files.

Deployment

GitHub Actions Workflows

| Workflow | Trigger | Action |
|----------|---------|--------|
| deploy-to-dev | Push to master | Build → Scan → Deploy |
| deploy-to-test | Manual | Tag release → Deploy |
| deploy-to-prod | Manual | Deploy tagged version |

Deploy Commands

# Dev (automatic, or manual trigger)
gh workflow run deploy-to-dev.yaml --repo bcgov/eao-nginx

# Test (creates git tag and release)
gh workflow run deploy-to-test.yaml --repo bcgov/eao-nginx -f version=v1.0.0

# Prod (uses existing release)
gh workflow run deploy-to-prod.yaml --repo bcgov/eao-nginx -f version=v1.0.0

Manual Helm Deployment

helm upgrade --install rproxy ./helm/rproxy \
  -n 6cdc9e-dev \
  -f ./helm/rproxy/values-dev.yaml \
  --set httpBasic.username=admin \
  --set httpBasic.password=fooey

Troubleshooting

Check Deployment Status

oc get deployment rproxy -n 6cdc9e-dev
oc get pods -l app.kubernetes.io/name=rproxy -n 6cdc9e-dev

View Logs

oc logs -l app.kubernetes.io/name=rproxy -n 6cdc9e-dev --tail=100

Test nginx Configuration

oc exec deployment/rproxy -n 6cdc9e-dev -- nginx -t

Verify Routing

# Health check
curl https://eagle-dev.apps.silver.devops.gov.bc.ca/nginx_status

# Test with auth
curl -u admin:fooey https://eagle-dev.apps.silver.devops.gov.bc.ca/

Common Issues

| Issue | Cause | Solution |
|-------|-------|----------|
| 502 Bad Gateway | Backend service down | Check target service pods |
| 401 Unauthorized | Wrong credentials | Verify GitHub secrets |
| 503 Service Unavailable | No endpoints | Check service selectors match pod labels |

Rollback

# View history
helm history rproxy -n 6cdc9e-dev

# Rollback to previous version
helm rollback rproxy -n 6cdc9e-dev
