📈(frontend) setup a reverse proxy for analytics

Proxy analytics requests through our backend to minimize
ad-blockers impact. I configured the Helm Charts following
PostHog official documentation.

src/helm/env.d/dev/values.meet.yaml.gotmpl

@@ -95,3 +95,8 @@ ingress:
 ingressAdmin:
   enabled: true
   host: meet.127.0.0.1.nip.io
+
+posthog:
+  ingress:
+    enabled: false
+

src/helm/env.d/preprod/values.meet.yaml.gotmpl

@@ -125,3 +125,12 @@ ingressAdmin:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
     nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth
+
+posthog:
+  ingress:
+    enabled: true
+    host: product.visio-preprod.beta.numerique.gouv.fr
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/upstream-vhost: eu.i.posthog.com
+      nginx.ingress.kubernetes.io/backend-protocol: https

src/helm/env.d/production/values.meet.yaml.gotmpl

@@ -126,3 +126,12 @@ ingressAdmin:
     cert-manager.io/cluster-issuer: letsencrypt
     nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
     nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth
+
+posthog:
+  ingress:
+    enabled: true
+    host: product.visio.numerique.gouv.fr
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/upstream-vhost: eu.i.posthog.com
+      nginx.ingress.kubernetes.io/backend-protocol: https

src/helm/env.d/staging/values.meet.yaml.gotmpl

@@ -137,3 +137,12 @@ ingressAdmin:
       - secretName: transitional-tls
         hosts:
           - {{ .Values.newDomain }}
+
+posthog:
+  ingress:
+    enabled: true
+    host: product.visio-staging.beta.numerique.gouv.fr
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/upstream-vhost: eu.i.posthog.com
+      nginx.ingress.kubernetes.io/backend-protocol: https

src/helm/meet/templates/_helpers.tpl

@@ -157,6 +157,15 @@ Requires top level scope
 {{ include "meet.fullname" . }}-webrtc
 {{- end }}
 
+{{/*
+Full name for the Posthog
+
+Requires top level scope
+*/}}
+{{- define "meet.posthog.fullname" -}}
+{{ include "meet.fullname" . }}-posthog
+{{- end }}
+
 {{/*
 Usage : {{ include "meet.secret.dockerconfigjson.name" (dict "fullname" (include "meet.fullname" .) "imageCredentials" .Values.path.to.the.image1) }}
 */}}

src/helm/meet/templates/ingress_posthog.yaml

@@ -0,0 +1,115 @@
+{{- if .Values.posthog.ingress.enabled -}}
+{{- $fullName := include "meet.fullname" . -}}
+{{- if and .Values.posthog.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.posthog.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.posthog.ingress.annotations "kubernetes.io/ingress.class" .Values.posthog.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-posthog
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "meet.labels" . | nindent 4 }}
+  {{- with .Values.posthog.ingress.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.posthog.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.posthog.ingress.className }}
+  {{- end }}
+  {{- if .Values.posthog.ingress.tls.enabled }}
+  tls:
+    {{- if .Values.posthog.ingress.host }}
+    - secretName: {{ $fullName }}-posthog-tls
+      hosts:
+        - {{ .Values.posthog.ingress.host | quote }}
+    {{- end }}
+    {{- range .Values.posthog.ingress.tls.additional }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- if .Values.posthog.ingress.host }}
+    - host: {{ .Values.posthog.ingress.host | quote }}
+      http:
+        paths:
+          - path: {{ .Values.posthog.ingress.path }}
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ include "meet.posthog.fullname" . }}-proxy
+                port:
+                  number: {{ .Values.posthog.service.port }}
+              {{- else }}
+              serviceName: {{ include "meet.posthog.fullname" . }}-proxy
+              servicePort: {{ .Values.posthog.service.port }}
+            {{- end }}
+          - path: {{ .Values.posthog.ingress.pathAssets }}
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ include "meet.posthog.fullname" . }}-assets-proxy
+                port:
+                  number: {{ .Values.posthog.assetsService.port }}
+              {{- else }}
+              serviceName: {{ include "meet.posthog.fullname" . }}
+              servicePort: {{ .Values.posthog.assetsService.port }}
+            {{- end }}
+    {{- end }}
+    {{- range .Values.posthog.ingress.hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          - path: {{ $.Values.posthog.ingress.path | quote }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+          {{- end }}
+            backend:
+            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ include "meet.posthog.fullname" . }}-proxy
+                port:
+                  number: {{ $.Values.posthog.service.port }}
+            {{- else }}
+              serviceName: {{ include "meet.posthog.fullname" . }}-proxy
+              servicePort: {{ $.Values.posthog.service.port }}
+          {{- end }}
+          - path: {{ .Values.posthog.ingress.pathAssets }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+          {{- end }}
+            backend:
+            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ include "meet.posthog.fullname" . }}-assets-proxy
+                port:
+                  number: {{ $.Values.posthog.assetsService.service.port }}
+            {{- else }}
+              serviceName: {{ include "meet.posthog.fullname" . }}-assets-proxy
+              servicePort: {{ $.Values.posthog.assetsService.service.port }}
+          {{- end }}
+        {{- with $.Values.posthog.assetsService.customBackends }}
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+  {{- end }}
+{{- end }}
+

src/helm/meet/templates/posthog_assets_svc.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.posthog.ingress.enabled -}}
+{{- $envVars := include "meet.common.env" (list . .Values.posthog) -}}
+{{- $fullName := include "meet.posthog.fullname" . -}}
+{{- $component := "posthog" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullName }}-assets-proxy
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "meet.common.labels" (list . $component) | nindent 4 }}
+  annotations:
+    {{- toYaml $.Values.posthog.assetsService.annotations | nindent 4 }}
+spec:
+  type: {{ .Values.posthog.assetsService.type }}
+  externalName: {{ .Values.posthog.assetsService.externalName }}
+  ports:
+    - port: {{ .Values.posthog.assetsService.port }}
+      targetPort: {{ .Values.posthog.assetsService.targetPort }}
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "meet.common.selectorLabels" (list . $component) | nindent 4 }}
+{{- end }}

src/helm/meet/templates/posthog_svc.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.posthog.ingress.enabled -}}
+{{- $envVars := include "meet.common.env" (list . .Values.posthog) -}}
+{{- $fullName := include "meet.posthog.fullname" . -}}
+{{- $component := "posthog" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullName }}-proxy
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "meet.common.labels" (list . $component) | nindent 4 }}
+  annotations:
+    {{- toYaml $.Values.posthog.service.annotations | nindent 4 }}
+spec:
+  type: {{ .Values.posthog.service.type }}
+  externalName: {{ .Values.posthog.service.externalName }}
+  ports:
+    - port: {{ .Values.posthog.service.port }}
+      targetPort: {{ .Values.posthog.service.targetPort }}
+      protocol: TCP
+      name: https
+  selector:
+    {{- include "meet.common.selectorLabels" (list . $component) | nindent 4 }}
+{{- end }}

src/helm/meet/values.yaml

@@ -263,3 +263,33 @@ frontend:
 
   ## @param frontend.extraVolumes Additional volumes to mount on the frontend.
   extraVolumes: []
+
+## @section Posthog
+
+posthog:
+
+  ingress:
+    enabled: false
+    className: null
+    host: meet.example.com
+    path: /
+    pathAssets: /static
+    hosts: [ ]
+    tls:
+      enabled: true
+      additional: [ ]
+
+    customBackends: [ ]
+    annotations: {}
+
+  service:
+    type: ExternalName
+    externalName: eu.i.posthog.com
+    port: 443
+    annotations: {}
+
+  assetsService:
+    type: ExternalName
+    externalName: eu-assets.i.posthog.com
+    port: 443
+    annotations: {}