[DEV-14834] Disable HTTP/1.1 by default

[NathanOkolita]

Summary

This PR introduces a new variable, enforce_http_2_only, which controls whether HTTP/1.1 traffic is allowed. By default, HTTP/1.1 requests are denied with a 429 status code. The flag provides flexibility to temporarily allow HTTP/1.1 traffic when necessary.

Argo Application Behavior Changes

To ensure this setting (and future Terraform-driven changes) apply to existing clusters, we updated how Argo applications are managed.

Previously:

• Argo application values were set only at creation time.
• Files such as ipa_application.yaml, ipa_smoketest.yaml, insights_application.yaml, and insights_smoketest.yaml were not updated afterward.
• As a result, only changes committed directly to GitHub were applied.
• Changes made in tf_cod were not propagated to existing clusters.

Now:

• User-defined HELM_VALUES in those files are preserved.
• Values generated by tf_cod (injected as HELM_TF_COD_VALUES) are updated in GitHub.
• Argo then applies those updated values to the cluster.

This ensures Terraform-driven configuration changes are consistently propagated while preserving any user-defined overrides.

---

Note

High Risk
Defaulting ingress to HTTP/2-only can break clients/load balancers that still use HTTP/1.1. The new GitHub read/merge path for Argo app files changes how config updates propagate and could overwrite or mis-parse existing YAML if the fetch/decode logic fails.

Overview
Introduces enforce_http_2_only (default true) to disable HTTP/1.1 ingress by turning off the NGINX controller httpPort and injecting an NGINX server-snippets rule that rejects non-HTTP/2 requests (status 426) in both AWS and Azure stacks.

Changes Argo application YAML generation (modules/common/application-deployment) to fetch the existing *_application.yaml from GitHub (via new external provider + fetch_github_file.py) and reuse the existing HELM_VALUES when present, while still updating HELM_TF_COD_VALUES; root modules now pass var.git_pat through as github_token to intake/insights/smoketests/additional apps.

^{Written by Cursor Bugbot for commit 24be63d. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Heredoc delimiter not unique despite comment claiming otherwise

Low Severity

The comment on line 64 states "Unique delimiter so 'EOT' (or similar) inside HELM_VALUES doesn't end the heredoc and truncate," but the code immediately below still uses <<EOT as the delimiter. EOT is the most commonly used heredoc delimiter in Terraform. The comment explicitly identifies the risk but the mitigation was never actually implemented — a more distinctive delimiter like <<ARGOCD_APPLICATION_CONTENT would match the documented intent and guard against premature heredoc termination if HELM_VALUES content ever contains a bare EOT line.

 

[ltellesfl]

Looks good