refactor: replace full Nginx config file with httpSnippet and serverSnippet in Loki values.

JOELNATHAN544 · JOELNATHAN544 · commit 5b624618b5f5 · 2026-02-27T11:46:29.000+01:00
diff --git a/lgtm-stack/terraform/values/loki-values.yaml b/lgtm-stack/terraform/values/loki-values.yaml
@@ -148,65 +148,18 @@ gateway:
       readOnly: true
 
   nginxConfig:
-    file: |2
+    httpSnippet: |
+      # Determine if authentication is required based on the tenant ID
+      # The 'default' tenant is used by global infra and smoke tests, so we bypass auth for it.
+      map {{ print "$" }}http_x_scope_orgid {{ print "$" }}auth_realm {
+        "default" "off";
+        ""        "off";
+        default   "Loki Tenant Authentication";
+      }
+    serverSnippet: |
+      auth_basic {{ print "$" }}auth_realm;
+      auth_basic_user_file /etc/nginx/secrets/.htpasswd;
 
-        worker_processes  5;
-        error_log  /dev/stderr;
-        pid        /tmp/nginx.pid;
-        worker_rlimit_nofile 8192;
-        events {
-          worker_connections  4096;
-        }
-        http {
-          client_body_temp_path /tmp/client_temp;
-          proxy_temp_path       /tmp/proxy_temp_path;
-          fastcgi_temp_path     /tmp/fastcgi_temp;
-          uwsgi_temp_path       /tmp/uwsgi_temp;
-          scgi_temp_path        /tmp/scgi_temp;
-          default_type application/octet-stream;
-          log_format main '{{ print "$" }}remote_addr - {{ print "$" }}remote_user [{{ print "$" }}time_local] "{{ print "$" }}request" {{ print "$" }}status';
-          access_log /dev/stderr main;
-
-          # Determine if authentication is required based on the tenant ID
-          # The 'default' tenant is used by global infra and smoke tests, so we bypass auth for it.
-          map {{ print "$" }}http_x_scope_orgid {{ print "$" }}auth_realm {
-            "default" "off";
-            ""        "off";
-            default   "Loki Tenant Authentication";
-          }
-
-          server {
-            listen 8080;
-
-            # Health check path (must be open for k8s probes)
-            location = / {
-              return 200 'OK';
-              auth_basic off;
-            }
-
-            # Log push paths (selecitvely authenticated via map)
-            location ~ ^/(loki/api/v1/push|otlp/v1/logs|api/prom/push) {
-              auth_basic {{ print "$" }}auth_realm;
-              auth_basic_user_file /etc/nginx/secrets/.htpasswd;
-              proxy_pass http://monitoring-loki-distributor.observability.svc.cluster.local:3100;
-              proxy_http_version 1.1;
-            }
-
-            # Log query/read paths (selectively authenticated via map)
-            location / {
-              auth_basic {{ print "$" }}auth_realm;
-              auth_basic_user_file /etc/nginx/secrets/.htpasswd;
-              proxy_pass http://monitoring-loki-query-frontend.observability.svc.cluster.local:3100;
-              proxy_http_version 1.1;
-            }
-
-            # Readiness path for distributor
-            location = /ready {
-              proxy_pass http://monitoring-loki-distributor.observability.svc.cluster.local:3100;
-              auth_basic off;
-            }
-          }
-        }
 
 backend:
   replicas: 0
