Feat/UI nginx configmap (#206)

* feat: add configurable nginx for UI with large JWT support

- Add ConfigMap-based nginx configuration for Helm deployments
- Increase buffer sizes for JWT tokens with many OIDC groups (up to 180)
- Support both Helm (ConfigMap) and standalone (envsubst) modes
- Configure proxy timeouts and headers

* new helm package

Author: aa1ex

helm/charts/envoy-xds-controller/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.82"
+version: "0.83.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.14.0"
+appVersion: "v0.15.0"
 
 home: https://github.com/kaasops/envoy-xds-controller
 sources:

helm/charts/envoy-xds-controller/templates/ui/configmap.yaml

@@ -0,0 +1,71 @@
+{{- if and .Values.ui.enabled .Values.ui.nginxConfigMap.enabled -}}
+{{- $nginx := .Values.ui.nginxConfigMap | default dict -}}
+{{- $proxySetHeader := $nginx.proxySetHeader | default dict -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "chart.fullname" . }}-ui-nginx-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "chart.labels-ui" . | nindent 4 }}
+data:
+  template.conf: |
+    server {
+        # Dynamic config
+        listen {{ .Values.ui.port }};
+        server_name _;
+        root   /usr/share/nginx/html;
+
+        # Increase buffer sizes for large JWT tokens (users with many OIDC groups)
+        # Default is 4 8k, but tokens with 100+ groups can exceed 8KB
+        large_client_header_buffers {{ $nginx.largeClientHeaderBuffers | default "8 32k" }};
+        proxy_buffer_size {{ $nginx.proxyBufferSize | default "32k" }};
+        proxy_buffers {{ $nginx.proxyBuffers | default "8 32k" }};
+        proxy_busy_buffers_size {{ $nginx.proxyBusyBuffersSize | default "64k" }};
+
+        # Proxy timeouts
+        proxy_connect_timeout {{ $nginx.proxyConnectTimeout | default "60s" }};
+        proxy_read_timeout {{ $nginx.proxyReadTimeout | default "60s" }};
+        proxy_send_timeout {{ $nginx.proxySendTimeout | default "60s" }};
+
+        location = / {
+            return 301 /nodeIDs;
+        }
+        location /nodeIDs {
+            index  index.html index.htm;
+            try_files $uri $uri/ /index.html;
+        }
+        location /accessGroups {
+            index  index.html index.htm;
+            try_files $uri $uri/ /index.html;
+        }
+        location /callback {
+            index  index.html index.htm;
+            try_files $uri $uri/ /index.html;
+        }
+        location /api/v1 {
+            {{- if $proxySetHeader.xRealIP | default false }}
+            proxy_set_header X-Real-IP $remote_addr;
+            {{- end }}
+            {{- if $proxySetHeader.xForwardedFor | default false }}
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            {{- end }}
+            {{- if $proxySetHeader.xForwardedProto | default false }}
+            proxy_set_header X-Forwarded-Proto $scheme;
+            {{- end }}
+            proxy_pass {{ .Values.ui.cacheAPI }};
+        }
+        location /grpc-api/ {
+            {{- if $proxySetHeader.xRealIP | default false }}
+            proxy_set_header X-Real-IP $remote_addr;
+            {{- end }}
+            {{- if $proxySetHeader.xForwardedFor | default false }}
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            {{- end }}
+            {{- if $proxySetHeader.xForwardedProto | default false }}
+            proxy_set_header X-Forwarded-Proto $scheme;
+            {{- end }}
+            proxy_pass {{ .Values.ui.resourceAPI }}/;
+        }
+    }
+{{- end }}

helm/charts/envoy-xds-controller/templates/ui/deployment.yaml

@@ -36,11 +36,21 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ include "chart.serviceAccountName" . }}
+      {{- if .Values.ui.nginxConfigMap.enabled }}
+      volumes:
+      - name: nginx-config
+        configMap:
+          name: {{ include "chart.fullname" . }}-ui-nginx-config
+      {{- end }}
       containers:
       - image: {{ .Values.ui.image.repository }}:{{ default .Chart.AppVersion .Values.ui.image.tag }}
-        {{- if .Values.ui.args }}
-        args:
-          {{- toYaml .Values.ui.args | nindent 10 }}
+        name: envoy-xds-controller-ui
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.ui.nginxConfigMap.enabled }}
+        volumeMounts:
+        - name: nginx-config
+          mountPath: /etc/nginx/templates/nginx.conf
+          subPath: template.conf
         {{- end }}
         env:
           - name: API_PROXY_PASS
@@ -85,8 +95,6 @@ spec:
           - name: http
             containerPort: {{ .Values.ui.port }}
             protocol: TCP
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: envoy-xds-controller-ui
         resources:
 {{ toYaml .Values.ui.resources | indent 12 }}
 {{- end }}

helm/charts/envoy-xds-controller/values.yaml

@@ -46,7 +46,6 @@ ui:
     repository: kaasops/envoy-xds-controller-ui
     tag: "" # rewrites Chart.AppVersion
     pullPolicy: IfNotPresent
-  args: []
   envs: {}
   cacheAPI: "http://exc-envoy-xds-controller-cache-api:9999"
   resourceAPI: "http://exc-envoy-xds-controller-resource-api:10000"
@@ -58,6 +57,30 @@ ui:
       cpu: 100m
       memory: 50Mi
   port: 8080
+  # Nginx configuration via ConfigMap
+  # When enabled: nginx config is managed via ConfigMap (allows runtime configuration)
+  # When disabled: uses embedded config from Docker image (default)
+  nginxConfigMap:
+    enabled: false
+    # Buffer sizes for large client headers (e.g., JWT tokens with many OIDC groups)
+    # Format: <number> <size> where size is the max size of ONE header line
+    # Each header line (e.g., Cookie with JWT) must fit in ONE buffer!
+    # For 180 groups × 40 chars = ~7KB groups → JWT token ~15-25KB → need 32k per buffer
+    # Default nginx: 4 8k (each header max 8KB)
+    largeClientHeaderBuffers: "8 32k"
+    proxyBufferSize: "32k"
+    proxyBuffers: "8 32k"
+
+    proxyBusyBuffersSize: "64k"
+    # Proxy timeouts for backend API requests
+    proxyConnectTimeout: "60s"
+    proxyReadTimeout: "60s"
+    proxySendTimeout: "60s"
+    # Proxy headers (useful when UI is behind Ingress/Load Balancer)
+    proxySetHeader:
+      xRealIP: true
+      xForwardedFor: true
+      xForwardedProto: true
   ingress:
     enabled: false
     annotations: