Revert "Refactor nginx config in prod (#7417)" (#7706)

This reverts commit 381ffce.

Author: JoaoPedroPP

components/konflux-ui/production/base/proxy/auth.conf

@@ -7,11 +7,3 @@ configMapGenerator:
   - name: proxy
     files:
       - nginx.conf
-  - name: proxy-nginx-templates
-    files:
-      - auth.conf
-  - name: proxy-nginx-static
-    files:
-      - tekton-results.conf
-      - tekton-results-workspaces.conf
-      - kubearchive.conf

components/konflux-ui/production/base/proxy/kubearchive.conf

@@ -139,7 +139,24 @@ http {
             include /mnt/nginx-generated-config/auth.conf;
         }
 
+        # Deprecated
+        location /api/k8s/plugins/tekton-results/workspaces/ {
+            auth_request /oauth2/auth;
+
+            rewrite /api/k8s/plugins/tekton-results/workspaces/.+?/(.+) /$1 break;
+            proxy_read_timeout 30m;
+            include /mnt/nginx-generated-config/tekton-results.conf;
+            include /mnt/nginx-generated-config/auth.conf;
+        }
 
+        location /api/k8s/plugins/tekton-results/ {
+            auth_request /oauth2/auth;
+
+            rewrite /api/k8s/plugins/tekton-results/(.+) /$1 break;
+            proxy_read_timeout 30m;
+            include /mnt/nginx-generated-config/tekton-results.conf;
+            include /mnt/nginx-generated-config/auth.conf;
+        }
 
         # GET requests to /api/k8s/api/v1/namespaces and /api/k8s/api/v1/namespaces/
         # are handled from the namespace-lister.
@@ -183,5 +200,6 @@ http {
         }
 
         include /mnt/nginx-additional-location-configs/*.conf;
+        include /mnt/nginx-generated-config/kubearchive.conf;
     }
 }

components/konflux-ui/production/base/proxy/kustomization.yaml

@@ -54,23 +54,48 @@ spec:
             memory: 64Mi
       - name: generate-nginx-configs
         image: registry.access.redhat.com/ubi9/ubi@sha256:66233eebd72bb5baa25190d4f55e1dc3fff3a9b77186c1f91a0abdb274452072
+        envFrom:
+          - configMapRef:
+              name: proxy-init-config
         command:
           - sh
           - -c
           - |
             set -e
 
-            # Generate auth.conf with bearer token replacement
-            token=$(cat /mnt/api-token/token)
-            sed "s/__BEARER_TOKEN__/$token/g" /mnt/nginx-templates/auth.conf > /mnt/nginx-generated-config/auth.conf
+            auth_conf=/mnt/nginx-generated-config/auth.conf
+            
+            if [[ "$IMPERSONATE" == "true" ]]; then
+              token=$(cat /mnt/api-token/token)
+              echo 'auth_request_set $user  $upstream_http_x_auth_request_email;' > "$auth_conf"
+              echo 'proxy_set_header Impersonate-User $user;' >> "$auth_conf"
+              echo 'proxy_set_header Impersonate-Group system:authenticated;' >> "$auth_conf"
+              echo "proxy_set_header Authorization \"Bearer $token\";" >> "$auth_conf"
+            else
+              echo "# impersonation was disabled by config" > "$auth_conf"
+            fi
 
-            chmod 640 /mnt/nginx-generated-config/auth.conf
+            chmod 640 "$auth_conf"
+
+            echo \
+              "proxy_pass ${TEKTON_RESULTS_URL:?tekton results url must be provided};" \
+              > /mnt/nginx-generated-config/tekton-results.conf
+
+            if [[ "$KUBEARCHIVE_URL" != "" ]]; then
+              echo "location /api/k8s/plugins/kubearchive/ {" > /mnt/nginx-generated-config/kubearchive.conf
+              echo "auth_request /oauth2/auth;" >> /mnt/nginx-generated-config/kubearchive.conf
+              echo "rewrite /api/k8s/plugins/kubearchive/(.+) /\$1 break;" >> /mnt/nginx-generated-config/kubearchive.conf
+              echo "proxy_read_timeout 30m;" >> /mnt/nginx-generated-config/kubearchive.conf
+              echo "proxy_pass ${KUBEARCHIVE_URL};" >> /mnt/nginx-generated-config/kubearchive.conf
+              echo "include /mnt/nginx-generated-config/auth.conf;" >> /mnt/nginx-generated-config/kubearchive.conf
+              echo "}" >> /mnt/nginx-generated-config/kubearchive.conf
+            else
+              echo "# KubeArchive disabled by config" > /mnt/nginx-generated-config/kubearchive.conf
+            fi
 
         volumeMounts:
         - name: nginx-generated-config
           mountPath: /mnt/nginx-generated-config
-        - name: nginx-templates
-          mountPath: /mnt/nginx-templates
         - name: api-token
           mountPath: /mnt/api-token
         securityContext:
@@ -142,8 +167,6 @@ spec:
             mountPath: /mnt
           - name: nginx-generated-config
             mountPath: /mnt/nginx-generated-config
-          - name: nginx-static
-            mountPath: /mnt/nginx-additional-location-configs
           - name: static-content
             mountPath: /opt/app-root/src/static-content
         securityContext:
@@ -205,14 +228,6 @@ spec:
               - key: nginx.conf
                 path: nginx.conf 
           name: proxy
-        - configMap:
-            defaultMode: 420
-            name: proxy-nginx-templates
-          name: nginx-templates
-        - configMap:
-            defaultMode: 420
-            name: proxy-nginx-static
-          name: nginx-static
         - name: logs
           emptyDir: {}
         - name: nginx-tmp

components/konflux-ui/production/base/proxy/nginx.conf

@@ -9,6 +9,11 @@ configMapGenerator:
   - name: dex
     files:
       - dex-config.yaml
+  - name: proxy-init-config
+    literals:
+      - IMPERSONATE=true
+      - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080
+      - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081
 
 patches:
   - path: add-service-certs-patch.yaml

components/konflux-ui/production/base/proxy/proxy.yaml

@@ -8,10 +8,10 @@ configMapGenerator:
   - name: dex
     files:
       - dex-config.yaml
-  - name: proxy-nginx-static
-    files:
-      - kubearchive.conf
-    behavior: merge
+  - name: proxy-init-config
+    literals:
+      - IMPERSONATE=true
+      - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080
 
 patches:
   - path: add-service-certs-patch.yaml