diff --git a/components/konflux-ui/production/base/proxy/auth.conf b/components/konflux-ui/production/base/proxy/auth.conf
new file mode 100644
index 00000000000..6b5cad3adaf
--- /dev/null
+++ b/components/konflux-ui/production/base/proxy/auth.conf
@@ -0,0 +1,5 @@
+# Auth configuration with impersonation enabled
+auth_request_set $user $upstream_http_x_auth_request_email;
+proxy_set_header Impersonate-User $user;
+proxy_set_header Impersonate-Group system:authenticated;
+proxy_set_header Authorization "Bearer __BEARER_TOKEN__";
diff --git a/components/konflux-ui/production/base/proxy/kubearchive.conf b/components/konflux-ui/production/base/proxy/kubearchive.conf
new file mode 100644
index 00000000000..d87f2dbf983
--- /dev/null
+++ b/components/konflux-ui/production/base/proxy/kubearchive.conf
@@ -0,0 +1,7 @@
+location /api/k8s/plugins/kubearchive/ {
+ auth_request /oauth2/auth;
+ rewrite /api/k8s/plugins/kubearchive/(.+) /$1 break;
+ proxy_read_timeout 30m;
+ proxy_pass https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081;
+ include /mnt/nginx-generated-config/auth.conf;
+}
diff --git a/components/konflux-ui/production/base/proxy/kustomization.yaml b/components/konflux-ui/production/base/proxy/kustomization.yaml
index 526e2783a38..002b37864d0 100644
--- a/components/konflux-ui/production/base/proxy/kustomization.yaml
+++ b/components/konflux-ui/production/base/proxy/kustomization.yaml
@@ -7,3 +7,11 @@ configMapGenerator:
 - name: proxy
 files:
 - nginx.conf
+ - name: proxy-nginx-templates
+ files:
+ - auth.conf
+ - name: proxy-nginx-static
+ files:
+ - tekton-results.conf
+ - tekton-results-workspaces.conf
+ - kubearchive.conf
diff --git a/components/konflux-ui/production/base/proxy/nginx.conf b/components/konflux-ui/production/base/proxy/nginx.conf
index 10015d2a8f5..e322a0859ed 100644
--- a/components/konflux-ui/production/base/proxy/nginx.conf
+++ b/components/konflux-ui/production/base/proxy/nginx.conf
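Review bot: The `proxy_set_header Impersonate-User $user;` line in auth.conf depends on `$upstream_http_x_auth_request_email` always being populated, and nothing in the file records that assumption. nginx does not forward a `proxy_set_header` field whose value is an empty string, so a 2xx answer from `/oauth2/auth` without that header would send the request upstream with the proxy's bearer token and no `Impersonate-User`; how each backend treats that case is not visible in this diff. Impersonation is now unconditional rather than gated on `IMPERSONATE`, so I would add a comment above the directive such as `# $user must be non-empty: nginx drops an empty Impersonate-User and the request would carry only the proxy's own token`, and confirm the auth endpoint cannot return 2xx without an email.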
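Review bot: The `proxy_pass https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081;` line in this location has no `proxy_ssl_verify` or `proxy_ssl_trusted_certificate` beside it, and nginx does not verify upstream certificates unless told to. Every request through this block carries the bearer token from auth.conf, so an unverified upstream is the place where that token could be handed to the wrong peer. If nginx.conf does not already set these at `http` level (not visible in this diff), add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path to service CA bundle>;` here. The same applies to the `proxy_pass` in the new tekton-results.conf.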
@@ -139,24 +139,7 @@ http { include /mnt/nginx-generated-config/auth.conf; } - # Deprecated - location /api/k8s/plugins/tekton-results/workspaces/ { - auth_request /oauth2/auth; - - rewrite /api/k8s/plugins/tekton-results/workspaces/.+?/(.+) /$1 break; - proxy_read_timeout 30m; - include /mnt/nginx-generated-config/tekton-results.conf; - include /mnt/nginx-generated-config/auth.conf; - } - location /api/k8s/plugins/tekton-results/ { - auth_request /oauth2/auth; - - rewrite /api/k8s/plugins/tekton-results/(.+) /$1 break; - proxy_read_timeout 30m; - include /mnt/nginx-generated-config/tekton-results.conf; - include /mnt/nginx-generated-config/auth.conf; - } # GET requests to /api/k8s/api/v1/namespaces and /api/k8s/api/v1/namespaces/ # are handled from the namespace-lister. @@ -200,6 +183,5 @@ http { } include /mnt/nginx-additional-location-configs/*.conf; - include /mnt/nginx-generated-config/kubearchive.conf; } } diff --git a/components/konflux-ui/production/base/proxy/proxy.yaml b/components/konflux-ui/production/base/proxy/proxy.yaml index 43b2cb0ddf4..e434566bfb9 100644 --- a/components/konflux-ui/production/base/proxy/proxy.yaml +++ b/components/konflux-ui/production/base/proxy/proxy.yaml 
@@ -54,48 +54,23 @@ spec: memory: 64Mi - name: generate-nginx-configs image: registry.access.redhat.com/ubi9/ubi@sha256:66233eebd72bb5baa25190d4f55e1dc3fff3a9b77186c1f91a0abdb274452072 - envFrom: - - configMapRef: - name: proxy-init-config command: - sh - -c - | set -e - auth_conf=/mnt/nginx-generated-config/auth.conf - - if [[ "$IMPERSONATE" == "true" ]]; then - token=$(cat /mnt/api-token/token) - echo 'auth_request_set $user $upstream_http_x_auth_request_email;' > "$auth_conf" - echo 'proxy_set_header Impersonate-User $user;' >> "$auth_conf" - echo 'proxy_set_header Impersonate-Group system:authenticated;' >> "$auth_conf" - echo "proxy_set_header Authorization \"Bearer $token\";" >> "$auth_conf" - else - echo "# impersonation was disabled by config" > "$auth_conf" - fi + # Generate auth.conf with bearer token replacement + token=$(cat /mnt/api-token/token) + sed "s/__BEARER_TOKEN__/$token/g" /mnt/nginx-templates/auth.conf > /mnt/nginx-generated-config/auth.conf - chmod 640 "$auth_conf" - - echo \ - "proxy_pass ${TEKTON_RESULTS_URL:?tekton results url must be provided};" \ - > /mnt/nginx-generated-config/tekton-results.conf - - if [[ "$KUBEARCHIVE_URL" != "" ]]; then - echo "location /api/k8s/plugins/kubearchive/ {" > /mnt/nginx-generated-config/kubearchive.conf - echo "auth_request /oauth2/auth;" >> /mnt/nginx-generated-config/kubearchive.conf - echo "rewrite /api/k8s/plugins/kubearchive/(.+) /\$1 break;" >> /mnt/nginx-generated-config/kubearchive.conf - echo "proxy_read_timeout 30m;" >> /mnt/nginx-generated-config/kubearchive.conf - echo "proxy_pass ${KUBEARCHIVE_URL};" >> /mnt/nginx-generated-config/kubearchive.conf - echo "include /mnt/nginx-generated-config/auth.conf;" >> /mnt/nginx-generated-config/kubearchive.conf - echo "}" >> /mnt/nginx-generated-config/kubearchive.conf - else - echo "# KubeArchive disabled by config" > /mnt/nginx-generated-config/kubearchive.conf - fi + chmod 640 /mnt/nginx-generated-config/auth.conf volumeMounts: - name: 
nginx-generated-config mountPath: /mnt/nginx-generated-config + - name: nginx-templates + mountPath: /mnt/nginx-templates - name: api-token mountPath: /mnt/api-token securityContext: @@ -167,6 +142,8 @@ spec: mountPath: /mnt - name: nginx-generated-config mountPath: /mnt/nginx-generated-config + - name: nginx-static + mountPath: /mnt/nginx-additional-location-configs - name: static-content mountPath: /opt/app-root/src/static-content securityContext: @@ -228,6 +205,14 @@ spec: - key: nginx.conf path: nginx.conf name: proxy + - configMap: + defaultMode: 420 + name: proxy-nginx-templates + name: nginx-templates + - configMap: + defaultMode: 420 + name: proxy-nginx-static + name: nginx-static - name: logs emptyDir: {} - name: nginx-tmp diff --git a/components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf b/components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf new file mode 100644 index 00000000000..51a9783f980 --- /dev/null +++ b/components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf @@ -0,0 +1,9 @@ +# Deprecated +location /api/k8s/plugins/tekton-results/workspaces/ { + auth_request /oauth2/auth; + + rewrite /api/k8s/plugins/tekton-results/workspaces/.+?/(.+) /$1 break; + proxy_read_timeout 30m; + include /mnt/nginx-generated-config/tekton-results.conf; + include /mnt/nginx-generated-config/auth.conf; +} diff --git a/components/konflux-ui/production/base/proxy/tekton-results.conf b/components/konflux-ui/production/base/proxy/tekton-results.conf new file mode 100644 index 00000000000..b6fc7cd5921 --- /dev/null +++ b/components/konflux-ui/production/base/proxy/tekton-results.conf @@ -0,0 +1,8 @@ +location /api/k8s/plugins/tekton-results/ { + auth_request /oauth2/auth; + + rewrite /api/k8s/plugins/tekton-results/(.+) /$1 break; + proxy_read_timeout 30m; + proxy_pass https://tekton-results-api-service.tekton-results.svc.cluster.local:8080; + include /mnt/nginx-generated-config/auth.conf; +} 
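Review bot: The generated auth.conf is created under the shell's default umask and only tightened by the later `chmod 640`, and the token is spliced into the `sed` program unescaped and unchecked. Putting `umask 027` before the `sed` line closes the window in which the file holding the bearer token may be more widely readable. An empty token file would silently produce `Bearer ` with no credential, so I would add `[ -n "$token" ] || { echo "empty API token" >&2; exit 1; }` after the `cat`. Service-account JWTs should not contain `/`, `&` or `\`, but any token that did would break or alter the substitution, and the token now also appears in sed's argument list, which the previous `echo` builtin avoided. The container spec continues outside the hunk.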
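Review bot: The `include /mnt/nginx-generated-config/tekton-results.conf;` line in this location points at a file the init container no longer writes, because the proxy.yaml change in this commit drops the `TEKTON_RESULTS_URL` step and generates only auth.conf. A non-glob `include` of a missing file is a fatal error when nginx loads its configuration, so unless something outside this diff still creates that file the proxy will not start. Replace the include with the upstream directive itself, as the new tekton-results.conf does: `proxy_pass https://tekton-results-api-service.tekton-results.svc.cluster.local:8080;`.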
diff --git a/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml b/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml index b2d48e1284f..a927dc3b6f9 100644 --- a/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml +++ b/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml @@ -9,11 +9,6 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 - - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-osp-p01/kubearchive.conf b/components/konflux-ui/production/kflux-osp-p01/kubearchive.conf new file mode 100644 index 00000000000..3816bfef13d --- /dev/null +++ b/components/konflux-ui/production/kflux-osp-p01/kubearchive.conf @@ -0,0 +1 @@ +# KubeArchive disabled by config diff --git a/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml b/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml index e41f5b8e617..eff1e630bd4 100644 --- a/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml +++ b/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml @@ -8,10 +8,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - name: proxy-nginx-static + files: + - kubearchive.conf + behavior: merge patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf b/components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf new file mode 100644 index 00000000000..3816bfef13d --- /dev/null +++ b/components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf 
@@ -0,0 +1 @@ +# KubeArchive disabled by config diff --git a/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml b/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml index e06b50961f3..0a3d368d374 100644 --- a/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml +++ b/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml @@ -9,10 +9,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - name: proxy-nginx-static + files: + - kubearchive.conf + behavior: merge patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml b/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml index b3f99b9f9a4..68c263f83d6 100644 --- a/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml +++ b/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml @@ -8,11 +8,6 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 - - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml b/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml index b3f99b9f9a4..68c263f83d6 100644 --- a/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml +++ b/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml 
@@ -8,11 +8,6 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 - - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/stone-prd-rh01/kubearchive.conf b/components/konflux-ui/production/stone-prd-rh01/kubearchive.conf new file mode 100644 index 00000000000..3816bfef13d --- /dev/null +++ b/components/konflux-ui/production/stone-prd-rh01/kubearchive.conf @@ -0,0 +1 @@ +# KubeArchive disabled by config diff --git a/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml b/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml index d48d8e17972..0f8ea96b539 100644 --- a/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml +++ b/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml @@ -9,10 +9,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - name: proxy-nginx-static + files: + - kubearchive.conf + behavior: merge patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/stone-prod-p01/kubearchive.conf b/components/konflux-ui/production/stone-prod-p01/kubearchive.conf new file mode 100644 index 00000000000..3816bfef13d --- /dev/null +++ b/components/konflux-ui/production/stone-prod-p01/kubearchive.conf @@ -0,0 +1 @@ +# KubeArchive disabled by config diff --git a/components/konflux-ui/production/stone-prod-p01/kustomization.yaml b/components/konflux-ui/production/stone-prod-p01/kustomization.yaml index e06b50961f3..0a3d368d374 100644 --- a/components/konflux-ui/production/stone-prod-p01/kustomization.yaml 
+++ b/components/konflux-ui/production/stone-prod-p01/kustomization.yaml @@ -9,10 +9,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - name: proxy-nginx-static + files: + - kubearchive.conf + behavior: merge patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/stone-prod-p02/kustomization.yaml b/components/konflux-ui/production/stone-prod-p02/kustomization.yaml index 131e9aa8798..4e2a7843e47 100644 --- a/components/konflux-ui/production/stone-prod-p02/kustomization.yaml +++ b/components/konflux-ui/production/stone-prod-p02/kustomization.yaml @@ -9,11 +9,6 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-init-config - literals: - - IMPERSONATE=true - - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 - - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml