From f4b70a4d875e93477d402b7bf1e3f5c5e5a4f831 Mon Sep 17 00:00:00 2001 From: Joao Pedro Poloni Ponce Date: Mon, 18 Aug 2025 15:48:19 -0300 Subject: [PATCH] Revert "Refactor nginx config in prod (#7417)" This reverts commit 381ffce6c06b1f7cffb7cefb4b4de460f7f71c9c. --- .../production/base/proxy/auth.conf | 5 -- .../production/base/proxy/kubearchive.conf | 7 --- .../production/base/proxy/kustomization.yaml | 8 ---- .../production/base/proxy/nginx.conf | 18 +++++++ .../production/base/proxy/proxy.yaml | 47 ++++++++++++------- .../base/proxy/tekton-results-workspaces.conf | 9 ---- .../production/base/proxy/tekton-results.conf | 8 ---- .../kflux-ocp-p01/kustomization.yaml | 5 ++ .../production/kflux-osp-p01/kubearchive.conf | 1 - .../kflux-osp-p01/kustomization.yaml | 8 ++-- .../kflux-prd-rh02/kubearchive.conf | 1 - .../kflux-prd-rh02/kustomization.yaml | 8 ++-- .../kflux-prd-rh03/kustomization.yaml | 5 ++ .../kflux-rhel-p01/kustomization.yaml | 5 ++ .../stone-prd-rh01/kubearchive.conf | 1 - .../stone-prd-rh01/kustomization.yaml | 8 ++-- .../stone-prod-p01/kubearchive.conf | 1 - .../stone-prod-p01/kustomization.yaml | 8 ++-- .../stone-prod-p02/kustomization.yaml | 5 ++ 19 files changed, 85 insertions(+), 73 deletions(-) delete mode 100644 components/konflux-ui/production/base/proxy/auth.conf delete mode 100644 components/konflux-ui/production/base/proxy/kubearchive.conf delete mode 100644 components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf delete mode 100644 components/konflux-ui/production/base/proxy/tekton-results.conf delete mode 100644 components/konflux-ui/production/kflux-osp-p01/kubearchive.conf delete mode 100644 components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf delete mode 100644 components/konflux-ui/production/stone-prd-rh01/kubearchive.conf delete mode 100644 components/konflux-ui/production/stone-prod-p01/kubearchive.conf 
diff --git a/components/konflux-ui/production/base/proxy/auth.conf b/components/konflux-ui/production/base/proxy/auth.conf deleted file mode 100644 index 6b5cad3adaf..00000000000 --- a/components/konflux-ui/production/base/proxy/auth.conf +++ /dev/null @@ -1,5 +0,0 @@ -# Auth configuration with impersonation enabled -auth_request_set $user $upstream_http_x_auth_request_email; -proxy_set_header Impersonate-User $user; -proxy_set_header Impersonate-Group system:authenticated; -proxy_set_header Authorization "Bearer __BEARER_TOKEN__"; diff --git a/components/konflux-ui/production/base/proxy/kubearchive.conf b/components/konflux-ui/production/base/proxy/kubearchive.conf deleted file mode 100644 index d87f2dbf983..00000000000 --- a/components/konflux-ui/production/base/proxy/kubearchive.conf +++ /dev/null @@ -1,7 +0,0 @@ -location /api/k8s/plugins/kubearchive/ { - auth_request /oauth2/auth; - rewrite /api/k8s/plugins/kubearchive/(.+) /$1 break; - proxy_read_timeout 30m; - proxy_pass https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081; - include /mnt/nginx-generated-config/auth.conf; -} diff --git a/components/konflux-ui/production/base/proxy/kustomization.yaml b/components/konflux-ui/production/base/proxy/kustomization.yaml index 002b37864d0..526e2783a38 100644 --- a/components/konflux-ui/production/base/proxy/kustomization.yaml +++ b/components/konflux-ui/production/base/proxy/kustomization.yaml @@ -7,11 +7,3 @@ configMapGenerator: - name: proxy files: - nginx.conf - - name: proxy-nginx-templates - files: - - auth.conf - - name: proxy-nginx-static - files: - - tekton-results.conf - - tekton-results-workspaces.conf - - kubearchive.conf diff --git a/components/konflux-ui/production/base/proxy/nginx.conf b/components/konflux-ui/production/base/proxy/nginx.conf index e322a0859ed..10015d2a8f5 100644 --- a/components/konflux-ui/production/base/proxy/nginx.conf +++ b/components/konflux-ui/production/base/proxy/nginx.conf 
@@ -139,7 +139,24 @@ http { include /mnt/nginx-generated-config/auth.conf; } + # Deprecated + location /api/k8s/plugins/tekton-results/workspaces/ { + auth_request /oauth2/auth; + + rewrite /api/k8s/plugins/tekton-results/workspaces/.+?/(.+) /$1 break; + proxy_read_timeout 30m; + include /mnt/nginx-generated-config/tekton-results.conf; + include /mnt/nginx-generated-config/auth.conf; + } + location /api/k8s/plugins/tekton-results/ { + auth_request /oauth2/auth; + + rewrite /api/k8s/plugins/tekton-results/(.+) /$1 break; + proxy_read_timeout 30m; + include /mnt/nginx-generated-config/tekton-results.conf; + include /mnt/nginx-generated-config/auth.conf; + } # GET requests to /api/k8s/api/v1/namespaces and /api/k8s/api/v1/namespaces/ # are handled from the namespace-lister. @@ -183,5 +200,6 @@ http { } include /mnt/nginx-additional-location-configs/*.conf; + include /mnt/nginx-generated-config/kubearchive.conf; } } diff --git a/components/konflux-ui/production/base/proxy/proxy.yaml b/components/konflux-ui/production/base/proxy/proxy.yaml index e434566bfb9..43b2cb0ddf4 100644 --- a/components/konflux-ui/production/base/proxy/proxy.yaml +++ b/components/konflux-ui/production/base/proxy/proxy.yaml 
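Review bot: The two restored `tekton-results` locations in nginx.conf have no visible `proxy_pass`, and nothing in the file says that the upstream and the credential headers come from `tekton-results.conf` and `auth.conf` under `/mnt/nginx-generated-config`, which are written at pod start. A comment above the first block, for example `# proxy_pass and auth headers are written by the generate-nginx-configs container (see proxy.yaml)`, would tell an auditor where to look for the identity these routes forward. The `# Deprecated` marker on the workspaces location would be more useful if it stated the condition for removing it. The unconditional `include /mnt/nginx-generated-config/kubearchive.conf;` in the second hunk deserves the same kind of comment, since a non-glob include must exist for nginx to start even when KubeArchive is disabled.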
@@ -54,23 +54,48 @@ spec: memory: 64Mi - name: generate-nginx-configs image: registry.access.redhat.com/ubi9/ubi@sha256:66233eebd72bb5baa25190d4f55e1dc3fff3a9b77186c1f91a0abdb274452072 + envFrom: + - configMapRef: + name: proxy-init-config command: - sh - -c - | set -e - # Generate auth.conf with bearer token replacement - token=$(cat /mnt/api-token/token) - sed "s/__BEARER_TOKEN__/$token/g" /mnt/nginx-templates/auth.conf > /mnt/nginx-generated-config/auth.conf + auth_conf=/mnt/nginx-generated-config/auth.conf + + if [[ "$IMPERSONATE" == "true" ]]; then + token=$(cat /mnt/api-token/token) + echo 'auth_request_set $user $upstream_http_x_auth_request_email;' > "$auth_conf" + echo 'proxy_set_header Impersonate-User $user;' >> "$auth_conf" + echo 'proxy_set_header Impersonate-Group system:authenticated;' >> "$auth_conf" + echo "proxy_set_header Authorization \"Bearer $token\";" >> "$auth_conf" + else + echo "# impersonation was disabled by config" > "$auth_conf" + fi - chmod 640 /mnt/nginx-generated-config/auth.conf + chmod 640 "$auth_conf" + + echo \ + "proxy_pass ${TEKTON_RESULTS_URL:?tekton results url must be provided};" \ + > /mnt/nginx-generated-config/tekton-results.conf + + if [[ "$KUBEARCHIVE_URL" != "" ]]; then + echo "location /api/k8s/plugins/kubearchive/ {" > /mnt/nginx-generated-config/kubearchive.conf + echo "auth_request /oauth2/auth;" >> /mnt/nginx-generated-config/kubearchive.conf + echo "rewrite /api/k8s/plugins/kubearchive/(.+) /\$1 break;" >> /mnt/nginx-generated-config/kubearchive.conf + echo "proxy_read_timeout 30m;" >> /mnt/nginx-generated-config/kubearchive.conf + echo "proxy_pass ${KUBEARCHIVE_URL};" >> /mnt/nginx-generated-config/kubearchive.conf + echo "include /mnt/nginx-generated-config/auth.conf;" >> /mnt/nginx-generated-config/kubearchive.conf + echo "}" >> /mnt/nginx-generated-config/kubearchive.conf + else + echo "# KubeArchive disabled by config" > /mnt/nginx-generated-config/kubearchive.conf + fi volumeMounts: - name: 
nginx-generated-config mountPath: /mnt/nginx-generated-config - - name: nginx-templates - mountPath: /mnt/nginx-templates - name: api-token mountPath: /mnt/api-token securityContext: @@ -142,8 +167,6 @@ spec: mountPath: /mnt - name: nginx-generated-config mountPath: /mnt/nginx-generated-config - - name: nginx-static - mountPath: /mnt/nginx-additional-location-configs - name: static-content mountPath: /opt/app-root/src/static-content securityContext: @@ -205,14 +228,6 @@ spec: - key: nginx.conf path: nginx.conf name: proxy - - configMap: - defaultMode: 420 - name: proxy-nginx-templates - name: nginx-templates - - configMap: - defaultMode: 420 - name: proxy-nginx-static - name: nginx-static - name: logs emptyDir: {} - name: nginx-tmp diff --git a/components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf b/components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf deleted file mode 100644 index 51a9783f980..00000000000 --- a/components/konflux-ui/production/base/proxy/tekton-results-workspaces.conf +++ /dev/null @@ -1,9 +0,0 @@ -# Deprecated -location /api/k8s/plugins/tekton-results/workspaces/ { - auth_request /oauth2/auth; - - rewrite /api/k8s/plugins/tekton-results/workspaces/.+?/(.+) /$1 break; - proxy_read_timeout 30m; - include /mnt/nginx-generated-config/tekton-results.conf; - include /mnt/nginx-generated-config/auth.conf; -} diff --git a/components/konflux-ui/production/base/proxy/tekton-results.conf b/components/konflux-ui/production/base/proxy/tekton-results.conf deleted file mode 100644 index b6fc7cd5921..00000000000 --- a/components/konflux-ui/production/base/proxy/tekton-results.conf +++ /dev/null @@ -1,8 +0,0 @@ -location /api/k8s/plugins/tekton-results/ { - auth_request /oauth2/auth; - - rewrite /api/k8s/plugins/tekton-results/(.+) /$1 break; - proxy_read_timeout 30m; - proxy_pass https://tekton-results-api-service.tekton-results.svc.cluster.local:8080; - include /mnt/nginx-generated-config/auth.conf; -} 
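Review bot: In the `generate-nginx-configs` script in proxy.yaml, any `IMPERSONATE` value other than the exact string `true` (unset, `True`, a typo) silently takes the `else` branch and writes an `auth.conf` with no `Impersonate-*` or `Authorization` headers, so a misconfigured overlay changes the identity the proxy forwards without failing the pod. `TEKTON_RESULTS_URL` already fails closed through `:?`; the toggle could do the same with `: "${IMPERSONATE:?IMPERSONATE must be true or false}"` followed by a `case` that exits non-zero on anything but `true` or `false`. Separately, `auth.conf` is created by the first `echo >` under the default umask and only narrowed by `chmod 640` after the bearer token has been appended; the exposure is small in a start-up container, and a `umask 027` right after `set -e` closes it. The hunk ends inside `volumeMounts`, so the volume behind `/mnt/api-token` is not visible here; if it is a rotating projected token, the copy written into `auth.conf` at pod start would go stale, which is worth confirming.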
diff --git a/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml b/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml index a927dc3b6f9..b2d48e1284f 100644 --- a/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml +++ b/components/konflux-ui/production/kflux-ocp-p01/kustomization.yaml @@ -9,6 +9,11 @@ configMapGenerator: - name: dex files: - dex-config.yaml + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-osp-p01/kubearchive.conf b/components/konflux-ui/production/kflux-osp-p01/kubearchive.conf deleted file mode 100644 index 3816bfef13d..00000000000 --- a/components/konflux-ui/production/kflux-osp-p01/kubearchive.conf +++ /dev/null @@ -1 +0,0 @@ -# KubeArchive disabled by config diff --git a/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml b/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml index eff1e630bd4..e41f5b8e617 100644 --- a/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml +++ b/components/konflux-ui/production/kflux-osp-p01/kustomization.yaml @@ -8,10 +8,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-nginx-static - files: - - kubearchive.conf - behavior: merge + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf b/components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf deleted file mode 100644 index 3816bfef13d..00000000000 
--- a/components/konflux-ui/production/kflux-prd-rh02/kubearchive.conf +++ /dev/null @@ -1 +0,0 @@ -# KubeArchive disabled by config diff --git a/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml b/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml index 0a3d368d374..e06b50961f3 100644 --- a/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml +++ b/components/konflux-ui/production/kflux-prd-rh02/kustomization.yaml @@ -9,10 +9,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-nginx-static - files: - - kubearchive.conf - behavior: merge + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml b/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml index 68c263f83d6..b3f99b9f9a4 100644 --- a/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml +++ b/components/konflux-ui/production/kflux-prd-rh03/kustomization.yaml @@ -8,6 +8,11 @@ configMapGenerator: - name: dex files: - dex-config.yaml + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml b/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml index 68c263f83d6..b3f99b9f9a4 100644 --- a/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml +++ b/components/konflux-ui/production/kflux-rhel-p01/kustomization.yaml 
@@ -8,6 +8,11 @@ configMapGenerator: - name: dex files: - dex-config.yaml + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/stone-prd-rh01/kubearchive.conf b/components/konflux-ui/production/stone-prd-rh01/kubearchive.conf deleted file mode 100644 index 3816bfef13d..00000000000 --- a/components/konflux-ui/production/stone-prd-rh01/kubearchive.conf +++ /dev/null @@ -1 +0,0 @@ -# KubeArchive disabled by config diff --git a/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml b/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml index 0f8ea96b539..d48d8e17972 100644 --- a/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml +++ b/components/konflux-ui/production/stone-prd-rh01/kustomization.yaml @@ -9,10 +9,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-nginx-static - files: - - kubearchive.conf - behavior: merge + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/stone-prod-p01/kubearchive.conf b/components/konflux-ui/production/stone-prod-p01/kubearchive.conf deleted file mode 100644 index 3816bfef13d..00000000000 --- a/components/konflux-ui/production/stone-prod-p01/kubearchive.conf +++ /dev/null @@ -1 +0,0 @@ -# KubeArchive disabled by config diff --git a/components/konflux-ui/production/stone-prod-p01/kustomization.yaml b/components/konflux-ui/production/stone-prod-p01/kustomization.yaml index 0a3d368d374..e06b50961f3 100644 --- a/components/konflux-ui/production/stone-prod-p01/kustomization.yaml 
+++ b/components/konflux-ui/production/stone-prod-p01/kustomization.yaml @@ -9,10 +9,10 @@ configMapGenerator: - name: dex files: - dex-config.yaml - - name: proxy-nginx-static - files: - - kubearchive.conf - behavior: merge + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 patches: - path: add-service-certs-patch.yaml diff --git a/components/konflux-ui/production/stone-prod-p02/kustomization.yaml b/components/konflux-ui/production/stone-prod-p02/kustomization.yaml index 4e2a7843e47..131e9aa8798 100644 --- a/components/konflux-ui/production/stone-prod-p02/kustomization.yaml +++ b/components/konflux-ui/production/stone-prod-p02/kustomization.yaml @@ -9,6 +9,11 @@ configMapGenerator: - name: dex files: - dex-config.yaml + - name: proxy-init-config + literals: + - IMPERSONATE=true + - TEKTON_RESULTS_URL=https://tekton-results-api-service.tekton-results.svc.cluster.local:8080 + - KUBEARCHIVE_URL=https://kubearchive-api-server.product-kubearchive.svc.cluster.local:8081 patches: - path: add-service-certs-patch.yaml