feat: migrate to opala (MAPCO-7171)

.release-please-manifest.json

@@ -1,3 +1 @@
-{
-  ".": "2.1.7"
-}
+{ ".": "2.1.7" }

helm/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: nginx
+  repository: oci://acrarolibotnonprod.azurecr.io/helm/common
+  version: 2.1.0
+digest: sha256:18e8ad9d643309745bcdd30df03b0e01ec004d295ce2d5a7a81fc8c40e0e9206
+generated: "2025-09-02T12:36:32.560619638+03:00"

helm/Chart.yaml

@@ -4,3 +4,7 @@ description: Helm chart for heights service
 type: application
 version: 2.1.7
 appVersion: 2.1.7
+dependencies:
+  - name: nginx
+    version: 2.1.0
+    repository: oci://acrarolibotnonprod.azurecr.io/helm/common

helm/config/default.conf

@@ -1,5 +1,12 @@
 
 {{- $serviceName := include "service.fullname" . -}}
+{{- $opalaEnabled := .Values.nginx.authorization.enabled }}
+{{- $accessControlMaxAge := .Values.nginx.nginx.maxAge }}
+
+split_clients "$otel_trace_id" $ratio_sampler {
+              {{ .Values.nginx.opentelemetry.ratio }}%              on;
+              *                off;
+}
 
 upstream heights {
     server {{ $serviceName }}:{{ .Values.env.port }};
@@ -38,6 +45,8 @@ server {
     }
 
     location / {
+        {{ include "heightsNginx.otelTrace" . | nindent 8 }}
+
         if ($request_method = 'OPTIONS') {
             add_header 'Access-Control-Allow-Origin' '*';
             add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
@@ -48,7 +57,7 @@ server {
             #
             # Tell client that this pre-flight info is valid for 20 days
             #
-            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Access-Control-Max-Age' {{ $accessControlMaxAge }};
             add_header 'Content-Type' 'text/plain charset=UTF-8';
             add_header 'Content-Length' 0;
             return 204;
@@ -58,12 +67,37 @@ server {
             add_header 'Access-Control-Allow-Origin' '*' always;
             add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS' always;
             add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
+            add_header 'Access-Control-Max-Age' {{ $accessControlMaxAge }};
         }
 
         proxy_hide_header Set-Cookie;  # ensures the header will not be passed back to the client
         proxy_ignore_headers Set-Cookie;  # ensures that the header will not automatically disable caching within nginx
         proxy_set_header  Cookie ""; # ensures that a client cannot pass any prior cookies to the webapp and spoil your cache
-        proxy_set_header  X-Client-Id $jwt_payload_sub;
+
+        set $original_method $request_method;
+        set $original_args $args;
+
+        {{- if $opalaEnabled }}
+        set $domain {{ .Values.nginx.authorization.domain }};
+        auth_request /_validate_jwt;
+
+        otel_span_attr opa.result $opa_result;
+        otel_span_attr opa.reason $opa_reason;
+        {{ end }}
+
         proxy_pass        http://heights;
     }
+
+    {{- if $opalaEnabled }}
+    location = /_validate_jwt {
+      internal;
+      js_content auth.opaAuth;
+    }
+
+    location = /opa {
+      internal;
+      proxy_set_header Content-Type application/json;
+      proxy_pass {{ .Values.nginx.authorization.url }};
+    }    
+    {{ end }}
 }

helm/config/log_format.conf

@@ -2,7 +2,7 @@ map $msec $nanosec {
     ~(.*)\.(.*) $1$2000000;
 }
 
-log_format main escape=json 
+log_format json escape=json 
 '{'
     '"Timestamp":"$nanosec",'
     '"Attributes":{'
@@ -35,8 +35,8 @@ log_format main escape=json
         '"service.name":"{{ .Values.image.repository }}",'
         '"service.version":"{{ .Values.image.tag }}"'
     '},'
-    #'"TraceId":"$opentelemetry_trace_id",' ## this is a byte sequence (hex-encoded in JSON)
-    #'"SpanId":"$opentelemetry_span_id",'
+    '"TraceId":"$otel_trace_id",' ## this is a byte sequence (hex-encoded in JSON)
+    '"SpanId":"$otel_span_id",'
     '"SeverityText":"INFO",'
     '"SeverityNumber":"9",'
     '"InstrumentationScope":"access.log",'

helm/config/nginx.conf

@@ -1,23 +1,34 @@
 #user  nginx;
+load_module modules/ngx_http_js_module.so;
+load_module modules/ngx_otel_module.so;
 worker_processes 4;
 
-error_log  /var/log/nginx/error.log notice;
-pid        /var/run/nginx.pid;
-load_module modules/ngx_http_js_module.so;
+error_log  /var/log/nginx/error.log warn;
+pid        /tmp/nginx.pid;
 
 events {
     worker_connections  1024;
 }
 
 http {
+    otel_service_name {{ .Values.nginx.opentelemetry.serviceName }};
+    otel_exporter {
+        endpoint {{ .Values.nginx.opentelemetry.exporterHost }}:{{ .Values.nginx.opentelemetry.exporterPort }};
+    }
+
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    js_import main from /etc/nginx/jwt.js;
-    js_set $jwt_payload_sub main.jwt_payload_sub;
-    include /etc/nginx/log_format.conf;
+    {{ if .Values.nginx.authorization.enabled }}
+    js_import auth from /etc/nginx/auth.js;
+    js_set $jwt_payload_sub auth.jwtPayloadSub;
+
+    js_var $opa_result;
+    js_var $opa_reason;
+    {{ end }}
 
-    access_log  /var/log/nginx/access.log main;
+    include /etc/nginx/log_format.conf;
+    access_log  /var/log/nginx/access.log json;
 
     sendfile        on;
     #tcp_nopush     on;

helm/templates/_helpers.tpl

@@ -150,3 +150,16 @@ Returns metrics url from global if exists or from chart's values
     {{- .Values.env.metrics.url -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Generate OpenTelemetry trace configuration
+*/}}
+{{- define "heightsNginx.otelTrace" -}}
+{{- if eq .Values.nginx.opentelemetry.samplerMethod "AlwaysOn" -}}
+otel_trace on;
+{{- else if eq .Values.nginx.opentelemetry.samplerMethod "TraceIdRatioBased" -}}
+otel_trace $ratio_sampler;
+{{- else -}}
+otel_trace off;
+{{- end -}}
+{{- end -}}