From 03248a6011c9bce3612c900bf63b7f89044acfab Mon Sep 17 00:00:00 2001 From: shimoncohen Date: Sun, 5 Apr 2026 16:00:38 +0300 Subject: [PATCH 1/4] helm(nginx): update dependency version --- helm/Chart.lock | 6 +++--- helm/Chart.yaml | 2 +- helm/config/default.conf | 15 ++++++++------- helm/values.yaml | 1 - 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/helm/Chart.lock b/helm/Chart.lock index 344ccf1..22edf7f 100644 --- a/helm/Chart.lock +++ b/helm/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: nginx repository: oci://acrarolibotnonprod.azurecr.io/helm/common - version: 2.1.2 -digest: sha256:83c525d0b74b939863f38f4a6716d1e7a3b1b955433cda7ee0e36f1af473d798 -generated: "2026-03-30T12:20:07.932221448+03:00" + version: 2.1.3 +digest: sha256:9e8503f8abd4676dd6a914d7723c1d717b361b71820487f7187e4a8fbbc192fb +generated: "2026-04-05T15:57:53.98833129+03:00" diff --git a/helm/Chart.yaml b/helm/Chart.yaml index f30f670..16aabb0 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -6,5 +6,5 @@ version: 2.2.0 appVersion: 2.2.0 dependencies: - name: nginx - version: 2.1.2 + version: 2.1.3 repository: oci://acrarolibotnonprod.azurecr.io/helm/common diff --git a/helm/config/default.conf b/helm/config/default.conf index 84b96d5..810aae0 100644 --- a/helm/config/default.conf +++ b/helm/config/default.conf @@ -1,7 +1,6 @@ {{- $serviceName := include "service.fullname" . -}} {{- $opalaEnabled := .Values.nginx.authorization.enabled }} -{{- $accessControlMaxAge := .Values.nginx.nginx.maxAge }} split_clients "$otel_trace_id" $ratio_sampler { {{ .Values.nginx.opentelemetry.ratio }}% on; 
@@ -32,6 +31,8 @@ server { # client_header_buffer_size 5M; # large_client_header_buffers 4 12288; # 12K # fastcgi_read_timeout 300; + add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }}; + add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }}; # OpenShift route is configured to time out HTTP requests that are longer than 30 seconds: # route.yaml -> annotations: -> haproxy.router.openshift.io/timeout: 30s 
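Review bot: Both new server-level `add_header` lines fall back to `*`, so a release that sets neither `allowedOrigins` nor `allowedHeaders` ships an open CORS policy; the same fallback appears in the OPTIONS and POST blocks of the next hunk, where it replaces the explicit header list, and in `helm/config/location.conf` in PATCH 2/4. A wildcard `Access-Control-Allow-Headers` is ignored by browsers on credentialed requests and never covers `Authorization`, so an explicit list is the safer default. `squote` wraps the value in single quotes without escaping, so a value containing `'` would end the nginx string early; the template should reject such values, for example with `fail` when the value contains a quote, semicolon or newline. These two lines also lack `always`, and nginx does not inherit them into any block that declares its own `add_header`, so a comment should state which responses they are meant to cover. The `server` block starts and ends outside the hunk.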
@@ -48,26 +49,26 @@ server { {{ include "heightsNginx.otelTrace" . | nindent 8 }} if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }}; add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS'; # # Custom headers and headers various browsers *should* be OK with but aren't # - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }}; # # Tell client that this pre-flight info is valid for 20 days # - add_header 'Access-Control-Max-Age' {{ $accessControlMaxAge }}; + add_header 'Access-Control-Max-Age' {{ .Values.nginx.nginx.maxAge | default "86400" | squote }}; add_header 'Content-Type' 'text/plain charset=UTF-8'; add_header 'Content-Length' 0; return 204; } if ($request_method = 'POST') { - add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }} always; add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always; - add_header 'Access-Control-Max-Age' {{ $accessControlMaxAge }}; + add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }} always; + add_header 'Access-Control-Max-Age' {{ .Values.nginx.nginx.maxAge | default "3600" | squote }}; } proxy_hide_header Set-Cookie; # ensures the header will not be passed back to the client diff --git a/helm/values.yaml b/helm/values.yaml index bba45ad..2659b31 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
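Review bot: The fallback for `Access-Control-Max-Age` is `86400` in the OPTIONS block and `3600` in the POST block, while the comment above the first one still says the pre-flight result is valid for 20 days. That figure matches `maxAge: '1728000'` in values.yaml, not either default. Use one default in both places and make the comment agree with it, e.g. `# Pre-flight result may be cached for maxAge seconds (default 86400 = 1 day)`. The header only has meaning on the pre-flight response, so the POST copy, which also lacks `always`, could be dropped. The enclosing `location` block starts and ends outside the hunk.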
@@ -78,7 +78,6 @@ nginx: replicaCount: 1 image: repository: nginx - tag: latest port: 8080 targetPort: 80 nginx: From 486aa81cbe0c1e6456ff8038e1a8acb3dcfb22fa Mon Sep 17 00:00:00 2001 From: shimoncohen Date: Mon, 22 Jun 2026 17:17:07 +0300 Subject: [PATCH 2/4] helm(nginx): update dependency version --- helm/Chart.lock | 6 +++--- helm/Chart.yaml | 2 +- helm/config/location.conf | 10 ++++++++++ helm/templates/deployment.yaml | 1 + helm/templates/nginx-configmap.yaml | 2 +- helm/values.yaml | 28 ++++++++++++++++++---------- 6 files changed, 34 insertions(+), 15 deletions(-) create mode 100644 helm/config/location.conf diff --git a/helm/Chart.lock b/helm/Chart.lock index 22edf7f..dc5736d 100644 --- a/helm/Chart.lock +++ b/helm/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: nginx repository: oci://acrarolibotnonprod.azurecr.io/helm/common - version: 2.1.3 -digest: sha256:9e8503f8abd4676dd6a914d7723c1d717b361b71820487f7187e4a8fbbc192fb -generated: "2026-04-05T15:57:53.98833129+03:00" + version: 2.1.6 +digest: sha256:b7066446129a6686844dd1f9080495a4fafb7f8363ba895292596b0b3406c4ec +generated: "2026-06-22T13:11:00.791773316+03:00" diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 16aabb0..4d120d9 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -6,5 +6,5 @@ version: 2.2.0 appVersion: 2.2.0 dependencies: - name: nginx - version: 2.1.3 + version: 2.1.6 repository: oci://acrarolibotnonprod.azurecr.io/helm/common diff --git a/helm/config/location.conf b/helm/config/location.conf new file mode 100644 index 0000000..c8901a5 --- /dev/null +++ b/helm/config/location.conf 
@@ -0,0 +1,10 @@ +if ($request_method = 'POST') { + add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }} always; + add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }} always; + add_header 'Access-Control-Max-Age' {{ .Values.nginx.nginx.maxAge | default "3600" | squote }}; +} + +proxy_hide_header Set-Cookie; # ensures the header will not be passed back to the client +proxy_ignore_headers Set-Cookie; # ensures that the header will not automatically disable caching within nginx +proxy_set_header Cookie ""; # ensures that a client cannot pass any prior cookies to the webapp and spoil your cache \ No newline at end of file diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index 55868fd..89afad8 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml @@ -31,6 +31,7 @@ spec: app: {{ $chartName }} release: {{ $releaseName }} run: {{ $releaseName }}-{{ $chartName }} + mapcolonies.io/alloy-api-logs: 'true' {{- include "heights.selectorLabels" . | nindent 8 }} {{- if .Values.resetOnConfigChange }} annotations: diff --git a/helm/templates/nginx-configmap.yaml b/helm/templates/nginx-configmap.yaml index 66cab39..6d66437 100644 --- a/helm/templates/nginx-configmap.yaml +++ b/helm/templates/nginx-configmap.yaml @@ -10,5 +10,5 @@ metadata: environment: {{ include "heights.environment" . }} release: {{ .Release.Name }} data: - default.conf: {{ tpl (.Files.Get "config/default.conf") . | quote }} + location.conf: {{ tpl (.Files.Get "config/location.conf") . | quote }} {{- end }} diff --git a/helm/values.yaml b/helm/values.yaml index 2659b31..34dc6a9 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -24,7 +24,7 @@ caKey: ca.crt image: repository: dem-heights - tag: v1.0.2 + tag: '' accessToken: attributeName: token 
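Review bot: `location.conf` carries over only the POST block, so nothing in this file answers the `OPTIONS` pre-flight that `default.conf` returned 204 for. Unless the configuration shipped by the nginx 2.1.6 chart handles it (not visible here), pre-flight requests would be proxied to the backend, and the `'POST, OPTIONS'` advertised in `Access-Control-Allow-Methods` would be misleading. Either move the OPTIONS block into this file as well or add a comment naming where pre-flights are handled. The `Access-Control-Max-Age` line is the only header here without `always`, and the file ends without a trailing newline.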
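Review bot: `tag: ''` leaves the default image reference without a version, so what gets deployed depends on how the deployment template treats an empty tag, which is not visible in this hunk. If there is no fallback, fail the render rather than produce an untagged image, e.g. `{{ required "image.tag is required" .Values.image.tag }}` where the image string is built. A comment on the values line such as `# set by CI at release time; must be an immutable tag or digest` would make the expectation explicit.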
@@ -77,11 +77,19 @@ nginx: fullnameOverride: "dem-serving-heights-nginx" replicaCount: 1 image: - repository: nginx + repository: common/nginx port: 8080 targetPort: 80 + backend: + host: heights + port: 8080 nginx: maxAge: '1728000' # 20 days + extensions: + server: + fileName: 'server.conf' + location: + fileName: 'location.conf' authorization: enabled: true domain: dem @@ -91,14 +99,14 @@ nginx: co.elastic.logs/module: 'nginx' co.elastic.logs/fileset.stdout: 'access' co.elastic.logs/fileset.stderr: 'error' - extraVolumes: - - name: nginx-config - configMap: - name: "{{ .Release.Name }}-nginx-configmap" - extraVolumeMounts: - - name: nginx-config - mountPath: "/etc/nginx/conf.d/default.conf" - subPath: default.conf + # extraVolumes: + # - name: nginx-config + # configMap: + # name: "{{ .Release.Name }}-nginx-configmap" + # extraVolumeMounts: + # - name: nginx-config + # mountPath: "/etc/nginx/conf.d/default.conf" + # subPath: default.conf resources: enabled: true value: From 5643cff5b5db74cea308a7c4e2bf419c411ffc33 Mon Sep 17 00:00:00 2001 From: shimoncohen Date: Tue, 23 Jun 2026 17:04:25 +0300 Subject: [PATCH 3/4] helm(nginx): update dependency version --- helm/Chart.lock | 6 +++--- helm/Chart.yaml | 2 +- helm/values.yaml | 32 ++++++++++++++++++++------------ 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/helm/Chart.lock b/helm/Chart.lock index dc5736d..9ca0ca4 100644 --- a/helm/Chart.lock +++ b/helm/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: nginx repository: oci://acrarolibotnonprod.azurecr.io/helm/common - version: 2.1.6 -digest: sha256:b7066446129a6686844dd1f9080495a4fafb7f8363ba895292596b0b3406c4ec -generated: "2026-06-22T13:11:00.791773316+03:00" + version: 2.2.1 +digest: sha256:6f95133922a8a078f60abf1df94bb7dba8ed126ea5d1b1c41d223ef2f34e709b +generated: "2026-06-23T14:46:16.278212039+03:00" diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 4d120d9..7fef69c 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
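Review bot: `extensions.server.fileName: 'server.conf'` names a file this commit does not provide: only `helm/config/location.conf` is created, and `nginx-configmap.yaml` emits only the `location.conf` key. If the nginx subchart expects the parent chart to supply that file, the server extension would resolve to nothing; drop the `server` entry or add the file. In the next hunk of the same file the `extraVolumes`/`extraVolumeMounts` block is commented out rather than removed, which leaves the rendered ConfigMap with no visible mount; a one-line comment saying how `location.conf` reaches the container would help. The `nginx:` mapping continues outside both hunks.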
@@ -6,5 +6,5 @@ version: 2.2.0 appVersion: 2.2.0 dependencies: - name: nginx - version: 2.1.6 + version: 2.2.1 repository: oci://acrarolibotnonprod.azurecr.io/helm/common diff --git a/helm/values.yaml b/helm/values.yaml index 34dc6a9..9d6aa6e 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -23,7 +23,7 @@ caPath: /usr/local/share/ca-certificates caKey: ca.crt image: - repository: dem-heights + repository: dem/dem-heights tag: '' accessToken: @@ -78,6 +78,9 @@ nginx: replicaCount: 1 image: repository: common/nginx + mclabels: + environment: development + owner: dem port: 8080 targetPort: 80 backend: @@ -86,27 +89,32 @@ nginx: nginx: maxAge: '1728000' # 20 days extensions: - server: - fileName: 'server.conf' location: - fileName: 'location.conf' + enabled: true authorization: enabled: true domain: dem url: http://opa.service/v1/data/http/authz/decision + opentelemetry: + serviceName: nginx + samplerMethod: AlwaysOff + exporterPort: 4317 + ratio: 10 additionalPodAnnotations: co.elastic.logs/enabled: 'true' co.elastic.logs/module: 'nginx' co.elastic.logs/fileset.stdout: 'access' co.elastic.logs/fileset.stderr: 'error' - # extraVolumes: - # - name: nginx-config - # configMap: - # name: "{{ .Release.Name }}-nginx-configmap" - # extraVolumeMounts: - # - name: nginx-config - # mountPath: "/etc/nginx/conf.d/default.conf" - # subPath: default.conf + extraVolumes: + - name: nginx-config + configMap: + name: "{{ .Release.Name }}-nginx-configmap" + extraVolumeMounts: + - name: nginx-config + mountPath: "/etc/nginx/conf.d/extensions/location.conf" + subPath: location.conf + prometheusExporter: + enabled: true resources: enabled: true value: From 45d6a856918441299c56787a9e88a1fe3ce38b56 Mon Sep 17 00:00:00 2001 From: shimoncohen Date: Wed, 24 Jun 2026 15:02:48 +0300 Subject: [PATCH 4/4] helm: add nginx otel exporter host --- helm/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/helm/values.yaml b/helm/values.yaml index 9d6aa6e..16351a4 100644 
--- a/helm/values.yaml +++ b/helm/values.yaml @@ -98,6 +98,7 @@ nginx: opentelemetry: serviceName: nginx samplerMethod: AlwaysOff + exporterHost: otel-collector exporterPort: 4317 ratio: 10 additionalPodAnnotations: