MapColonies · shimoncohen · Apr 5, 2026 · Jun 22, 2026 · Jun 23, 2026 · Jun 24, 2026
diff --git a/helm/Chart.lock b/helm/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: nginx
   repository: oci://acrarolibotnonprod.azurecr.io/helm/common
-  version: 2.1.2
-digest: sha256:83c525d0b74b939863f38f4a6716d1e7a3b1b955433cda7ee0e36f1af473d798
-generated: "2026-03-30T12:20:07.932221448+03:00"
+  version: 2.2.1
+digest: sha256:6f95133922a8a078f60abf1df94bb7dba8ed126ea5d1b1c41d223ef2f34e709b
+generated: "2026-06-23T14:46:16.278212039+03:00"
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -6,5 +6,5 @@ version: 2.2.0
 appVersion: 2.2.0
 dependencies:
   - name: nginx
-    version: 2.1.2
+    version: 2.2.1
     repository: oci://acrarolibotnonprod.azurecr.io/helm/common
diff --git a/helm/config/default.conf b/helm/config/default.conf
@@ -1,7 +1,6 @@
 
 {{- $serviceName := include "service.fullname" . -}}
 {{- $opalaEnabled := .Values.nginx.authorization.enabled }}
-{{- $accessControlMaxAge := .Values.nginx.nginx.maxAge }}
 
 split_clients "$otel_trace_id" $ratio_sampler {
               {{ .Values.nginx.opentelemetry.ratio }}%              on;
@@ -32,6 +31,8 @@ server {
     # client_header_buffer_size   5M;
     # large_client_header_buffers 4 12288; # 12K
     # fastcgi_read_timeout        300;
+    add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }};
+    add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }};
 
     # OpenShift route is configured to time out HTTP requests that are longer than 30 seconds:
     # route.yaml -> annotations: -> haproxy.router.openshift.io/timeout: 30s
@@ -48,26 +49,26 @@ server {
         {{ include "heightsNginx.otelTrace" . | nindent 8 }}
 
         if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }};
             add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS';
             #
             # Custom headers and headers various browsers *should* be OK with but aren't
             #
-            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+            add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }};
             #
             # Tell client that this pre-flight info is valid for 20 days
             #
-            add_header 'Access-Control-Max-Age' {{ $accessControlMaxAge }};
+            add_header 'Access-Control-Max-Age' {{ .Values.nginx.nginx.maxAge | default "86400" | squote }};
             add_header 'Content-Type' 'text/plain charset=UTF-8';
             add_header 'Content-Length' 0;
             return 204;
         }
 
         if ($request_method = 'POST') {
-            add_header 'Access-Control-Allow-Origin' '*' always;
+            add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }} always;
             add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS' always;
-            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
-            add_header 'Access-Control-Max-Age' {{ $accessControlMaxAge }};
+            add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }} always;
+            add_header 'Access-Control-Max-Age' {{ .Values.nginx.nginx.maxAge | default "3600" | squote }};
         }
 
         proxy_hide_header Set-Cookie;  # ensures the header will not be passed back to the client

diff --git a/helm/config/location.conf b/helm/config/location.conf
@@ -0,0 +1,10 @@
+if ($request_method = 'POST') {
+    add_header 'Access-Control-Allow-Origin' {{ .Values.nginx.nginx.allowedOrigins | default "*" | squote }} always;
+    add_header 'Access-Control-Allow-Methods' 'POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' {{ .Values.nginx.nginx.allowedHeaders | default "*" | squote }} always;
+    add_header 'Access-Control-Max-Age' {{ .Values.nginx.nginx.maxAge | default "3600" | squote }};
+}
+
+proxy_hide_header Set-Cookie;  # ensures the header will not be passed back to the client
+proxy_ignore_headers Set-Cookie;  # ensures that the header will not automatically disable caching within nginx
+proxy_set_header  Cookie ""; # ensures that a client cannot pass any prior cookies to the webapp and spoil your cache
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -31,6 +31,7 @@ spec:
         app: {{ $chartName }}
         release: {{ $releaseName }}
         run: {{ $releaseName }}-{{ $chartName }}
+        mapcolonies.io/alloy-api-logs: 'true'
         {{- include "heights.selectorLabels" . | nindent 8 }}
       {{- if .Values.resetOnConfigChange }}
       annotations:

diff --git a/helm/templates/nginx-configmap.yaml b/helm/templates/nginx-configmap.yaml
@@ -10,5 +10,5 @@ metadata:
     environment: {{ include "heights.environment" . }}
     release: {{ .Release.Name }}
 data:
-  default.conf: {{ tpl (.Files.Get "config/default.conf") . | quote }}
+  location.conf: {{ tpl (.Files.Get "config/location.conf") . | quote }}
 {{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -23,8 +23,8 @@ caPath: /usr/local/share/ca-certificates
 caKey: ca.crt
 
 image:
-  repository: dem-heights
-  tag: v1.0.2
+  repository: dem/dem-heights
+  tag: ''
 
 accessToken: 
   attributeName: token
@@ -77,16 +77,30 @@ nginx:
   fullnameOverride: "dem-serving-heights-nginx"
   replicaCount: 1
   image:
-    repository: nginx
-    tag: latest
+    repository: common/nginx
+  mclabels:
+    environment: development
+    owner: dem
   port: 8080
   targetPort: 80
+  backend:
+    host: heights
+    port: 8080
   nginx:
     maxAge: '1728000' # 20 days
+    extensions:
+      location:
+        enabled: true
   authorization:
     enabled: true
     domain: dem
     url: http://opa.service/v1/data/http/authz/decision
+  opentelemetry:
+    serviceName: nginx
+    samplerMethod: AlwaysOff
+    exporterHost: otel-collector
+    exporterPort: 4317
+    ratio: 10
   additionalPodAnnotations:
     co.elastic.logs/enabled: 'true'
     co.elastic.logs/module: 'nginx'
@@ -98,8 +112,10 @@ nginx:
         name: "{{ .Release.Name }}-nginx-configmap"
   extraVolumeMounts:
     - name: nginx-config
-      mountPath: "/etc/nginx/conf.d/default.conf"
-      subPath: default.conf
+      mountPath: "/etc/nginx/conf.d/extensions/location.conf"
+      subPath: location.conf
+  prometheusExporter:
+    enabled: true
   resources:
     enabled: true
     value: