From c78715bd2c479d567946b57da73fae10287e7f96 Mon Sep 17 00:00:00 2001
From: Oussama Miladi <35038682+omiladi@users.noreply.github.com>
Date: Wed, 20 May 2026 10:41:07 +0200
Subject: [PATCH] fix: use bitnami image for strangler

---
 .github/workflows/job-lint.yml | 34 ++++++++++++++++-------
 apps/nginx-strangler/Dockerfile | 35 ++++--------------------
 apps/nginx-strangler/conf.d/routing.conf | 3 ++
 apps/nginx-strangler/entrypoint.sh | 11 ++++++++
 apps/nginx-strangler/nginx.conf | 28 -------------------
 5 files changed, 44 insertions(+), 67 deletions(-)
 create mode 100644 apps/nginx-strangler/entrypoint.sh
 delete mode 100644 apps/nginx-strangler/nginx.conf

diff --git a/.github/workflows/job-lint.yml b/.github/workflows/job-lint.yml
index bbbae077d6..f7d4d5cf22 100644
--- a/.github/workflows/job-lint.yml
+++ b/.github/workflows/job-lint.yml
@@ -61,18 +61,32 @@ jobs: sudo apt-get update -qq sudo apt-get install -y --no-install-recommends nginx gettext-base # Préparer un répertoire de test isolé avec la config substituée - mkdir -p /tmp/nginx-test/conf.d /tmp/nginx-test/logs + mkdir -p /tmp/nginx-test/server_blocks /tmp/nginx-test/logs envsubst '${LEGACY_UPSTREAM} ${NESTJS_UPSTREAM}' \ < apps/nginx-strangler/conf.d/routing.conf \ - > /tmp/nginx-test/conf.d/routing.conf - # Adapter nginx.conf pour l'environnement CI (user www-data, paths accessibles) - sed \ - -e 's|^user .*|user www-data;|' \ - -e 's|pid .*|pid /tmp/nginx-test/nginx.pid;|' \ - -e 's|error_log .*|error_log /tmp/nginx-test/logs/error.log notice;|' \ - -e 's|access_log .*|access_log /tmp/nginx-test/logs/access.log main;|' \ - -e 's|include /etc/nginx/conf\.d/\*\.conf|include /tmp/nginx-test/conf.d/*.conf|' \ - apps/nginx-strangler/nginx.conf > /tmp/nginx-test/nginx.conf + > /tmp/nginx-test/server_blocks/routing.conf + # Créer un nginx.conf minimal pour la validation + cat > /tmp/nginx-test/nginx.conf <<'EOF' + user www-data; + worker_processes auto; + pid /tmp/nginx-test/nginx.pid; + error_log /tmp/nginx-test/logs/error.log notice; + events { + worker_connections 1024; + } + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" ' + 'upstream=$upstream_addr rt=$request_time'; + access_log /tmp/nginx-test/logs/access.log main; + sendfile on; + keepalive_timeout 65; + include /tmp/nginx-test/server_blocks/*.conf; + } + EOF nginx -t -c /tmp/nginx-test/nginx.conf env: LEGACY_UPSTREAM: "127.0.0.1:8080" diff --git a/apps/nginx-strangler/Dockerfile b/apps/nginx-strangler/Dockerfile index 30e3447dad..66a1c1fd51 100644 --- a/apps/nginx-strangler/Dockerfile +++ b/apps/nginx-strangler/Dockerfile 
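Review bot: The hand-written `/tmp/nginx-test/nginx.conf` in this step is a stand-in for the main config that ships inside the Bitnami image, so `nginx -t` here only proves that `routing.conf` parses under the runner's Debian nginx package, not under the nginx build and `http` block the container actually loads. Differences between the two (include paths, log formats, module set) will not be caught by this job. I would say so above the heredoc, e.g. `# NOTE: stand-in for the image's nginx.conf; keep in sync, or run nginx -t inside the built image`, and consider validating inside the built image instead. The step's `run:` block starts above the hunk.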
@@ -1,36 +1,13 @@
-FROM nginx:1.27-alpine AS prod
+FROM docker.io/bitnamilegacy/nginx:1.29.1 AS prod

-# envsubst est inclus dans nginx:alpine via le paquet gettext
-# On supprime la config par défaut
-RUN rm /etc/nginx/conf.d/default.conf
-
-# Config principale
-COPY apps/nginx-strangler/nginx.conf /etc/nginx/nginx.conf
+USER 0

 # Template de routing (sera substitué au démarrage)
-COPY apps/nginx-strangler/conf.d/routing.conf /etc/nginx/templates/routing.conf.template
-
-# Donner à l'utilisateur nginx les droits d'écriture sur conf.d/ (pour envsubst au démarrage)
-# et sur les répertoires de logs/pid nécessaires en mode non-root
-RUN chown -R nginx:nginx \
- /etc/nginx/nginx.conf \
- /etc/nginx/conf.d \
- /etc/nginx/templates \
- /etc/nginx/mime.types \
- /var/cache/nginx \
- /var/log/nginx \
- && touch /var/run/nginx.pid \
- && chown nginx:nginx /var/run/nginx.pid
-
-USER nginx
+COPY --chown=1001:0 --chmod=660 apps/nginx-strangler/conf.d/routing.conf /opt/bitnami/nginx/conf/server_blocks/routing.conf.template

-HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
- CMD wget -qO- http://127.0.0.1:8080/health || exit 1
+# Script d'entrypoint pour substitution des variables
+COPY --chown=1001:0 --chmod=770 apps/nginx-strangler/entrypoint.sh /docker-entrypoint-initdb.d/load-routing.sh

-# Entrypoint : envsubst substitue les variables d'env dans les templates,
-# puis démarre nginx en foreground
-# Les variables substituées : LEGACY_UPSTREAM, NESTJS_UPSTREAM
-CMD ["/bin/sh", "-c", \
- "envsubst '${LEGACY_UPSTREAM} ${NESTJS_UPSTREAM}' < /etc/nginx/templates/routing.conf.template > /etc/nginx/conf.d/routing.conf && nginx -t && nginx -g 'daemon off;'"]
+USER 1001

 EXPOSE 8080
diff --git a/apps/nginx-strangler/conf.d/routing.conf b/apps/nginx-strangler/conf.d/routing.conf
index cbcf660691..1245ffdc4c 100644
--- a/apps/nginx-strangler/conf.d/routing.conf
+++ b/apps/nginx-strangler/conf.d/routing.conf
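Review bot: The new `FROM docker.io/bitnamilegacy/nginx:1.29.1 AS prod` line takes the base from the `bitnamilegacy` namespace, which Bitnami publishes as a frozen archive with no further updates, so nginx and OS package fixes will stop reaching this image; the tag is also not pinned by digest. I would move to a maintained base, or at least pin and document it: `FROM docker.io/bitnamilegacy/nginx:1.29.1@sha256:<digest-placeholder> AS prod` preceded by `# frozen upstream, no security updates; replacement tracked in <ticket-placeholder>`. The two `COPY` lines leave the template and the init script writable by the runtime user and group 0 (`--chmod=660`, `--chmod=770`) although one is only read and the other only run; `--chmod=440` and `--chmod=550` should be enough, assuming the image's init runs as UID 1001. The removed `HEALTHCHECK` has no replacement in this hunk while `/health` is still served, so confirm that the orchestrator probes it.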
@@ -31,6 +31,9 @@ upstream server-nestjs {
 server {
 listen 8080;

+ # Taille des headers (nécessaire pour les tokens Keycloak)
+ large_client_header_buffers 4 32k;
+
 # Healthcheck de nginx-strangler lui-même
 location = /health {
 access_log off;
diff --git a/apps/nginx-strangler/entrypoint.sh b/apps/nginx-strangler/entrypoint.sh
new file mode 100644
index 0000000000..19a234e2e6
--- /dev/null
+++ b/apps/nginx-strangler/entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Substitue les variables d'environnement dans le template de routing
+# Les variables substituées : LEGACY_UPSTREAM, NESTJS_UPSTREAM
+envsubst '${LEGACY_UPSTREAM} ${NESTJS_UPSTREAM}' \
+ < /opt/bitnami/nginx/conf/server_blocks/routing.conf.template \
+ > /opt/bitnami/nginx/conf/server_blocks/routing.conf
+
+echo "Routing configuration generated with:"
+echo " LEGACY_UPSTREAM=${LEGACY_UPSTREAM}"
+echo " NESTJS_UPSTREAM=${NESTJS_UPSTREAM}"
diff --git a/apps/nginx-strangler/nginx.conf b/apps/nginx-strangler/nginx.conf
deleted file mode 100644
index 657e2100dd..0000000000
--- a/apps/nginx-strangler/nginx.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-worker_processes auto;
-
-error_log /var/log/nginx/error.log notice;
-pid /var/run/nginx.pid;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for" '
- 'upstream=$upstream_addr rt=$request_time';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- keepalive_timeout 65;
-
- # Taille des headers (nécessaire pour les tokens Keycloak)
- large_client_header_buffers 4 32k;
-
- include /etc/nginx/conf.d/*.conf;
-}
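Review bot: In `routing.conf`, `large_client_header_buffers 4 32k;` now sits at `server` level, where nginx may use the default server's value instead, because request headers are read before the virtual server is selected. If this is the only `server` on port 8080 it is the default and the setting takes effect, but that dependency is implicit; I would record it in the comment, e.g. `# must stay on the default server for :8080, otherwise the default server's value applies`. The setting also lets each connection hold up to 128k of header data, so keep a connection or rate limit in front of this listener. The `server` block continues outside the hunk.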
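Review bot: `entrypoint.sh` has no error handling, so when `LEGACY_UPSTREAM` or `NESTJS_UPSTREAM` is unset `envsubst` writes an empty upstream into `routing.conf` and the script still prints its success message; the previous `CMD` at least ran `nginx -t` before starting. I would add `set -euo pipefail` after the shebang and guard each variable before the `envsubst` call with `: "${LEGACY_UPSTREAM:?LEGACY_UPSTREAM must be set}"` and `: "${NESTJS_UPSTREAM:?NESTJS_UPSTREAM must be set}"`. The values are spliced into nginx configuration verbatim, so a host:port format check that rejects `;`, braces and whitespace would keep a malformed deployment value from adding directives. Whether the base image executes or sources scripts in `/docker-entrypoint-initdb.d` is not visible here; if it sources them, scope `set -e` to a subshell.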