integrate konflux-ui with namespace-lister #5297
Conversation
|
Skipping CI for Draft Pull Request. |
filariow
force-pushed
the
integrate-namespace-lister-ui
branch
from
b9960bb to
79c08ab
Compare
|
/hold |
| rewrite ^/(.*)/$ /$1 permanent; | ||
| proxy_pass https://kubernetes.default.svc; | ||
| if ($request_method = GET) { | ||
| proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080; |
There was a problem hiding this comment.
please use https. certificates for namespace-lister can be generated using openshift https://docs.openshift.com/container-platform/4.15/security/certificates/service-serving-certificate.html
| # namespace-lister endpoint | ||
| rewrite ^/(.*)/$ /$1 permanent; | ||
| proxy_pass https://kubernetes.default.svc; | ||
| if ($request_method = GET) { |
There was a problem hiding this comment.
it's discouraged to use "if" in location blocks. can we use map instead?
| @@ -161,6 +161,24 @@ http { | |||
| include /mnt/nginx-generated-config/bearer.conf; | |||
| } | |||
|
|
|||
| location ~* /api/v1/namespaces(/?)$ { | |||
There was a problem hiding this comment.
the ui prefixes requests to the k8s api with /api/k8s/
| include /mnt/nginx-generated-config/bearer.conf; | ||
|
|
||
| # namespace-lister endpoint | ||
| rewrite ^/(.*)/$ /$1 permanent; |
There was a problem hiding this comment.
we should use break instead of permanent. we want to reverse proxy not redirect.
|
@sadlerap thanks for merging the conflicts |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: filariow, sadlerap The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
Signed-off-by: Francesco Ilario <[email protected]>
Signed-off-by: Francesco Ilario <[email protected]>
Signed-off-by: Francesco Ilario <[email protected]>
filariow
force-pushed
the
integrate-namespace-lister-ui
branch
from
7c062c9 to
539b099
Compare
| @@ -3,11 +3,13 @@ kind: Service | |||
| metadata: | |||
| name: namespace-lister | |||
| namespace: namespace-lister | |||
| annotations: | |||
| service.beta.openshift.io/serving-cert-secret-name: namespace-lister-tls | |||
There was a problem hiding this comment.
I would expect to see a change to namespace-lister deployment as well for mounting the tls certificates.
There was a problem hiding this comment.
namespace-lister is not supporting TLS at the moment. let's move this to a future PR.
There was a problem hiding this comment.
I've filed konflux-ci/namespace-lister#29 to enable it in namespace-lister.
| @@ -161,6 +161,25 @@ http { | |||
| include /mnt/nginx-generated-config/bearer.conf; | |||
| } | |||
|
|
|||
| location ~* /api/k8s/api/v1/namespaces(/?)$ { | |||
There was a problem hiding this comment.
I think this can be simplified by dropping the regex expression. wdyt?
There was a problem hiding this comment.
IIUC, If we remove this regex this will become the path every namespaced request will take, e.g. api/v1/namespaces/my-ns/pods will be processed by this rule
There was a problem hiding this comment.
Correct. We only want to match on requests for namespace resources, i.e. when the path is /api/k8s/api/v1/namespaces or /api/k8s/api/v1/namespaces/.
If I'm understanding nginx's docs correctly, we could set it up like this and have it work:
| location ~* /api/k8s/api/v1/namespaces(/?)$ { | |
| location = /api/k8s/api/v1/namespaces/ { |
This would match the path we want, both with and without the trailing slash. However, this has slightly different behavior than what we currently have: nginx will issue a 301 permanent redirect from /api/k8s/api/v1/namespaces to /api/k8s/api/v1/namespaces/, which I'm not sure I'm a fan of. To me, the regex is clearer in its intent.
Also, if we do decide to use regex matching here, we should probably do case-sensitive matching:
| location ~* /api/k8s/api/v1/namespaces(/?)$ { | |
| location ~ /api/k8s/api/v1/namespaces(/?)$ { |
Signed-off-by: Francesco Ilario <[email protected]>
filariow
force-pushed
the
integrate-namespace-lister-ui
branch
from
a062b59 to
38ff1ef
Compare
Signed-off-by: Francesco Ilario <[email protected]>
Signed-off-by: Francesco Ilario <[email protected]>
Signed-off-by: Francesco Ilario [email protected]