integrate konflux-ui with namespace-lister

components/konflux-ui/staging/base/proxy/nginx.conf

@@ -35,6 +35,11 @@ http {
         '' close;
     }
 
+    map $request_method $ns_target {
+      GET     namespacelister;
+      default kubeapi;
+    }
+
     server {
         listen 9443 ssl;
         ssl_certificate /mnt/tls.crt;
@@ -161,6 +166,39 @@ http {
             include /mnt/nginx-generated-config/bearer.conf;
         }
 
+        # GET requests to the following endpoints are handled from the namespace-lister.
+        # * /api/k8s/api/v1/namespaces
+        # * /api/k8s/api/v1/namespaces/
+        #
+        # Requests with other methods are handled by the Kube-API
+        location ~* ^/api/k8s/api/v1/namespaces(/?)$ {
+            try_files $uri @$ns_target;
+        }
+
+        location @namespacelister {
+            auth_request_set $email  $upstream_http_x_auth_request_email;
+            auth_request /oauth2/auth;
+            proxy_read_timeout 30m;
+            proxy_set_header X-Email $email;
+
+            rewrite ^.*$ /api/v1/namespaces break;
+
+            proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080;
+        }
+
+        location @kubeapi {
+            auth_request_set $email  $upstream_http_x_auth_request_email;
+            auth_request /oauth2/auth;
+            proxy_read_timeout 30m;
+            proxy_set_header X-Email $email;
+
+            rewrite ^/api/k8s/(.*)/$ /$1 break;
+
+            proxy_pass https://kubernetes.default.svc;
+            proxy_set_header Impersonate-User $email;
+            include /mnt/nginx-generated-config/bearer.conf;
+        }
+
         location /health {
             # Used for liveness probes
             return 200;

components/namespace-lister/base/kustomization.yaml

@@ -4,17 +4,17 @@ resources:
 - deployment.yaml
 - namespace.yaml
 - rbac.yaml
-- proxy.yaml
-- route.yaml
 - service.yaml
+- network_policy.yaml
 namespace: namespace-lister
-configMapGenerator:
-- files:
-  - nginx.conf=nginx.conf
-  name: proxy-konflux
-  options:
-    disableNameSuffixHash: true
 images:
 - name: namespace-lister
   newName: quay.io/konflux-ci/namespace-lister
   newTag: fd195c941b3151c165ddf376ce5f44d57db3f071
+patches:
+- path: ./patches/with-header-auth-email.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: namespace-lister
+    namespace: namespace-lister

components/namespace-lister/base/network_policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: namespace-lister
+  namespace: namespace-lister
+spec:
+  podSelector:
+    matchLabels:
+      apps: namespace-lister
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: konflux-ui
+    - podSelector:
+        matchLabels:
+          app: proxy
+    ports:
+    - protocol: TCP
+      port: 8080

components/namespace-lister/base/patches/with-header-auth.yaml → components/namespace-lister/base/patches/with-header-auth-email.yaml

@@ -2,4 +2,4 @@
   path: /spec/template/spec/containers/0/env/-
   value:
     name: AUTH_USERNAME_HEADER
-    value: Impersonate-User
+    value: X-Email

components/namespace-lister/base/service.yaml

@@ -5,9 +5,9 @@ metadata:
   namespace: namespace-lister
 spec:
   selector:
-    app: namespace-lister-proxy
+    apps: namespace-lister
   type: ClusterIP
   ports:
   - name: http
     targetPort: 8080
-    port: 12000
+    port: 8080

components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml

@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base/
-- rbac.yaml