{{- if not .Values.agent }} {{- $serviceName := include "cost-analyzer.serviceName" . -}} {{- $nginxPort := .Values.service.targetPort | default 9090 -}} {{- if .Values.saml.enabled }} {{- if .Values.oidc.enabled }} {{- fail "SAML and OIDC cannot both be enabled" }} {{- end }} {{- end }} apiVersion: v1 kind: ConfigMap metadata: name: nginx-conf namespace: {{ .Release.Namespace }} labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} data: nginx.conf: | gzip_static on; # Enable gzip encoding for content of the provided types of 50kb and higher. gzip on; gzip_min_length 50000; gzip_proxied expired no-cache no-store private auth; gzip_types application/atom+xml application/geo+json application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/otf font/ttf image/bmp image/svg+xml text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/xml text/x-component text/x-cross-domain-policy; upstream api { {{- if.Values.kubecostFrontend.api }} {{- if.Values.kubecostFrontend.api.fqdn }} server {{ .Values.kubecostFrontend.api.fqdn }}; {{- else }} server {{ $serviceName }}.{{ .Release.Namespace }}:9001; {{- end }} {{- else }} server {{ $serviceName }}.{{ .Release.Namespace }}:9001; {{- end }} } upstream model { {{- if.Values.kubecostFrontend.model }} {{- if.Values.kubecostFrontend.model.fqdn }} server {{ .Values.kubecostFrontend.model.fqdn }}; {{- else }} server {{ $serviceName }}.{{ .Release.Namespace }}:9003; {{- end }} {{- else }} server {{ $serviceName }}.{{ .Release.Namespace }}:9003; {{- end }} } {{- if .Values.clusterController }} {{- if .Values.clusterController.enabled }} upstream clustercontroller { {{- if .Values.clusterController.fqdn }} server {{ .Values.clusterController.fqdn }}; {{- else }} server {{ template "kubecost.clusterControllerName" . }}-service.{{ .Release.Namespace }}:9731; {{- end }} } {{- end }} {{- end }} {{- if .Values.global.grafana.proxy }} upstream grafana { {{- if .Values.global.grafana.enabled }} {{- if .Values.global.grafana.fqdn }} server {{ .Values.global.grafana.fqdn }}; {{- else }} server {{ .Release.Name }}-grafana.{{ .Release.Namespace }}; {{- end }} {{- else }} server {{.Values.global.grafana.domainName}}; {{- end }} } {{- end }} server { server_name _; root /var/www; index index.html; large_client_header_buffers 4 32k; add_header Cache-Control "must-revalidate"; error_page 504 /custom_504.html; location = /custom_504.html { internal; } {{- if or .Values.saml.enabled .Values.oidc.enabled }} add_header Cache-Control "max-age=0"; location / { auth_request /auth; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; error_page 401 = /login; try_files $uri $uri/ /index.html; } {{- else }} add_header Cache-Control "max-age=300"; location / { try_files $uri $uri/ /index.html; } {{- end }} {{- if .Values.imageVersion }} add_header ETag "{{ $.Values.imageVersion }}"; {{- else }} add_header ETag "{{ $.Chart.Version }}"; {{- end }} {{- if .Values.kubecostFrontend.tls }} {{- if .Values.kubecostFrontend.tls.enabled }} {{- if .Values.kubecostFrontend.tls.specifyProtocols }} ssl_protocols {{ $.Values.kubecostFrontend.tls.protocols }}; {{- end }} ssl_certificate /etc/ssl/certs/kc.crt; ssl_certificate_key /etc/ssl/certs/kc.key; listen 443 ssl; {{- if .Values.kubecostFrontend.ipv6.enabled }} listen [::]:443 ssl; {{- end }} {{- else }} listen {{ $nginxPort }}; {{- if .Values.kubecostFrontend.ipv6.enabled }} listen [::]:{{ $nginxPort }}; {{- end }} {{- end }} {{- else }} listen {{ $nginxPort }}; {{- if .Values.kubecostFrontend.ipv6.enabled }} listen [::]:{{ $nginxPort }}; {{- end }} {{- end }} location /api/ { {{- if or .Values.saml.enabled .Values.oidc.enabled }} auth_request /auth; {{- end }} proxy_pass http://api/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /model/ { proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_pass http://model/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location ~ ^/(turndown|cluster)/ { add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; {{- if .Values.clusterController }} {{- if .Values.clusterController.enabled }} {{- if or .Values.saml .Values.oidc }} {{- if or .Values.saml.enabled .Values.oidc.enabled }} auth_request /auth; {{- else if .Values.saml.rbac.enabled}} auth_request /authrbac; {{- end }} {{- end }} rewrite ^/(?:turndown|cluster)/(.*)$ /$1 break; proxy_pass http://clustercontroller; proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- else }} return 404; {{- end }} {{- else }} return 404; {{- end }} } location /oidc/ { proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_pass http://model/oidc/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /saml/ { proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_pass http://model/saml/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /login { proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_pass http://model/login; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Original-URI $request_uri; } location /logout { proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; proxy_pass http://model/logout; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } {{- if .Values.global.grafana.proxy }} location /grafana/ { {{- if .Values.saml.enabled }} auth_request /auth; {{- end }} proxy_pass http://grafana/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; } {{ end }} {{- if or .Values.saml.enabled .Values.oidc.enabled }} location /auth { proxy_pass http://model/isAuthenticated; } {{- end }} {{- if .Values.saml.rbac.enabled }} location /authrbac { proxy_pass http://model/isAdminAuthenticated; } {{- end }} } {{- end }}