From eeff38fa6d5bf2c6cd16bdcba535c33e5d31011c Mon Sep 17 00:00:00 2001
From: "Christian M. Adams"
Date: Mon, 16 Oct 2023 13:03:55 -0400
Subject: [PATCH] Fully support Edge and Passthrough termination for routes using custom nginx.conf
---
 ...server-operator.clusterserviceversion.yaml | 4 +-
 roles/eda/templates/eda-ui.deployment.yaml.j2 | 12 +++
 roles/eda/templates/eda.configmap.yaml.j2 | 84 +++++++++++++++++++
 3 files changed, 98 insertions(+), 2 deletions(-)
diff --git a/config/manifests/bases/eda-server-operator.clusterserviceversion.yaml b/config/manifests/bases/eda-server-operator.clusterserviceversion.yaml
index 81eefc50..b6fe655d 100644
--- a/config/manifests/bases/eda-server-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/eda-server-operator.clusterserviceversion.yaml
@@ -518,8 +518,8 @@ spec:
 path: redis.node_selector
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:advanced
- - description: Deployment strategy to use to replace existing pods with
- new ones.
+ - description: Deployment strategy to use to replace existing pods with new
+ ones.
 displayName: Strategy
 path: redis.strategy
 x-descriptors:
diff --git a/roles/eda/templates/eda-ui.deployment.yaml.j2 b/roles/eda/templates/eda-ui.deployment.yaml.j2
index 56c8859a..6f5df73c 100644
--- a/roles/eda/templates/eda-ui.deployment.yaml.j2
+++ b/roles/eda/templates/eda-ui.deployment.yaml.j2
@@ -77,3 +77,15 @@ spec:
 {% if combined_ui.resource_requirements is defined %}
 resources: {{ combined_ui.resource_requirements }}
 {% endif %}
+ volumeMounts:
+ - name: {{ ansible_operator_meta.name }}-nginx-conf
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ readOnly: true
+ volumes:
+ - name: {{ ansible_operator_meta.name }}-nginx-conf
+ configMap:
+ name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
+ items:
+ - key: nginx_conf
+ path: nginx.conf
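Review bot: The passthrough branch of the new nginx.conf in `roles/eda/templates/eda.configmap.yaml.j2` points `ssl_certificate`/`ssl_certificate_key` at `/etc/ssl/nginx-selfsigned.crt` and `/etc/ssl/nginx-selfsigned.key`, but this hunk mounts only the nginx-conf ConfigMap, so unless the UI image already ships those files nginx will refuse to start whenever `route_tls_termination_mechanism` is passthrough; the certificate and key belong in a Secret volume mounted at that path, not in the image. Separately, because `nginx.conf` is mounted with `subPath`, later edits to the ConfigMap are not propagated into the running pod and the Deployment must be rolled for a changed nginx.conf to take effect; a comment above `volumeMounts:` such as `# subPath mounts are not refreshed on ConfigMap change; roll the Deployment to pick up edits` would spare the next maintainer that surprise. The enclosing container spec starts outside the hunk.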
diff --git a/roles/eda/templates/eda.configmap.yaml.j2 b/roles/eda/templates/eda.configmap.yaml.j2
index b5f9b2f3..fc0fe0b2 100644
--- a/roles/eda/templates/eda.configmap.yaml.j2
+++ b/roles/eda/templates/eda.configmap.yaml.j2
@@ -28,3 +28,87 @@ data:
 {% for item in extra_settings | default([]) %}
 {{ item.setting | upper }}: "{{ item.value }}"
 {% endfor %}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
+ namespace: '{{ ansible_operator_meta.namespace }}'
+ labels:
+ {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
+data:
+ nginx_conf: |
+ events {
+ worker_connections 1024;
+ }
+
+ http {
+ include mime.types;
+
+ client_max_body_size 5M;
+ server_tokens off;
+
+ {% if route_tls_termination_mechanism | lower == 'passthrough' %}
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+ server_name _;
+
+ # Redirect all HTTP links to the matching HTTPS page
+ return 301 https://$host:443$request_uri;
+ }
+ {% endif %}
+
+ server {
+ {% if route_tls_termination_mechanism | lower == 'passthrough' %}
+ # SSL configuration for passthrough TLS termination
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/ssl/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/nginx-selfsigned.key;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_ciphers PROFILE=SYSTEM;
+ ssl_prefer_server_ciphers on;
+ {% else %}
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+ {% endif %}
+
+ server_name _;
+ access_log off;
+
+ include mime.types;
+
+ sendfile on;
+
+ root /usr/share/nginx/html;
+
+ location ~ ^/api/eda/v[0-9]+/ {
+ proxy_pass http://{{ ansible_operator_meta.name }}-api:8000;
+ proxy_set_header Origin http://{{ ansible_operator_meta.name }}-api:8000;
+ }
+
+ location ~ ^/api/eda/ws/[0-9a-z-]+ {
+ proxy_pass http://{{ ansible_operator_meta.name }}-api:8000;
+ proxy_set_header Origin http://{{ ansible_operator_meta.name }}-api:8000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+
+ location ~* 
\.(json|woff|woff2|jpe?g|png|gif|ico|svg|css|js)$ {
+ add_header Cache-Control "public, max-age=31536000, s-maxage=31536000, immutable";
+ try_files $uri =404;
+ gzip_static on;
+ }
+
+ location / {
+ expires off;
+ add_header Cache-Control "public, max-age=0, s-maxage=0, must-revalidate" always;
+ try_files $uri /index.html =404;
+ }
+ }
+ }
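Review bot: The passthrough `server` block sets `ssl_ciphers PROFILE=SYSTEM` and `ssl_session_tickets off` but no `ssl_protocols`, so the accepted TLS versions fall back to the nginx build default (older builds still enable TLSv1 and TLSv1.1) or to whatever the base image's crypto policy allows; add `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_prefer_server_ciphers on;` so the floor is explicit regardless of image. In that same branch nginx binds port 443, which a pod running as an arbitrary non-root UID cannot do without `NET_BIND_SERVICE`, and the Service/Route targetPort would have to follow the port change as well — neither is visible in this patch, so the edge path on 8080 is the only one this hunk clearly leaves runnable as an unprivileged container. Both `/api/eda/` locations overwrite `Origin` with the backend's own address and forward no `Host`, `X-Forwarded-For` or `X-Forwarded-Proto`, which hides the real client origin and scheme from the API; worth confirming the API does not rely on Origin checks or on the forwarded scheme when building absolute URLs. The hunk's context lines sit inside the first ConfigMap's `data:` block, which begins outside the hunk.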