|
| 1 | +{{- if and .Values.frontend.enabled .Values.keyManager.enabled }} |
| 2 | +apiVersion: v1 |
| 3 | +kind: ConfigMap |
| 4 | +metadata: |
| 5 | + name: {{ include "nebari-llm-serving.fullname" . }}-frontend-config |
| 6 | + namespace: {{ include "nebari-llm-serving.operatorNamespace" . }} |
| 7 | + labels: |
| 8 | + {{- include "nebari-llm-serving.labels" . | nindent 4 }} |
| 9 | + app.kubernetes.io/component: frontend |
| 10 | +data: |
| 11 | + # Served by nginx at /config.json. The SPA fetches this at startup so Keycloak |
| 12 | + # settings change without rebuilding the image. clientId defaults to the |
| 13 | + # nebari-operator SPA-client convention (<namespace>-<nebariapp-name>-spa); the |
| 14 | + # NebariApp for the UI is named "<fullname>-key-manager", so the SPA client is |
| 15 | + # "<operator-namespace>-<fullname>-key-manager-spa". |
| 16 | + config.json: | |
| 17 | + { |
| 18 | + "keycloak": { |
| 19 | + "url": {{ required "frontend.keycloak.url is required when frontend.enabled=true" .Values.frontend.keycloak.url | quote }}, |
| 20 | + "realm": {{ .Values.frontend.keycloak.realm | quote }}, |
| 21 | + "clientId": {{ default (printf "%s-%s-key-manager-spa" (include "nebari-llm-serving.operatorNamespace" .) (include "nebari-llm-serving.fullname" .)) .Values.frontend.keycloak.clientId | quote }} |
| 22 | + }{{ with .Values.frontend.title }}, |
| 23 | + "title": {{ . | quote }}{{ end }} |
| 24 | + } |
| 25 | +
|
| 26 | + # nginx configuration for the frontend pod. |
| 27 | + # |
| 28 | + # Traffic flow (production): |
| 29 | + # Browser → Gateway → frontend Service (nginx:{{ .Values.frontend.port }}) |
| 30 | + # ├─ /api/* → proxy_pass to the key-manager ClusterIP (cluster DNS, never |
| 31 | + # │ public); nginx forwards the Authorization: Bearer header as-is |
| 32 | + # │ and the key-manager validates it against Keycloak JWKS. |
| 33 | + # └─ /* → serve the SPA; keycloak-js handles OIDC PKCE in the browser. |
| 34 | + nginx.conf: | |
| 35 | + worker_processes auto; |
| 36 | + pid /tmp/nginx.pid; |
| 37 | +
|
| 38 | + events { |
| 39 | + worker_connections 1024; |
| 40 | + } |
| 41 | +
|
| 42 | + http { |
| 43 | + include /etc/nginx/mime.types; |
| 44 | + default_type application/octet-stream; |
| 45 | +
|
| 46 | + client_body_temp_path /tmp/client_temp; |
| 47 | + proxy_temp_path /tmp/proxy_temp_path; |
| 48 | + fastcgi_temp_path /tmp/fastcgi_temp; |
| 49 | + uwsgi_temp_path /tmp/uwsgi_temp; |
| 50 | + scgi_temp_path /tmp/scgi_temp; |
| 51 | +
|
| 52 | + sendfile on; |
| 53 | + keepalive_timeout 65; |
| 54 | +
|
| 55 | + access_log /dev/stdout; |
| 56 | + error_log /dev/stderr warn; |
| 57 | +
|
| 58 | + server { |
| 59 | + listen {{ .Values.frontend.port }}; |
| 60 | + server_name _; |
| 61 | +
|
| 62 | + root /usr/share/nginx/html; |
| 63 | + index index.html; |
| 64 | +
|
| 65 | + # Security headers. add_header does NOT inherit into a location that |
| 66 | + # sets its own add_header, so these cover the SPA document (location |
| 67 | + # /); the config.json block below repeats the ones that matter for it. |
| 68 | + # The framing headers matter because the UI exposes one-click "revoke |
| 69 | + # key" - deny embedding to block clickjacking. |
| 70 | + add_header X-Frame-Options "DENY" always; |
| 71 | + add_header Content-Security-Policy "frame-ancestors 'none'" always; |
| 72 | + add_header X-Content-Type-Options "nosniff" always; |
| 73 | +
|
| 74 | + gzip on; |
| 75 | + gzip_types text/plain text/css application/json application/javascript |
| 76 | + text/xml application/xml application/xml+rss text/javascript |
| 77 | + image/svg+xml; |
| 78 | + gzip_min_length 1024; |
| 79 | +
|
| 80 | + # Proxy /api/* to the key-manager ClusterIP - never exposed publicly. |
| 81 | + location /api/ { |
| 82 | + proxy_pass http://{{ include "nebari-llm-serving.fullname" . }}-key-manager.{{ include "nebari-llm-serving.operatorNamespace" . }}.svc.cluster.local:8080/api/; |
| 83 | + proxy_set_header Authorization $http_authorization; |
| 84 | + proxy_set_header X-Real-IP $remote_addr; |
| 85 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 86 | + proxy_set_header Host $host; |
| 87 | + proxy_http_version 1.1; |
| 88 | + } |
| 89 | +
|
| 90 | + # Cache content-hashed static assets aggressively. |
| 91 | + location ~* \.(js|css|png|svg|ico|woff2?|ttf|eot)$ { |
| 92 | + expires 1y; |
| 93 | + add_header Cache-Control "public, immutable"; |
| 94 | + try_files $uri =404; |
| 95 | + } |
| 96 | +
|
| 97 | + location /healthz { |
| 98 | + access_log off; |
| 99 | + return 200 "ok\n"; |
| 100 | + add_header Content-Type text/plain; |
| 101 | + } |
| 102 | +
|
| 103 | + # Runtime config: never cache, so Keycloak settings changes take |
| 104 | + # effect on the next page load instead of being pinned by a stale copy. |
| 105 | + location = /config.json { |
| 106 | + add_header Cache-Control "no-store" always; |
| 107 | + add_header X-Content-Type-Options "nosniff" always; |
| 108 | + try_files $uri =404; |
| 109 | + } |
| 110 | +
|
| 111 | + # SPA fallback. |
| 112 | + location / { |
| 113 | + try_files $uri $uri/ /index.html; |
| 114 | + } |
| 115 | + } |
| 116 | + } |
| 117 | +{{- end }} |
0 commit comments