From abba7d98245bba135739ae4394efba9e7f029d9d Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Thu, 16 Jan 2025 14:28:20 +0100 Subject: [PATCH 1/8] integrate konflux-ui with namespace-lister Signed-off-by: Francesco Ilario --- .../konflux-ui/staging/base/proxy/nginx.conf | 18 +++++++++++++++ .../namespace-lister/base/kustomization.yaml | 9 ++++++++ .../namespace-lister/base/network_policy.yaml | 22 +++++++++++++++++++ components/namespace-lister/base/service.yaml | 13 +++++++++++ 4 files changed, 62 insertions(+) create mode 100644 components/namespace-lister/base/network_policy.yaml create mode 100644 components/namespace-lister/base/service.yaml diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index 2223cf23bb5..7a9a85e9ab8 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf +++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -161,6 +161,24 @@ http { include /mnt/nginx-generated-config/bearer.conf; } + location ~* /api/v1/namespaces(/?)$ { + # authenticate request + auth_request_set $email $upstream_http_x_auth_request_email; + auth_request /oauth2/auth; + + # Impersonate requesting user + proxy_set_header Impersonate-User $email; + include /mnt/nginx-generated-config/bearer.conf; + + # namespace-lister endpoint + rewrite ^/(.*)/$ /$1 permanent; + proxy_pass https://kubernetes.default.svc; + if ($request_method = GET) { + proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080; + } + proxy_read_timeout 30m; + } + location /health { # Used for liveness probes return 200; diff --git a/components/namespace-lister/base/kustomization.yaml b/components/namespace-lister/base/kustomization.yaml index ef67e67607d..36326e2e052 100644 --- a/components/namespace-lister/base/kustomization.yaml +++ b/components/namespace-lister/base/kustomization.yaml 
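Review bot: The `if ($request_method = GET)` block only sets `proxy_pass`, so it inherits every `proxy_set_header` of the enclosing location — `Impersonate-User $email` and whatever `/mnt/nginx-generated-config/bearer.conf` sets (presumably the proxy's own service-account token) — and forwards them to namespace-lister over plain `http://`; the namespace-lister branch needs its own header set, or the kube-API-only headers must live in a separate location. The match `location ~* /api/v1/namespaces(/?)$` is case-insensitive and not anchored at the start, so any URI ending in that suffix (and `/API/V1/NAMESPACES`) lands here; `location ~ ^/api/v1/namespaces/?$ {` pins it to the intended path. Note also that `rewrite ^/(.*)/$ /$1 permanent;` answers the client with a 301 instead of rewriting internally before `proxy_pass`.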
@@ -4,8 +4,17 @@ resources: - deployment.yaml - namespace.yaml - rbac.yaml +- service.yaml +- network_policy.yaml namespace: namespace-lister images: - name: namespace-lister newName: quay.io/konflux-ci/namespace-lister newTag: fd195c941b3151c165ddf376ce5f44d57db3f071 +patches: +- path: ./patches/with-header-auth.yaml + target: + group: apps + kind: Deployment + name: namespace-lister + namespace: namespace-lister diff --git a/components/namespace-lister/base/network_policy.yaml b/components/namespace-lister/base/network_policy.yaml new file mode 100644 index 00000000000..e76ac67cb16 --- /dev/null +++ b/components/namespace-lister/base/network_policy.yaml @@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: namespace-lister + namespace: namespace-lister +spec: + podSelector: + matchLabels: + apps: namespace-lister + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: konflux-ui + - podSelector: + matchLabels: + app: proxy + ports: + - protocol: TCP + port: 8080 diff --git a/components/namespace-lister/base/service.yaml b/components/namespace-lister/base/service.yaml new file mode 100644 index 00000000000..e64ca15cf5f --- /dev/null +++ b/components/namespace-lister/base/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: namespace-lister + namespace: namespace-lister +spec: + selector: + apps: namespace-lister + type: ClusterIP + ports: + - name: http + targetPort: 8080 + port: 8080 From 52dccc3520200685db5b2f729dc7f5865736f91b Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Thu, 16 Jan 2025 16:33:19 +0100 Subject: [PATCH 2/8] address review comments 
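Review bot: In network_policy.yaml the `- podSelector:` entry appears to be a second item of `from:` rather than part of the `namespaceSelector` item, which makes the rule an OR: every pod in the `konflux-ui` namespace is admitted, plus any pod labelled `app: proxy` in the policy's own `namespace-lister` namespace (a bare `podSelector` selects from the local namespace). Since namespace-lister is being switched to trust a caller-supplied username header, this policy is the only thing preventing an arbitrary konflux-ui pod from listing namespaces as any user, so the two selectors should be ANDed by dropping the leading `- ` and indenting `podSelector:` under the same list item as `namespaceSelector:`. The collapsed diff hides indentation, so please confirm against the file; a `# AND: only the proxy pod in konflux-ui` comment on that entry would make the intent explicit.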
Signed-off-by: Francesco Ilario --- .../konflux-ui/staging/base/proxy/nginx.conf | 16 +++++++++------- .../namespace-lister/base/kustomization.yaml | 2 +- ...der-auth.yaml => with-header-auth-email.yaml} | 2 +- components/namespace-lister/base/service.yaml | 2 ++ .../staging/stone-stg-rh01/kustomization.yaml | 1 - .../staging/stone-stg-rh01/rbac.yaml | 13 ------------- 6 files changed, 13 insertions(+), 23 deletions(-) rename components/namespace-lister/base/patches/{with-header-auth.yaml => with-header-auth-email.yaml} (77%) delete mode 100644 components/namespace-lister/staging/stone-stg-rh01/rbac.yaml diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index 7a9a85e9ab8..61fef740a74 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf +++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -161,22 +161,24 @@ http { include /mnt/nginx-generated-config/bearer.conf; } - location ~* /api/v1/namespaces(/?)$ { + location ~* /api/k8s/api/v1/namespaces(/?)$ { # authenticate request auth_request_set $email $upstream_http_x_auth_request_email; auth_request /oauth2/auth; # Impersonate requesting user - proxy_set_header Impersonate-User $email; + proxy_set_header X-Email $email; include /mnt/nginx-generated-config/bearer.conf; # namespace-lister endpoint - rewrite ^/(.*)/$ /$1 permanent; - proxy_pass https://kubernetes.default.svc; - if ($request_method = GET) { - proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080; - } + rewrite ^/(.*)/$ /$1 break; proxy_read_timeout 30m; + + map $request_method $target_service_url { + default https://kubernetes.default.svc; + GET http://namespace-lister.namespace-lister.svc.cluster.local:8080; + } + proxy_pass $target_service_url } location /health { diff --git a/components/namespace-lister/base/kustomization.yaml b/components/namespace-lister/base/kustomization.yaml index 36326e2e052..b17ca32774c 100644 
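Review bot: Removing `proxy_set_header Impersonate-User $email` while keeping `include /mnt/nginx-generated-config/bearer.conf` means the `default` target (`https://kubernetes.default.svc`, i.e. every non-GET request such as namespace create/delete) is now executed with the proxy's own bearer identity instead of the authenticated user's; the impersonation header must stay on the kube-API path, e.g. `proxy_set_header Impersonate-User $email;` next to the include. Separately this hunk will not pass `nginx -t`: `map` is only valid in the `http` context, not inside a `location`, and `proxy_pass $target_service_url` lacks a terminating `;` (a variable `proxy_pass` also needs a `resolver`). The `X-Email` header set here is sent to both upstreams, which is harmless for the kube API but worth a comment so nobody later assumes it is consumed there.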
--- a/components/namespace-lister/base/kustomization.yaml +++ b/components/namespace-lister/base/kustomization.yaml @@ -12,7 +12,7 @@ images: newName: quay.io/konflux-ci/namespace-lister newTag: fd195c941b3151c165ddf376ce5f44d57db3f071 patches: -- path: ./patches/with-header-auth.yaml +- path: ./patches/with-header-auth-email.yaml target: group: apps kind: Deployment diff --git a/components/namespace-lister/base/patches/with-header-auth.yaml b/components/namespace-lister/base/patches/with-header-auth-email.yaml similarity index 77% rename from components/namespace-lister/base/patches/with-header-auth.yaml rename to components/namespace-lister/base/patches/with-header-auth-email.yaml index 7d74e05eaf3..9fe2b3d2c25 100644 --- a/components/namespace-lister/base/patches/with-header-auth.yaml +++ b/components/namespace-lister/base/patches/with-header-auth-email.yaml @@ -2,4 +2,4 @@ path: /spec/template/spec/containers/0/env/- value: name: AUTH_USERNAME_HEADER - value: Impersonate-User + value: X-Email diff --git a/components/namespace-lister/base/service.yaml b/components/namespace-lister/base/service.yaml index e64ca15cf5f..8e38eb59350 100644 --- a/components/namespace-lister/base/service.yaml +++ b/components/namespace-lister/base/service.yaml @@ -3,6 +3,8 @@ kind: Service metadata: name: namespace-lister namespace: namespace-lister + annotations: + service.beta.openshift.io/serving-cert-secret-name: namespace-lister-tls spec: selector: apps: namespace-lister diff --git a/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml b/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml index 72c1a86266c..4f7380c54b3 100644 --- a/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml +++ b/components/namespace-lister/staging/stone-stg-rh01/kustomization.yaml @@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base/ -- rbac.yaml 
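Review bot: The patch now tells namespace-lister to take the caller identity from `X-Email`, an unsigned header, so any client that can open a TCP connection to the pod on 8080 can list namespaces as any user; the only control is the NetworkPolicy in the sibling change, and this hunk should say so. Add above the env entry: `# AUTH_USERNAME_HEADER is trusted unconditionally: namespace-lister must only be reachable from the konflux-ui proxy (see base/network_policy.yaml), which overwrites the client-supplied X-Email.` Since the `system:auth-delegator` binding is deleted in the same series, there is no longer any TokenReview fallback, which makes that comment the only record of the trust boundary.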
diff --git a/components/namespace-lister/staging/stone-stg-rh01/rbac.yaml b/components/namespace-lister/staging/stone-stg-rh01/rbac.yaml deleted file mode 100644 index ee10079eb34..00000000000 --- a/components/namespace-lister/staging/stone-stg-rh01/rbac.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: namespace-lister-auth-delegator -subjects: -- apiGroup: "" - kind: ServiceAccount - name: namespace-lister - namespace: namespace-lister -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator From d5b85288bfcab50be12762e008b93f0b793b48b8 Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Thu, 16 Jan 2025 16:34:48 +0100 Subject: [PATCH 3/8] fix rewrite rule Signed-off-by: Francesco Ilario --- components/konflux-ui/staging/base/proxy/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index 61fef740a74..378b9686cc3 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf +++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -171,7 +171,7 @@ http { include /mnt/nginx-generated-config/bearer.conf; # namespace-lister endpoint - rewrite ^/(.*)/$ /$1 break; + rewrite ^/api/k8s/(.*)/$ /$1 break; proxy_read_timeout 30m; map $request_method $target_service_url { From e88b16f64adc59997187c080aaf59a9a2c069ac7 Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Thu, 16 Jan 2025 18:50:25 +0100 Subject: [PATCH 4/8] Update components/konflux-ui/staging/base/proxy/nginx.conf --- components/konflux-ui/staging/base/proxy/nginx.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index 378b9686cc3..1f705db0fcf 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf 
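Review bot: `rewrite ^/api/k8s/(.*)/$ /$1 break;` still only fires when the URI ends with `/`, while the enclosing location (which starts and ends outside this hunk) accepts both `/api/k8s/api/v1/namespaces` and the slash form; a request without the trailing slash is proxied upstream with the `/api/k8s` prefix intact and will 404 on the kube API. Making the slash optional, `rewrite ^/api/k8s/(.*?)/?$ /$1 break;`, covers both forms in one rule.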
+++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -168,7 +168,6 @@ http { # Impersonate requesting user proxy_set_header X-Email $email; - include /mnt/nginx-generated-config/bearer.conf; # namespace-lister endpoint rewrite ^/api/k8s/(.*)/$ /$1 break; From 25b72ee49aac58ac0ad1423eb7859ee9701330f8 Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Thu, 16 Jan 2025 19:37:25 +0100 Subject: [PATCH 5/8] fix nginx.conf Signed-off-by: Francesco Ilario --- .../konflux-ui/staging/base/proxy/nginx.conf | 44 +++++++++++++++---- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index 1f705db0fcf..c123b3fe0d7 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf +++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -35,6 +35,11 @@ http { '' close; } + map $request_method $is_get_request { + default 0; + GET 1; + } + server { listen 9443 ssl; ssl_certificate /mnt/tls.crt; 
@@ -161,23 +166,44 @@ http { include /mnt/nginx-generated-config/bearer.conf; } + # GET requests to the following endpoints are handled from the namespace-lister. + # * /api/k8s/api/v1/namespace + # * /api/k8s/api/v1/namespace/ + # + # Requests with other methods are handled by the Kube-API location ~* /api/k8s/api/v1/namespaces(/?)$ { # authenticate request auth_request_set $email $upstream_http_x_auth_request_email; auth_request /oauth2/auth; - - # Impersonate requesting user - proxy_set_header X-Email $email; - - # namespace-lister endpoint + + # common rewrite ^/api/k8s/(.*)/$ /$1 break; proxy_read_timeout 30m; + proxy_set_header X-Email $email; - map $request_method $target_service_url { - default https://kubernetes.default.svc; - GET http://namespace-lister.namespace-lister.svc.cluster.local:8080; + # namespace-lister + if ($is_get_request) { + proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080; + break; } - proxy_pass $target_service_url + + # Kube-API + proxy_pass https://kubernetes.default.svc; + proxy_set_header Impersonate-User $email; + include /mnt/nginx-generated-config/bearer.conf; + } + + # All namespaced requests are forwarded to Kube-API + location /api/k8s/api/v1/namespaces/ { + # Kube-API + auth_request_set $email $upstream_http_x_auth_request_email; + auth_request /oauth2/auth; + + rewrite /api/k8s/(.+) /$1 break; + proxy_pass https://kubernetes.default.svc; + proxy_read_timeout 30m; + proxy_set_header Impersonate-User $email; + include /mnt/nginx-generated-config/bearer.conf; } location /health { From c56966a2daf0e230ea157cdbda220300df8f603b Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Thu, 16 Jan 2025 20:00:28 +0100 Subject: [PATCH 6/8] rollback tls changes Signed-off-by: Francesco Ilario --- components/namespace-lister/base/service.yaml | 2 -- 1 file changed, 2 deletions(-) 
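Review bot: The `if ($is_get_request)` branch again contains only `proxy_pass` and `break`, so nginx merges into it all location-level `proxy_set_header` directives regardless of where they appear in the block — including `Impersonate-User $email` and the headers from `bearer.conf` that are written after the `if` — and the namespace-lister therefore still receives the proxy's kube-API credentials over plain HTTP. Directive order inside a location does not scope headers; putting the kube-API headers in their own location (as the prefix `location /api/k8s/api/v1/namespaces/` below already does) or moving the GET path to a named location is the only way to keep them apart. The new header comment also says `/api/k8s/api/v1/namespace` where the location matches `namespaces`; fix the two lines to `# * /api/k8s/api/v1/namespaces` and `# * /api/k8s/api/v1/namespaces/`.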
diff --git a/components/namespace-lister/base/service.yaml b/components/namespace-lister/base/service.yaml index 8e38eb59350..e64ca15cf5f 100644 --- a/components/namespace-lister/base/service.yaml +++ b/components/namespace-lister/base/service.yaml @@ -3,8 +3,6 @@ kind: Service metadata: name: namespace-lister namespace: namespace-lister - annotations: - service.beta.openshift.io/serving-cert-secret-name: namespace-lister-tls spec: selector: apps: namespace-lister From 2d29e5355ef276fdb3b750a8529effc839e4cacd Mon Sep 17 00:00:00 2001 From: Francesco Ilario Date: Fri, 17 Jan 2025 00:51:41 +0100 Subject: [PATCH 7/8] fix nginx.conf Signed-off-by: Francesco Ilario --- .../konflux-ui/staging/base/proxy/nginx.conf | 53 ++++++++----------- 1 file changed, 23 insertions(+), 30 deletions(-) diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index c123b3fe0d7..b9c386baab0 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf +++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -35,9 +35,9 @@ http { '' close; } - map $request_method $is_get_request { - default 0; - GET 1; + map $request_method $ns_target { + GET namespacelister; + default kubeapi; } server { 
@@ -167,45 +167,38 @@ http { } # GET requests to the following endpoints are handled from the namespace-lister. - # * /api/k8s/api/v1/namespace - # * /api/k8s/api/v1/namespace/ + # * /api/k8s/api/v1/namespaces + # * /api/k8s/api/v1/namespaces/ # # Requests with other methods are handled by the Kube-API - location ~* /api/k8s/api/v1/namespaces(/?)$ { - # authenticate request + location ~* ^/api/k8s/api/v1/namespaces(/?)$ { + try_files $uri @$ns_target; + } + + location @namespacelister { auth_request_set $email $upstream_http_x_auth_request_email; auth_request /oauth2/auth; - - # common - rewrite ^/api/k8s/(.*)/$ /$1 break; proxy_read_timeout 30m; proxy_set_header X-Email $email; - # namespace-lister - if ($is_get_request) { - proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080; - break; - } - - # Kube-API + rewrite ^.*$ /api/v1/namespaces break; + + proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:8080; + } + + location @kubeapi { + auth_request_set $email $upstream_http_x_auth_request_email; + auth_request /oauth2/auth; + proxy_read_timeout 30m; + proxy_set_header X-Email $email; + + rewrite ^/api/k8s/(.*)/$ /$1 break; + proxy_pass https://kubernetes.default.svc; proxy_set_header Impersonate-User $email; include /mnt/nginx-generated-config/bearer.conf; } - # All namespaced requests are forwarded to Kube-API - location /api/k8s/api/v1/namespaces/ { - # Kube-API - auth_request_set $email $upstream_http_x_auth_request_email; - auth_request /oauth2/auth; - - rewrite /api/k8s/(.+) /$1 break; - proxy_pass https://kubernetes.default.svc; - proxy_read_timeout 30m; - proxy_set_header Impersonate-User $email; - include /mnt/nginx-generated-config/bearer.conf; - } - location /health { # Used for liveness probes return 200; From bd05d536d6c9905b0003c6d5aef518f3e8e3f49f Mon Sep 17 00:00:00 2001 
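Review bot: In `@kubeapi` the rule `rewrite ^/api/k8s/(.*)/$ /$1 break;` only strips the prefix when the URI ends in `/`, yet the dispatching location matches `namespaces(/?)$`, so a `POST /api/k8s/api/v1/namespaces` reaches the kube API as `/api/k8s/api/v1/namespaces` and fails; `rewrite ^/api/k8s/(.*?)/?$ /$1 break;` handles both forms, mirroring what `@namespacelister` does with its unconditional rewrite. `try_files $uri @$ns_target;` first checks the filesystem under this server's `root` (outside the hunk) and would serve a matching file without ever running `auth_request`; the usual idiom for pure dispatch is `try_files /nonexistent @$ns_target;`. The user identity still travels as a bare `X-Email` header over `http://` to namespace-lister, and with the serving-cert annotation rolled back in patch 6 there is no transport authentication on that hop — worth a `# identity is asserted by header only; see namespace-lister NetworkPolicy` comment in `@namespacelister` so the dependency is visible here.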
From: Francesco Ilario Date: Mon, 20 Jan 2025 15:58:33 +0100 Subject: [PATCH 8/8] Update components/konflux-ui/staging/base/proxy/nginx.conf Co-authored-by: Andy Sadler --- components/konflux-ui/staging/base/proxy/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/konflux-ui/staging/base/proxy/nginx.conf b/components/konflux-ui/staging/base/proxy/nginx.conf index b9c386baab0..7077b1c475c 100644 --- a/components/konflux-ui/staging/base/proxy/nginx.conf +++ b/components/konflux-ui/staging/base/proxy/nginx.conf @@ -36,8 +36,8 @@ http { } map $request_method $ns_target { - GET namespacelister; - default kubeapi; + GET namespacelister; + default kubeapi; } server {