From 9d81055d1d4007b6a5fa66e64a35827e6a02d612 Mon Sep 17 00:00:00 2001
From: Dom Del Nano
Date: Wed, 18 Sep 2024 09:57:53 -0700
Subject: [PATCH] Move nginx-config mount to /usr/local/openresty/nginx/conf.d to avoid entrypoint writing to RO mount
Signed-off-by: Dom Del Nano
---
 k8s/cloud/base/proxy_deployment.yaml | 2 +-
 k8s/cloud/base/proxy_nginx_config.yaml | 36 +++++++++++++-------------
 src/cloud/proxy/entrypoint.sh | 2 +-
 3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/k8s/cloud/base/proxy_deployment.yaml b/k8s/cloud/base/proxy_deployment.yaml
index 2c999271073..710f07ebd6e 100644
--- a/k8s/cloud/base/proxy_deployment.yaml
+++ b/k8s/cloud/base/proxy_deployment.yaml
@@ -79,7 +79,7 @@ spec:
 - name: certs
 mountPath: /certs
 - name: nginx-config
- mountPath: /usr/local/openresty/nginx/conf
+ mountPath: /usr/local/openresty/nginx/conf.d
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
diff --git a/k8s/cloud/base/proxy_nginx_config.yaml b/k8s/cloud/base/proxy_nginx_config.yaml
index 1b37e0c6d3d..fb4359a3a81 100644
--- a/k8s/cloud/base/proxy_nginx_config.yaml
+++ b/k8s/cloud/base/proxy_nginx_config.yaml
@@ -85,7 +85,7 @@ data:
 etag on;
 expires 60m;
 add_header Cache-Control "public";
- include /usr/local/openresty/nginx/conf/headers_common.conf;
+ include /usr/local/openresty/nginx/conf.d/headers_common.conf;
 pixie_api.conf: |-
 location /api/ {
@@ -232,7 +232,7 @@ data:
 ssl_certificate /certs/tls.crt;
 ssl_certificate_key /certs/tls.key;
- include /usr/local/openresty/nginx/conf/pixie_health_check.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_health_check.conf;
 if ($http_x_forwarded_proto = "http") {
 return 404;
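Review bot: In k8s/cloud/base/proxy_deployment.yaml, moving the `nginx-config` volume to `conf.d` means the entrypoint's generated `nginx.conf` is now written into the image's own `/usr/local/openresty/nginx/conf` directory, so the container's root filesystem has to remain writable. The `securityContext` in this hunk shows `allowPrivilegeEscalation: false`, but the rest of the block lies outside the hunk, so it is not visible whether `readOnlyRootFilesystem` is set. If it is wanted, the generated file needs its own writable volume, for example an `emptyDir` at a separate path passed to nginx with `-c`. Adding `readOnly: true` to the `nginx-config` volumeMount would also record that nothing is expected to write under `conf.d`.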
@@ -250,10 +250,10 @@ data:
 listen 56000 ssl http2;
 server_name @PL_DOMAIN_NAME@ *.cluster.local;
- include /usr/local/openresty/nginx/conf/pixie_compression.conf;
- include /usr/local/openresty/nginx/conf/pixie_vars.conf;
- include /usr/local/openresty/nginx/conf/pixie_server_defaults.conf;
- include /usr/local/openresty/nginx/conf/pixie_api.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_compression.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_vars.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_server_defaults.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_api.conf;
 if ($http_x_forwarded_proto = "http") {
 return 307 https://$host$request_uri;
@@ -276,13 +276,13 @@ data:
 server_name work.@PL_DOMAIN_NAME@;
 error_page 404 = @error404;
- include /usr/local/openresty/nginx/conf/pixie_compression.conf;
- include /usr/local/openresty/nginx/conf/pixie_vars.conf;
- include /usr/local/openresty/nginx/conf/pixie_server_defaults.conf;
- include /usr/local/openresty/nginx/conf/pixie_health_check.conf;
- include /usr/local/openresty/nginx/conf/pixie_api.conf;
- include /usr/local/openresty/nginx/conf/headers_common.conf;
- include /usr/local/openresty/nginx/conf/private/*.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_compression.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_vars.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_server_defaults.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_health_check.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_api.conf;
+ include /usr/local/openresty/nginx/conf.d/headers_common.conf;
+ include /usr/local/openresty/nginx/conf.d/private/*.conf;
 # Disable caching by default.
 add_header Cache-Control "no-store";
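Review bot: The wildcard line `include /usr/local/openresty/nginx/conf.d/private/*.conf;` in the `work.@PL_DOMAIN_NAME@` server block (hunk at -276) can now silently match nothing, because nginx accepts a wildcard include with no matching files without reporting an error. If any overlay or extra volume still places files under the old `conf/private/` path (none is visible in this patch), their directives would be dropped at startup with no warning. Confirm that every mount feeding `private/` moved along with the ConfigMap. A comment above the include would help, for example `# Optional: matches nothing unless private/*.conf is mounted under conf.d.`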
@@ -342,14 +342,14 @@ data:
 location ~ ^/static(/.*)$ {
 gzip_static off;
 root /assets;
- include /usr/local/openresty/nginx/conf/pixie_cache.conf;
- include /usr/local/openresty/nginx/conf/pixie_filter.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_cache.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_filter.conf;
 try_files $1 "/index.html";
 }
 location /auth-complete {
 root /assets;
- include /usr/local/openresty/nginx/conf/pixie_filter.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_filter.conf;
 try_files $uri "/index.html";
 }
@@ -368,8 +368,8 @@ data:
 listen 56000 ssl http2;
 server_name segment.@PL_DOMAIN_NAME@;
- include /usr/local/openresty/nginx/conf/pixie_compression.conf;
- include /usr/local/openresty/nginx/conf/pixie_vars.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_compression.conf;
+ include /usr/local/openresty/nginx/conf.d/pixie_vars.conf;
 set $segment_cdn "cdn.segment.com";
diff --git a/src/cloud/proxy/entrypoint.sh b/src/cloud/proxy/entrypoint.sh
index d8a04ddc319..37ce1e47eba 100644
--- a/src/cloud/proxy/entrypoint.sh
+++ b/src/cloud/proxy/entrypoint.sh
@@ -17,7 +17,7 @@
 # SPDX-License-Identifier: Apache-2.0
 if [ -n "$PL_DOMAIN_NAME" ]; then
- sed -e "s/[@]PL_DOMAIN_NAME[@]/$PL_DOMAIN_NAME/" /usr/local/openresty/nginx/conf/nginx.conf.tmpl > /usr/local/openresty/nginx/conf/nginx.conf
+ sed -e "s/[@]PL_DOMAIN_NAME[@]/$PL_DOMAIN_NAME/" /usr/local/openresty/nginx/conf.d/nginx.conf.tmpl > /usr/local/openresty/nginx/conf/nginx.conf
 else
 echo "PL_DOMAIN_NAME undefined, exiting"
 exit 1
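Review bot: In src/cloud/proxy/entrypoint.sh, `$PL_DOMAIN_NAME` is expanded unvalidated into the sed program on the changed line, so a value containing `/`, `&` or whitespace alters or breaks the substitution. Whatever survives is written into the generated nginx.conf, where the template appears to use it in `server_name` directives. A guard before the `sed`, such as `case "$PL_DOMAIN_NAME" in *[!A-Za-z0-9.-]*) echo "PL_DOMAIN_NAME has invalid characters, exiting"; exit 1;; esac`, would restrict it to hostname characters. The redirect also truncates nginx.conf before sed runs, so unless `set -e` is set above this hunk, a missing template at the new `conf.d` path is not caught here; appending `|| exit 1` to the command would fail early. The `if` block closes outside the hunk.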