svtechnmaa · duchieu2k · Apr 13, 2026 · coderabbitai · Apr 14, 2026 · coderabbitai
diff --git a/kubernetes/report-ui/templates/refelx-grafana-ingress.yaml b/kubernetes/report-ui/templates/refelx-grafana-ingress.yaml
@@ -0,0 +1,136 @@
+{{- $basehref := .Values.backend.config.basehref | default "" -}}
+{{- $grafana_enabled := false -}}
+{{- if .Values.global }}
+  {{- if .Values.global.grafana }}
+    {{- $grafana_enabled = .Values.global.grafana.enabled }}
+  {{- end }}
+{{- end }}
+
+
+{{- if $grafana_enabled }}
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:  
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      if ($arg_user) {
+        set $user $arg_user;
+      }
+      if ($arg_hostgroup) {
+        set $hostgroup $arg_hostgroup;
+      }
+      if ($arg_orgId) {
+        set $orgId $arg_orgId;
+      }
+      if ($arg_report) {
+        set $report $arg_report;
+      }
+      if ($user = "") {
+        return 401;
+      }
+      if ($hostgroup = "") {
+        return 401;
+      }
+      if ($orgId = "") {
+        return 401;
+      }
+      if ($report = "") {
+        return 401;
+      }
+      if ($http_referer ~ "^https://(.*)/grafana/d/(.*)orgId=([0-9]+)(.*)") {
+        set $referer_orgId $3;
+        set $cookie_valid 1;
+      }
+      if ($referer_orgId != $orgId) {
+        set $cookie_valid 0;
+        return 401;
+      }
+      if ($cookie_valid = 1) {
+        add_header Set-Cookie "ref_grafana_path=$http_referer; Path=/; HttpOnly; Secure; Samesite=Lax; Max-Age=86400";
+        add_header Set-Cookie "ref_grafana_user=$user; Path=/; HttpOnly; Secure; Samesite=Lax; Max-Age=86400";
+        add_header Set-Cookie "ref_grafana_hostgroup=$hostgroup; Path=/; HttpOnly; Secure; Samesite=Lax; Max-Age=86400";
+        add_header Set-Cookie "ref_grafana_orgId=$orgId; Path=/; HttpOnly; Secure; Samesite=Lax; Max-Age=86400";
+        add_header Set-Cookie "ref_grafana_report=$report; Path=/; HttpOnly; Secure; Samesite=Lax; Max-Age=86400";
+        #ref_grafana_session already set from grafana ingress
+        set $redirect_url "$scheme://$host{{ $basehref }}/report/grafana/$report/";
+
+        return 302 $redirect_url;
+      }
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  name: grafana-redirect-report-ingress
+spec:
+  ingressClassName: {{ .Release.Name }}
+  rules:
+  - http:
+      paths:
+      - backend:
+          service:
+            name: {{ .Chart.Name }}-frontend
+            port:
+              number: {{ .Values.frontend.service.port }}
+        path: "{{ $basehref }}/grafana-redirect-report-nmaa(/|$)(.*)"
+        pathType: Prefix
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-GRAFANA-USER "$cookie_ref_grafana_user";
+      proxy_set_header X-GRAFANA-HOSTGROUP "$cookie_ref_grafana_hostgroup";
+      proxy_set_header X-GRAFANA-ORGID "$cookie_ref_grafana_orgId";
+      if ($cookie_ref_grafana_session = "") {
+        return 401;
+      }
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$1$2
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  name: report-be-grafana-ingress
+spec:
+  ingressClassName: {{ .Release.Name }}
+  rules:
+  - http:
+      paths:
+      - backend:
+          service:
+            name: {{ .Chart.Name }}-backend
+            port:
+              number: {{ .Values.backend.service.port }}
+        path: "{{ $basehref }}/(_event|ping|_upload)(/.*)?$"
+        pathType: ImplementationSpecific
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-GRAFANA-USER "$cookie_ref_grafana_user";
+      proxy_set_header X-GRAFANA-HOSTGROUP "$cookie_ref_grafana_hostgroup";
+      proxy_set_header X-GRAFANA-ORGID "$cookie_ref_grafana_orgId";
+      if ($cookie_ref_grafana_session = "") {
+        return 401;
+      }
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/session-cookie-path: "{{ $basehref }}/report/grafana/"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  name: report-fe-grafana-ingress
+spec:
+  ingressClassName: {{ .Release.Name }}
+  rules:
+  - http:
+      paths:
+      - backend:
+          service:
+            name: {{ .Chart.Name }}-frontend
+            port:
+              number: {{ .Values.frontend.service.port }}
+        path: "{{ $basehref }}/report/grafana/(.*)"
+        pathType: Prefix
-        path: "{{ $basehref }}/report/grafana/(.*)"
-        pathType: Prefix
+        path: "{{ $basehref }}/report/grafana/(.*)"
+        pathType: ImplementationSpecific
-        path: "{{ $basehref }}/report/grafana/(.*)"
-        pathType: Prefix
+        path: "{{ $basehref }}/report/grafana/(.*)"
+        pathType: ImplementationSpecific
+
+{{- end }}