From bc65155c78932b023c69040dfc329d839e5a6fed Mon Sep 17 00:00:00 2001
From: Sven Tennie
Date: Wed, 13 Mar 2024 13:52:34 +0100
Subject: [PATCH] smallstep-accomp: Resolve proxy target on request (#3946)

Usually, proxy targets are resolved when nginx is started. This can lead to strange behavior if the target either doesn't exist (yet) or the DNS entry changes while nginx is running. This little trick with the indirection via a variable should trigger the lookup(s) while nginx is running. The default behavior of the `resolver` directive is to update the target according to its TTL in the configured DNS server.
---
 changelog.d/5-internal/smallstep-accomp-target-resolving | 4 ++++
 .../templates/server-block-configmap.yaml | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 changelog.d/5-internal/smallstep-accomp-target-resolving

diff --git a/changelog.d/5-internal/smallstep-accomp-target-resolving b/changelog.d/5-internal/smallstep-accomp-target-resolving
new file mode 100644
index 00000000000..3d8f4fa8b4e
--- /dev/null
+++ b/changelog.d/5-internal/smallstep-accomp-target-resolving
@@ -0,0 +1,4 @@
+Ensure that targets of the smallstep nginx proxy are resolved at runtime via the
+configured DNS server. This has two benefits: The target gets adjusted when it's
+changed at the DNS server. And, nginx doesn't fail to start when the target
+doesn't exist yet.
diff --git a/charts/smallstep-accomp/templates/server-block-configmap.yaml b/charts/smallstep-accomp/templates/server-block-configmap.yaml
index 366dad7e92e..a6765595d31 100644
--- a/charts/smallstep-accomp/templates/server-block-configmap.yaml
+++ b/charts/smallstep-accomp/templates/server-block-configmap.yaml
@@ -17,12 +17,16 @@ data:
 {{- range .Values.upstreams.proxiedHosts }}
 location /proxyCrl/{{ . }} {
+ # This indirection is required to make the resolver check the domain.
+ # Otherwise, broken upstreams lead to broken deployments.
+ set $backend "{{ . }}";
+
 proxy_redirect off;
 proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header Host {{ . }};
+ proxy_set_header Host $backend;
 proxy_hide_header Content-Type;
 add_header Content-Type application/pkix-crl;
- proxy_pass "https://{{ . }}/crl";
+ proxy_pass "https://$backend/crl";
 }
 {{- end }}
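Review bot: Once `proxy_pass "https://$backend/crl"` takes its host from a runtime DNS answer, the TLS settings in this location are what catch a wrong or spoofed answer, and the hunk leaves them at nginx defaults: the upstream certificate is not verified (`proxy_ssl_verify` defaults to off) and no SNI is sent (`proxy_ssl_server_name` defaults to off), the latter also breaking upstreams that serve per-name certificates. Unless these are set elsewhere in the server block, which is outside this hunk, consider adding next to the `set $backend` line `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and a `proxy_ssl_trusted_certificate` pointing at the bundle the chart trusts for these upstreams. The variable form of `proxy_pass` also needs a `resolver` directive in scope; the commit message implies one is configured, but it is not visible here, and without it the failure moves from startup to a 502 on the first request, which is harder to notice than the startup failure this change removes. The comment on the `set` line would be more useful stating the mechanism, e.g. `# Using a variable in proxy_pass makes nginx resolve the host per request via the resolver directive (re-resolved per TTL).`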