update the conf to avoid perm issues in openshift

[bharathappali]

Description

This change updates the NGINX configuration to ensure compatibility with OpenShift’s restricted security model. In OpenShift, containers do not run as a fixed user like nginx but instead use a randomly assigned non-root UID. As a result, default NGINX paths such as /var/cache/nginx and /run/nginx.pid, which are typically owned by root, are not writable at runtime. This leads to permission denied errors and causes the container to crash during startup.

To address this, the NGINX PID file location has been explicitly moved from its default path (/run/nginx.pid) to /tmp/nginx.pid. The /tmp directory is universally writable inside containers, regardless of the runtime UID assigned by OpenShift, making it a safe location for runtime-generated files like PID files.

In addition, all temporary file paths used by NGINX (such as client_body_temp_path, proxy_temp_path, and others) have been redirected from /var/cache/nginx to subdirectories under /tmp. This ensures that NGINX can successfully create and manage temporary files required for request processing without encountering filesystem permission issues.

These changes do not alter application functionality but instead adapt the runtime behavior of NGINX to align with OpenShift’s security constraints. By avoiding reliance on root-owned filesystem paths, the container can run successfully under the default restricted security context without requiring elevated privileges or custom security policies.

Overall, this update improves portability and robustness of the deployment, ensuring that the UI service runs reliably in OpenShift environments while adhering to container security best practices.

Fixes #1859

Type of change

• Bug fix
• New feature
• Docs update
• Breaking change (What changes might users need to make in their application due to this PR?)
• Requires DB changes

How has this been tested?

Please describe the tests that were run to verify your changes and steps to reproduce. Please specify any test configuration required.

• New Test X
• Functional testsuite

Test Configuration

• Kubernetes clusters tested on:

Checklist 🎯

• Followed coding guidelines
• Comments added
• Dependent changes merged
• Documentation updated
• Tests added or updated

Additional information

Include any additional information such as links, test results, screenshots here

Summary by Sourcery

Update NGINX configuration to use writable temporary directories for runtime files to ensure compatibility with OpenShift security constraints.

Bug Fixes:

• Redirect NGINX PID file to /tmp to prevent permission errors when running under OpenShift-assigned non-root UIDs.
• Move NGINX temporary file paths from root-owned cache locations to /tmp subdirectories to avoid filesystem permission issues in OpenShift environments.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the embedded NGINX configuration in the OpenShift manifest so that PID and temp file paths use writable locations under /tmp, avoiding permission issues under restricted UIDs.

Flow diagram for container startup before and after NGINX path change

graph TD
  Start[Container_startup] --> LoadConfig[Load_nginx.conf]
  LoadConfig --> CheckPaths[Check_PID_and_temp_paths]

  CheckPaths --> Before[Old_paths_/run_and_/var/cache/nginx]
  CheckPaths --> After[New_paths_under_/tmp]

  Before --> PermissionDenied[Filesystem_permission_denied]
  PermissionDenied --> Crash[Container_crash_on_startup]

  After --> WritablePaths[Writable_paths_for_random_UID]
  WritablePaths --> NginxStarts[NGINX_starts_successfully]
  NginxStarts --> Ready[Pod_ready]

Loading

File-Level Changes

Change	Details	Files
Adjust NGINX runtime paths to use /tmp for PID and temporary files to be compatible with OpenShift’s restricted security context.	Set explicit NGINX pid directive to write the PID file under /tmp instead of the default /run location. Redirect NGINX client body, proxy, fastcgi, uwsgi, and scgi temporary paths from /var/cache/nginx to dedicated subdirectories under /tmp. Keep the rest of the NGINX upstream and HTTP configuration unchanged while embedding the new directives into the existing ConfigMap manifest.	manifests/crc/default-db-included-installation/openshift/kruize-crc-openshift.yaml

Possibly linked issues

• UI deployment crashloopbackoff due to permission issue #1859: PR changes NGINX PID and temp directories to /tmp, directly fixing the OpenShift permission-related crash described in issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• NGINX will not create the temp directories (/tmp/client_temp, /tmp/proxy_temp, etc.) automatically, so ensure the pod spec (e.g., an initContainer or startup command) creates these directories with the correct permissions, otherwise startup may still fail with No such file or directory errors.
• Since the PID file path is now non-default (/tmp/nginx.pid), double-check that any control/health scripts or sidecars that might send nginx -s signals or read the PID file are either not used in this manifest or are updated to reference the new location.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- NGINX will not create the temp directories (`/tmp/client_temp`, `/tmp/proxy_temp`, etc.) automatically, so ensure the pod spec (e.g., an initContainer or startup command) creates these directories with the correct permissions, otherwise startup may still fail with `No such file or directory` errors.
- Since the PID file path is now non-default (`/tmp/nginx.pid`), double-check that any control/health scripts or sidecars that might send `nginx -s` signals or read the PID file are either not used in this manifest or are updated to reference the new location.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[shreyabiradar07]

LGTM, verified the changes on OpenShift

[dinogun]

LGTM