Merge pull request #3613 from mercedes-benz/feature-3609-web-ui-forwa…
…rding-to-web-server

Feature 3609 web UI forwarding to web server
sven-dmlr authored Nov 15, 2024
2 parents a8c3f3e + c2b4b30 commit 3c26b94
Showing 11 changed files with 624 additions and 90 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/release-web-ui.yml
Expand Up @@ -109,8 +109,8 @@ jobs:
run: |
cd sechub-web-ui && \
npm install && \
npx nuxi generate && \
cd .output/public && \
npm run build && \
cd dist && \
echo '${{ inputs.web-ui-version }}' > sechub-web-ui_version.txt && \
zip -r ../../../$WEB_UI_RELEASE_ZIPFILE *
Expand All @@ -137,7 +137,7 @@ jobs:
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
with:
name: sechub-web-ui_htdocs
path: sechub-web-ui/.output/
path: sechub-web-ui/dist/
retention-days: 7

- name: Create Web-UI release
Expand Down Expand Up @@ -202,7 +202,7 @@ jobs:
VERSION_TAG="${WEB_UI_VERSION}"
echo "# Building image $DOCKER_REGISTRY:$VERSION_TAG"
echo " from $ACTIONS_BASE_IMAGE_DEBIAN"
cp -r sechub-web-ui/.output sechub-web-ui-solution/docker/copy
cp -r sechub-web-ui/dist sechub-web-ui-solution/docker/copy
cd sechub-web-ui-solution
export BASE_IMAGE="$ACTIONS_BASE_IMAGE_DEBIAN"
export BUILD_TYPE=copy
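Review bot: The `zip -r ../../../$WEB_UI_RELEASE_ZIPFILE *` line in the first hunk is unchanged, but the build step now ends in `sechub-web-ui/dist` (two levels below the checkout) instead of `sechub-web-ui/.output/public` (three levels), so, assuming the step starts in the checkout root, `../../../` now resolves one directory above the repository. Unless `WEB_UI_RELEASE_ZIPFILE` (defined outside the hunk) compensates for that, later release steps may not find the archive; the line would become `zip -r ../../$WEB_UI_RELEASE_ZIPFILE *`. In the same script, `${{ inputs.web-ui-version }}` is expanded into the script text before the shell runs; passing the input through an `env:` variable and referencing that variable in the `echo` keeps a stray quote in the input from altering the command.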
Expand Up @@ -6,6 +6,13 @@ metadata:
name: web-server-policy
spec:
ingress:
- from:
- podSelector:
matchLabels:
name: web-ui # Allow SecHub Web-UI access
ports:
- protocol: TCP
port: 4443
- ports:
{{- if .Values.go_mmproxy.enabled }}
- port: 8080
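Review bot: The added `from` rule uses only a `podSelector`, so it matches pods labelled `name: web-ui` in this policy's own namespace and nothing else; if the Web-UI can be installed into a different namespace than the web server, the forwarding on port 4443 will be dropped without any error. A comment above the rule would make that constraint explicit, for example `# Web-UI must run in the same namespace as web-server; add a namespaceSelector otherwise`. The `- ports:` rule that follows has no `from` clause in the visible lines and continues outside the hunk, so it is worth checking whether it already admits 4443 from any source, which would make the new rule redundant.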
@@ -0,0 +1,15 @@
# SPDX-License-Identifier: MIT

# Internal access via cluster IP (maybe obsolete when an api-gateway is in place)
apiVersion: v1
kind: Service
metadata:
name: web-server-internal
spec:
selector:
name: web-server
ports:
- protocol: TCP
port: 4443
targetPort: 4443
type: ClusterIP
39 changes: 20 additions & 19 deletions sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile
Expand Up @@ -31,7 +31,7 @@ COPY clone.sh "$WEB_UI_BUILD_FOLDER/clone.sh"

RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get install --assume-yes --quiet git wget && \
apt-get install -y git wget && \
apt-get clean

RUN cd "${WEB_UI_BUILD_FOLDER}" && \
Expand Down Expand Up @@ -66,7 +66,7 @@ ENV WEB_UI_RELEASE_ZIP="sechub-web-ui_htdocs.zip"

RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get install --assume-yes --quiet unzip wget && \
apt-get install -y unzip wget && \
apt-get clean

RUN mkdir -p "${WEB_UI_ARTIFACTS}/dist" && \
Expand All @@ -76,8 +76,8 @@ RUN mkdir -p "${WEB_UI_ARTIFACTS}/dist" && \
sha256sum --check "${WEB_UI_RELEASE_ZIP}.sha256sum" && \
unzip ${WEB_UI_RELEASE_ZIP} && \
rm -f "${WEB_UI_RELEASE_ZIP}" "${WEB_UI_RELEASE_ZIP}.sha256sum"


#-------------------
# Builder
#-------------------
Expand Down Expand Up @@ -105,21 +105,26 @@ ENV HTDOCS_FOLDER="${HTDOCS_FOLDER}"
# using fixed group and user ids + prepare alive check file
RUN usermod -u "$UID" "$USER" && \
groupmod -g "$GID" "$USER" && \
NGINX_ALIVE_DIR="$HTDOCS_FOLDER/health" && \
mkdir -p "$NGINX_ALIVE_DIR" && \
echo "SecHub Web-UI is alive" > "$NGINX_ALIVE_DIR/alive.html"
mkdir -p "$$HTDOCS_FOLDER" "$CERTIFICATE_DIRECTORY"

# Copy run script into container
# Copy launcher script into container
COPY run.sh /run.sh

RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get --assume-yes upgrade && \
apt-get --assume-yes install bind9-host curl netcat-openbsd nginx openssl sed vim-tiny && \
apt-get --assume-yes clean
apt-get -y upgrade && \
apt-get -y install bind9-host curl netcat-openbsd nginx openssl sed vim-tiny && \
apt-get -y clean && \
# Cleanup nginx default files
cd /etc/nginx && \
rm -rf conf.d fastcgi* koi-* modules-* *_params sites-* snippets win-utf /var/www/html/index.nginx-debian.html

# Copy configuration script
COPY nginx.conf /etc/nginx/nginx.conf
# Copy Nginx configuration files
COPY nginx/ /etc/nginx/

# Copy content to web server's document root
COPY --from=builder "${WEB_UI_ARTIFACTS}/dist" "${HTDOCS_FOLDER}"
COPY htdocs/ "${HTDOCS_FOLDER}/"

# Create self-signed certificate
RUN cd /tmp && \
Expand All @@ -135,20 +140,16 @@ RUN cd /tmp && \
2>&1 | sed 's/\.//g'

# Prepare certificates
RUN mkdir -p "$CERTIFICATE_DIRECTORY" && \
mv /tmp/sechub-web-ui.cert "$CERTIFICATE_DIRECTORY"/sechub-web-ui.cert && \
RUN mv /tmp/sechub-web-ui.cert "$CERTIFICATE_DIRECTORY"/sechub-web-ui.cert && \
mv /tmp/sechub-web-ui.key "$CERTIFICATE_DIRECTORY"/sechub-web-ui.key && \
# Generate ephemeral Diffie-Hellman paramaters for perfect forward secrecy
# see: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#toc_5
openssl dhparam -out "$CERTIFICATE_DIRECTORY"/certsdhparam.pem 2048 2>&1 | sed 's/\.//g'

# Copy content to web server's document root
COPY --from=builder "${WEB_UI_ARTIFACTS}/dist" "${HTDOCS_FOLDER}"

# Create PID file and set permissions
RUN touch /var/run/nginx.pid && \
chmod 755 "$HTDOCS_FOLDER" && \
chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid && \
chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" /var/log/nginx /var/lib/nginx /var/run/nginx.pid && \
chmod +x /run.sh

# Switch from root to non-root user
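Review bot: In the user-setup `RUN`, `mkdir -p "$$HTDOCS_FOLDER" "$CERTIFICATE_DIRECTORY"` has a doubled dollar sign: Docker passes `RUN` text to the shell unexpanded, and the shell reads `$$` as its own process id, so this creates a stray directory named `<pid>HTDOCS_FOLDER` in the current working directory instead of the document root. The image still builds because the later `COPY --from=builder ... "${HTDOCS_FOLDER}"` creates the folder, which hides the typo. The line should read `mkdir -p "$HTDOCS_FOLDER" "$CERTIFICATE_DIRECTORY"`. The stage starts before and continues after the visible hunks.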
Binary file added sechub-web-ui-solution/docker/htdocs/favicon.ico
Binary file not shown.