Merge pull request #3599 from mercedes-benz/feature-3596-web-ui-ssl-k…

…eystore

Feature 3596 web UI ssl keystore

sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile

@@ -148,7 +148,7 @@ COPY --from=builder "${WEB_UI_ARTIFACTS}/.output/public" "${HTDOCS_FOLDER}"
 # Create PID file and set permissions
 RUN touch /var/run/nginx.pid && \
     chmod 755 "$HTDOCS_FOLDER" && \
-    chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" "$HTDOCS_FOLDER" /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid && \
+    chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid && \
     chmod +x /run.sh
 
 # Switch from root to non-root user

sechub-web-ui-solution/docker/run.sh

@@ -1,21 +1,50 @@
 #!/bin/sh
 # SPDX-License-Identifier: MIT
+set -e
 
 debug () {
-    while true
-    do
-	    echo "Press [CTRL+C] to stop.."
-	    sleep 120
-    done
+  while true ; do
+    echo "Press [CTRL+C] to stop.."
+    sleep 120
+  done
 }
 
-if [ "$LOADBALANCER_START_MODE" != "server" ]
-then
-    debug
+install_ssl_certs () {
+  echo "### Installing SSL certs \"$WEB_UI_SSL_KEYSTORE_ALIAS\""
+  K8S_SSL_SECRETS="/sechub-web-ui/secrets/secret-ssl"
+
+  cd "$CERTIFICATE_DIRECTORY"
+
+  echo "# Extraxting private key"
+  openssl pkcs12 -in "$K8S_SSL_SECRETS/keystore_file" -nocerts -out key.pem -nodes -legacy -password file:"$K8S_SSL_SECRETS/keystore_password"
+
+  echo "# Extracting certificate(s)"
+  openssl pkcs12 -in "$K8S_SSL_SECRETS/keystore_file" -nokeys -out cert.pem -nodes -legacy -password file:"$K8S_SSL_SECRETS/keystore_password"
+
+  echo "# Verifying name (keystore alias)"
+  grep "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS" key.pem
+  grep "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS" cert.pem
+
+  echo "# Replacing certificates"
+  cat key.pem | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > sechub-web-ui.key
+  cat cert.pem | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > sechub-web-ui.cert
+
+  # cleanup temporary files
+  rm -f key.pem cert.pem
+}
+
+###############
+# main
+if [ "$WEB_UI_SSL_KEYSTORE_ALIAS" != "undefined" ] ; then
+  install_ssl_certs
+fi
+
+if [ "$LOADBALANCER_START_MODE" != "server" ] ; then
+  debug
 fi
 
-echo "Check configuration file"
+echo "### Checking configuration file"
 nginx -t
 
-echo "Start Nginx"
-nginx -g 'daemon off;'
+echo "### Starting Nginx"
+nginx -g 'daemon off;'

sechub-web-ui-solution/helm/web-ui/Chart.yaml

@@ -11,4 +11,4 @@ type: application
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.0.0
+version: 1.1.0

sechub-web-ui-solution/helm/web-ui/README.md

@@ -1,4 +1,43 @@
 <!-- SPDX-License-Identifier: MIT --->
 # SecHub Web UI
 
- This Helm chart is used to deploy the SecHub Web UI to a Kubernetes cluster.
+This Helm chart is used to deploy the SecHub Web UI to a Kubernetes cluster.
+
+## SSL certificates and keys
+
+### Default SSL setup
+The web-ui container image is shipped with initially created self-signed certificates.
+
+### User-provided SSL keystore
+If you want to provide your own officially signed certificates,
+you need to create a pkcs12 keystore with a "-name" attribute (e.g. `sechub-web-ui.example.com`).
+
+#### How to create the .p12 keystore
+Create a private key (`sechub-web-ui.key`), create a certificate signed by a CA of your trust (`sechub-web-ui.cert`).
+```bash
+NAME="sechub-web-ui.example.com"
+openssl pkcs12 -export -in sechub.corpinter.net-full-chain.crt -inkey sechub.corpinter.net_server.key -out ${NAME}.p12 -name ${NAME}
+# Enter pass phrase for private key file
+# Enter Export Password for .p12 keystore
+```
+
+#### Set .p12 and its password as Kubernetes secrets
+A Kubernetes secret `secret-web-ui-ssl` must be defined containing
+- `keystore_file` - Your .p12 keystore file created in the previous step<br>
+  Inside the .p12 keystore, an alias with ${NAME} is expected pointing to the ssl certificate to use
+- `keystore_password` - Export Password for .p12 keystore from above step
+
+#### Update your values.yaml
+Declare ${NAME} as your keystore alias in your Helm values.yaml file.
+
+Example:
+```yaml
+web_ui:
+  ssl:
+    keystoreAlias: "sechub-web-ui.example.com"
+```
+
+#### Deploy
+Now you can deploy using your values.yaml file from above.
+
+Then the SecHub web-ui will use your certificates and key for https encryption.

sechub-web-ui-solution/helm/web-ui/templates/deployment.yaml

@@ -104,6 +104,8 @@ spec:
         env:
           - name: DEPLOYMENT_COMMENT
             value: "{{ .Values.deploymentComment }}"
+          - name: WEB_UI_SSL_KEYSTORE_ALIAS
+            value: "{{ .Values.web_ui.ssl.keystoreAlias }}"
         resources:
           # min container memory
           requests:

sechub-web-ui-solution/helm/web-ui/values.yaml

@@ -27,12 +27,12 @@ resources:
 web_ui:
   ssl:
     keystoreAlias: "undefined"
-    # Alias in .p12 keystore.
+    # Alias in pkcs12 (.p12) keystore.
     # - On `undefined`, a self-signed certificate will be used.
-    # - otherwise, k8s secret `secret-webui-ssl` must be defined containing
+    # - otherwise, a Kubernetes secret `secret-web-ui-ssl` must be defined containing
     #   - `keystore_file` (containing the ssl certificate chain)
     #     Inside the .p12 keystore, an alias with this name is expected
-    #     pointing to the ssl certificate to use
+    #     pointing to the ssl key and certificate to use
     #   - `keystore_password`
 
 # deploymentComment (optional):