From 7d0752d57bd8f2be6df5a8caa334d9a0993168f4 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Thu, 7 Nov 2024 18:21:20 +0100 Subject: [PATCH 1/3] ssl keystore handling added #3596 --- sechub-web-ui-solution/docker/run.sh | 30 +++++++++----- sechub-web-ui-solution/helm/web-ui/Chart.yaml | 2 +- sechub-web-ui-solution/helm/web-ui/README.md | 41 ++++++++++++++++++- .../helm/web-ui/templates/deployment.yaml | 2 + .../helm/web-ui/values.yaml | 6 +-- 5 files changed, 65 insertions(+), 16 deletions(-) diff --git a/sechub-web-ui-solution/docker/run.sh b/sechub-web-ui-solution/docker/run.sh index 0e76c516b..748ae56f3 100644 --- a/sechub-web-ui-solution/docker/run.sh +++ b/sechub-web-ui-solution/docker/run.sh @@ -2,20 +2,28 @@ # SPDX-License-Identifier: MIT debug () { - while true - do - echo "Press [CTRL+C] to stop.." - sleep 120 - done + while true ; do + echo "Press [CTRL+C] to stop.." + sleep 120 + done } -if [ "$LOADBALANCER_START_MODE" != "server" ] -then - debug +install_ssl_certs () { + echo "### Installing SSL certs \"$WEB_UI_SSL_KEYSTOREALIAS\"" +} + +############### +# main +if [ "$WEB_UI_SSL_KEYSTORE_ALIAS" != "undefined" ] ; then + install_ssl_certs +fi + +if [ "$LOADBALANCER_START_MODE" != "server" ] ; then + debug fi -echo "Check configuration file" +echo "### Checking configuration file" nginx -t -echo "Start Nginx" -nginx -g 'daemon off;' \ No newline at end of file +echo "### Starting Nginx" +nginx -g 'daemon off;' diff --git a/sechub-web-ui-solution/helm/web-ui/Chart.yaml b/sechub-web-ui-solution/helm/web-ui/Chart.yaml index 98ded79be..49d21f10a 100644 --- a/sechub-web-ui-solution/helm/web-ui/Chart.yaml +++ b/sechub-web-ui-solution/helm/web-ui/Chart.yaml @@ -11,4 +11,4 @@ type: application # This version number should be incremented each time you make changes to the chart and its templates. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.0 +version: 1.1.0 
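Review bot: The new main block calls install_ssl_certs whenever WEB_UI_SSL_KEYSTORE_ALIAS differs from the literal `undefined`, so an unset or empty variable (the image started outside the Helm chart, which is the only place the default is injected) also enters the keystore path although no secret is mounted. Treating unset like the sentinel keeps the self-signed default for that case: `if [ "${WEB_UI_SSL_KEYSTORE_ALIAS:-undefined}" != "undefined" ] ; then`. In this commit install_ssl_certs is only an echo; the later patch in this series fills in the body and corrects the `$WEB_UI_SSL_KEYSTOREALIAS` spelling used here.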
diff --git a/sechub-web-ui-solution/helm/web-ui/README.md b/sechub-web-ui-solution/helm/web-ui/README.md index cc47cbf2a..de8102310 100644 --- a/sechub-web-ui-solution/helm/web-ui/README.md +++ b/sechub-web-ui-solution/helm/web-ui/README.md @@ -1,4 +1,43 @@ # SecHub Web UI - This Helm chart is used to deploy the SecHub Web UI to a Kubernetes cluster. \ No newline at end of file +This Helm chart is used to deploy the SecHub Web UI to a Kubernetes cluster. + +## SSL certificates and keys + +### Default SSL setup +The web-ui container image is shipped with initially created self-signed certificates. + +### User-provided SSL keystore +If you want to provide your own "official" certificates, +you need to create a pkcs12 keystore with a "name" attribute (e.g. `sechub-web-ui.example.com`). + +#### How to create the .p12 keystore +Create a private key (`sechub-web-ui.key`), create a certificate signed by a CA of your trust (`sechub-web-ui.cert`). +```bash +NAME="sechub-web-ui.example.com" +openssl pkcs12 -export -in sechub.corpinter.net-full-chain.crt -inkey sechub.corpinter.net_server.key -out ${NAME}.p12 -name ${NAME} +# Enter pass phrase for private key file +# Enter Export Password for .p12 keystore +``` + +#### Set .p12 and its password as Kubernetes secrets +A Kubernetes secret `secret-web-ui-ssl` must be defined containing +- `keystore_file` - Your .p12 keystore file created in the previous step
+ Inside the .p12 keystore, an alias with ${NAME} is expected pointing to the ssl certificate to use +- `keystore_password` - Export Password for .p12 keystore from above step + +#### Update your values.yaml +Declare ${NAME} as your keystore alias in your Helm values.yaml file. + +Example: +```yaml +web_ui: + ssl: + keystoreAlias: "sechub-web-ui.example.com" +``` + +#### Deploy +Now you can deploy using your values.yaml file from above. + +Then the SecHub web-ui will use your certificates and key for https encryption. diff --git a/sechub-web-ui-solution/helm/web-ui/templates/deployment.yaml b/sechub-web-ui-solution/helm/web-ui/templates/deployment.yaml index ae8cc3424..c17be0f27 100644 --- a/sechub-web-ui-solution/helm/web-ui/templates/deployment.yaml +++ b/sechub-web-ui-solution/helm/web-ui/templates/deployment.yaml @@ -104,6 +104,8 @@ spec: env: - name: DEPLOYMENT_COMMENT value: "{{ .Values.deploymentComment }}" + - name: WEB_UI_SSL_KEYSTORE_ALIAS + value: "{{ .Values.web_ui.ssl.keystoreAlias }}" resources: # min container memory requests: diff --git a/sechub-web-ui-solution/helm/web-ui/values.yaml b/sechub-web-ui-solution/helm/web-ui/values.yaml index d7ab54d9a..4148eb2b3 100644 --- a/sechub-web-ui-solution/helm/web-ui/values.yaml +++ b/sechub-web-ui-solution/helm/web-ui/values.yaml @@ -27,12 +27,12 @@ resources: web_ui: ssl: keystoreAlias: "undefined" - # Alias in .p12 keystore. + # Alias in pkcs12 (.p12) keystore. # - On `undefined`, a self-signed certificate will be used. - # - otherwise, k8s secret `secret-webui-ssl` must be defined containing + # - otherwise, a Kubernetes secret `secret-web-ui-ssl` must be defined containing # - `keystore_file` (containing the ssl certificate chain) # Inside the .p12 keystore, an alias with this name is expected - # pointing to the ssl certificate to use + # pointing to the ssl key and certificate to use # - `keystore_password` # deploymentComment (optional): 
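Review bot: The added env entry passes the alias, but nothing in this hunk mounts the `secret-web-ui-ssl` secret the README describes, while the container script in the later patch reads the keystore from `/sechub-web-ui/secrets/secret-ssl`; unless a volume and volumeMount for that secret already exist elsewhere in the template (outside this hunk), a non-`undefined` alias fails at container start. If the mount is there, a one-line comment next to the env var, `# keystore_file and keystore_password are read from the secret-web-ui-ssl mount, see docker/run.sh`, ties the two together for the next reader.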
From 232aeb1824649c26a53f3dd57370c5684c0eb89b Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Fri, 8 Nov 2024 10:53:55 +0100 Subject: [PATCH 2/3] certificate handling added #3596 --- .../docker/Web-UI-Debian.dockerfile | 2 +- sechub-web-ui-solution/docker/run.sh | 23 ++++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile b/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile index 419d83d9e..e66c46d24 100644 --- a/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile +++ b/sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile @@ -148,7 +148,7 @@ COPY --from=builder "${WEB_UI_ARTIFACTS}/.output/public" "${HTDOCS_FOLDER}" # Create PID file and set permissions RUN touch /var/run/nginx.pid && \ chmod 755 "$HTDOCS_FOLDER" && \ - chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" "$HTDOCS_FOLDER" /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid && \ + chown -R "$USER:$USER" "$CERTIFICATE_DIRECTORY" /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid && \ chmod +x /run.sh # Switch from root to non-root user diff --git a/sechub-web-ui-solution/docker/run.sh b/sechub-web-ui-solution/docker/run.sh index 748ae56f3..c23533a0f 100644 --- a/sechub-web-ui-solution/docker/run.sh +++ b/sechub-web-ui-solution/docker/run.sh @@ -1,5 +1,6 @@ #!/bin/sh # SPDX-License-Identifier: MIT +set -e debug () { while true ; do 
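Review bot: Dropping `"$HTDOCS_FOLDER"` from the chown leaves the served content root-owned while nginx runs as the non-root user, which reads as a deliberate read-only hardening, but the RUN line's comment still says only "Create PID file and set permissions", so the next maintainer may add it back. If that is the intent, record it on the RUN line, e.g. `# HTDOCS_FOLDER intentionally stays root-owned: the nginx user only needs read access (chmod 755)`.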
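Review bot: `set -e` on the new line 3 aborts on failing commands, but it does nothing for the `cd "$CERTIFICATE_DIRECTORY"` that install_ssl_certs runs in the next hunk when the variable is unset or empty: common /bin/sh implementations treat `cd ""` as success, so the extracted key and certificate would be written to the current working directory and nginx would keep the self-signed pair. `set -eu`, or `cd "${CERTIFICATE_DIRECTORY:?CERTIFICATE_DIRECTORY not set}"`, turns that into a hard failure; if -u is used, the main block's test should read `"${WEB_UI_SSL_KEYSTORE_ALIAS:-undefined}"` so an unset alias still selects the self-signed default. The `debug` function continues past the end of this hunk.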
@@ -9,7 +10,27 @@ debug () { } install_ssl_certs () { - echo "### Installing SSL certs \"$WEB_UI_SSL_KEYSTOREALIAS\"" + echo "### Installing SSL certs \"$WEB_UI_SSL_KEYSTORE_ALIAS\"" + K8S_SSL_SECRETS="/sechub-web-ui/secrets/secret-ssl" + + cd "$CERTIFICATE_DIRECTORY" + + echo "# Extraxting private key" + openssl pkcs12 -in "$K8S_SSL_SECRETS/keystore_file" -nocerts -out key.pem -nodes -legacy -password file:"$K8S_SSL_SECRETS/keystore_password" + + echo "# Extracting certificate(s)" + openssl pkcs12 -in "$K8S_SSL_SECRETS/keystore_file" -nokeys -out cert.pem -nodes -legacy -password file:"$K8S_SSL_SECRETS/keystore_password" + + echo "# Verifying name (keystore alias)" + grep "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS" key.pem + grep "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS" cert.pem + + echo "# Replacing certificates" + cat key.pem | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > sechub-web-ui.key + cat cert.pem | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > sechub-web-ui.cert + + # cleanup temporary files + rm -f key.pem cert.pem } ############### From c851b51f0645c64e13743a9a4340656b7fbc5efe Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Fri, 8 Nov 2024 11:51:10 +0100 Subject: [PATCH 3/3] readme improved due to Pr suggestion #3596 --- sechub-web-ui-solution/helm/web-ui/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sechub-web-ui-solution/helm/web-ui/README.md b/sechub-web-ui-solution/helm/web-ui/README.md index de8102310..68b211e97 100644 --- a/sechub-web-ui-solution/helm/web-ui/README.md +++ b/sechub-web-ui-solution/helm/web-ui/README.md 
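Review bot: The unencrypted private key written to key.pem is created with the process umask and only removed by the `rm -f` at the end of install_ssl_certs, so when either alias check fails (a non-zero grep exits the script under `set -e`) it stays behind in CERTIFICATE_DIRECTORY with the default file mode. Setting `umask 077` before the openssl calls, extracting into a `mktemp -d` directory and removing it from an EXIT trap closes both gaps; the Dockerfile switches to the same non-root user that runs nginx, so 0600 output files should still be readable by it, but confirm that, and restore the umask afterwards if nginx's own files must keep their current mode. The two `grep "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS"` checks also treat the alias as a basic regex and accept any alias that merely starts with the expected name; `grep -qF --` with the fixed string is at least literal, and the sed extraction still copies every key and certificate block regardless of which entry carried the alias. The `cat key.pem | sed …` pipelines can read the file directly, and the echo before the first openssl step spells "Extraxting".
```sh
install_ssl_certs () {
  # … unchanged: echo, K8S_SSL_SECRETS, cd "$CERTIFICATE_DIRECTORY" …

  # Unencrypted key material: private file mode, private scratch dir,
  # removed even when a later step aborts the script (set -e).
  old_umask=$(umask)
  umask 077
  tmpdir=$(mktemp -d)
  trap 'rm -rf -- "${tmpdir:?}"' EXIT

  echo "# Extracting private key"
  openssl pkcs12 -in "$K8S_SSL_SECRETS/keystore_file" -nocerts -out "$tmpdir/key.pem" -nodes -legacy -password file:"$K8S_SSL_SECRETS/keystore_password"

  echo "# Extracting certificate(s)"
  openssl pkcs12 -in "$K8S_SSL_SECRETS/keystore_file" -nokeys -out "$tmpdir/cert.pem" -nodes -legacy -password file:"$K8S_SSL_SECRETS/keystore_password"

  echo "# Verifying name (keystore alias)"
  grep -qF -- "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS" "$tmpdir/key.pem"
  grep -qF -- "friendlyName: $WEB_UI_SSL_KEYSTORE_ALIAS" "$tmpdir/cert.pem"

  echo "# Replacing certificates"
  sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' "$tmpdir/key.pem" > sechub-web-ui.key
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$tmpdir/cert.pem" > sechub-web-ui.cert

  # cleanup temporary files and restore the original umask for nginx
  rm -rf -- "${tmpdir:?}"
  trap - EXIT
  umask "$old_umask"
}
```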
@@ -9,8 +9,8 @@ This Helm chart is used to deploy the SecHub Web UI to a Kubernetes cluster. The web-ui container image is shipped with initially created self-signed certificates. ### User-provided SSL keystore -If you want to provide your own "official" certificates, -you need to create a pkcs12 keystore with a "name" attribute (e.g. `sechub-web-ui.example.com`). +If you want to provide your own officially signed certificates, +you need to create a pkcs12 keystore with a "-name" attribute (e.g. `sechub-web-ui.example.com`). #### How to create the .p12 keystore Create a private key (`sechub-web-ui.key`), create a certificate signed by a CA of your trust (`sechub-web-ui.cert`).