From 5a0d0565646719c14f48354fbcb404425fdf8c75 Mon Sep 17 00:00:00 2001
From: Steve Juergens
Date: Tue, 31 Dec 2024 16:00:27 -0500
Subject: [PATCH 01/31] Initial configuration to split configuration to containers
---
 core/files/entrypoint.sh | 19 +++++++++++--
 core/files/entrypoint_fpm.sh | 4 +++
 core/files/entrypoint_k8s_fpm.sh | 27 +++++++++++++++++++
 core/files/entrypoint_k8s_nginx.sh | 10 +++++++
 core/files/entrypoint_nginx.sh | 5 +++-
 .../supervisor/conf.d/10-supervisor.conf.k8s | 21 +++++++++++++++
 6 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 core/files/entrypoint_k8s_fpm.sh
 create mode 100644 core/files/entrypoint_k8s_nginx.sh
 create mode 100644 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 47fead8b..9529ecd2 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -76,5 +76,20 @@ export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
 export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
 export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}
-# start supervisord using the main configuration file so we have a socket interface
-/usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf
+if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
+ case "$CONTAINER_NAME" in
+ nginx*)
+ exec /entrypoint_k8s_nginx.sh
+ ;;
+ php*)
+ exec /entrypoint_k8s_fpm.sh
+ ;;
+ cron*)
+ mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
+ exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+ ;;
+ esac
+else
+ # start supervisord using the main configuration file so we have a socket interface
+ /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf
+fi
\ No newline at end of file
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index a319a4ca..b93d02f7 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
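Review bot: The new `case "$CONTAINER_NAME" in` block has no `*)` arm, so inside a Kubernetes pod where `CONTAINER_NAME` is unset or does not start with `nginx`, `php` or `cron`, no branch runs, the `if` completes, and the entrypoint simply exits with a container that has no main process and no diagnostic. Add a default arm that either fails loudly or falls back to the legacy single-container path, e.g. `*) echo "entrypoint: unsupported CONTAINER_NAME '${CONTAINER_NAME}'" >&2; exit 1 ;;`. The `cron*` arm also uses `mv` on the `.k8s` config without checking the result; with `set -e` absent from this file (as far as the hunk shows) a failed rename still leads to `exec supervisord`, which would then start without the intended configuration.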
@@ -64,6 +64,10 @@ change_php_vars() {
 done
 }
+if [ -n "${BASH_SOURCE[0]}" ]; then
+ return
+fi
+
 echo "Configure PHP | Change PHP values ..." && change_php_vars
 echo "Configure PHP | Starting PHP FPM"
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh
new file mode 100644
index 00000000..ba08ddf6
--- /dev/null
+++ b/core/files/entrypoint_k8s_fpm.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+source /entrypoint_nginx.sh
+source /entrypoint_fpm.sh
+
+# Initialize MySQL
+echo "INIT | Initialize MySQL ..." && init_mysql
+
+# Initialize MISP
+echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
+echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
+echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
+
+# Run configure MISP script
+echo "INIT | Configure MISP installation ..."
+/configure_misp.sh
+
+if [[ -x /custom/files/customize_misp.sh ]]; then
+ echo "INIT | Customize MISP installation ..."
+ /custom/files/customize_misp.sh
+fi
+
+echo "Configure PHP | Change PHP values ..." && change_php_vars
+
+echo "Configure PHP | Starting PHP FPM"
+exec /usr/sbin/php-fpm8.2 -R -F
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh
new file mode 100644
index 00000000..13638d3c
--- /dev/null
+++ b/core/files/entrypoint_k8s_nginx.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+source /entrypoint_nginx.sh
+
+# Initialize nginx
+echo "INIT | Initialize NGINX ..." && init_nginx
+
+# launch nginx as current shell process in container
+exec nginx -g 'daemon off;'
+
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 60a72413..d090016c 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
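Review bot: The guard `if [ -n "${BASH_SOURCE[0]}" ]; then return; fi` cannot tell a sourced file from an executed one: bash sets `BASH_SOURCE[0]` to the script path in both cases, so when supervisord runs `/entrypoint_fpm.sh` directly the condition is also true and `return` is executed outside any function or sourced context, which bash reports as an error ("can only `return' from a function or sourced script") and, in its default mode, continues past — the guard is noise on the direct path and only works by accident. The idiomatic test compares against `$0`: `if [[ "${BASH_SOURCE[0]}" != "$0" ]]; then return; fi`, which returns only when the file is sourced (as the new `/entrypoint_k8s_fpm.sh` does) and falls through to the `change_php_vars` / php-fpm start when executed. The same construct is added to `entrypoint_nginx.sh` in this commit and needs the same fix.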
@@ -255,7 +255,7 @@ flip_nginx() {
 echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
 sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp
- if [[ "$reload" = "true" ]]; then
+ if [[ "$reload" = "true" ]] && [[ -z "$KUBERNETES_SERVICE_HOST" ]]; then
 echo "... nginx reloaded"
 nginx -s reload
 fi
@@ -401,6 +401,9 @@ init_nginx() {
 flip_nginx false false
 }
+if [ -n "${BASH_SOURCE[0]}" ]; then
+ return
+fi
 # Initialize MySQL
 echo "INIT | Initialize MySQL ..." && init_mysql
diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
new file mode 100644
index 00000000..296e384b
--- /dev/null
+++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
@@ -0,0 +1,21 @@
+[supervisord]
+nodaemon=true
+user=root
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[inet_http_server]
+port=127.0.0.1:9001
+username=supervisor
+password=supervisor
+
+[program:cron]
+command=/entrypoint_cron.sh
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
From 98aafa1dbcbca8724f6d22986b42c1564ae1d392 Mon Sep 17 00:00:00 2001
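Review bot: As in `entrypoint_fpm.sh`, the added `[ -n "${BASH_SOURCE[0]}" ]` is true whenever bash runs this file, sourced or executed, so it does not achieve the "return when sourced" intent; the working form is `if [[ "${BASH_SOURCE[0]}" != "$0" ]]; then return; fi`. A one-line comment above it would help the next reader, since the guard's only purpose is to let `entrypoint_k8s_*.sh` import the functions above without running the single-container init below: `# When sourced by the k8s entrypoints, stop here: only the function definitions are wanted.` The script's top-level init continues past the end of the hunk.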
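Review bot: `[inet_http_server]` with `username=supervisor` / `password=supervisor` hardcodes the credentials of supervisord's XML-RPC control interface, and binding to `127.0.0.1:9001` does not confine it to this container: all containers in a Kubernetes pod share one network namespace, so the nginx container or any injected sidecar can reach the interface and start, stop or restart the programs of this `user=root` supervisord with a well-known password. Whether the existing non-k8s `supervisord.conf` ships the same defaults is not visible in this hunk, but the new file should not add another copy. Prefer a `[unix_http_server]` with `file=/var/run/supervisor.sock` and `chmod=0700` (supervisorctl works over it), or source the values from the environment with `username=%(ENV_SUPERVISOR_USER)s` and `password=%(ENV_SUPERVISOR_PASSWORD)s` and have the pod spec inject a generated secret.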
From: Jeremy Huntwork
Date: Wed, 8 Jan 2025 10:00:24 -0500
Subject: [PATCH 02/31] Some additional fixes/changes
- Let the php container run the inet supervisord for the bg workers still
- Properly configure the cron container to exec cron
- Add configuration to optionally change the sock file location for php-fpm, allows us to specify a shared file between containers in a pod
- make new entrypoint files executable
- Set the php config value for `session.cookie_domain` so that it doesn't use the default of ''. When empty it falls back to the hostname which will be different per pod, meaning that each pod will handle session requests separately, which breaks things like OIDC.
---
 core/files/entrypoint.sh | 8 +++++---
 core/files/entrypoint_cron.sh | 5 +++++
 core/files/entrypoint_fpm.sh | 5 +++++
 core/files/entrypoint_k8s_fpm.sh | 3 +--
 core/files/entrypoint_k8s_nginx.sh | 3 ++-
 core/files/entrypoint_nginx.sh | 6 ++++++
 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s | 9 ---------
 7 files changed, 24 insertions(+), 15 deletions(-)
 mode change 100644 => 100755 core/files/entrypoint_k8s_fpm.sh
 mode change 100644 => 100755 core/files/entrypoint_k8s_nginx.sh
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 9529ecd2..a707bd52 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -82,14 +82,16 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
 exec /entrypoint_k8s_nginx.sh
 ;;
 php*)
+ # Not ideal, but let supervisord manage the workers still
+ mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
+ /usr/bin/supervisord -c /etc/supervisor/supervisord.conf &
 exec /entrypoint_k8s_fpm.sh
 ;;
 cron*)
- mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
- exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+ exec /entrypoint_cron.sh
 ;;
 esac
 else
 # start supervisord using the main configuration file so we have a socket interface
 /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf
-fi
\ No newline at end of file
+fi
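Review bot: In the `php*)` arm, `supervisord ... &` is backgrounded and immediately followed by `exec /entrypoint_k8s_fpm.sh`, so nothing ever verifies that supervisord started or is still running: if it exits (wrong binary path, port 9001 already bound in the shared pod namespace, bad config) the background workers it manages silently stop while the container, now PID 1 = php-fpm, keeps passing its probes. The more robust arrangement is the inverse — run supervisord in the foreground and declare php-fpm as one of its `[program:...]` entries, so a worker failure is visible and restartable; failing that, at least capture `pid=$!`, `sleep 1; kill -0 "$pid" || exit 1` before the `exec`, and point a liveness probe at something that reflects worker state. The `mv` of the `.k8s` config is likewise unchecked; if it fails, supervisord is started without the intended configuration.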
diff --git a/core/files/entrypoint_cron.sh b/core/files/entrypoint_cron.sh
index e38cb7a8..edfe9115 100755
--- a/core/files/entrypoint_cron.sh
+++ b/core/files/entrypoint_cron.sh
@@ -30,6 +30,11 @@ if [[ ! -p /tmp/cronlog ]]; then
 mkfifo -m 777 /tmp/cronlog
 fi
+if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
+ tail -f /tmp/cronlog &
+ exec cron -l -f
+fi
+
 # Build another fifo for the cron pipe
 if [[ ! -p /tmp/cronpipe ]]; then
 mkfifo /tmp/cronpipe
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index b93d02f7..0f652c43 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
@@ -32,6 +32,7 @@ change_php_vars() {
 sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
 echo "Configure PHP | Setting 'date.timezone = ${PHP_TIMEZONE}'"
 sed -i "s/;?date.timezone = .*/date.timezone = ${PHP_TIMEZONE}/" "$FILE"
+ sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE"
 done
 for FILE in /etc/php/*/fpm/pool.d/www.conf
@@ -61,6 +62,10 @@ change_php_vars() {
 echo "Configure PHP | Disabling 'pm.status_listen'"
 sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE"
 fi
+ if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
+ echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}"
+ sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE"
+ fi
 done
 }
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh
old mode 100644
new mode 100755
index ba08ddf6..c12ec835
--- a/core/files/entrypoint_k8s_fpm.sh
+++ b/core/files/entrypoint_k8s_fpm.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 source /entrypoint_nginx.sh
 source /entrypoint_fpm.sh
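Review bot: `session.cookie_domain = ${BASE_URL}` writes a URL, not a host, into a directive that takes a domain: with `BASE_URL=https://misp.example.com` PHP emits `Set-Cookie: ...; Domain=https://misp.example.com`, which does not domain-match any request host and is expected to be discarded by browsers, so sessions would break entirely rather than be shared. Derive the host first and substitute that — `host=${BASE_URL#*://}; host=${host%%[:/]*}` then `session.cookie_domain = ${host}` — and note that any explicit `Domain` turns the cookie from host-only into one sent to every subdomain of that host, which is a wider scope than MISP has today. The rationale in the commit message is also doubtful: an empty `session.cookie_domain` yields a host-only cookie keyed on the browser's `Host` header, not on the pod's hostname, so sessions that do not survive a switch between pods point to per-pod session storage (file-based sessions without a shared backend), which this change does not address. Finally the pattern `session.cookie_domain = .*` requires a space after `=`, and the stock php.ini line is `session.cookie_domain =`; confirm the sed actually matches on the shipped php.ini, since `change_php_vars` is silent when it does not.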
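Review bot: `PHP_FPM_SOCK_FILE` is spliced unvalidated into the sed replacement `s@=.*@= ${PHP_FPM_SOCK_FILE}@` (and, in the nginx hunk of this commit, into `fastcgi_pass unix:...;`), so a value containing `@`, `&` or `\` silently corrupts `www.conf` instead of failing; it is operator-supplied, so this is robustness rather than injection, but a one-line check before the `sed` is cheap: `[[ "$PHP_FPM_SOCK_FILE" == /* && "$PHP_FPM_SOCK_FILE" != *[@\&\\]* ]] || { echo "invalid PHP_FPM_SOCK_FILE" >&2; exit 1; }`. With the socket placed on a volume shared with the nginx container, the pool's `listen.owner`, `listen.group` and `listen.mode` decide whether nginx's worker uid can connect; nothing in this hunk sets them, so either document that the existing `www.conf` values already match the nginx user or make them configurable alongside the path.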
@@ -10,7 +10,6 @@ echo "INIT | Initialize MySQL ..." && init_mysql
 echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
 echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
 echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
-echo "INIT | Flip NGINX live ..." && flip_nginx true true
 # Run configure MISP script
 echo "INIT | Configure MISP installation ..."
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh
old mode 100644
new mode 100755
index 13638d3c..cc9634cd
--- a/core/files/entrypoint_k8s_nginx.sh
+++ b/core/files/entrypoint_k8s_nginx.sh
@@ -1,9 +1,10 @@
-#!/bin/bash
+#!/bin/bash -e
 source /entrypoint_nginx.sh
 # Initialize nginx
 echo "INIT | Initialize NGINX ..." && init_nginx
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
 # launch nginx as current shell process in container
 exec nginx -g 'daemon off;'
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index d090016c..cebc0247 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@@ -262,6 +262,12 @@ flip_nginx() {
 }
 init_nginx() {
+ # Optional location of PHP-FPM sock file
+ if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
+ echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}"
+ sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp
+ fi
+
 # Adjust timeouts
 echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}"
 sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp
diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
index 296e384b..aa929c2e 100644
--- a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
+++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
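Review bot: Moving `flip_nginx true true` into the nginx container makes the docroot live as soon as `init_nginx` finishes, while the php container is still running `init_mysql` / `init_misp_data_files` / `configure_misp.sh` in parallel; the two containers have no ordering, so for that window nginx serves the MISP docroot against a backend that is either absent (no socket yet) or partially configured, which previously could not happen because a single process did both steps in sequence. If the intent is that the readiness probe covers this gap, say so in a comment; otherwise gate the flip on the shared socket appearing, e.g. `until [[ -S "${PHP_FPM_SOCK_FILE}" ]]; do sleep 1; done` before `flip_nginx true true` when `PHP_FPM_SOCK_FILE` is set. The `-e` in `#!/bin/bash -e` only applies when the file is executed directly (as `entrypoint.sh` does via `exec`), not when invoked as `bash /entrypoint_k8s_nginx.sh`; a `set -e` on the first line is the conventional placement.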
@@ -10,12 +10,3 @@ stderr_logfile_maxbytes=0
 port=127.0.0.1:9001
 username=supervisor
 password=supervisor
-
-[program:cron]
-command=/entrypoint_cron.sh
-autorestart=true
-redirect_stderr=true
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
From 2c88e8b7c96d0e4e164fa6ef5d39acc0ab9c6fb2 Mon Sep 17 00:00:00 2001
From: jeremiah-RENISAC Date: Tue, 8 Jul 2025 15:45:42 -0400 Subject: [PATCH 03/31] Added K8s CronJobs of default MISP cronjobs Applied using kubectl kustomize `kubectl apply -k cronjobs` --- .../k8s_cronjobs/base/base-api-cronjob.yaml | 27 +++++++++++++++++++ .../k8s_cronjobs/base/kustomization.yaml | 2 ++ .../k8s_cronjobs/k8s-misp-cron-secret.yaml | 9 +++++++ core/files/k8s_cronjobs/kustomization.yaml | 9 +++++++ .../overlays/cacheFeed/kustomization.yaml | 7 +++++ .../overlays/cacheFeed/patch.yaml | 18 +++++++++++++ .../overlays/fetchFeed/kustomization.yaml | 7 +++++ .../overlays/fetchFeed/patch.yaml | 18 +++++++++++++ .../overlays/pullAll/kustomization.yaml | 7 +++++ .../k8s_cronjobs/overlays/pullAll/patch.yaml | 25 +++++++++++++++++ .../overlays/pushAll/kustomization.yaml | 7 +++++ .../k8s_cronjobs/overlays/pushAll/patch.yaml | 25 +++++++++++++++++ .../updateGalaxies/kustomization.yaml | 7 +++++ .../overlays/updateGalaxies/patch.yaml | 18 +++++++++++++ .../updateNoticeLists/kustomization.yaml | 7 +++++ .../overlays/updateNoticeLists/patch.yaml | 18 +++++++++++++ .../updateTaxonomies/kustomization.yaml | 7 +++++ .../overlays/updateTaxonomies/patch.yaml | 18 +++++++++++++ .../updateWarningLists/kustomization.yaml | 7 +++++ .../overlays/updateWarningLists/patch.yaml | 18 +++++++++++++ 20 files changed, 261 insertions(+) create mode 100644 core/files/k8s_cronjobs/base/base-api-cronjob.yaml create mode 100644 core/files/k8s_cronjobs/base/kustomization.yaml create mode 100644 core/files/k8s_cronjobs/k8s-misp-cron-secret.yaml create mode 100644 core/files/k8s_cronjobs/kustomization.yaml create mode 100644 core/files/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml create mode 100644 core/files/k8s_cronjobs/overlays/cacheFeed/patch.yaml create mode 100644 core/files/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml create mode 100644 core/files/k8s_cronjobs/overlays/fetchFeed/patch.yaml create mode 100644 core/files/k8s_cronjobs/overlays/pullAll/kustomization.yaml 
create mode 100644 core/files/k8s_cronjobs/overlays/pullAll/patch.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/pushAll/kustomization.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/pushAll/patch.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateGalaxies/patch.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml
create mode 100644 core/files/k8s_cronjobs/overlays/updateWarningLists/patch.yaml
diff --git a/core/files/k8s_cronjobs/base/base-api-cronjob.yaml b/core/files/k8s_cronjobs/base/base-api-cronjob.yaml
new file mode 100644
index 00000000..608330f4
--- /dev/null
+++ b/core/files/k8s_cronjobs/base/base-api-cronjob.yaml
@@ -0,0 +1,27 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: misp-curljob
+spec:
+ schedule: "* * * * *" # Placeholder; Overridden in overlays
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: curl-job
+ image: curlimages/curl:latest
+ command: ["/bin/sh", "-c"]
+ args: ["echo 'Placeholder Command'"] # Placeholder; Overridden in overlays
+ env:
+ - name: BASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: misp-cron-secret
+ key: url
+ - name: MISP_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: misp-cron-secret
+ key: api_key
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/base/kustomization.yaml b/core/files/k8s_cronjobs/base/kustomization.yaml
new file mode 100644
index 00000000..8db0b970
--- /dev/null
+++ b/core/files/k8s_cronjobs/base/kustomization.yaml
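Review bot: `image: curlimages/curl:latest` is a mutable tag re-pulled on every schedule, so the pod that holds a MISP API key capable of pulling from and pushing to every configured sync server runs whatever that tag resolves to on the night in question; pin it to a version and digest (`curlimages/curl:<version>@sha256:<digest>`) and let a dependency bot bump it. The pod template also mounts the default service-account token although the job only talks to MISP over HTTPS — add `automountServiceAccountToken: false` to the pod spec — and sets no `concurrencyPolicy`, `activeDeadlineSeconds` or `successfulJobsHistoryLimit`, so a hung curl can overlap with the next run and completed pods accumulate. Because `restartPolicy: OnFailure` only reacts to a non-zero exit, every overlay's `curl -sS` needs `--fail` (or `--fail-with-body`) as well, otherwise a 401 from a revoked key or a 404 from a wrong path is recorded as a successful Job. Finally, passing the key as `-H "Authorization: $MISP_API_KEY"` puts it in curl's argv, visible to anything that can read the pod's process list; `-H @/dev/stdin` with the header piped in, or a `--config` file built from the variable, keeps it out.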
@@ -0,0 +1,2 @@
+resources:
+ - base-api-cronjob.yaml
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/k8s-misp-cron-secret.yaml b/core/files/k8s_cronjobs/k8s-misp-cron-secret.yaml
new file mode 100644
index 00000000..5f99753c
--- /dev/null
+++ b/core/files/k8s_cronjobs/k8s-misp-cron-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: misp-cron-secret
+type: Opaque
+stringData:
+ url: "https://misp.example.com" # Replace with your MISP instance URL
+data:
+ api_key: "" # Base64 encoded value of your MISP API key goes here
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/kustomization.yaml b/core/files/k8s_cronjobs/kustomization.yaml
new file mode 100644
index 00000000..941ea0fc
--- /dev/null
+++ b/core/files/k8s_cronjobs/kustomization.yaml
@@ -0,0 +1,9 @@
+resources:
+ - overlays/cacheFeed
+ - overlays/fetchFeed
+ - overlays/pullAll
+ - overlays/pushAll
+ - overlays/updateGalaxies
+ - overlays/updateNoticeLists
+ - overlays/updateTaxonomies
+ - overlays/updateWarningLists
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml b/core/files/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml
new file mode 100644
index 00000000..2de5d59d
--- /dev/null
+++ b/core/files/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../../base/
+
+patches:
+ - path: patch.yaml
+
+nameSuffix: -feed-cache
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/overlays/cacheFeed/patch.yaml b/core/files/k8s_cronjobs/overlays/cacheFeed/patch.yaml
new file mode 100644
index 00000000..c61aead6
--- /dev/null
+++ b/core/files/k8s_cronjobs/overlays/cacheFeed/patch.yaml
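Review bot: Shipping a tracked `kind: Secret` manifest with an `api_key: ""` slot and a "paste the base64 here" comment invites operators to fill in a live MISP key in a file git already knows about, and the base64 hint gives a false sense of protection since it is an encoding, not encryption. The top-level `kustomization.yaml` also does not list `k8s-misp-cron-secret.yaml`, so the `kubectl apply -k cronjobs` from the commit message creates eight CronJobs that all reference a Secret that does not exist; their pods will sit in `CreateContainerConfigError` until someone applies the secret by hand, and nothing in the tree says so. Replace the manifest with a kustomize `secretGenerator` that reads a git-ignored file — `secretGenerator: [{name: misp-cron-secret, envs: [misp-cron.env]}]` with `misp-cron.env` holding `url=` and `api_key=` — or with an external-secrets reference, and add a README line stating which MISP role the key needs; since it drives server pull/push, a dedicated least-privilege sync user is preferable to a site-admin key.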
@@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/feeds/cacheFeeds/all" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml b/core/files/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml new file mode 100644 index 00000000..cd037e99 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -feed-fetch \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/fetchFeed/patch.yaml b/core/files/k8s_cronjobs/overlays/fetchFeed/patch.yaml new file mode 100644 index 00000000..692b9bc0 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/fetchFeed/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "30 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/feeds/fetchFromAllFeeds" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/pullAll/kustomization.yaml b/core/files/k8s_cronjobs/overlays/pullAll/kustomization.yaml new file mode 100644 index 00000000..7e0e3c66 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/pullAll/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -pullall \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/pullAll/patch.yaml b/core/files/k8s_cronjobs/overlays/pullAll/patch.yaml new file mode 100644 index 00000000..6e8e8451 
--- /dev/null +++ b/core/files/k8s_cronjobs/overlays/pullAll/patch.yaml @@ -0,0 +1,25 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "0 1 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X GET "$BASE_URL/servers" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" + | awk '/"Server":/,/}/' + | grep -o '"id": "[0-9]*"' + | grep -o '[0-9]\+' + | xargs -I {} curl -sS -X POST $BASE_URL/servers/pull/{} + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" diff --git a/core/files/k8s_cronjobs/overlays/pushAll/kustomization.yaml b/core/files/k8s_cronjobs/overlays/pushAll/kustomization.yaml new file mode 100644 index 00000000..d6e18455 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/pushAll/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -pushall \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/pushAll/patch.yaml b/core/files/k8s_cronjobs/overlays/pushAll/patch.yaml new file mode 100644 index 00000000..9db48668 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/pushAll/patch.yaml @@ -0,0 +1,25 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "0 0 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X GET "$BASE_URL/servers" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" + | awk '/"Server":/,/}/' + | grep -o '"id": "[0-9]*"' + | grep -o '[0-9]\+' + | xargs -I {} curl -sS -X POST $BASE_URL/servers/push/{} + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file 
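Review bot: The pull-all and push-all pipelines recover server ids with `awk '/"Server":/,/}/' | grep -o '"id": "[0-9]*"'`, which assumes MISP returns pretty-printed JSON with one key per line and that the `Server` object's `id` is the only `"id"` before the first `}`; a compact response, or a nested object such as an organisation block with its own `id`, yields zero or wrong ids, and because neither curl uses `--fail` the job still exits 0 and the CronJob looks healthy while syncing nothing (or the wrong server). `$BASE_URL` is also unquoted in the `xargs` curl, unlike the first call. The `curlimages/curl` image has no `jq`, so either run this step in an image that does and parse with `jq -r '.[].Server.id'`, or keep an explicit list of server ids in the overlay; in both cases add `--fail` to both curls so that a 401 or a missing server is recorded as a failed Job. The same pattern appears in the pushAll patch and needs the same treatment.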
diff --git a/core/files/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml b/core/files/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml new file mode 100644 index 00000000..359a585b --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -update-galaxies \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/updateGalaxies/patch.yaml b/core/files/k8s_cronjobs/overlays/updateGalaxies/patch.yaml new file mode 100644 index 00000000..33fd4c62 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/updateGalaxies/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/galaxies/update" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml b/core/files/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml new file mode 100644 index 00000000..bb341438 --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -update-notice \ No newline at end of file diff --git a/core/files/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml b/core/files/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml new file mode 100644 index 00000000..0477456f --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml 
@@ -0,0 +1,18 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: misp-curljob
+spec:
+ schedule: "20 2 * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: curl-job
+ args:
+ - >
+ curl -sS -X POST "$BASE_URL/noticelists/update"
+ -H "Accept: application/json"
+ -H "Content-Type: application/json"
+ -H "Authorization: $MISP_API_KEY"
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml b/core/files/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml
new file mode 100644
index 00000000..62b92106
--- /dev/null
+++ b/core/files/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../../base/
+
+patches:
+ - path: patch.yaml
+
+nameSuffix: -update-taxonomies
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml b/core/files/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml
new file mode 100644
index 00000000..515e4b18
--- /dev/null
+++ b/core/files/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml
@@ -0,0 +1,18 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: misp-curljob
+spec:
+ schedule: "20 2 * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: curl-job
+ args:
+ - >
+ curl -sS -X POST "$BASE_URL/taxonoomies/update"
+ -H "Accept: application/json"
+ -H "Content-Type: application/json"
+ -H "Authorization: $MISP_API_KEY"
\ No newline at end of file
diff --git a/core/files/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml b/core/files/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml
new file mode 100644
index 00000000..9dcbc852
--- /dev/null
+++ b/core/files/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../../base/
+
+patches:
+ - path: patch.yaml
+
+nameSuffix: -update-warninglists
\ No newline at end of file
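Review bot: The updateTaxonomies overlay posts to `"$BASE_URL/taxonoomies/update"` — `taxonoomies` is misspelled — so the job hits a non-existent route, and because curl runs with `-sS` but without `--fail`, the 404 is swallowed, the container exits 0 and the CronJob reports success every night while taxonomies are never updated. Fix the path to `"$BASE_URL/taxonomies/update"` and add `--fail` to this and the sibling overlays so a wrong route or a revoked key shows up as a failed Job instead of a green one. Five of the overlays (cacheFeed, updateGalaxies, updateNoticeLists, updateTaxonomies, updateWarningLists) also fire at the same minute, `20 2 * * *`; staggering them avoids five concurrent update requests against one instance.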
diff --git a/core/files/k8s_cronjobs/overlays/updateWarningLists/patch.yaml b/core/files/k8s_cronjobs/overlays/updateWarningLists/patch.yaml new file mode 100644 index 00000000..110e92dc --- /dev/null +++ b/core/files/k8s_cronjobs/overlays/updateWarningLists/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/warninglists/update" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file From 91513b38efdffcace4825a0b9256c67bba01c352 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Tue, 8 Jul 2025 15:47:35 -0400 Subject: [PATCH 04/31] Updated supervisored path --- core/files/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index a707bd52..44bfd5a0 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh @@ -84,7 +84,7 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then php*) # Not ideal, but let supervisord manage the workers still mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,} - /usr/bin/supervisord -c /etc/supervisor/supervisord.conf & + /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf & exec /entrypoint_k8s_fpm.sh ;; cron*) From 21f6c9a3bcd23844452982538d4e73ad428535e1 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Tue, 8 Jul 2025 15:47:45 -0400 Subject: [PATCH 05/31] Removed cron container in favor of K8s cronjobs. --- core/files/entrypoint.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index 44bfd5a0..84d66d50 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh 
@@ -87,9 +87,6 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
 /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf &
 exec /entrypoint_k8s_fpm.sh
 ;;
- cron*)
- exec /entrypoint_cron.sh
- ;;
 esac
 else
 # start supervisord using the main configuration file so we have a socket interface
From 11f6111635eec2f12d705d1cf5a2af5f5253cbb2 Mon Sep 17 00:00:00 2001
From: jeremiah-RENISAC
Date: Tue, 8 Jul 2025 15:50:20 -0400
Subject: [PATCH 06/31] Prevent breaking existing setups per oivindoh comment
---
 core/files/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 84d66d50..6c401a9a 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -76,7 +76,7 @@ export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
 export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
 export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}
-if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
+if [ -n "$KUBERNETES_SERVICE_HOST" ] && [ -n "$CONTAINER_NAME" ]; then
 case "$CONTAINER_NAME" in
 nginx*)
 exec /entrypoint_k8s_nginx.sh
From 83e52982381251c0b78b682b0c374956105e4396 Mon Sep 17 00:00:00 2001
From: jeremiah-RENISAC
Date: Thu, 10 Jul 2025 08:18:13 -0400
Subject: [PATCH 07/31] Changed workflows target repo to variable
---
 .github/workflows/release-latest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml
index 4c14b4a9..ac7d5986 100644
--- a/.github/workflows/release-latest.yml
+++ b/.github/workflows/release-latest.yml
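Review bot: The added `&& [ -n "$CONTAINER_NAME" ]` only covers the unset case; a Kubernetes pod that sets `CONTAINER_NAME` to anything other than `nginx*` or `php*` (for example the old `cron` value, whose arm the previous commit deleted) still enters the `case`, matches nothing, and the script ends with no process started. A `*)` arm closes that gap without affecting existing setups: `*) echo "entrypoint: unsupported CONTAINER_NAME '${CONTAINER_NAME}', expected nginx* or php*" >&2; exit 1 ;;`. The `if` is the only thing this file uses to decide between two very different process layouts, so a short comment above it stating that rule would save the next reader a trip through the `kubernetes/` directory.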
@@ -32,7 +32,7 @@ jobs:
 run: |
 sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl
 echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV"
- echo "NAMESPACE=ghcr.io/misp/misp-docker" >> "$GITHUB_ENV"
+ echo "NAMESPACE=ghcr.io/${{ github.repository_owner }}/misp-docker" >> "$GITHUB_ENV"
 - name: Log in to the container registry
 uses: docker/login-action@v3
From aaaaea24eebdc6f3b9f457d00a7cf1fe7dfdc4ca Mon Sep 17 00:00:00 2001
From: jeremiah-RENISAC
Date: Thu, 10 Jul 2025 10:14:28 -0400
Subject: [PATCH 08/31] Force repository owner variable to lowercase (required by ghcr)
---
 .github/workflows/release-latest.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml
index ac7d5986..b30aac90 100644
--- a/.github/workflows/release-latest.yml
+++ b/.github/workflows/release-latest.yml
@@ -32,7 +32,8 @@ jobs:
 run: |
 sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl
 echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV"
- echo "NAMESPACE=ghcr.io/${{ github.repository_owner }}/misp-docker" >> "$GITHUB_ENV"
+ OWNER=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')
+ echo "NAMESPACE=ghcr.io/${OWNER}/misp-docker" >> "$GITHUB_ENV"
 - name: Log in to the container registry
 uses: docker/login-action@v3
From bc687a9dab29c478b9ab30f9695a2aa11da22d19 Mon Sep 17 00:00:00 2001
From: jeremiah-RENISAC
Date: Thu, 10 Jul 2025 12:39:54 -0400
Subject: [PATCH 09/31] Swapped from container_name to _service as container_name isn't automatically exposed
---
 core/files/entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 6c401a9a..902eeadb 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
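Review bot: The new `OWNER=$(echo "$GITHUB_REPOSITORY_OWNER" | tr ...)` line takes the value from the runner environment rather than splicing a `${{ }}` expression into the shell script, which is the pattern GitHub recommends, but the `COMMIT_HASH` line directly above still interpolates `${{ github.sha }}` into the script and uses backticks; for consistency within this `run:` block, `echo "COMMIT_HASH=${GITHUB_SHA::7}" >> "$GITHUB_ENV"` does the same job with no template splice and no subshell. `${GITHUB_REPOSITORY_OWNER,,}` would likewise replace the `echo | tr` pipeline, though either form is fine. Neither value is attacker-controlled here (a commit SHA and an owner login), so this is a style point rather than an injection finding.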
@@ -76,8 +76,8 @@ export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false} export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM} export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M} -if [ -n "$KUBERNETES_SERVICE_HOST" ] && [ -n "$CONTAINER_NAME" ]; then - case "$CONTAINER_NAME" in +if [ -n "$KUBERNETES_SERVICE_HOST" ] && [ -n "$CONTAINER_SERVICE" ]; then + case "$CONTAINER_SERVICE" in nginx*) exec /entrypoint_k8s_nginx.sh ;; From 53e26ff957cfe8c53d91f3ff24584c9caff91910 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 10 Jul 2025 12:40:51 -0400 Subject: [PATCH 10/31] Removed cron entrypoint customizations as tasks refactored to k8s cronjobs --- core/files/entrypoint_cron.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/core/files/entrypoint_cron.sh b/core/files/entrypoint_cron.sh index edfe9115..e38cb7a8 100755 --- a/core/files/entrypoint_cron.sh +++ b/core/files/entrypoint_cron.sh @@ -30,11 +30,6 @@ if [[ ! -p /tmp/cronlog ]]; then mkfifo -m 777 /tmp/cronlog fi -if [ -n "$KUBERNETES_SERVICE_HOST" ]; then - tail -f /tmp/cronlog & - exec cron -l -f -fi - # Build another fifo for the cron pipe if [[ ! -p /tmp/cronpipe ]]; then mkfifo /tmp/cronpipe From aff80ac05a271f8eeed5fb9d05ed01faf97cfc4a Mon Sep 17 00:00:00 2001 
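Review bot: Nothing in the hunk says where `CONTAINER_SERVICE` comes from; as far as I know Kubernetes injects `KUBERNETES_SERVICE_HOST` but no per-container name, so each container's pod spec has to set it in `env:`, and a reader of this script cannot tell that the dispatch is otherwise skipped. Document it above the `if`: `# CONTAINER_SERVICE is not provided by Kubernetes; each container's pod spec must set it (nginx*, php*) or the k8s dispatch below is skipped`. The enclosing `if`/`case` continues past the hunk.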
From: jeremiah-RENISAC Date: Thu, 10 Jul 2025 12:43:13 -0400 Subject: [PATCH 11/31] moved k8s yaml location outside of core --- .../files => kubernetes}/k8s_cronjobs/base/base-api-cronjob.yaml | 0 {core/files => kubernetes}/k8s_cronjobs/base/kustomization.yaml | 0 {core/files => kubernetes}/k8s_cronjobs/k8s-misp-cron-secret.yaml | 0 {core/files => kubernetes}/k8s_cronjobs/kustomization.yaml | 0 .../k8s_cronjobs/overlays/cacheFeed/kustomization.yaml | 0 .../k8s_cronjobs/overlays/cacheFeed/patch.yaml | 0 .../k8s_cronjobs/overlays/fetchFeed/kustomization.yaml | 0 .../k8s_cronjobs/overlays/fetchFeed/patch.yaml | 0 .../k8s_cronjobs/overlays/pullAll/kustomization.yaml | 0 .../files => kubernetes}/k8s_cronjobs/overlays/pullAll/patch.yaml | 0 .../k8s_cronjobs/overlays/pushAll/kustomization.yaml | 0 .../files => kubernetes}/k8s_cronjobs/overlays/pushAll/patch.yaml | 0 .../k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml | 0 .../k8s_cronjobs/overlays/updateGalaxies/patch.yaml | 0 .../k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml | 0 .../k8s_cronjobs/overlays/updateNoticeLists/patch.yaml | 0 .../k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml | 0 .../k8s_cronjobs/overlays/updateTaxonomies/patch.yaml | 0 .../k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml | 0 .../k8s_cronjobs/overlays/updateWarningLists/patch.yaml | 0 20 files changed, 0 insertions(+), 0 deletions(-) rename {core/files => kubernetes}/k8s_cronjobs/base/base-api-cronjob.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/base/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/k8s-misp-cron-secret.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/cacheFeed/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml (100%) 
rename {core/files => kubernetes}/k8s_cronjobs/overlays/fetchFeed/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/pullAll/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/pullAll/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/pushAll/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/pushAll/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateGalaxies/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml (100%) rename {core/files => kubernetes}/k8s_cronjobs/overlays/updateWarningLists/patch.yaml (100%) diff --git a/core/files/k8s_cronjobs/base/base-api-cronjob.yaml b/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml similarity index 100% rename from core/files/k8s_cronjobs/base/base-api-cronjob.yaml rename to kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml diff --git a/core/files/k8s_cronjobs/base/kustomization.yaml b/kubernetes/k8s_cronjobs/base/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/base/kustomization.yaml rename to kubernetes/k8s_cronjobs/base/kustomization.yaml diff --git a/core/files/k8s_cronjobs/k8s-misp-cron-secret.yaml b/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml similarity index 100% rename from core/files/k8s_cronjobs/k8s-misp-cron-secret.yaml rename to kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml 
diff --git a/core/files/k8s_cronjobs/kustomization.yaml b/kubernetes/k8s_cronjobs/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/kustomization.yaml rename to kubernetes/k8s_cronjobs/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/cacheFeed/patch.yaml b/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/cacheFeed/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml diff --git a/core/files/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/fetchFeed/patch.yaml b/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/fetchFeed/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml diff --git a/core/files/k8s_cronjobs/overlays/pullAll/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/pullAll/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/pullAll/patch.yaml b/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/pullAll/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml 
diff --git a/core/files/k8s_cronjobs/overlays/pushAll/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/pushAll/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/pushAll/patch.yaml b/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/pushAll/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateGalaxies/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateGalaxies/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml 
diff --git a/core/files/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml rename to kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml diff --git a/core/files/k8s_cronjobs/overlays/updateWarningLists/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml similarity index 100% rename from core/files/k8s_cronjobs/overlays/updateWarningLists/patch.yaml rename to kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml From 70cea7f9be1ed339b5bf7c62ffe0a1bf6fad4f18 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Wed, 16 Jul 2025 13:58:57 -0400 Subject: [PATCH 12/31] added manual trigger of workflow --- .github/workflows/release-latest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml index 4c14b4a9..490fbb2d 100644 --- a/.github/workflows/release-latest.yml +++ b/.github/workflows/release-latest.yml @@ -3,6 +3,7 @@ name: Build the Docker images and push them to the container registry on: push: branches: [ "master" ] + workflow_dispatch: # manual trigger jobs: build: 
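Review bot: `workflow_dispatch:` lets anyone with write access run this workflow from any branch, and the bake targets visible later on this page tag images as `latest`, so unless the push job (outside the hunk) checks the triggering ref, a manual run from a feature branch would overwrite the published `latest`. Consider gating the push on the branch, e.g. `if: github.ref == 'refs/heads/master'` on the push step, or at least make the intent explicit in the comment: `workflow_dispatch: # manual trigger; publishes :latest from the selected branch`.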
From b898686951e8b2b8d116d68046400c4e9abaa9c5 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Wed, 16 Jul 2025 15:06:13 -0400 Subject: [PATCH 13/31] Updated to new core version --- template.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template.env b/template.env index 26560d34..ef509e54 100644 --- a/template.env +++ b/template.env @@ -2,7 +2,7 @@ # Build-time variables ## -CORE_TAG=v2.5.15 +CORE_TAG=v2.5.16 # CORE_FLAVOR=full MODULES_TAG=v3.0.2 # MODULES_FLAVOR=full From 475ca25c10f37b0a49301d88ab4e0faa7721db2a Mon Sep 17 00:00:00 2001 
From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 08:54:41 -0400 Subject: [PATCH 14/31] Revert "Kubernetes config" --- core/files/entrypoint.sh | 18 ++----------- core/files/entrypoint_fpm.sh | 9 ------- core/files/entrypoint_k8s_fpm.sh | 26 ------------------ core/files/entrypoint_k8s_nginx.sh | 11 -------- core/files/entrypoint_nginx.sh | 11 +------- .../supervisor/conf.d/10-supervisor.conf.k8s | 12 --------- .../k8s_cronjobs/base/base-api-cronjob.yaml | 27 ------------------- .../k8s_cronjobs/base/kustomization.yaml | 2 -- .../k8s_cronjobs/k8s-misp-cron-secret.yaml | 9 ------- kubernetes/k8s_cronjobs/kustomization.yaml | 9 ------- .../overlays/cacheFeed/kustomization.yaml | 7 ----- .../overlays/cacheFeed/patch.yaml | 18 ------------- .../overlays/fetchFeed/kustomization.yaml | 7 ----- .../overlays/fetchFeed/patch.yaml | 18 ------------- .../overlays/pullAll/kustomization.yaml | 7 ----- .../k8s_cronjobs/overlays/pullAll/patch.yaml | 25 ----------------- .../overlays/pushAll/kustomization.yaml | 7 ----- .../k8s_cronjobs/overlays/pushAll/patch.yaml | 25 ----------------- .../updateGalaxies/kustomization.yaml | 7 ----- .../overlays/updateGalaxies/patch.yaml | 18 ------------- .../updateNoticeLists/kustomization.yaml | 7 ----- .../overlays/updateNoticeLists/patch.yaml | 18 ------------- .../updateTaxonomies/kustomization.yaml | 7 ----- .../overlays/updateTaxonomies/patch.yaml | 18 ------------- .../updateWarningLists/kustomization.yaml | 7 ----- .../overlays/updateWarningLists/patch.yaml | 18 ------------- 26 files changed, 3 insertions(+), 345 deletions(-) delete mode 100755 core/files/entrypoint_k8s_fpm.sh delete mode 100755 core/files/entrypoint_k8s_nginx.sh delete mode 100644 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s delete mode 100644 kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml delete mode 100644 kubernetes/k8s_cronjobs/base/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml delete mode 100644 
kubernetes/k8s_cronjobs/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml delete mode 100644 kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index 902eeadb..47fead8b 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh 
@@ -76,19 +76,5 @@ export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false} export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM} export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M} -if [ -n "$KUBERNETES_SERVICE_HOST" ] && [ -n "$CONTAINER_SERVICE" ]; then - case "$CONTAINER_SERVICE" in - nginx*) - exec /entrypoint_k8s_nginx.sh - ;; - php*) - # Not ideal, but let supervisord manage the workers still - mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,} - /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf & - exec /entrypoint_k8s_fpm.sh - ;; - esac -else - # start supervisord using the main configuration file so we have a socket interface - /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf -fi +# start supervisord using the main configuration file so we have a socket interface +/usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh index 0f652c43..a319a4ca 100755 --- a/core/files/entrypoint_fpm.sh +++ b/core/files/entrypoint_fpm.sh @@ -32,7 +32,6 @@ change_php_vars() { sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE" echo "Configure PHP | Setting 'date.timezone = ${PHP_TIMEZONE}'" sed -i "s/;?date.timezone = .*/date.timezone = ${PHP_TIMEZONE}/" "$FILE" - sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE" done for FILE in /etc/php/*/fpm/pool.d/www.conf @@ -62,17 +61,9 @@ change_php_vars() { echo "Configure PHP | Disabling 'pm.status_listen'" sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE" fi - if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then - echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}" - sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE" - fi done } -if [ -n "${BASH_SOURCE[0]}" ]; then - return -fi - echo "Configure PHP | Change PHP values ..." && change_php_vars echo "Configure PHP | Starting PHP FPM" 
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh deleted file mode 100755 index c12ec835..00000000 --- a/core/files/entrypoint_k8s_fpm.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -e - -source /entrypoint_nginx.sh -source /entrypoint_fpm.sh - -# Initialize MySQL -echo "INIT | Initialize MySQL ..." && init_mysql - -# Initialize MISP -echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files -echo "INIT | Update MISP app/files directory ..." && update_misp_data_files -echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions - -# Run configure MISP script -echo "INIT | Configure MISP installation ..." -/configure_misp.sh - -if [[ -x /custom/files/customize_misp.sh ]]; then - echo "INIT | Customize MISP installation ..." - /custom/files/customize_misp.sh -fi - -echo "Configure PHP | Change PHP values ..." && change_php_vars - -echo "Configure PHP | Starting PHP FPM" -exec /usr/sbin/php-fpm8.2 -R -F diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh deleted file mode 100755 index cc9634cd..00000000 --- a/core/files/entrypoint_k8s_nginx.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -e - -source /entrypoint_nginx.sh - -# Initialize nginx -echo "INIT | Initialize NGINX ..." && init_nginx -echo "INIT | Flip NGINX live ..." && flip_nginx true true - -# launch nginx as current shell process in container -exec nginx -g 'daemon off;' - diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh index cebc0247..60a72413 100755 --- a/core/files/entrypoint_nginx.sh +++ b/core/files/entrypoint_nginx.sh 
@@ -255,19 +255,13 @@ flip_nginx() { echo "... nginx docroot set to ${NGINX_DOC_ROOT}" sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp - if [[ "$reload" = "true" ]] && [[ -z "$KUBERNETES_SERVICE_HOST" ]]; then + if [[ "$reload" = "true" ]]; then echo "... nginx reloaded" nginx -s reload fi } init_nginx() { - # Optional location of PHP-FPM sock file - if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then - echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}" - sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp - fi - # Adjust timeouts echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}" sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp @@ -407,9 +401,6 @@ init_nginx() { flip_nginx false false } -if [ -n "${BASH_SOURCE[0]}" ]; then - return -fi # Initialize MySQL echo "INIT | Initialize MySQL ..." && init_mysql diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s deleted file mode 100644 index aa929c2e..00000000 --- a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s +++ /dev/null @@ -1,12 +0,0 @@ -[supervisord] -nodaemon=true -user=root -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 - -[inet_http_server] -port=127.0.0.1:9001 -username=supervisor -password=supervisor diff --git a/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml b/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml deleted file mode 100644 index 608330f4..00000000 --- a/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "* * * * *" # Placeholder; Overridden in overlays - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: curl-job - image: curlimages/curl:latest - command: ["/bin/sh", "-c"] - args: ["echo 'Placeholder Command'"] # Placeholder; Overridden in overlays - env: - - name: BASE_URL - valueFrom: - secretKeyRef: - name: misp-cron-secret - key: url - - name: MISP_API_KEY - valueFrom: - secretKeyRef: - name: misp-cron-secret - key: api_key \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/base/kustomization.yaml b/kubernetes/k8s_cronjobs/base/kustomization.yaml deleted file mode 100644 index 8db0b970..00000000 --- a/kubernetes/k8s_cronjobs/base/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: - - base-api-cronjob.yaml \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml b/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml deleted file mode 100644 index 5f99753c..00000000 --- a/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: misp-cron-secret -type: Opaque -stringData: - url: "https://misp.example.com" # Replace with your MISP instance URL -data: - api_key: "" # Base64 encoded value of your MISP API key goes here \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/kustomization.yaml b/kubernetes/k8s_cronjobs/kustomization.yaml deleted file mode 100644 index 941ea0fc..00000000 --- a/kubernetes/k8s_cronjobs/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ -resources: - - overlays/cacheFeed - - overlays/fetchFeed - - overlays/pullAll - - overlays/pushAll - - overlays/updateGalaxies - - overlays/updateNoticeLists - - overlays/updateTaxonomies - - overlays/updateWarningLists \ No newline at end of file 
diff --git a/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml deleted file mode 100644 index 2de5d59d..00000000 --- a/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -feed-cache \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml b/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml deleted file mode 100644 index c61aead6..00000000 --- a/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "20 2 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X POST "$BASE_URL/feeds/cacheFeeds/all" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml deleted file mode 100644 index cd037e99..00000000 --- a/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -feed-fetch \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml b/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml deleted file mode 100644 index 692b9bc0..00000000 --- a/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "30 2 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X POST "$BASE_URL/feeds/fetchFromAllFeeds" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml deleted file mode 100644 index 7e0e3c66..00000000 --- a/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -pullall \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml b/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml deleted file mode 100644 index 6e8e8451..00000000 --- a/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "0 1 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X GET "$BASE_URL/servers" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" - | awk '/"Server":/,/}/' - | grep -o '"id": "[0-9]*"' - | grep -o '[0-9]\+' - | xargs -I {} curl -sS -X POST $BASE_URL/servers/pull/{} - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" diff --git a/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml deleted file mode 100644 index d6e18455..00000000 --- a/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -pushall \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml b/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml deleted file mode 100644 index 9db48668..00000000 --- a/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "0 0 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X GET "$BASE_URL/servers" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" - | awk '/"Server":/,/}/' - | grep -o '"id": "[0-9]*"' - | grep -o '[0-9]\+' - | xargs -I {} curl -sS -X POST $BASE_URL/servers/push/{} - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml deleted file mode 100644 index 359a585b..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -update-galaxies \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml deleted file mode 100644 index 33fd4c62..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "20 2 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X POST "$BASE_URL/galaxies/update" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml deleted file mode 100644 index bb341438..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -update-notice \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml deleted file mode 100644 index 0477456f..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "20 2 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X POST "$BASE_URL/noticelists/update" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml deleted file mode 100644 index 62b92106..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -update-taxonomies \ No newline at end of file 
diff --git a/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml deleted file mode 100644 index 515e4b18..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "20 2 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X POST "$BASE_URL/taxonoomies/update" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml deleted file mode 100644 index 9dcbc852..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -resources: - - ../../base/ - -patches: - - path: patch.yaml - -nameSuffix: -update-warninglists \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml deleted file mode 100644 index 110e92dc..00000000 --- a/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: misp-curljob -spec: - schedule: "20 2 * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: curl-job - args: - - > - curl -sS -X POST "$BASE_URL/warninglists/update" - -H "Accept: application/json" - -H "Content-Type: application/json" - -H "Authorization: $MISP_API_KEY" \ No newline at end of file From 2452fce3597ee2d18185266290d30071c2c72be7 Mon Sep 17 00:00:00 2001 
From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 10:52:38 -0400 Subject: [PATCH 15/31] Split nginx into standalone container built as misp-web --- .github/workflows/release-latest.yml | 1 + core/files/entrypoint.sh | 21 +++++++-------------- core/files/entrypoint_fpm.sh | 6 +++++- core/files/entrypoint_k8s_nginx.sh | 9 ++++++++- core/files/entrypoint_nginx.sh | 1 + docker-bake.hcl | 10 ++++++++++ template.env | 12 ++++++++++++ web/Dockerfile | 23 +++++++++++++++++++++++ 8 files changed, 67 insertions(+), 16 deletions(-) mode change 100755 => 100644 core/files/entrypoint_k8s_nginx.sh create mode 100644 web/Dockerfile diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml index 4c14b4a9..80c1ce61 100644 --- a/.github/workflows/release-latest.yml +++ b/.github/workflows/release-latest.yml @@ -33,6 +33,7 @@ jobs: sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV" echo "NAMESPACE=ghcr.io/misp/misp-docker" >> "$GITHUB_ENV" + cp -r core/files web/files - name: Log in to the container registry uses: docker/login-action@v3 diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index 902eeadb..5f8afa7a 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh 
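Review bot: `cp -r core/files web/files` makes the web image depend on a copy that only happens inside this workflow step; a `docker buildx bake misp-web` from a plain checkout has no `web/files` and either fails or, if a developer left one behind, silently ships a stale copy. Letting the bake target use the repository root as its context (`context = "."`, `dockerfile = "web/Dockerfile"`) and referencing `core/files` from the Dockerfile removes the CI-only step. If the copy stays, a `.gitignore` entry for `web/files` at least prevents the stale-copy case.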
@@ -76,19 +76,12 @@ export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false} export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM} export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M} -if [ -n "$KUBERNETES_SERVICE_HOST" ] && [ -n "$CONTAINER_SERVICE" ]; then - case "$CONTAINER_SERVICE" in - nginx*) - exec /entrypoint_k8s_nginx.sh - ;; - php*) - # Not ideal, but let supervisord manage the workers still - mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,} - /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf & - exec /entrypoint_k8s_fpm.sh - ;; - esac +if [ "$MISP_PHP_ONLY" ]; then + # Not ideal, but let supervisord manage the workers still + mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,} + /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf & + exec /entrypoint_k8s_fpm.sh else - # start supervisord using the main configuration file so we have a socket interface - /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf + # start supervisord using the main configuration file so we have a socket interface + /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf fi diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh index 0f652c43..97123568 100755 --- a/core/files/entrypoint_fpm.sh +++ b/core/files/entrypoint_fpm.sh @@ -62,13 +62,17 @@ change_php_vars() { echo "Configure PHP | Disabling 'pm.status_listen'" sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE" fi - if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then + if [[ "$MISP_PHP_ONLY" ] && [ -n "$PHP_HOST" ]]; then + echo "Configure PHP | Setting 'listen' to 0.0.0.0:${PHP_FPM_PORT:-9000}" + sed -i "/^listen =/s@=.*@= 0.0.0.0:${PHP_FPM_PORT:-9000}@" "$FILE" + elif [[ -n "$PHP_FPM_SOCK_FILE" ]]; then echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}" sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE" fi done } +# Return to skip running below commands if not sourced if [ -n "${BASH_SOURCE[0]}" ]; then return fi 
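Review bot: `if [ "$MISP_PHP_ONLY" ]; then` is a non-empty test, so `MISP_PHP_ONLY=false` or `=0` still selects the php-only path even though template.env tells users to "Set to true"; gate on the value, e.g. `if [[ "${MISP_PHP_ONLY,,}" == "true" ]]; then`, and use the same test in entrypoint_fpm.sh so both files agree on what enables the mode. The backgrounded `supervisord ... &` is never waited on: if it exits, php-fpm keeps answering while the workers it manages are gone and nothing in the container signals the failure, so either document that this is accepted or add a probe that covers the workers. The `mv` of the .k8s config also has no error handling and no `set -e` is visible in this file, so a missing file is silently ignored.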
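Review bot: `if [[ "$MISP_PHP_ONLY" ] && [ -n "$PHP_HOST" ]]; then` mixes `[[` with `]`/`[` and is not valid bash, and it reads `PHP_HOST` while template.env and entrypoint_k8s_nginx.sh in this same commit use `PHP_FPM_HOST`, so the TCP branch cannot work as written; replace it with `if [[ -n "$MISP_PHP_ONLY" && -n "$PHP_FPM_HOST" ]]; then`. Once it works it sets `listen = 0.0.0.0:9000`, an unauthenticated FastCGI endpoint: any peer that can reach the pod on that port can ask php-fpm to execute PHP files present in the container. Pair it with the pool directive `listen.allowed_clients` limited to the nginx pods' addresses or, more practically in Kubernetes, a NetworkPolicy that only admits the misp-web pods, and document that requirement next to MISP_PHP_ONLY. change_php_vars begins before this hunk.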
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh old mode 100755 new mode 100644 index cc9634cd..592f3c04 --- a/core/files/entrypoint_k8s_nginx.sh +++ b/core/files/entrypoint_k8s_nginx.sh @@ -1,9 +1,16 @@ #!/bin/bash -e -source /entrypoint_nginx.sh +source ./entrypoint_nginx.sh # Initialize nginx echo "INIT | Initialize NGINX ..." && init_nginx + +# Configure NGINX to connec to PHP-FPM over TCP if a host is provided +if [[ -n "$PHP_FPM_HOST" ]]; then + echo "... setting 'fastcgi_pass' to $PHP_FPM_HOST:${PHP_FPM_PORT:-9000}" + sed -i "s@fastcgi_pass .*;@fastcgi_pass $PHP_FPM_HOST:${PHP_FPM_PORT:-9000};@" /etc/nginx/includes/misp +fi + echo "INIT | Flip NGINX live ..." && flip_nginx true true # launch nginx as current shell process in container diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh index cebc0247..64d132c3 100755 --- a/core/files/entrypoint_nginx.sh +++ b/core/files/entrypoint_nginx.sh @@ -407,6 +407,7 @@ init_nginx() { flip_nginx false false } +# Return to skip running below commands if not sourced if [ -n "${BASH_SOURCE[0]}" ]; then return fi diff --git a/docker-bake.hcl b/docker-bake.hcl index b49465fd..9e6303ff 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -159,4 +159,14 @@ target "misp-core-slim" { "PYPI_SUPERVISOR_VERSION": "${PYPI_SUPERVISOR_VERSION}", } platforms = "${PLATFORMS}" + + target "misp-web" { + context = "web/." + dockerfile = "Dockerfile" + tags = flatten(["${NAMESPACE}/misp-web:latest", "${NAMESPACE}/misp-web:${COMMIT_HASH}", WEB_TAG != "" ? ["${NAMESPACE}/misp-web:${WEB_TAG}"] : []]) + args = { + "WEB_TAG": "${WEB_TAG}" + } + } + platforms = "${PLATFORMS}" } diff --git a/template.env b/template.env index 26560d34..0fa57271 100644 --- a/template.env +++ b/template.env 
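Review bot: `$PHP_FPM_HOST` and `${PHP_FPM_PORT:-9000}` are spliced unsanitised into the `sed` replacement at `s@fastcgi_pass .*;@...@`, so a value containing `@`, `;` or a newline either breaks the edit or injects further directives into /etc/nginx/includes/misp; validate before use, e.g. `[[ "$PHP_FPM_HOST" =~ ^[A-Za-z0-9._-]+$ && "${PHP_FPM_PORT:-9000}" =~ ^[0-9]+$ ]] || { echo "invalid PHP_FPM_HOST/PHP_FPM_PORT" >&2; exit 1; }`. The mode change to 100644 drops the executable bit, so the script now runs only because web/Dockerfile does `chmod +x`, and `source ./entrypoint_nginx.sh` likewise depends on the WORKDIR being /app; a comment stating both assumptions would help the next reader. The comment typo `connec` should read `connect`.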
@@ -225,6 +225,18 @@ SYNCSERVERS_1_PULL_RULES= # PHP FPM configuration +## Multi-container / Kubernetes PHP Build configurations +# Set to true to have the container configure php-fpm running in foreground with supervisord managing workers +# Used when running nginx and cronjobs seperately +# MISP_PHP_ONLY= +# Hostname used by nginx to connect to PHP-FPM +# PHP_FPM_HOST=misp-php +# Port used by nginx to connect to PHP-FPM. Default 9000 +# PHP_FPM_PORT=9000 +# Change the default sock file used by nginx to connect to PHP-FPM +# Ignored if PHP_FPM_HOST is set +# $PHP_FPM_SOCK_FILE= + ## Basic PHP settings # Maximum memory a PHP script can use. # PHP_MEMORY_LIMIT=2048M diff --git a/web/Dockerfile b/web/Dockerfile new file mode 100644 index 00000000..432deffe --- /dev/null +++ b/web/Dockerfile @@ -0,0 +1,23 @@ +# Use a minimal and secure official NGINX image +FROM nginxinc/nginx-unprivileged:stable-alpine + +# Set working directory +WORKDIR /app + +# Copy all files from the local 'files' directory into the container +COPY files/etc/nginx /etc/nginx +COPY files/var/www/html /var/www/html +COPY files/entrypoint*nginx.sh /app/. + +# Change ownership to the nginx user (UID 101) +RUN chown -R 101:0 /etc/nginx /var/www/html /app +# Ensure appropriate permissions +RUN chmod -R 755 /etc/nginx /var/www/html /app +# Ensure the entrypoint script is executable +RUN chmod +x entrypoint_k8s_nginx.sh + +# Set the entrypoint +ENTRYPOINT ["./entrypoint_k8s_nginx.sh"] + +# Use a non-root user (already set in nginx-unprivileged image) +USER 101 From 65c0062c3b58d8eaa75df9a39adbd5e1233bb694 Mon Sep 17 00:00:00 2001 
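Review bot: `# $PHP_FPM_SOCK_FILE=` has a stray `$` that a user uncommenting the line will carry into the env file; it should be `# PHP_FPM_SOCK_FILE=`. The sentence "Ignored if PHP_FPM_HOST is set" does not match entrypoint_fpm.sh in this commit, which tests `PHP_HOST`, so one of the two must change. The block should also state the exposure MISP_PHP_ONLY creates: `# With MISP_PHP_ONLY set, php-fpm listens on 0.0.0.0:PHP_FPM_PORT (unauthenticated FastCGI); restrict access to the nginx pods.` "seperately" is misspelt.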
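Review bot: The entrypoint copied into /app has the shebang `#!/bin/bash -e` (and the sourced entrypoint_nginx.sh uses `[[ ]]`), but `nginxinc/nginx-unprivileged:stable-alpine` is Alpine-based and Alpine images normally ship without bash, so the container would fail at ENTRYPOINT unless it is installed (`RUN apk add --no-cache bash`) — worth confirming against the image. `stable-alpine` is a floating tag; pin it by digest (`FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:...`) so the web image is reproducible and its base can be audited. `chmod -R 755` marks every file under /etc/nginx and /var/www/html world-readable and executable; `chmod -R u=rwX,go=rX` keeps directories traversable without giving the execute bit to plain configuration files.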
From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 10:57:45 -0400 Subject: [PATCH 16/31] Revert "Revert "Kubernetes config"" --- core/files/entrypoint.sh | 18 +++++++++++-- core/files/entrypoint_fpm.sh | 9 +++++++ core/files/entrypoint_k8s_fpm.sh | 26 ++++++++++++++++++ core/files/entrypoint_k8s_nginx.sh | 11 ++++++++ core/files/entrypoint_nginx.sh | 11 +++++++- .../supervisor/conf.d/10-supervisor.conf.k8s | 12 +++++++++ .../k8s_cronjobs/base/base-api-cronjob.yaml | 27 +++++++++++++++++++ .../k8s_cronjobs/base/kustomization.yaml | 2 ++ .../k8s_cronjobs/k8s-misp-cron-secret.yaml | 9 +++++++ kubernetes/k8s_cronjobs/kustomization.yaml | 9 +++++++ .../overlays/cacheFeed/kustomization.yaml | 7 +++++ .../overlays/cacheFeed/patch.yaml | 18 +++++++++++++ .../overlays/fetchFeed/kustomization.yaml | 7 +++++ .../overlays/fetchFeed/patch.yaml | 18 +++++++++++++ .../overlays/pullAll/kustomization.yaml | 7 +++++ .../k8s_cronjobs/overlays/pullAll/patch.yaml | 25 +++++++++++++++++ .../overlays/pushAll/kustomization.yaml | 7 +++++ .../k8s_cronjobs/overlays/pushAll/patch.yaml | 25 +++++++++++++++++ .../updateGalaxies/kustomization.yaml | 7 +++++ .../overlays/updateGalaxies/patch.yaml | 18 +++++++++++++ .../updateNoticeLists/kustomization.yaml | 7 +++++ .../overlays/updateNoticeLists/patch.yaml | 18 +++++++++++++ .../updateTaxonomies/kustomization.yaml | 7 +++++ .../overlays/updateTaxonomies/patch.yaml | 18 +++++++++++++ .../updateWarningLists/kustomization.yaml | 7 +++++ .../overlays/updateWarningLists/patch.yaml | 18 +++++++++++++ 26 files changed, 345 insertions(+), 3 deletions(-) create mode 100755 core/files/entrypoint_k8s_fpm.sh create mode 100755 core/files/entrypoint_k8s_nginx.sh create mode 100644 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s create mode 100644 kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml create mode 100644 kubernetes/k8s_cronjobs/base/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml create mode 100644 
kubernetes/k8s_cronjobs/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml create mode 100644 kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index 47fead8b..902eeadb 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh 
@@ -76,5 +76,19 @@ export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false} export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM} export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M} -# start supervisord using the main configuration file so we have a socket interface -/usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf +if [ -n "$KUBERNETES_SERVICE_HOST" ] && [ -n "$CONTAINER_SERVICE" ]; then + case "$CONTAINER_SERVICE" in + nginx*) + exec /entrypoint_k8s_nginx.sh + ;; + php*) + # Not ideal, but let supervisord manage the workers still + mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,} + /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf & + exec /entrypoint_k8s_fpm.sh + ;; + esac +else + # start supervisord using the main configuration file so we have a socket interface + /usr/local/bin/supervisord -c /etc/supervisor/supervisord.conf +fi diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh index a319a4ca..0f652c43 100755 --- a/core/files/entrypoint_fpm.sh +++ b/core/files/entrypoint_fpm.sh @@ -32,6 +32,7 @@ change_php_vars() { sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE" echo "Configure PHP | Setting 'date.timezone = ${PHP_TIMEZONE}'" sed -i "s/;?date.timezone = .*/date.timezone = ${PHP_TIMEZONE}/" "$FILE" + sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE" done for FILE in /etc/php/*/fpm/pool.d/www.conf @@ -61,9 +62,17 @@ change_php_vars() { echo "Configure PHP | Disabling 'pm.status_listen'" sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE" fi + if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then + echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}" + sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE" + fi done } +if [ -n "${BASH_SOURCE[0]}" ]; then + return +fi + echo "Configure PHP | Change PHP values ..." && change_php_vars echo "Configure PHP | Starting PHP FPM" 
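Review bot: The `case "$CONTAINER_SERVICE"` has no `*)` arm, so with KUBERNETES_SERVICE_HOST set and an unrecognised CONTAINER_SERVICE (a typo such as `ngnix`) the script starts no service and the container exits without saying why; add `*) echo "Unknown CONTAINER_SERVICE: $CONTAINER_SERVICE" >&2; exit 1 ;;`. In the `php*)` arm supervisord is backgrounded and then forgotten: if it dies, the workers it manages stop while php-fpm keeps answering, so a comment acknowledging this, or a probe that covers the workers, is needed. The supervisord started here runs with `user=root` per the k8s config added in this commit, alongside php-fpm in the same container.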
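Review bot: `session.cookie_domain = ${BASE_URL}` writes a full URL (scheme, host, possibly port) into a directive that takes a bare domain, producing a `Domain=https://...` cookie attribute that browsers reject, which would break logins. It also widens the cookie's scope: an empty `session.cookie_domain` yields a host-only cookie, whereas an explicit Domain attribute makes the session cookie available to every subdomain of that host (RFC 6265). If it must be set, derive the host first — `cookie_domain="${BASE_URL#*://}"; cookie_domain="${cookie_domain%%[:/]*}"` — use that in the sed, and consider leaving the directive empty by default. BASE_URL is also interpolated unescaped into a `|`-delimited sed expression.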
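Review bot: `if [ -n "${BASH_SOURCE[0]}" ]; then return; fi` does not distinguish "sourced" from "executed": bash sets `BASH_SOURCE[0]` to the script path in both cases, so when entrypoint_fpm.sh is run as a script (presumably what supervisord does in single-container mode) the guard reaches a top-level `return`, which bash reports as an error and which aborts the script if errexit is active. The idiomatic test is `if [[ "${BASH_SOURCE[0]}" != "$0" ]]; then return; fi`. `${PHP_FPM_SOCK_FILE}` is also placed unescaped inside an `@`-delimited sed expression, so a path containing `@` corrupts www.conf; checking `[[ "$PHP_FPM_SOCK_FILE" != *@* ]]` before the sed closes that. The rest of change_php_vars and the php-fpm start are outside the hunk.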
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh
new file mode 100755
index 00000000..c12ec835
--- /dev/null
+++ b/core/files/entrypoint_k8s_fpm.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -e
+
+source /entrypoint_nginx.sh
+source /entrypoint_fpm.sh
+
+# Initialize MySQL
+echo "INIT | Initialize MySQL ..." && init_mysql
+
+# Initialize MISP
+echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
+echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
+echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
+
+# Run configure MISP script
+echo "INIT | Configure MISP installation ..."
+/configure_misp.sh
+
+if [[ -x /custom/files/customize_misp.sh ]]; then
+ echo "INIT | Customize MISP installation ..."
+ /custom/files/customize_misp.sh
+fi
+
+echo "Configure PHP | Change PHP values ..." && change_php_vars
+
+echo "Configure PHP | Starting PHP FPM"
+exec /usr/sbin/php-fpm8.2 -R -F
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh
new file mode 100755
index 00000000..cc9634cd
--- /dev/null
+++ b/core/files/entrypoint_k8s_nginx.sh
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+source /entrypoint_nginx.sh
+
+# Initialize nginx
+echo "INIT | Initialize NGINX ..." && init_nginx
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
+
+# launch nginx as current shell process in container
+exec nginx -g 'daemon off;'
+
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 60a72413..cebc0247 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
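Review bot: init_mysql, init_misp_data_files, update_misp_data_files and /configure_misp.sh run unconditionally at every php container start, so with more than one php replica these initialisers race on the shared database and data volume; a leader-only path (an init Job, or a lock taken before init_mysql) should be considered before this Deployment is scaled. `-e` lives only in the shebang and is lost when the script is invoked as `bash /entrypoint_k8s_fpm.sh`; `set -euo pipefail` as the first statement is more robust. php-fpm is started with `-R`, which permits a pool configured as root to run; a comment stating that the pool runs as the unprivileged user (or dropping `-R` if it does) would make the intent explicit.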
@@ -255,13 +255,19 @@ flip_nginx() { echo "... nginx docroot set to ${NGINX_DOC_ROOT}" sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp - if [[ "$reload" = "true" ]]; then + if [[ "$reload" = "true" ]] && [[ -z "$KUBERNETES_SERVICE_HOST" ]]; then echo "... nginx reloaded" nginx -s reload fi } init_nginx() { + # Optional location of PHP-FPM sock file + if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then + echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}" + sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp + fi + # Adjust timeouts echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}" sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp @@ -401,6 +407,9 @@ init_nginx() { flip_nginx false false } +if [ -n "${BASH_SOURCE[0]}" ]; then + return +fi # Initialize MySQL echo "INIT | Initialize MySQL ..." && init_mysql diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s new file mode 100644 index 00000000..aa929c2e --- /dev/null +++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s @@ -0,0 +1,12 @@ +[supervisord] +nodaemon=true +user=root +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 + +[inet_http_server] +port=127.0.0.1:9001 +username=supervisor +password=supervisor diff --git a/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml b/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml new file mode 100644 index 00000000..608330f4 --- /dev/null +++ b/kubernetes/k8s_cronjobs/base/base-api-cronjob.yaml 
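Review bot: Gating the reload on `-z "$KUBERNETES_SERVICE_HOST"` keys off a variable that is set in every pod, not off whether nginx runs in this container, so a core image deployed to Kubernetes in single-container (supervisord) mode would also skip `nginx -s reload` at its final `flip_nginx true true` and keep serving the pre-init docroot — assuming that path still starts nginx before the flip, which is outside the hunk. Gate on the split-mode signal instead, e.g. `[[ -z "$CONTAINER_SERVICE" ]]`, or pass an explicit third argument to flip_nginx. In init_nginx, `${PHP_FPM_SOCK_FILE}` goes unescaped into the `@`-delimited sed replacement; reject values containing `@` or `;` before editing /etc/nginx/includes/misp.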
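Review bot: `username=supervisor` / `password=supervisor` is a hard-coded credential on an HTTP RPC endpoint run with `user=root`; 127.0.0.1 is not a boundary inside a pod, because every container in the pod shares the network namespace and any code execution in a php-fpm worker reaches it, and the RPC lets a caller start, stop and read the logs of the managed programs. Prefer an owner-only filesystem socket — `[unix_http_server]`, `file=/var/run/supervisor.sock`, `chmod=0700` — with a matching `[supervisorctl] serverurl=unix:///var/run/supervisor.sock`, which is also what entrypoint.sh's "so we have a socket interface" comment describes. If TCP is unavoidable, take the password from the environment (`password=%(ENV_SUPERVISOR_PASSWORD)s`) instead of baking it into the image.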
@@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "* * * * *" # Placeholder; Overridden in overlays + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: curl-job + image: curlimages/curl:latest + command: ["/bin/sh", "-c"] + args: ["echo 'Placeholder Command'"] # Placeholder; Overridden in overlays + env: + - name: BASE_URL + valueFrom: + secretKeyRef: + name: misp-cron-secret + key: url + - name: MISP_API_KEY + valueFrom: + secretKeyRef: + name: misp-cron-secret + key: api_key \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/base/kustomization.yaml b/kubernetes/k8s_cronjobs/base/kustomization.yaml new file mode 100644 index 00000000..8db0b970 --- /dev/null +++ b/kubernetes/k8s_cronjobs/base/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - base-api-cronjob.yaml \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml b/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml new file mode 100644 index 00000000..5f99753c --- /dev/null +++ b/kubernetes/k8s_cronjobs/k8s-misp-cron-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: misp-cron-secret +type: Opaque +stringData: + url: "https://misp.example.com" # Replace with your MISP instance URL +data: + api_key: "" # Base64 encoded value of your MISP API key goes here \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/kustomization.yaml b/kubernetes/k8s_cronjobs/kustomization.yaml new file mode 100644 index 00000000..941ea0fc --- /dev/null +++ b/kubernetes/k8s_cronjobs/kustomization.yaml @@ -0,0 +1,9 @@ +resources: + - overlays/cacheFeed + - overlays/fetchFeed + - overlays/pullAll + - overlays/pushAll + - overlays/updateGalaxies + - overlays/updateNoticeLists + - overlays/updateTaxonomies + - overlays/updateWarningLists \ No newline at end of file 
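Review bot: `image: curlimages/curl:latest` is unpinned, so every run pulls whatever `latest` resolves to and hands it the MISP API key; pin a version and digest (`curlimages/curl:<version>@sha256:...`). The key is passed on curl's command line in the overlays (`-H "Authorization: $MISP_API_KEY"`), where it is visible in the container's process list; writing the header to a file and using `-H @/path` or `--config` keeps it out of argv. The template also sets no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem`) and no resource limits, and the base is the right place to set these once for all overlays.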
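Review bot: A committed `Secret` manifest meant to be edited in place (`api_key: ""  # Base64 encoded value ... goes here`) invites the real key into version control; generate it with a kustomize `secretGenerator` reading an untracked env file, or at least list this file in .gitignore and keep only an `.example` copy. Note also that `data` expects base64 while `stringData` takes plain text; putting both keys under `stringData` would remove the manual encoding step the comment asks the operator to perform.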
diff --git a/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml new file mode 100644 index 00000000..2de5d59d --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/cacheFeed/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -feed-cache \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml b/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml new file mode 100644 index 00000000..c61aead6 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/cacheFeed/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/feeds/cacheFeeds/all" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml new file mode 100644 index 00000000..cd037e99 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/fetchFeed/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -feed-fetch \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml b/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml new file mode 100644 index 00000000..692b9bc0 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/fetchFeed/patch.yaml 
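Review bot: `curl -sS -X POST ...` exits 0 on an HTTP 401/403/500, so `restartPolicy: OnFailure` never fires and a revoked key or a failing endpoint is invisible in job status; add `-f` (or `--fail-with-body`) to every overlay's curl, e.g. `curl -sSf -X POST "$BASE_URL/feeds/cacheFeeds/all"`. The same `20 2 * * *` schedule is used by four other overlays in this commit, so five API calls land on MISP in the same minute; staggering them spreads the load.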
@@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "30 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/feeds/fetchFromAllFeeds" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml new file mode 100644 index 00000000..7e0e3c66 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/pullAll/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -pullall \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml b/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml new file mode 100644 index 00000000..6e8e8451 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/pullAll/patch.yaml @@ -0,0 +1,25 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "0 1 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X GET "$BASE_URL/servers" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" + | awk '/"Server":/,/}/' + | grep -o '"id": "[0-9]*"' + | grep -o '[0-9]\+' + | xargs -I {} curl -sS -X POST $BASE_URL/servers/pull/{} + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" diff --git a/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml new file mode 100644 index 00000000..d6e18455 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/pushAll/kustomization.yaml 
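Review bot: The pipeline extracts server IDs with `grep -o '"id": "[0-9]*"'`, which only matches when the JSON has a space after the colon; compact JSON (`"id":"1"`) yields no IDs, and because neither curl has `-f` an auth failure on the first request also yields no IDs, so in both cases the job succeeds without pulling anything. Without jq in the curl image, at least make the match whitespace-tolerant, `grep -oE '"id": *"[0-9]+"'`, add `-f` to both curls, and quote `"$BASE_URL/servers/pull/{}"` in the xargs command. The pushAll overlay has the identical pipeline and needs the same treatment.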
@@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -pushall \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml b/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml new file mode 100644 index 00000000..9db48668 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/pushAll/patch.yaml @@ -0,0 +1,25 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "0 0 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X GET "$BASE_URL/servers" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" + | awk '/"Server":/,/}/' + | grep -o '"id": "[0-9]*"' + | grep -o '[0-9]\+' + | xargs -I {} curl -sS -X POST $BASE_URL/servers/push/{} + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml new file mode 100644 index 00000000..359a585b --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -update-galaxies \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml new file mode 100644 index 00000000..33fd4c62 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateGalaxies/patch.yaml 
@@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/galaxies/update" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml new file mode 100644 index 00000000..bb341438 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -update-notice \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml new file mode 100644 index 00000000..0477456f --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateNoticeLists/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/noticelists/update" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml new file mode 100644 index 00000000..62b92106 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -update-taxonomies \ No newline at end of file 
diff --git a/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml new file mode 100644 index 00000000..515e4b18 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateTaxonomies/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/taxonoomies/update" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml new file mode 100644 index 00000000..9dcbc852 --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/kustomization.yaml @@ -0,0 +1,7 @@ +resources: + - ../../base/ + +patches: + - path: patch.yaml + +nameSuffix: -update-warninglists \ No newline at end of file diff --git a/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml new file mode 100644 index 00000000..110e92dc --- /dev/null +++ b/kubernetes/k8s_cronjobs/overlays/updateWarningLists/patch.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: misp-curljob +spec: + schedule: "20 2 * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: curl-job + args: + - > + curl -sS -X POST "$BASE_URL/warninglists/update" + -H "Accept: application/json" + -H "Content-Type: application/json" + -H "Authorization: $MISP_API_KEY" \ No newline at end of file From 14145af378aeae8ecd8fde8d3a5f7feb3c81b442 Mon Sep 17 00:00:00 2001 
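Review bot: The URL `$BASE_URL/taxonoomies/update` is misspelt (`taxonoomies`), so this job hits a non-existent route every night, and because `curl -sS` lacks `-f` the resulting 404 still leaves the job marked successful; change it to `curl -sSf -X POST "$BASE_URL/taxonomies/update"`. The copy of this file deleted earlier in this series carries the same typo, so the job has never worked.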
From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:04:17 -0400 Subject: [PATCH 17/31] Fixed indenting and brackets --- docker-bake.hcl | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index 9e6303ff..70e985cb 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -160,13 +160,12 @@ target "misp-core-slim" { } platforms = "${PLATFORMS}" - target "misp-web" { - context = "web/." - dockerfile = "Dockerfile" - tags = flatten(["${NAMESPACE}/misp-web:latest", "${NAMESPACE}/misp-web:${COMMIT_HASH}", WEB_TAG != "" ? ["${NAMESPACE}/misp-web:${WEB_TAG}"] : []]) - args = { - "WEB_TAG": "${WEB_TAG}" - } +target "misp-web" { + context = "web/." + dockerfile = "Dockerfile" + tags = flatten(["${NAMESPACE}/misp-web:latest", "${NAMESPACE}/misp-web:${COMMIT_HASH}", WEB_TAG != "" ? ["${NAMESPACE}/misp-web:${WEB_TAG}"] : []]) + args = { + "WEB_TAG": "${WEB_TAG}" } platforms = "${PLATFORMS}" -} +} \ No newline at end of file From fe716e1fa10ba9a37ab4a02e7cf47f8e5bb4cc88 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:08:53 -0400 Subject: [PATCH 18/31] Fixed brackets --- docker-bake.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-bake.hcl b/docker-bake.hcl index 70e985cb..e8d45fe8 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -159,6 +159,7 @@ target "misp-core-slim" { "PYPI_SUPERVISOR_VERSION": "${PYPI_SUPERVISOR_VERSION}", } platforms = "${PLATFORMS}" +} target "misp-web" { context = "web/." From 39fa3bf3e06edc80c7671780dada2af05bee62ed Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:13:39 -0400 Subject: [PATCH 19/31] Removed web_tag as this isn't sourced from the main projects --- docker-bake.hcl | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index e8d45fe8..5ceb0c5f 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl 
@@ -164,9 +164,6 @@ target "misp-core-slim" { target "misp-web" { context = "web/." dockerfile = "Dockerfile" - tags = flatten(["${NAMESPACE}/misp-web:latest", "${NAMESPACE}/misp-web:${COMMIT_HASH}", WEB_TAG != "" ? ["${NAMESPACE}/misp-web:${WEB_TAG}"] : []]) - args = { - "WEB_TAG": "${WEB_TAG}" - } + tags = flatten(["${NAMESPACE}/misp-web:latest", "${NAMESPACE}/misp-web:${COMMIT_HASH}" ]) platforms = "${PLATFORMS}" } \ No newline at end of file From 5da4de2ed9f2cfa47fc573d30d1e10cc7c3fc054 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:15:50 -0400 Subject: [PATCH 20/31] Added misp-web as target --- docker-bake.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-bake.hcl b/docker-bake.hcl index 5ceb0c5f..99aaf053 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -84,6 +84,7 @@ group "default" { "misp-modules-slim", "misp-core", "misp-core-slim", + "misp-web", ] } From d3037eb9b8908a539ff84e32564cf349b498d51f Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:19:03 -0400 Subject: [PATCH 21/31] Added misp-web to matrix targets --- .github/workflows/release-latest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml index 16d44069..0a1b413b 100644 --- a/.github/workflows/release-latest.yml +++ b/.github/workflows/release-latest.yml @@ -11,7 +11,7 @@ jobs: strategy: matrix: - target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim] + target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim, misp-web] permissions: contents: read From 1ca3bb44d5a661283061a7fb0e0170ac9d2387c9 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:25:25 -0400 Subject: [PATCH 22/31] Update test build to include building misp-web as well --- .github/workflows/test-build-latest.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/test-build-latest.yml b/.github/workflows/test-build-latest.yml index f63706d2..f114a958 100644 --- a/.github/workflows/test-build-latest.yml +++ b/.github/workflows/test-build-latest.yml @@ -10,7 +10,7 @@ jobs: strategy: matrix: - target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim] + target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim, misp-web] steps: - name: Checkout repository @@ -29,6 +29,7 @@ jobs: sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV" echo "NAMESPACE=local" >> "$GITHUB_ENV" + cp -r core/files web/files - name: Build uses: docker/bake-action@v6 From 723f8d4c98aa1df4342cf1a8aa34d02681978563 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:27:45 -0400 Subject: [PATCH 23/31] Updated workflows cp command --- .github/workflows/release-latest.yml | 2 +- .github/workflows/test-build-latest.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml index 0a1b413b..57e7a127 100644 --- a/.github/workflows/release-latest.yml +++ b/.github/workflows/release-latest.yml @@ -35,7 +35,7 @@ jobs: echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV" OWNER=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]') echo "NAMESPACE=ghcr.io/${OWNER}/misp-docker" >> "$GITHUB_ENV" - cp -r core/files web/files + cp -r core/files/* web/files/ - name: Log in to the container registry uses: docker/login-action@v3 diff --git a/.github/workflows/test-build-latest.yml b/.github/workflows/test-build-latest.yml index f114a958..ccff27af 100644 --- a/.github/workflows/test-build-latest.yml +++ b/.github/workflows/test-build-latest.yml 
@@ -29,7 +29,7 @@ jobs: sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV" echo "NAMESPACE=local" >> "$GITHUB_ENV" - cp -r core/files web/files + cp -r core/files/* web/files/ - name: Build uses: docker/bake-action@v6 From 60f93176260bf763da2b080d2576d6ca07c31c74 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:36:23 -0400 Subject: [PATCH 24/31] Moved the web dockerfile to the core folder to reduce changes to main repo --- .github/workflows/release-latest.yml | 1 - web/Dockerfile => core/Dockerfile-web | 0 docker-bake.hcl | 4 ++-- 3 files changed, 2 insertions(+), 3 deletions(-) rename web/Dockerfile => core/Dockerfile-web (100%) diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml index 57e7a127..94cadc3a 100644 --- a/.github/workflows/release-latest.yml +++ b/.github/workflows/release-latest.yml @@ -35,7 +35,6 @@ jobs: echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV" OWNER=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]') echo "NAMESPACE=ghcr.io/${OWNER}/misp-docker" >> "$GITHUB_ENV" - cp -r core/files/* web/files/ - name: Log in to the container registry uses: docker/login-action@v3 diff --git a/web/Dockerfile b/core/Dockerfile-web similarity index 100% rename from web/Dockerfile rename to core/Dockerfile-web diff --git a/docker-bake.hcl b/docker-bake.hcl index 99aaf053..59ea9ad3 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -163,8 +163,8 @@ target "misp-core-slim" { } target "misp-web" { - context = "web/." - dockerfile = "Dockerfile" + context = "core/." + dockerfile = "Dockerfile-web" tags = flatten(["${NAMESPACE}/misp-web:latest", "${NAMESPACE}/misp-web:${COMMIT_HASH}" ]) platforms = "${PLATFORMS}" } \ No newline at end of file From 0372dc72fe4378bce37c3bf98188577738fbf1f9 Mon Sep 17 00:00:00 2001 
From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:37:30 -0400 Subject: [PATCH 25/31] Reverted test build yaml --- .github/workflows/test-build-latest.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test-build-latest.yml b/.github/workflows/test-build-latest.yml index ccff27af..4568088e 100644 --- a/.github/workflows/test-build-latest.yml +++ b/.github/workflows/test-build-latest.yml @@ -29,7 +29,6 @@ jobs: sed -e '/^[[:space:]]*$/d' -e '/[#@]/d' -e 's/\"//g' -e 's/\(^[^=]*\)=\(.*\)/\1="\2"/' template.env > env.hcl echo "COMMIT_HASH=`echo '${{ github.sha }}' | cut -c 1-7`" >> "$GITHUB_ENV" echo "NAMESPACE=local" >> "$GITHUB_ENV" - cp -r core/files/* web/files/ - name: Build uses: docker/bake-action@v6 From 43af84d099ff1fdba3b82118f0c3b3df6fa7f906 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:43:42 -0400 Subject: [PATCH 26/31] Trailing slashes to web dockerfile --- core/Dockerfile-web | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/Dockerfile-web b/core/Dockerfile-web index 432deffe..02e05157 100644 --- a/core/Dockerfile-web +++ b/core/Dockerfile-web @@ -5,8 +5,8 @@ FROM nginxinc/nginx-unprivileged:stable-alpine WORKDIR /app # Copy all files from the local 'files' directory into the container -COPY files/etc/nginx /etc/nginx -COPY files/var/www/html /var/www/html +COPY files/etc/nginx/ /etc/nginx/ +COPY files/var/www/html/ /var/www/html/ COPY files/entrypoint*nginx.sh /app/. # Change ownership to the nginx user (UID 101) From 259f6e42a99b6ca7e8430cc5756e61f97ac9ea1d Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:51:36 -0400 Subject: [PATCH 27/31] Removed wildcard files copy command --- core/Dockerfile-web | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/core/Dockerfile-web b/core/Dockerfile-web index 02e05157..016b699d 100644 --- a/core/Dockerfile-web +++ b/core/Dockerfile-web 
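Review bot: The base image shown in this hunk's header, `FROM nginxinc/nginx-unprivileged:stable-alpine`, is a floating tag, so each rebuild of misp-web can silently pick up a different nginx/Alpine layer set and the release workflow in this series publishes whatever that tag resolved to on the day. Pin it by digest, `FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:<digest>`, and bump the digest deliberately; if the core Dockerfile (not visible here) already pins its own base image, follow that convention. The trailing-slash fix on the two `COPY` lines is correct; this note is about the line above them.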
@@ -4,10 +4,11 @@ FROM nginxinc/nginx-unprivileged:stable-alpine # Set working directory WORKDIR /app -# Copy all files from the local 'files' directory into the container +# Copy necessary from the local 'files' directory into the container COPY files/etc/nginx/ /etc/nginx/ COPY files/var/www/html/ /var/www/html/ -COPY files/entrypoint*nginx.sh /app/. +COPY files/entrypoint_nginx.sh /app/. +COPY files/entrypoint_k8s_nginx.sh /app/. # Change ownership to the nginx user (UID 101) RUN chown -R 101:0 /etc/nginx /var/www/html /app From 48c7f97d8408deb57d5c71ed8e1323955862c7f5 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 11:55:46 -0400 Subject: [PATCH 28/31] added debug --- core/Dockerfile-web | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/core/Dockerfile-web b/core/Dockerfile-web index 016b699d..648e55ca 100644 --- a/core/Dockerfile-web +++ b/core/Dockerfile-web @@ -10,6 +10,12 @@ COPY files/var/www/html/ /var/www/html/ COPY files/entrypoint_nginx.sh /app/. COPY files/entrypoint_k8s_nginx.sh /app/. +#DEBUG +RUN echo "Listing /app:" && ls -la /app && \ + echo "Listing /etc/nginx:" && ls -la /etc/nginx && \ + echo "Listing /var/www/html:" && ls -la /var/www/html + + # Change ownership to the nginx user (UID 101) RUN chown -R 101:0 /etc/nginx /var/www/html /app # Ensure appropriate permissions From a8554e799377cb0ef62da106c5ea00d68e9d8dc6 Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 12:01:49 -0400 Subject: [PATCH 29/31] Moved chown into the copying step --- core/Dockerfile-web | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/core/Dockerfile-web b/core/Dockerfile-web index 648e55ca..ab65427f 100644 --- a/core/Dockerfile-web +++ b/core/Dockerfile-web 
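Review bot: The `#DEBUG` step `RUN echo "Listing /app:" && ls -la /app && ...` added to Dockerfile-web is build-time scaffolding that adds an image layer and prints directory listings into every CI build log; it should be removed before this lands rather than kept in the release image definition. If the listing is still needed while the copy paths are being debugged, run the build locally with `docker buildx bake --progress=plain` and inspect the layer, or gate the step behind a build arg that defaults to off. The following commit in this series still carries the step as context, so it is present on the new side.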
@@ -5,19 +5,16 @@ FROM nginxinc/nginx-unprivileged:stable-alpine WORKDIR /app # Copy necessary from the local 'files' directory into the container -COPY files/etc/nginx/ /etc/nginx/ -COPY files/var/www/html/ /var/www/html/ -COPY files/entrypoint_nginx.sh /app/. -COPY files/entrypoint_k8s_nginx.sh /app/. +COPY --chown=101:0 files/etc/nginx/ /etc/nginx/ +COPY --chown=101:0 files/var/www/html/ /var/www/html/ +COPY --chown=101:0 files/entrypoint_nginx.sh /app/. +COPY --chown=101:0 files/entrypoint_k8s_nginx.sh /app/. #DEBUG RUN echo "Listing /app:" && ls -la /app && \ echo "Listing /etc/nginx:" && ls -la /etc/nginx && \ echo "Listing /var/www/html:" && ls -la /var/www/html - -# Change ownership to the nginx user (UID 101) -RUN chown -R 101:0 /etc/nginx /var/www/html /app # Ensure appropriate permissions RUN chmod -R 755 /etc/nginx /var/www/html /app # Ensure the entrypoint script is executable From cd405a39ddefe9db2e94187faa22fd4f4fdca4ec Mon Sep 17 00:00:00 2001 From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 13:30:44 -0400 Subject: [PATCH 30/31] Absolute entrypoint paths --- core/Dockerfile-web | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/Dockerfile-web b/core/Dockerfile-web index ab65427f..359eec01 100644 --- a/core/Dockerfile-web +++ b/core/Dockerfile-web @@ -18,10 +18,10 @@ RUN echo "Listing /app:" && ls -la /app && \ # Ensure appropriate permissions RUN chmod -R 755 /etc/nginx /var/www/html /app # Ensure the entrypoint script is executable -RUN chmod +x entrypoint_k8s_nginx.sh +RUN chmod +x /app/entrypoint_k8s_nginx.sh # Set the entrypoint -ENTRYPOINT ["./entrypoint_k8s_nginx.sh"] +ENTRYPOINT ["/app/entrypoint_k8s_nginx.sh"] # Use a non-root user (already set in nginx-unprivileged image) USER 101 From 0d551940d67400e9d8103124c903835fa7d921b9 Mon Sep 17 00:00:00 2001 
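Review bot: `COPY --chown=101:0` on `files/etc/nginx/`, `files/var/www/html/` and the two entrypoint scripts, combined with the retained `RUN chmod -R 755 /etc/nginx /var/www/html /app`, leaves the nginx configuration, the served document root and the entrypoint owned by and writable to the same UID the server runs as (`USER 101` at the end of the file). A compromise of the nginx process can then rewrite its own config or the static files it serves; the usual hardening is `root:0` ownership with read-only permissions for the runtime user, granting `--chown=101:0` only to the paths nginx must write. One caveat: `entrypoint_k8s_nginx.sh` calls `init_nginx`, whose body is not visible here; if it renders config under `/etc/nginx` at startup, confine write access to that specific directory rather than the whole tree. The recursive `755` also marks every config file executable, which `u=rwX,go=rX` avoids.
```dockerfile
# Config, document root and entrypoint stay root-owned and read-only for the
# runtime user (UID 101) so a compromised worker cannot alter what nginx loads or serves.
COPY --chown=root:0 files/etc/nginx/ /etc/nginx/
COPY --chown=root:0 files/var/www/html/ /var/www/html/
COPY --chown=root:0 files/entrypoint_nginx.sh /app/.
COPY --chown=root:0 files/entrypoint_k8s_nginx.sh /app/.
# … unchanged: debug listing …
RUN chmod -R u=rwX,go=rX /etc/nginx /var/www/html /app
```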
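Review bot: `RUN chmod +x /app/entrypoint_k8s_nginx.sh` is redundant after `RUN chmod -R 755 /etc/nginx /var/www/html /app` two lines above, which already makes every file under `/app` executable; keep one or the other, and if only the entrypoint is meant to be executable, narrow the recursive chmod to readability (`u=rwX,go=rX`) and keep the explicit `+x`. Switching to the absolute `ENTRYPOINT ["/app/entrypoint_k8s_nginx.sh"]` is the right fix for the relative form, and `USER 101` remains after the permission steps so they still run as root at build time.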
From: jeremiah-RENISAC Date: Thu, 17 Jul 2025 13:31:05 -0400 Subject: [PATCH 31/31] Fixed if statement syntax --- core/files/entrypoint_fpm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh index 97123568..e9940e77 100755 --- a/core/files/entrypoint_fpm.sh +++ b/core/files/entrypoint_fpm.sh @@ -62,7 +62,7 @@ change_php_vars() { echo "Configure PHP | Disabling 'pm.status_listen'" sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE" fi - if [[ "$MISP_PHP_ONLY" ] && [ -n "$PHP_HOST" ]]; then + if [ "$MISP_PHP_ONLY" ] && [ -n "$PHP_HOST" ]; then echo "Configure PHP | Setting 'listen' to 0.0.0.0:${PHP_FPM_PORT:-9000}" sed -i "/^listen =/s@=.*@= 0.0.0.0:${PHP_FPM_PORT:-9000}@" "$FILE" elif [[ -n "$PHP_FPM_SOCK_FILE" ]]; then