Merge pull request #214 from OWASP/develop

v1.1.3

Author: piyushroshan

.github/workflows/ci.yml

@@ -246,3 +246,7 @@ jobs:
           cache-from: type=gha,scope=mailhog-service
           cache-to: type=gha,mode=max,scope=mailhog-service
 
+      - name: Dump docker logs on failure
+        if: failure()
+        uses: jwalton/gh-docker-logs@v2
+

deploy/docker/docker-compose.yml

@@ -40,14 +40,20 @@ services:
       - SMTP_AUTH=true
       - SMTP_STARTTLS=true
       - ENABLE_LOG4J=${ENABLE_LOG4J:-false}
-      - API_GATEWAY_URL=https://api.crapi.io
+      - API_GATEWAY_URL=https://api.mypremiumdealership.com
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_KEYSTORE_TYPE=PKCS12
+      - TLS_KEYSTORE=classpath:certs/server.p12
+      - TLS_KEYSTORE_PASSWORD=passw0rd
+      - TLS_KEY_PASSWORD=passw0rd
+      - TLS_KEY_ALIAS=identity
     depends_on:
       postgresdb:
         condition: service_healthy
       mongodb:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${IDENTITY_SERVER_PORT:-8080}/identity/health_check
+        test: /app/health.sh
         interval: 15s
         timeout: 15s
         retries: 15
@@ -75,6 +81,9 @@ services:
       - MONGO_DB_USER=admin
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_CERTIFICATE=certs/server.crt
+      - TLS_KEY=certs/server.key
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -83,7 +92,7 @@ services:
       crapi-identity:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${COMMUNITY_SERVER_PORT:-8087}/community/home
+        test: /app/health.sh
         interval: 15s
         timeout: 15s
         retries: 15
@@ -112,7 +121,10 @@ services:
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
       - SECRET_KEY=crapi
-      - API_GATEWAY_URL=https://api.crapi.io
+      - API_GATEWAY_URL=https://api.mypremiumdealership.com
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_CERTIFICATE=certs/server.crt
+      - TLS_KEY=certs/server.key
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -123,7 +135,7 @@ services:
       crapi-community:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${WORKSHOP_SERVER_PORT:-8000}/workshop/health_check/
+        test: /app/health.sh
         interval: 15s
         timeout: 15s
         retries: 15
@@ -138,10 +150,12 @@ services:
     image: crapi/crapi-web:${VERSION:-latest}
     ports:
       - "${LISTEN_IP:-127.0.0.1}:8888:80"
+      - "${LISTEN_IP:-127.0.0.1}:8443:443"
     environment:
       - COMMUNITY_SERVICE=crapi-community:${COMMUNITY_SERVER_PORT:-8087}
       - IDENTITY_SERVICE=crapi-identity:${IDENTITY_SERVER_PORT:-8080}
       - WORKSHOP_SERVICE=crapi-workshop:${WORKSHOP_SERVER_PORT:-8000}
+      - TLS_ENABLED=${TLS_ENABLED:-false}
     depends_on:
       crapi-community:
         condition: service_healthy
@@ -225,8 +239,8 @@ services:
           cpus: '0.3'
           memory: 128M
 
-  api.crapi.io:
-    container_name: api.crapi.io
+  api.mypremiumdealership.com:
+    container_name: api.mypremiumdealership.com
     image: crapi/gateway-service:${VERSION:-latest}
     #ports:
     #  - "${LISTEN_IP:-127.0.0.1}:8443:443" # https
@@ -235,6 +249,7 @@ services:
         interval: 15s
         timeout: 15s
         retries: 15
+        start_period: 15s
     deploy:
       resources:
         limits:

deploy/helm/templates/community/config.yaml

@@ -22,3 +22,4 @@ data:
     MONGO_DB_PASSWORD: {{ .Values.mongodb.config.mongoPassword }}
     MONGO_DB_NAME: {{ .Values.mongodb.config.mongoDbName }}
     SERVER_PORT: {{ .Values.community.port | quote }}
+    TLS_ENABLED: {{ .Values.tlsEnabled | quote }}

deploy/helm/templates/identity/config.yaml

@@ -30,3 +30,9 @@ data:
   SMTP_STARTTLS: {{ .Values.identity.config.smtpStartTLS | quote }}
   SERVER_PORT: {{ .Values.identity.port | quote }}
   API_GATEWAY_URL: {{ if .Values.apiGatewayServiceInstall }}"https://{{ .Values.apiGatewayService.service.name }}"{{ else }}{{ .Values.apiGatewayServiceUrl }}{{ end }}
+  TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
+  TLS_KEYSTORE_TYPE: {{ .Values.identity.config.keyStoreType }}
+  TLS_KEYSTORE: {{ .Values.identity.config.keyStore }}
+  TLS_KEYSTORE_PASSWORD: {{ .Values.identity.config.keyStorePassword }}
+  TLS_KEY_PASSWORD: {{ .Values.identity.config.keyPassword }}
+  TLS_KEY_ALIAS: {{ .Values.identity.config.keyAlias }}

deploy/helm/templates/web/configmap.yaml

@@ -9,3 +9,4 @@ data:
   COMMUNITY_SERVICE: {{ .Values.community.service.name }}:{{ .Values.community.port }}
   IDENTITY_SERVICE: {{ .Values.identity.service.name }}:{{ .Values.identity.port }}
   WORKSHOP_SERVICE: {{ .Values.workshop.service.name }}:{{ .Values.workshop.port }}
+  TLS_ENABLED: {{ .Values.tlsEnabled | quote }}

deploy/helm/templates/web/deployment.yaml

@@ -23,6 +23,7 @@ spec:
           image: {{ .Values.web.image }}:{{ .Chart.AppVersion }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
           ports:
+            - containerPort: 443
             - containerPort: 80
           {{- if .Values.web.resources }}
           resources:

deploy/helm/templates/web/ingress.yaml

@@ -11,6 +11,10 @@ spec:
     targetPort: 80
     nodePort: {{ .Values.web.service.nodePort }}
     name: nginx
+  - port: {{ .Values.web.sslPort }}
+    targetPort: 443
+    nodePort: {{ .Values.web.service.sslNodePort }}
+    name: nginx-ssl
   type: LoadBalancer
   selector:
     {{- toYaml .Values.web.serviceSelectorLabels | nindent 4 }}

deploy/helm/templates/workshop/config.yaml

@@ -22,3 +22,4 @@ data:
     MONGO_DB_NAME: {{ .Values.mongodb.config.mongoDbName }}
     SERVER_PORT: {{ .Values.workshop.port | quote }}
     API_GATEWAY_URL: {{ if .Values.apiGatewayServiceInstall }}"https://{{ .Values.apiGatewayService.service.name }}"{{ else }}{{ .Values.apiGatewayServiceUrl }}{{ end }}
+    TLS_ENABLED: {{ .Values.tlsEnabled | quote }}

deploy/helm/values-tls.yaml

@@ -0,0 +1,32 @@
+# Default values for crapi.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+imagePullPolicy: Always
+apiGatewayServiceUrl: https://api.mypremiumdealership.com
+apiGatewayServiceInstall: false
+enableLog4j: true
+enableShellInjection: true
+tlsEnabled: true
+
+web:
+  image: crapi/crapi-web
+  port: 80
+  sslPort: 443
+identity:
+  image: crapi/crapi-identity
+  port: 8080
+community:
+  image: crapi/crapi-community
+  port: 8087
+workshop:
+  image: crapi/crapi-workshop
+  port: 8000
+mailhog:
+  image: crapi/mailhog
+mongodb:
+  image: mongo
+  version: 5.0
+postgresdb:
+  image: postgres
+  version: 14

deploy/helm/values.yaml

@@ -6,9 +6,10 @@ jwtSecret: crapi
 enableLog4j: false
 enableShellInjection: true
 imagePullPolicy: Always
-apiGatewayServiceUrl: https://api.crapi.io
+apiGatewayServiceUrl: https://api.mypremiumdealership.com
 apiGatewayServiceInstall: true
 apiGatewayPassword: 
+tlsEnabled: false
 
 waitForK8sResources:
   image: groundnuty/k8s-wait-for:v1.3
@@ -19,11 +20,13 @@ web:
   image: crapi/crapi-web
   replicaCount: 1
   port: 80
+  sslPort: 443
   service:
     name: crapi-web
     labels:
       app: crapi-web
     nodePort: 30080
+    sslNodePort: 30443
   config:
     name: crapi-web-configmap
     labels:
@@ -70,6 +73,11 @@ identity:
     smtpFrom: "[email protected]"
     smtpAuth: true
     smtpStartTLS: true
+    keyStoreType: PKCS12
+    keyStore: classpath:certs/server.p12
+    keyStorePassword: passw0rd
+    keyPassword: passw0rd
+    keyAlias: identity
   resources:
     limits:
       cpu: "500m"
@@ -278,4 +286,4 @@ apiGatewayService:
   deploymentSelectorMatchLabels:
     app: gateway-service
   serviceSelectorLabels:
-    app: gateway-service
+    app: gateway-service