Merge pull request #743 from intekhab1025/feature/SSL-TLS-sample-implementation

Author: erwindon

docker/build-and-upload.sh

@@ -4,6 +4,7 @@ cd dockerfiles
 set -e
 tag=3007.4
 docker build -f dockerfile-saltmaster --tag erwindon/saltgui-saltmaster:$tag --tag erwindon/saltgui-saltmaster:latest .
+docker build -f dockerfile-saltmaster-tls --tag erwindon/saltgui-saltmaster-tls:$tag --tag erwindon/saltgui-saltmaster-tls:latest .
 docker build -f dockerfile-saltminion-ubuntu --tag erwindon/saltgui-saltminion-ubuntu:$tag --tag erwindon/saltgui-saltminion-ubuntu:latest .
 docker build -f dockerfile-saltminion-debian --tag erwindon/saltgui-saltminion-debian:$tag --tag erwindon/saltgui-saltminion-debian:latest .
 docker build -f dockerfile-saltminion-centos --tag erwindon/saltgui-saltminion-centos:$tag --tag erwindon/saltgui-saltminion-centos:latest .
@@ -12,6 +13,7 @@ docker images | awk '/^<none>/ {print $3;}' | xargs --no-run-if-empty docker rmi
 for t in $tag latest; do
 	# this needs "docker login"
 	docker push erwindon/saltgui-saltmaster:$t
+	docker push erwindon/saltgui-saltmaster-tls:$t
 	docker push erwindon/saltgui-saltminion-ubuntu:$t
 	docker push erwindon/saltgui-saltminion-debian:$t
 	docker push erwindon/saltgui-saltminion-centos:$t

docker/conf/master-tls

@@ -0,0 +1,51 @@
+# /etc/salt/master
+
+file_roots:
+  base:
+    - /srv/salt/
+
+pillar_roots:
+  base:
+    - /srv/pillar
+
+external_auth:
+  pam:
+    salt:
+      - .*
+      - '@runner'
+      - '@wheel'
+      - '@jobs'
+
+rest_cherrypy:
+    port: 3334
+    host: 0.0.0.0
+    disable_ssl: false
+    ssl_crt: /etc/ssl/saltgui/server.crt
+    ssl_key: /etc/ssl/saltgui/server.key
+    app: /saltgui/index.html
+    static: /saltgui/static
+    static_path: /static
+
+netapi_enable_clients:
+    - local
+    - local_async
+    - runner
+    - wheel
+
+saltgui_templates:
+    template1:
+        description: First template
+        target: "*"
+        command: test.fib num=10
+    template2:
+        description: Second template
+        targettype: glob
+        target: "*ubuntu*"
+        command: test.version
+    template3:
+        description: Empty template
+    template4:
+        description: Fourth template
+        targettype: compound
+        target: "G@os:Ubuntu"
+        command: test.version

docker/docker-compose-tls.yml

@@ -0,0 +1,38 @@
+version: '3'
+services:
+  saltmaster-local:
+    image: erwindon/saltgui-saltmaster-tls:3007.4
+    hostname: saltmaster-local
+    ports:
+      - 4505:4505
+      - 4506:4506
+      - 3334:3334
+    volumes:
+    - ./srv/:/srv/
+    - ./conf/master-tls:/etc/salt/master
+    - ../saltgui:/saltgui
+    - ssl_certs:/etc/ssl/saltgui
+
+  saltminion-ubuntu:
+    image: erwindon/saltgui-saltminion-ubuntu:3007.4
+    hostname: saltminion-ubuntu
+    depends_on:
+      - saltmaster-local
+    restart: on-failure
+
+  saltminion-debian:
+    image: erwindon/saltgui-saltminion-debian:3007.4
+    hostname: saltminion-debian
+    depends_on:
+      - saltmaster-local
+    restart: on-failure
+
+  saltminion-centos:
+    image: erwindon/saltgui-saltminion-centos:3007.4
+    hostname: saltminion-centos
+    depends_on:
+      - saltmaster-local
+    restart: on-failure
+
+volumes:
+  ssl_certs:

docker/dockerfiles/dockerfile-saltmaster-tls

@@ -0,0 +1,57 @@
+FROM ubuntu:24.04
+
+LABEL maintainer="Erwin Dondorp <[email protected]>"
+LABEL name=salt-master-tls
+LABEL project="SaltGUI testing with TLS"
+LABEL version=3007.4
+
+ENV SALT_VERSION=3007.4
+ENV DEBIAN_FRONTEND=noninteractive
+
+# make download possible, make encrypted password generation possible
+RUN apt-get update
+RUN apt-get install --yes --no-install-recommends curl openssl adduser
+
+# add a user for the frontend salt:salt
+RUN adduser salt
+RUN usermod -s /bin/bash -p "$(openssl passwd -1 salt)" salt
+
+# install salt-master with salt-api
+# not using repo, so must explicitly do all packages
+RUN curl -k -L -o salt-common_${SALT_VERSION}.deb https://packages.broadcom.com/artifactory/saltproject-deb/pool/salt-common_${SALT_VERSION}_amd64.deb
+RUN curl -k -L -o salt-api_${SALT_VERSION}.deb https://packages.broadcom.com/artifactory/saltproject-deb/pool/salt-api_${SALT_VERSION}_amd64.deb
+RUN curl -k -L -o salt-master_${SALT_VERSION}.deb https://packages.broadcom.com/artifactory/saltproject-deb/pool/salt-master_${SALT_VERSION}_amd64.deb
+RUN apt install --yes --no-install-recommends ./salt-common_${SALT_VERSION}.deb ./salt-master_${SALT_VERSION}.deb ./salt-api_${SALT_VERSION}.deb
+
+# install supervisor
+# because we need to run salt-master and salt-api
+RUN apt-get install --yes --no-install-recommends supervisor
+
+# cleanup temporary files
+RUN rm -rf /var/lib/apt/lists/* *.deb \
+  && apt-get --yes autoremove \
+  && apt-get clean
+
+# Create SSL directory and generate self-signed certificates
+RUN mkdir -p /etc/ssl/saltgui
+
+# Generate SSL certificates using a single RUN command
+RUN cd /etc/ssl/saltgui && \
+    openssl genrsa -out server.key 2048 && \
+    openssl req -new -key server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=saltgui" && \
+    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \
+    chmod 600 server.key && \
+    chmod 644 server.crt && \
+    rm server.csr && \
+    echo "SSL certificates generated successfully"
+
+# copy supervisord configuration
+COPY ./conf/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+# some volume configuration for the saltmaster
+VOLUME ["/pki", "/var/cache/salt", "/var/log/salt", "/etc/ssl/saltgui"]
+EXPOSE 3334 4505 4506
+
+# define main container command
+# explicitly mentioning the (default) configuration file saves a warning
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

docs/README.md

@@ -2,6 +2,8 @@
 
 SaltGUI is an open source web interface for managing a SaltStack server and its minions. Built using vanilla ES6 and implemented as a wrapper around the rest_cherrypy server a.k.a. salt-api.
 
+**Security Note**: For production deployments, TLS encryption is strongly recommended. See [TLS Configuration](#tls-configuration) for complete setup instructions.
+
 The version tagged `release` is the latest released version. The version `master` should be fine, but it may contain changes that are not yet in these release-notes.
 
 See [SaltGUI documentation](https://erwindon.github.io/SaltGUI/) for the complete documentation.
@@ -92,7 +94,9 @@ rest_cherrypy:
 - Replace each of the `/srv/saltgui` in the above config with the actual `saltgui` directory from the GIT repository. Alternatively, you can create a soft-link /src/saltgui that points to the actual saltgui directory.
 - To successfully use `salt-api` with a default PAM setup, if may be needed to grant read access on `/etc/shadow` to the `salt` user. This is best done using `sudo usermod --append --groups shadow salt`.
 - Restart everything with ``pkill salt-master && pkill salt-api && salt-master -d && salt-api -d``
-- You should be good to go. If you have any problems, open a GitHub issue. As always, SSL is recommended wherever possible but setup is beyond the scope of this guide.
+- You should be good to go. If you have any problems, open a GitHub issue.
+
+**For TLS configuration**, see the dedicated [TLS Configuration](#tls-configuration) section below for comprehensive setup instructions including enterprise best practices.
 
 **Note: With this configuration, the user has access to all salt modules available, maybe this is not what you want**
 
@@ -582,13 +586,59 @@ Note that the main page of SaltGUI is then located at `/app/`. When you want `/a
 
 
 ## Development environment with Docker
-To make life a bit easier for testing SaltGUI or setting up a local development environment you can use the provided docker-compose setup in this repository to run a saltmaster with three minions, including SaltGUI:
+To make life a bit easier for testing SaltGUI or setting up a local development environment, you can use the provided docker-compose setups in this repository:
+
+**For basic testing (HTTP):**
 ```
 cd docker
 docker-compose up
 ```
 Then browse to [http://localhost:3333/](http://localhost:3333/), you can login with `salt:salt`.
 
+**For TLS testing:**
+```
+cd docker
+docker-compose -f docker-compose-tls.yml up
+```
+Then browse to [https://localhost:3334/](https://localhost:3334/), you can login with `salt:salt`.
+
+
+## TLS-enabled Docker Environment
+For production use or testing with TLS encryption, you can use the TLS-enabled Docker configuration:
+
+```bash
+cd docker
+docker-compose -f docker-compose-tls.yml up
+```
+
+This will start:
+- A SaltGUI master with TLS enabled on port 3334
+- Three minions (Ubuntu, Debian, CentOS)
+- Self-signed SSL certificates (automatically generated)
+
+**Connecting to TLS-enabled SaltGUI:**
+- Browse to [https://localhost:3334/](https://localhost:3334/)
+- You will see a security warning about the self-signed certificate
+- Accept the certificate to proceed (for testing purposes)
+- Login with `salt:salt`
+
+**Important Notes for TLS Setup:**
+- The TLS configuration uses self-signed certificates generated during the Docker build
+- For production use, replace the self-signed certificates with proper CA-signed certificates
+- You can mount your own certificates by modifying the `ssl_certs` volume in `docker-compose-tls.yml`
+- The TLS master configuration is located in `docker/conf/master-tls`
+
+**Custom SSL Certificates:**
+To use your own SSL certificates, place them in a directory and mount it to the container:
+```yaml
+volumes:
+  - /path/to/your/certs:/etc/ssl/saltgui
+```
+
+Your certificate directory should contain:
+- `server.crt` - SSL certificate file
+- `server.key` - Private key file
+
 
 ## Testing
 We provide some functional tests and unit tests. They use the docker setup to run the functional tests. You will also need [yarn](https://yarnpkg.com) and [node.js](https://nodejs.org/en/) to run them. When you have docker, yarn and node.js installed, you can run the tests from the root of the repository like this: