Change nginx ciphers and make configurable via helm chart values (#4507)

* Change nginx ciphers and make configurable via helm chart values * Add support for including breaking changes in the changelog * Improve clean-symlinks script * Update changelog.sh * Update changelog.sh * Remove trailing line * Remove tailing line * Fix bug with cert path patching * Fig bug where protocols not patched
cloudfoundry · Aug 18, 2020 · 3a8cd74 · 3a8cd74
1 parent 4df1516
commit 3a8cd74
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 6 deletions.
diff --git a/deploy/Dockerfile.ui b/deploy/Dockerfile.ui
@@ -16,7 +16,7 @@ RUN npm install && \
 FROM splatform/stratos-nginx-base:leap15_1 as prod-build
 RUN mkdir -p /usr/share/doc/suse
 COPY  deploy/containers/nginx/LICENSE.txt /usr/share/doc/suse/LICENSE.txt
-COPY  deploy/containers/nginx/conf/nginx.k8s.conf /etc/nginx/nginx.conf
+COPY  deploy/containers/nginx/conf/nginx.k8s.conf /etc/nginx/nginx.conf.tmpl
 COPY --from=base-build /usr/dist /usr/share/nginx/html
 COPY deploy/containers/nginx/run-nginx.sh/ /run-nginx.sh
 EXPOSE 80 443

diff --git a/deploy/containers/nginx/conf/nginx.dev.conf b/deploy/containers/nginx/conf/nginx.dev.conf
@@ -48,7 +48,7 @@ http {
         ssl_certificate             /etc/secrets/server.crt;
         ssl_certificate_key         /etc/secrets/server.key;
         ssl_protocols               TLSv1.2 TLSv1.3;
-        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_ciphers                 HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers   on;
 
         client_max_body_size        50M;

diff --git a/deploy/containers/nginx/conf/nginx.k8s.conf b/deploy/containers/nginx/conf/nginx.k8s.conf
@@ -47,8 +47,8 @@ http {
 
         ssl_certificate             /CONSOLE_CERT_PATH/tls.crt;
         ssl_certificate_key         /CONSOLE_CERT_PATH/tls.key;
-        ssl_protocols               TLSv1.2 TLSv1.3;
-        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_protocols               __PROTOCOLS__;
+        ssl_ciphers                 __CIPHERS__;
         ssl_prefer_server_ciphers   on;
 
         client_max_body_size        50M;

diff --git a/deploy/containers/nginx/run-nginx.sh b/deploy/containers/nginx/run-nginx.sh
@@ -5,6 +5,9 @@ echo "Stratos UI Container (nginx)"
 echo "============================================"
 echo ""
 
+# Copy the template config to the /etc/nging/nginx.conf
+cp /etc/nginx/nginx.conf.tmpl /etc/nginx/nginx.conf
+
 sed -i -e 's@CONSOLE_CERT_PATH@'"${CONSOLE_CERT_PATH}"'@g' /etc/nginx/nginx.conf
 echo "Checking for certificate at ${CONSOLE_CERT_PATH} ..."
 
@@ -16,5 +19,22 @@ do
     sleep 1; 
 done
 
-echo "TLS certificate detected ... starting nginx."
+echo "TLS certificate detected OK"
+
+# Patch the config file with the desired ciphers and protocols
+echo "Setting nginx ciphers and protocols"
+
+DEFAULT_PROTOCOLS="TLSv1.2 TLSv1.3"
+DEFAULT_CIPHERS="HIGH:!aNULL:!MD5"
+
+NGINX_PROTOCOLS=${SSL_PROTOCOLS:-$DEFAULT_PROTOCOLS}
+NGINX_CIPHERS=${SSL_CIPHERS:-$DEFAULT_CIPHERS}
+
+echo "SSL Protocols : $NGINX_PROTOCOLS"
+echo "SSL Ciphers   : $NGINX_CIPHERS"
+
+sed -i -e 's/__PROTOCOLS__/'"${NGINX_PROTOCOLS}"'/g' /etc/nginx/nginx.conf
+sed -i -e 's/__CIPHERS__/'"${NGINX_CIPHERS}"'/g' /etc/nginx/nginx.conf
+
+echo "Starting nginx ..."
 nginx -g "daemon off;"
diff --git a/deploy/kubernetes/console/README.md b/deploy/kubernetes/console/README.md
@@ -22,7 +22,7 @@ Check the repository was successfully added by searching for the `console`, for
 ```
 helm search repo console
 NAME               	CHART VERSION   APP VERSION	DESCRIPTION                                  
-stratos/console    	3.2.0           3.2.0      	A Helm chart for deploying Stratos UI Console
+stratos/console    	4.0.0           4.0.0      	A Helm chart for deploying Stratos UI Console
 ```
 
 > Note: Version numbers will depend on the version of Stratos available from the Helm repository
@@ -115,6 +115,8 @@ The following table lists the configurable parameters of the Stratos Helm chart
 |console.service.extraLabels|Additional labels to be added to all service resources||
 |console.service.ingress.annotations|Annotations to be added to the ingress resource||
 |console.service.ingress.extraLabels|Additional labels to be added to the ingress resource||
+|console.sslProtocols|SSL Protocols to use for the nginx configuration|TLSv1.2 TLSv1.3|
+|console.sslCiphers|SSL Ciphers to use for the nginx configuration|HIGH:!aNULL:!MD5|
 |console.nodeSelector|Node selectors to use for the console Pod||
 |mariadb.nodeSelector|Node selectors to use for the database Pod||
 |configInit.nodeSelector|Node selectors to use for the configuration Pod||

diff --git a/deploy/kubernetes/console/templates/deployment.yaml b/deploy/kubernetes/console/templates/deployment.yaml
@@ -69,6 +69,10 @@ spec:
           value: "{{.Values.consoleVersion}}:{{ .Release.Revision }}"
         - name: CONSOLE_CERT_PATH
           value: "/{{ .Release.Name }}-cert-volume"
+        - name: SSL_PROTOCOLS
+          value: "{{ .Values.console.sslProtocols }}"
+        - name: SSL_CIPHERS
+          value: "{{ .Values.console.sslCiphers }}"
         volumeMounts:
         - mountPath: "/{{ .Release.Name }}-cert-volume"
           name: "{{ .Release.Name }}-cert-volume"

diff --git a/deploy/kubernetes/console/values.yaml b/deploy/kubernetes/console/values.yaml
@@ -108,6 +108,10 @@ console:
 
   # Node Selector for console Pod
   nodeSelector: {}
+
+  # ssl protocols and ciphers overrides - leave empty for defaults
+  sslProtocols:
+  sslCiphers:
 
 images:
   console: stratos-console