Change nginx ciphers and make configurable via helm chart values

build/clean-symlinks.js

@@ -7,7 +7,7 @@ const path = require('path');
 const fs = require('fs');
 
 // __dirname is the folder where build.js is located
-const STRATOS_DIR= path.resolve(__dirname, '..');
+const STRATOS_DIR = path.resolve(__dirname, '..');
 
 function processFile(filepath) {
   if (fs.existsSync(filepath)) {
@@ -23,14 +23,18 @@ function processFolder(dir) {
   if (!fs.existsSync(dir)) {
     return
   }
-  fs.readdirSync(dir).forEach( f => {
+  fs.readdirSync(dir).forEach(f => {
     let dirPath = path.join(dir, f);
-    const realPath = fs.realpathSync(dirPath);
-    const stats = fs.lstatSync(realPath);
-    if (stats.isDirectory()) {
-      processFolder(dirPath);
+    if (!fs.existsSync(dirPath)) {
+      fs.unlinkSync(dirPath);
     } else {
-      processFile(dirPath);
+      const realPath = fs.realpathSync(dirPath);
+      const stats = fs.lstatSync(realPath);
+      if (stats.isDirectory()) {
+        processFolder(dirPath);
+      } else {
+        processFile(dirPath);
+      }
     }
   });
 };

deploy/Dockerfile.ui

@@ -16,7 +16,7 @@ RUN npm install && \
 FROM splatform/stratos-nginx-base:leap15_1 as prod-build
 RUN mkdir -p /usr/share/doc/suse
 COPY  deploy/containers/nginx/LICENSE.txt /usr/share/doc/suse/LICENSE.txt
-COPY  deploy/containers/nginx/conf/nginx.k8s.conf /etc/nginx/nginx.conf
+COPY  deploy/containers/nginx/conf/nginx.k8s.conf /etc/nginx/nginx.conf.tmpl
 COPY --from=base-build /usr/dist /usr/share/nginx/html
 COPY deploy/containers/nginx/run-nginx.sh/ /run-nginx.sh
 EXPOSE 80 443

deploy/containers/nginx/conf/nginx.dev.conf

@@ -48,7 +48,7 @@ http {
         ssl_certificate             /etc/secrets/server.crt;
         ssl_certificate_key         /etc/secrets/server.key;
         ssl_protocols               TLSv1.2 TLSv1.3;
-        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_ciphers                 HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers   on;
 
         client_max_body_size        50M;

deploy/containers/nginx/conf/nginx.k8s.conf

@@ -47,8 +47,8 @@ http {
 
         ssl_certificate             /CONSOLE_CERT_PATH/tls.crt;
         ssl_certificate_key         /CONSOLE_CERT_PATH/tls.key;
-        ssl_protocols               TLSv1.2 TLSv1.3;
-        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_protocols               __PROTOCOLS__;
+        ssl_ciphers                 __CIPHERS__;
         ssl_prefer_server_ciphers   on;
 
         client_max_body_size        50M;

deploy/containers/nginx/run-nginx.sh

@@ -5,6 +5,9 @@ echo "Stratos UI Container (nginx)"
 echo "============================================"
 echo ""
 
+# Copy the template config to the /etc/nging/nginx.conf
+cp /etc/nginx/nginx.conf.tmpl /etc/nginx/nginx.conf
+
 sed -i -e 's@CONSOLE_CERT_PATH@'"${CONSOLE_CERT_PATH}"'@g' /etc/nginx/nginx.conf
 echo "Checking for certificate at ${CONSOLE_CERT_PATH} ..."
 
@@ -16,5 +19,22 @@ do
     sleep 1; 
 done
 
-echo "TLS certificate detected ... starting nginx."
+echo "TLS certificate detected OK"
+
+# Patch the config file with the desired ciphers and protocols
+echo "Setting nginx ciphers and protocols"
+
+DEFAULT_PROTOCOLS="TLSv1.2 TLSv1.3"
+DEFAULT_CIPHERS="HIGH:!aNULL:!MD5"
+
+NGINX_PROTOCOLS=${SSL_PROTOCOLS:-$DEFAULT_PROTOCOLS}
+NGINX_CIPHERS=${SSL_CIPHERS:-$DEFAULT_CIPHERS}
+
+echo "SSL Protocols : $NGINX_PROTOCOLS"
+echo "SSL Ciphers   : $NGINX_CIPHERS"
+
+sed -i -e 's/__PROTOCOLS__/'"${NGINX_PROTOCOLS}"'/g' /etc/nginx/nginx.conf
+sed -i -e 's/__CIPHERS__/'"${NGINX_CIPHERS}"'/g' /etc/nginx/nginx.conf
+
+echo "Starting nginx ..."
 nginx -g "daemon off;"

deploy/kubernetes/console/README.md

@@ -22,7 +22,7 @@ Check the repository was successfully added by searching for the `console`, for
 ```
 helm search repo console
 NAME               	CHART VERSION   APP VERSION	DESCRIPTION                                  
-stratos/console    	3.2.0           3.2.0      	A Helm chart for deploying Stratos UI Console
+stratos/console    	4.0.0           4.0.0      	A Helm chart for deploying Stratos UI Console
 ```
 
 > Note: Version numbers will depend on the version of Stratos available from the Helm repository
@@ -115,6 +115,8 @@ The following table lists the configurable parameters of the Stratos Helm chart
 |console.service.extraLabels|Additional labels to be added to all service resources||
 |console.service.ingress.annotations|Annotations to be added to the ingress resource||
 |console.service.ingress.extraLabels|Additional labels to be added to the ingress resource||
+|console.sslProtocols|SSL Protocols to use for the nginx configuration|TLSv1.2 TLSv1.3|
+|console.sslCiphers|SSL Ciphers to use for the nginx configuration|HIGH:!aNULL:!MD5|
 |console.nodeSelector|Node selectors to use for the console Pod||
 |mariadb.nodeSelector|Node selectors to use for the database Pod||
 |configInit.nodeSelector|Node selectors to use for the configuration Pod||

deploy/kubernetes/console/templates/deployment.yaml

@@ -69,6 +69,10 @@ spec:
           value: "{{.Values.consoleVersion}}:{{ .Release.Revision }}"
         - name: CONSOLE_CERT_PATH
           value: "/{{ .Release.Name }}-cert-volume"
+        - name: SSL_PROTOCOLS
+          value: "{{ .Values.console.sslProtocols }}"
+        - name: SSL_CIPHERS
+          value: "{{ .Values.console.sslCiphers }}"
         volumeMounts:
         - mountPath: "/{{ .Release.Name }}-cert-volume"
           name: "{{ .Release.Name }}-cert-volume"

deploy/kubernetes/console/values.yaml

@@ -108,6 +108,10 @@ console:
 
   # Node Selector for console Pod
   nodeSelector: {}
+
+  # ssl protocols and ciphers overrides - leave empty for defaults
+  sslProtocols:
+  sslCiphers:
 
 images:
   console: stratos-console