* fix(frontend-2): routes to /authn should set x-frame-options header to deny
* fix(frontend1): do not render authn route if in an iframe
* fix(nginx): should log in json format
* chore(frontend): use bitnami/openresty as base image for frontend Dockerfile
openresty/openresty was not being patched as frequently as we would like, resulting in numerous
vulnerabilities without resolution. bitnami/openresty is being patched more frequently.
Some additional changes were necessary when porting our frontend between these distributions:
- html files are in /app
- nginx.conf is in /opt/bitnami/openresty/nginx/conf/nginx.conf
- envsubst is not available by default in bitnami/openresty and needs to be copied in
- Nginx.conf - we wrap the server block in http block and overwrite root nginx.conf
- using the existing bitnami/openresty nginx.conf as a server block alone causes issues with bitnami/openresty, as bitnami/openresty provides a root nginx.conf which conflicts with directives in Speckle's server block
- we copy the directives from openresty/openresty (which are known to work with Speckle's server block), and apply them alongside Speckle's server block. This creates a new root nginx.conf which we can overwrite the default on the image.
- nginx should use a port available to non sudo/root user, we have selected 8080 instead of previous 80
- need to explicitly output nginx logs to stderr / stdout
Created a readonly root file system on Kubernetes. This requires the following changes:
- emptyDir volumes are mounted in kubernetes to allow bitnami/openresty to write to specific locations
- explicitly include and copy mime.types file to nginx configuration directory
Due to the change to non-privileged port number (8080), the following subsequent changes were required:
- Update 1-click deployment script to match frontend at port 8080
- Updates docker-compose-speckle.yaml file
Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
* feat(helm chart): add SecurityContext to pods and containers
Speckle pods should run with minimal privileges and capabilities to function.
Fix https://github.com/specklesystems/speckle-server/issues/857
* Update securityContext for all pods
* frontend runs as nonroot and readonly root filesystem
- set fsgroup for all pods with volumes
* Frontend requires write directory at /etc/nginx/conf.d
* Allow openresty log directory to be writable
* feat(helm local test): add test container into the make script
Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
Iain Sproat