diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7d9c45fca..f41979e4c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -75,6 +75,7 @@ jobs:
 echo "${{ secrets.DOCKER_REPO_EVENTS_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_EVENTS_ID.key
 echo "${{ secrets.DOCKER_REPO_ADMIN_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_ADMIN_ID.key
 echo "${{ secrets.DOCKER_REPO_NGINX_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_NGINX_ID.key
+ echo "${{ secrets.DOCKER_REPO_K8SPROXY_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_K8SPROXY_ID.key
 echo "${{ secrets.DOCKER_REPO_SSO_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_SSO_ID.key
 echo "${{ secrets.DOCKER_REPO_PORTAL_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_PORTAL_ID.key
 echo "${{ secrets.DOCKER_REPO_MSSQL_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_MSSQL_ID.key
@@ -90,6 +91,7 @@ jobs:
 DOCKER_REPO_EVENTS_ID: "1020320052e6247f3c5fbfc2a3bfb0efc7e247f8a5a187dc03f60848359ac7c9"
 DOCKER_REPO_ADMIN_ID: "c5d80db8745fcd7a1510c3fba5c65582cfc2453d2b1eeb292abe79eb1351cf5c"
 DOCKER_REPO_NGINX_ID: "bf3d3247f5c2be73bbe830cddbae445c29e4fcc9e2fb4b4d39abf86a2740098b"
+ DOCKER_REPO_K8SPROXY_ID: "bdad34c1202b2bbf8a460b66da08b2c1c1eea5864b29508782c00da145eb1fcd"
 DOCKER_REPO_SSO_ID: "97a5f6d29b255ff709ec63faad27c2f76246f006563bf3ecbb71547325c05815"
 DOCKER_REPO_PORTAL_ID: "4f358aa0a41c9a6650f5d2f907c2de418df34ddf3ee45e0994be7cc2dcd0b56e"
 DOCKER_REPO_MSSQL_ID: "30a44d7efbe48d30ed06abef003d2d8990205dad6a034617cddc03548f8c084e"
diff --git a/build.sh b/build.sh
index 4730fe92d..db563df88 100755
--- a/build.sh
+++ b/build.sh
@@ -21,6 +21,7 @@ then
 docker push bitwarden/events:$TAG
 docker push bitwarden/admin:$TAG
 docker push bitwarden/nginx:$TAG
+ docker push bitwarden/k8s-proxy:$TAG
 docker push bitwarden/sso:$TAG
 docker push bitwarden/portal:$TAG
 docker push bitwarden/mssql:$TAG
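Review bot: The new `echo "${{ secrets.DOCKER_REPO_K8SPROXY_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_K8SPROXY_ID.key` line, like the sibling lines around it, creates the signing key file with the runner's default umask, so the file is typically group- and world-readable for the rest of the job. A `umask 077` at the top of this run step (the step starts outside the hunk) would make every key written by this block owner-only without touching the individual lines. Docker Content Trust keys are passphrase-encrypted, so this is defence in depth rather than a direct exposure, but it is a one-line hardening.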
@@ -40,6 +41,7 @@ then
 docker tag bitwarden/events bitwarden/events:$TAG
 docker tag bitwarden/admin bitwarden/admin:$TAG
 docker tag bitwarden/nginx bitwarden/nginx:$TAG
+ docker tag bitwarden/nginx bitwarden/k8s-proxy:$TAG
 docker tag bitwarden/sso bitwarden/sso:$TAG
 docker tag bitwarden/portal bitwarden/portal:$TAG
 docker tag bitwarden/mssql bitwarden/mssql:$TAG
diff --git a/util/Nginx/.dockerignore b/util/Nginx/.dockerignore
index 62b43aced..808fa8257 100644
--- a/util/Nginx/.dockerignore
+++ b/util/Nginx/.dockerignore
@@ -6,3 +6,4 @@
 !security-headers-ssl.conf
 !mime.types
 !logrotate.sh
+!setup-bwuser.sh
diff --git a/util/Nginx/Dockerfile-k8s b/util/Nginx/Dockerfile-k8s
new file mode 100644
index 000000000..19e50daa0
--- /dev/null
+++ b/util/Nginx/Dockerfile-k8s
@@ -0,0 +1,40 @@
+FROM nginx:1.18
+
+LABEL com.bitwarden.product="bitwarden"
+
+ENV USERNAME="bitwarden"
+ENV GROUPNAME="bitwarden"
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ gosu \
+ curl && \
+ rm -rf /var/lib/apt/lists/*
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY proxy.conf /etc/nginx/proxy.conf
+COPY mime.types /etc/nginx/mime.types
+COPY security-headers.conf /etc/nginx/security-headers.conf
+COPY security-headers-ssl.conf /etc/nginx/security-headers.conf
+
+COPY setup-bwuser.sh /
+
+EXPOSE 8000
+
+EXPOSE 8080
+EXPOSE 8443
+
+RUN chmod +x /setup-bwuser.sh
+
+RUN ./setup-bwuser.sh $USERNAME $GROUPNAME
+
+RUN mkdir -p /var/run/nginx && \
+ touch /var/run/nginx/nginx.pid
+RUN chown -R $USERNAME:$GROUPNAME /var/run/nginx && \
+ chown -R $USERNAME:$GROUPNAME /var/cache/nginx && \
+ chown -R $USERNAME:$GROUPNAME /var/log/nginx
+
+
+HEALTHCHECK CMD curl --insecure -Lfs https://localhost:8443/alive || curl -Lfs http://localhost:8080/alive || exit 1
+
+USER bitwarden
diff --git a/util/Nginx/build.sh b/util/Nginx/build.sh
index 613603090..d8adbc1e8 100755
--- a/util/Nginx/build.sh
+++ b/util/Nginx/build.sh
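Review bot: `docker tag bitwarden/nginx bitwarden/k8s-proxy:$TAG` re-tags the nginx image instead of the separately built k8s-proxy image, so the image produced from Dockerfile-k8s (tagged `bitwarden/k8s-proxy` in util/Nginx/build.sh) is never the one pushed under `bitwarden/k8s-proxy:$TAG` and the non-root configuration from that Dockerfile never reaches the registry. The source should be the image built under that name: `docker tag bitwarden/k8s-proxy bitwarden/k8s-proxy:$TAG`. The enclosing if-block starts outside the hunk.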
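Review bot: `COPY security-headers-ssl.conf /etc/nginx/security-headers.conf` writes to the same destination as the `COPY security-headers.conf` line directly above it, so the non-SSL header set is overwritten and no `security-headers-ssl.conf` exists in the image; whichever variant nginx.conf includes (not visible here), one of the two is lost. The destination is presumably meant to be `COPY security-headers-ssl.conf /etc/nginx/security-headers-ssl.conf`. Separately, `gosu` is installed but nothing in this Dockerfile uses it, the apt packages are unpinned, and `RUN ./setup-bwuser.sh $USERNAME $GROUPNAME` relies on the base image's working directory being `/`; `RUN /setup-bwuser.sh $USERNAME $GROUPNAME` does not depend on that, and `COPY --chmod=755 setup-bwuser.sh /` would also remove the separate `chmod +x` layer.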
@@ -8,3 +8,9 @@ echo -e "\n## Building Nginx"
 echo -e "\nBuilding docker image"
 docker --version
 docker build -t bitwarden/nginx "$DIR/."
+
+
+echo -e "\n## Building k8s-proxy"
+
+echo -e "\nBuilding docker image"
+docker build -f $DIR/Dockerfile-k8s -t bitwarden/k8s-proxy "$DIR/."
diff --git a/util/Nginx/setup-bwuser.sh b/util/Nginx/setup-bwuser.sh
new file mode 100644
index 000000000..b17454722
--- /dev/null
+++ b/util/Nginx/setup-bwuser.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Setup
+
+
+if [ -n $1 ]; then
+ USERNAME=$1
+else
+ echo "[!] setup-bwuser.sh is missing username"
+ exit 1
+fi
+if [ -n $2 ]; then
+ GROUPNAME=$2
+else
+ echo "[!] setup-bwuser.sh is missing groupname"
+ exit 1
+fi
+
+LUID=${LOCAL_UID:-0}
+LGID=${LOCAL_GID:-0}
+
+# Step down from host root to well-known nobody/nogroup user
+
+if [ $LUID -eq 0 ]
+then
+ LUID=65534
+fi
+if [ $LGID -eq 0 ]
+then
+ LGID=65534
+fi
+
+# Create user and group
+
+groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+mkhomedir_helper $USERNAME
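Review bot: `$DIR` is unquoted in `-f $DIR/Dockerfile-k8s` while the context argument on the same line quotes it, so a checkout path containing whitespace splits the `-f` argument and the build fails or picks up the wrong file. Quote it the same way as the rest of the script: `docker build -f "$DIR/Dockerfile-k8s" -t bitwarden/k8s-proxy "$DIR/."`.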
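Review bot: `if [ -n $1 ]; then` is always true: with `$1` unset the test collapses to `[ -n ]`, which checks that the literal string `-n` is non-empty, so the "missing username" branch can never run and an empty USERNAME reaches `useradd`; `if [ -n $2 ]; then` has the same problem. Quote the expansions: `if [ -n "$1" ]; then` and `if [ -n "$2" ]; then`. The script also has no `set -e`, and every `groupadd`/`groupmod`/`useradd`/`usermod` failure is hidden by `>/dev/null 2>&1`, so the Dockerfile's RUN step only fails if `mkhomedir_helper` (the last command) fails; a `set -eu` near the top and dropping the `2>&1` redirections would make a failed user creation break the build instead of silently producing an image where `USER bitwarden` does not exist.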