This is to get an image that we can use in kubernetes-land in a production-like way.

* Add prod pivcac image
* Make sure image is largely read-only to the app user
* Add RDS cert bundle
* Add nginx image
* make prod pivcac image and nginx images be built automatically by gitlab

Author: timothy-spencer

.gitlab-ci.yml

@@ -210,6 +210,86 @@ build-pivcac-image:
       --compressed-caching=false
       --build-arg "http_proxy=${http_proxy}" --build-arg "https_proxy=${https_proxy}" --build-arg "no_proxy=${no_proxy}"
 
+# Build a container image async, and don't block CI tests
+# Cache intermediate images for 1 week (168 hours)
+build-prod-pivcac-image:
+  stage: review
+  needs: []
+  interruptible: true
+  variables:
+    BRANCH_TAGGING_STRING: ""
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      variables:
+        BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-pivcac/review:main"
+    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE != "merge_request_event"
+      when: never
+  tags:
+    - build-pool
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: ['']
+  script:
+    - mkdir -p /kaniko/.docker
+    - |-
+      KANIKOCFG="\"credsStore\":\"ecr-login\""
+      if [ "x${http_proxy}" != "x" -o "x${https_proxy}" != "x" ]; then
+        KANIKOCFG="${KANIKOCFG}, \"proxies\": { \"default\": { \"httpProxy\": \"${http_proxy}\", \"httpsProxy\": \"${https_proxy}\", \"noProxy\": \"${no_proxy}\"}}"
+      fi
+      KANIKOCFG="{ ${KANIKOCFG} }"
+      echo "${KANIKOCFG}" > /kaniko/.docker/config.json
+    - >-
+      /kaniko/executor
+      --context "${CI_PROJECT_DIR}"
+      --dockerfile "${CI_PROJECT_DIR}/prod.Dockerfile"
+      --destination "${ECR_REGISTRY}/identity-pivcac/pivcac:${CI_COMMIT_SHA}"
+      ${BRANCH_TAGGING_STRING}
+      --cache-repo="${ECR_REGISTRY}/identity-pivcac/pivcac/cache"
+      --cache-ttl=168h
+      --cache=true
+      --compressed-caching=false
+      --build-arg "http_proxy=${http_proxy}" --build-arg "https_proxy=${https_proxy}" --build-arg "no_proxy=${no_proxy}"
+
+build-prod-nginx-image:
+  stage: review
+  needs: []
+  interruptible: true
+  variables:
+    BRANCH_TAGGING_STRING: ""
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      variables:
+        BRANCH_TAGGING_STRING: "--destination ${ECR_REGISTRY}/identity-pivcac/review:main"
+    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE != "merge_request_event"
+      when: never
+  tags:
+    - build-pool
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: ['']
+  script:
+    - mkdir -p /kaniko/.docker
+    - |-
+      KANIKOCFG="\"credsStore\":\"ecr-login\""
+      if [ "x${http_proxy}" != "x" -o "x${https_proxy}" != "x" ]; then
+        KANIKOCFG="${KANIKOCFG}, \"proxies\": { \"default\": { \"httpProxy\": \"${http_proxy}\", \"httpsProxy\": \"${https_proxy}\", \"noProxy\": \"${no_proxy}\"}}"
+      fi
+      KANIKOCFG="{ ${KANIKOCFG} }"
+      echo "${KANIKOCFG}" > /kaniko/.docker/config.json
+    - >-
+      /kaniko/executor
+      --context "${CI_PROJECT_DIR}"
+      --dockerfile "${CI_PROJECT_DIR}/nginx.Dockerfile"
+      --destination "${ECR_REGISTRY}/identity-pivcac/nginx:${CI_COMMIT_SHA}"
+      ${BRANCH_TAGGING_STRING}
+      --cache-repo="${ECR_REGISTRY}/identity-pivcac/pivcac/cache"
+      --cache-ttl=168h
+      --cache=true
+      --compressed-caching=false
+      --build-arg "http_proxy=${http_proxy}" --build-arg "https_proxy=${https_proxy}" --build-arg "no_proxy=${no_proxy}"
+
 review-app:
   stage: review
   allow_failure: true

Dockerfile

@@ -1,5 +1,27 @@
 # Use the official Ruby image because the Rails images have been deprecated
-FROM logindotgov/build as build
+FROM ruby:3.3.1-slim as build
+
+RUN apt-get update && \
+    apt-get install -y \
+    git-core \
+    build-essential \
+    git-lfs \
+    curl \
+    zlib1g-dev \
+    libssl-dev \
+    libreadline-dev \
+    libyaml-dev \
+    libsqlite3-dev \
+    sqlite3 \
+    libxml2-dev \
+    libxslt1-dev \
+    libcurl4-openssl-dev \
+    software-properties-common \
+    libffi-dev \
+    libpq-dev \
+    xz-utils \
+    unzip && \
+    rm -rf /var/lib/apt/lists/*
 
 # Everything happens here from now on
 WORKDIR /pivcac
@@ -9,20 +31,61 @@ COPY Gemfile* ./
 RUN gem install bundler --conservative && \
     bundle install --without deploy production
 
-# Copy everything else over
-COPY . .
+# Generate and place SSL certificates for puma
+RUN mkdir -p /pivcac/keys
+RUN openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 1825 \
+    -keyout /pivcac/keys/localhost.key \
+    -out /pivcac/keys/localhost.crt \
+    -subj "/C=US/ST=Fake/L=Fakerton/O=Dis/CN=localhost" && \
+    chmod 644 /pivcac/keys/localhost.key /pivcac/keys/localhost.crt
+
+# Download RDS Combined CA Bundle
+RUN mkdir -p /usr/local/share/aws \
+  && curl https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem > /usr/local/share/aws/rds-combined-ca-bundle.pem \
+  && chmod 644 /usr/local/share/aws/rds-combined-ca-bundle.pem
+
 
 # Switch to base image
-FROM logindotgov/base
+FROM ruby:3.3.1-slim
 WORKDIR /pivcac
 
+RUN apt-get update && \
+    apt-get install -y \
+    curl \
+    zlib1g-dev \
+    libssl-dev \
+    libreadline-dev \
+    libyaml-dev \
+    libxml2-dev \
+    libxslt1-dev \
+    libcurl4-openssl-dev \
+    libffi-dev \
+    libpq-dev && \
+    rm -rf /var/lib/apt/lists/*
+
 # Copy Gems, NPMs, and other relevant items from build layer
-COPY --chown=appuser:appuser --from=build /pivcac .
+COPY --from=build /pivcac .
 
 # Copy in whole source (minus items matched in .dockerignore)
-COPY --chown=appuser:appuser . .
+COPY . .
+
+# Create a new user and set up the working directory
+RUN addgroup --gid 1000 app && \
+    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" app && \
+    mkdir -p /pivcac && \
+    mkdir -p /pivcac/tmp/pids && \
+    mkdir -p /pivcac/log
+
+# make everything the proper perms after everything is initialized
+RUN chown -R app:app /pivcac/tmp && \
+    chown -R app:app /pivcac/log && \
+    find /pivcac -type d | xargs chmod 755
+
+# get rid of suid/sgid binaries
+RUN find / -perm /4000 -type f | xargs chmod u-s
+RUN find / -perm /2000 -type f | xargs chmod g-s
 
-USER appuser
+USER app
 
 EXPOSE 8443
-CMD ["bundle", "exec", "rackup", "config.ru", "--host", "ssl://localhost:8443?key=config/local-certs/server.key&cert=config/local-certs/server.crt"]
+CMD ["bundle", "exec", "rackup", "config.ru", "--host", "ssl://0.0.0.0:3000?key=/pivcac/keys/localhost.key&cert=/pivcac/keys/localhost.crt"]

Gemfile.lock

@@ -260,7 +260,7 @@ GEM
     regexp_parser (2.7.0)
     request_store (1.5.1)
       rack (>= 1.4)
-    rexml (3.3.3)
+    rexml (3.3.6)
       strscan
     rgl (0.5.6)
       lazy_priority_queue (~> 0.1.0)

k8.Dockerfile

@@ -21,13 +21,13 @@ ENV TZ=Etc/UTC
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 
 # Install dependencies
-RUN apt-get update && apt-get install -y \    
+RUN apt-get update && apt-get install -y \
     build-essential \
     cron \
-    curl \    
+    curl \
     gettext-base \
     git-core \
-    tar \ 
+    tar \
     unzip \
     jq \
     libcurl4-openssl-dev \
@@ -99,7 +99,7 @@ COPY --chmod=644 ./k8files/status.conf /opt/nginx/conf/sites.d/
 COPY ./k8files/pivcac.conf /opt/nginx/conf/sites.d/pivcac.conftemp
 
 # Download RDS Combined CA Bundles
-RUN wget -P /usr/local/share/aws/  https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
+RUN wget -P /usr/local/share/aws/  https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
 
 # Create cron jobs
 RUN echo '* */4 * * * websrv flock -n /tmp/update_cert_revocations.lock -c /usr/local/bin/update_cert_revocations' > /etc/cron.d/update_cert_revocations; \

k8files/nginx-prod.conf

@@ -0,0 +1,172 @@
+#user  nginx;
+worker_processes 2;
+worker_rlimit_nofile 2048;
+pid /var/run/nginx.pid;
+daemon off;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  include mime.types;
+  default_type application/octet-stream;
+
+  sendfile on;
+  tcp_nopush off;
+  keepalive_timeout 60 50;
+  gzip on;
+  gzip_types text/plain text/css application/xml application/javascript application/json image/jpg image/jpeg image/png image/gif image/svg+xml font/woff2 woff2;
+
+  # Timeouts definition
+  client_body_timeout   10;
+  client_header_timeout 10;
+  send_timeout          10;
+  # Set buffer size limits
+  client_body_buffer_size  1k;
+  client_header_buffer_size 1k;
+  client_max_body_size 20k;
+  large_client_header_buffers 2 20k;
+  # Limit connections
+  limit_conn addr       20;
+  limit_conn_status     429;
+  limit_conn_zone       $binary_remote_addr zone=addr:5m;
+  # Disable sending server info and versions
+  server_tokens off;
+  more_clear_headers Server;
+  more_clear_headers X-Powered-By;
+  # Prevent clickJacking attack
+  add_header X-Frame-Options SAMEORIGIN;
+  # Disable content-type sniffing
+  add_header X-Content-Type-Options nosniff;
+  # Enable XSS filter
+  add_header X-XSS-Protection "1; mode=block";
+
+  # Enables nginx to check multiple set_real_ip_from lines 
+  real_ip_recursive on;
+
+  real_ip_header X-Forwarded-For;
+
+  # Exclude all private IPv4 space from client source calculation when
+  # processing the X-Forewarded-For header
+  set_real_ip_from 10.0.0.0/8;
+  set_real_ip_from 100.64.0.0/10;
+  set_real_ip_from 172.16.0.0/12;
+  set_real_ip_from 192.168.0.0/16;
+  # TODO - IPv6 CIDR for VPCs will require autoconfiguration
+
+  # Add CloudFront source address ranges to trusted CIDR range for real ip computation
+  include /etc/nginx/cloudfront-ips.conf;
+
+  # logging
+  access_log /dev/stdout;
+  error_log  /dev/stdout info;
+
+  # Specify a key=value format useful for machine parsing
+  log_format kv escape=json
+    '{'
+        '"time": "$time_local", '
+        '"hostname": "$host", '
+        '"dest_port": "$server_port", '
+        '"dest_ip": "$server_addr", '
+        '"src": "$remote_addr", '
+        '"src_ip": "$realip_remote_addr", '
+        '"user": "$remote_user", '
+        '"protocol": "$server_protocol", '
+        '"http_method": "$request_method", '
+        '"status": "$status", '
+        '"bytes_out": "$body_bytes_sent", '
+        '"bytes_in": "$request_length", '
+        '"http_referer": "$http_referer", '
+        '"http_user_agent": "$http_user_agent", '
+        '"nginx_version": "$nginx_version", '
+        '"http_cloudfront_viewer_address": "$http_cloudfront_viewer_address", '
+        '"http_cloudfront_viewer_http_version": "$http_cloudfront_viewer_http_version", '
+        '"http_cloudfront_viewer_tls": "$http_cloudfront_viewer_tls", '
+        '"http_cloudfront_viewer_country": "$http_cloudfront_viewer_country", '
+        '"http_cloudfront_viewer_country_region": "$http_cloudfront_viewer_country_region", '
+        '"http_x_forwarded_for": "$http_x_forwarded_for", '
+        '"http_x_amzn_trace_id": "$http_x_amzn_trace_id", '
+        '"response_time": "$upstream_response_time", '
+        '"request_time": "$request_time", '
+        '"request": "$request", '
+        '"tls_protocol": "$ssl_protocol", '
+        '"tls_cipher": "$ssl_cipher", '
+        '"uri_path": "$uri", '
+        '"uri_query": "$query_string",'
+        '"log_filename": "nginx_access.log"'
+    '}';
+
+  # Get $status_reason variable, a human readable version of $status
+  include status-map.conf;
+
+  # Set HSTS header only if not already set by app. Some clients get unhappy if
+  # you set multiple Strict-Transport-Security headers.
+  # https://serverfault.com/a/598106
+  map $upstream_http_strict_transport_security $sts_value {
+    '' "max-age=31536000; preload";
+  }
+
+  # Always add a HSTS header - This is still inside the http block, so will not
+  # conflict with headers set in nginx.conf
+  add_header Strict-Transport-Security $sts_value always;
+
+  server {
+      listen        8443 ssl;
+      server_name   _;
+      access_log    /dev/stdout kv;
+
+      ssl_certificate      /keys/tls.crt;
+      ssl_certificate_key  /keys/tls.key;
+      ssl_client_certificate /etc/nginx/ficam_bundle.pem;
+      ssl_verify_client optional_no_ca; # on;
+      ssl_verify_depth 10;
+
+      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA';
+      ssl_dhparam /etc/ssl/certs/dhparam.pem;
+      ssl_prefer_server_ciphers on;
+      ssl_protocols TLSv1.2;
+      ssl_session_cache shared:SSL:10m;
+      ssl_session_timeout 5m;
+      ssl_stapling on;
+      ssl_stapling_verify on;
+      proxy_buffer_size          32k;
+      proxy_buffers              8 32k;
+      proxy_busy_buffers_size    64k;
+
+      location ~* \.(html|txt|ico|png|json)$ {
+          root "/srv";
+          try_files $uri @backend;
+      }
+
+      location / {
+          proxy_pass https://0.0.0.0:3000;
+
+          proxy_set_header X-Real-Host $host;
+          proxy_set_header X-Real-Ip $remote_addr;
+          proxy_set_header X-Real-Proto https;
+          proxy_set_header X-Client-Verify $ssl_client_verify;
+          proxy_set_header X-Client-S-Dn $ssl_client_s_dn;
+          proxy_set_header X-Client-I-Dn $ssl_client_i_dn;
+          proxy_set_header X-Client-Serial $ssl_client_serial;
+          proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
+          proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
+      }
+
+      location @backend {
+          proxy_pass https://0.0.0.0:3000;
+
+          proxy_set_header X-Real-Host $host;
+          proxy_set_header X-Real-Ip $remote_addr;
+          proxy_set_header X-Real-Proto https;
+          proxy_set_header X-Client-Verify $ssl_client_verify;
+          proxy_set_header X-Client-S-Dn $ssl_client_s_dn;
+          proxy_set_header X-Client-I-Dn $ssl_client_i_dn;
+          proxy_set_header X-Client-Serial $ssl_client_serial;
+          proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
+          proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
+      }
+  }
+}