diff --git a/certificates/ldap/.gitkeep b/certificates/ldap/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/deploy/kubernetes/charts/certificates b/deploy/kubernetes/charts/certificates
new file mode 120000
index 000000000..840eab124
--- /dev/null
+++ b/deploy/kubernetes/charts/certificates
@@ -0,0 +1 @@
+../../../certificates/
\ No newline at end of file
diff --git a/deploy/kubernetes/charts/templates/iris_app.yaml b/deploy/kubernetes/charts/templates/iris_app.yaml
index 7e83cb883..3756c76eb 100644
--- a/deploy/kubernetes/charts/templates/iris_app.yaml
+++ b/deploy/kubernetes/charts/templates/iris_app.yaml
@@ -1,3 +1,42 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-root-ca-cert-secret-app
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/rootCA/irisRootCACert.pem").AsSecrets | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-ldap-certs-secret-app
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/ldap/*").AsSecrets | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-certs-dir-rootca-secrets-app
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/rootCA/*").AsSecrets | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-certs-dir-webcerts-secrets-app
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/web_certificates/*").AsSecrets | indent 2 }}
 ---
 apiVersion: apps/v1
 kind: Deployment
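Review bot: The four Secrets added to iris_app.yaml carry the label `app: {{ .Values.irisworker.app }}`, which looks copied from the worker template; the Deployment and Service in this same file select on `{{ .Values.irisapp.app }}`, so the label should be `app: {{ .Values.irisapp.app }}` on all four. Separately, `.Files.Glob "certificates/rootCA/*"` packages every file in that directory, so if the CA private key is kept next to irisRootCACert.pem it is copied into a Secret, stored in the Helm release record, and mounted into both the app and worker containers; glob only the public material (the specific certificate file, as the first Secret already does) or keep the key outside the chart tree. These files are reached through the new `certificates` symlink that points outside the chart directory, and whether `helm package` and `.Files` follow such a link depends on the Helm version, so a rendered-template check in CI would confirm the Secrets are non-empty. The same glob and mount pattern is repeated in the iris_worker.yaml hunk `@@ -1,3 +1,42 @@`.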
@@ -47,7 +86,21 @@ spec: - name: IRIS_SECURITY_PASSWORD_SALT value: {{ .Values.irisapp.IRIS_SECURITY_PASSWORD_SALT | quote }} - + + - name: DB_RETRY_COUNT + value: {{ .Values.irisapp.DB_RETRY_COUNT | quote }} + + - name: DB_RETRY_DELAY + value: {{ .Values.irisapp.DB_RETRY_DELAY | quote }} + + - name: INTERFACE_HTTPS_PORT + value: {{ .Values.irisapp.INTERFACE_HTTPS_PORT | quote }} + + - name: IRIS_ADM_USERNAME + value: {{ .Values.irisapp.IRIS_ADM_USERNAME | quote }} + + - name: IRIS_ADM_PASSWORD + value: {{ .Values.irisapp.IRIS_ADM_PASSWORD | quote }} ports: - containerPort: 8000 @@ -59,6 +112,19 @@ spec: name: user-templates - mountPath: /home/iris/server_data name: server-data + - mountPath: /etc/irisRootCACert.pem + name: iris-root-ca-cert + subPath: irisRootCACert.pem + readOnly: true + - mountPath: /home/iris/certificates/rootCA + name: iris-certs-dir-rootca + readOnly: true + - mountPath: /home/iris/certificates/web_certificates + name: iris-certs-dir-webcerts + readOnly: true + - mountPath: /iriswebapp/certificates/ldap/ + name: iris-ldap-certs + readOnly: true volumes: - name: iris-downloads emptyDir: {} @@ -66,9 +132,19 @@ spec: emptyDir: {} - name: server-data emptyDir: {} - + - name: iris-root-ca-cert + secret: + secretName: iris-root-ca-cert-secret-app + - name: iris-ldap-certs + secret: + secretName: iris-ldap-certs-secret-app + - name: iris-certs-dir-rootca + secret: + secretName: iris-certs-dir-rootca-secrets-app + - name: iris-certs-dir-webcerts + secret: + secretName: iris-certs-dir-webcerts-secrets-app --- - apiVersion: v1 kind: Service metadata: @@ -82,4 +158,4 @@ spec: targetPort: {{ .Values.irisapp.service.targetPort }} selector: app: {{ .Values.irisapp.app }} ---- \ No newline at end of file +--- diff --git a/deploy/kubernetes/charts/templates/iris_worker.yaml b/deploy/kubernetes/charts/templates/iris_worker.yaml index e16e7fd53..f4fed4a2b 100644 --- a/deploy/kubernetes/charts/templates/iris_worker.yaml 
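Review bot: `IRIS_ADM_PASSWORD` (and `IRIS_ADM_USERNAME`) are injected as plain `value:` entries rendered straight from values.yaml, so the initial admin credential is committed with the chart, shows up in `helm get values` and `kubectl describe pod`, and the values.yaml hunk `@@ -100,6 +99,12 @@` ships a working default of `Hello12345!`. The password should be read from a Secret via `valueFrom.secretKeyRef`, with the values default left empty so an install without an explicit value fails at startup rather than coming up with a known admin password. The neighbouring `IRIS_SECRET_KEY`/`IRIS_SECURITY_PASSWORD_SALT` entries would benefit from the same treatment, but those lines predate this change.
```yaml
# … unchanged: DB_RETRY_COUNT, DB_RETRY_DELAY, INTERFACE_HTTPS_PORT, IRIS_ADM_USERNAME entries …
            - name: IRIS_ADM_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: <iris-admin-credentials>   # placeholder: Secret created outside the chart, or from a values entry that has no default
                  key: IRIS_ADM_PASSWORD
```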
+++ b/deploy/kubernetes/charts/templates/iris_worker.yaml
@@ -1,3 +1,42 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-root-ca-cert-secret-worker
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/rootCA/irisRootCACert.pem").AsSecrets | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-ldap-certs-secret-worker
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/ldap/*").AsSecrets | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-certs-dir-rootca-secrets-worker
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/rootCA/*").AsSecrets | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: iris-certs-dir-webcerts-secrets-worker
+ labels:
+ app: {{ .Values.irisworker.app }}
+type: Opaque
+data:
+{{ (.Files.Glob "certificates/web_certificates/*").AsSecrets | indent 2 }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -17,7 +56,7 @@ spec:
 - name: {{ .Values.irisworker.name }}
 image: "{{ .Values.irisworker.image}}:{{ .Values.irisworker.tag }}"
 imagePullPolicy: "{{ .Values.irisworker.imagePullPolicy }}"
- command: ['./wait-for-iriswebapp.sh', 'iriswebapp-app.test.svc.cluster.local:8000', './iris-entrypoint.sh', 'iris-worker']
+ command: ['./wait-for-iriswebapp.sh', "{{ .Values.irisapp.name }}:{{ .Values.irisapp.service.port }}", './iris-entrypoint.sh', 'iris-worker']
 env:
@@ -49,16 +88,26 @@ spec: value: {{ .Values.irisworker.IRIS_SECURITY_PASSWORD_SALT | quote }} - ports: - - containerPort: 80 - volumeMounts: - mountPath: /home/iris/downloads - name: iris-downloads + name: iris-downloads - mountPath: /home/iris/user_templates name: user-templates - mountPath: /home/iris/server_data name: server-data + - mountPath: /etc/irisRootCACert.pem + name: iris-root-ca-cert + subPath: irisRootCACert.pem + readOnly: true + - mountPath: /home/iris/certificates/rootCA + name: iris-certs-dir-rootca + readOnly: true + - mountPath: /home/iris/certificates/web_certificates + name: iris-certs-dir-webcerts + readOnly: true + - mountPath: /iriswebapp/certificates/ldap/ + name: iris-ldap-certs + readOnly: true volumes: - name: iris-downloads emptyDir: {} @@ -66,4 +115,16 @@ spec: emptyDir: {} - name: server-data emptyDir: {} ---- \ No newline at end of file + - name: iris-root-ca-cert + secret: + secretName: iris-root-ca-cert-secret-worker + - name: iris-certs-dir-rootca + secret: + secretName: iris-certs-dir-rootca-secrets-worker + - name: iris-ldap-certs + secret: + secretName: iris-ldap-certs-secret-worker + - name: iris-certs-dir-webcerts + secret: + secretName: iris-certs-dir-webcerts-secrets-worker +--- diff --git a/deploy/kubernetes/charts/templates/nginx_ingress.yaml b/deploy/kubernetes/charts/templates/nginx_ingress.yaml index 55046eb08..709c02a47 100644 --- a/deploy/kubernetes/charts/templates/nginx_ingress.yaml +++ b/deploy/kubernetes/charts/templates/nginx_ingress.yaml @@ -5,6 +5,7 @@ metadata: annotations: {{- toYaml .Values.ingress.annotations | nindent 4 }} spec: + ingressClassName: {{ .Values.ingress.className }} rules: {{- range $host := .Values.ingress.hosts }} - host: {{ $host.host }} diff --git a/deploy/kubernetes/charts/values.yaml b/deploy/kubernetes/charts/values.yaml index 725de6354..da82720c9 100644 --- a/deploy/kubernetes/charts/values.yaml +++ b/deploy/kubernetes/charts/values.yaml 
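Review bot: In the nginx_ingress.yaml hunk, `ingressClassName: {{ .Values.ingress.className }}` renders an empty value whenever `ingress.className` is unset, and none of the values.yaml hunks in this change add that key (it may exist above the visible `ingress:` block, which I cannot see). Either guard it, `{{- with .Values.ingress.className }}` / `ingressClassName: {{ . }}` / `{{- end }}`, or add a documented default to values.yaml. The values file also still carries the legacy `kubernetes.io/ingress.class: nginx` annotation; carrying both is redundant and controllers differ in which one wins when they disagree, so settle on the `ingressClassName` field and drop the annotation once the default is in place.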
@@ -82,12 +82,11 @@ irisapp: ## @param irisapp.service Iris Frontend Service ## service: - port: 80 - targetPort: 8000 + port: 8000 ## @param irisapp.type Iris Frontend Service type ## - type: ClusterIP + type: NodePort ## @param Iris Frontend Environments ## @@ -100,6 +99,12 @@ irisapp: DOCKERIZED: 1 IRIS_SECRET_KEY: AVerySuperSecretKey-SoNotThisOne IRIS_SECURITY_PASSWORD_SALT: ARandomSalt-NotThisOneEither + IRIS_ADM_USERNAME: administrator + # Must be 12 characters minimum and contains a capital letter and a number. + IRIS_ADM_PASSWORD: Hello12345! + DB_RETRY_COUNT: 5 + DB_RETRY_DELAY: 5 + INTERFACE_HTTPS_PORT: 443 ## @section Iris Backend Configuration ## @@ -144,16 +149,16 @@ ingress: annotations: # Add any annotations specific to your Ingress controller kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: / - nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/ssl-redirect: "true" hosts: - host: paths: - - path: / - pathType: Prefix + - path: /(.*) + pathType: ImplementationSpecific serviceName: iriswebapp-app - servicePort: 80 + servicePort: 8000 tls: - secretName: iris-ingress-tls-secret hosts: - - \ No newline at end of file + - diff --git a/docker/webApp/Dockerfile b/docker/webApp/Dockerfile index 01c6ecb7f..0ee35b812 100644 --- a/docker/webApp/Dockerfile +++ b/docker/webApp/Dockerfile @@ -51,7 +51,7 @@ RUN apt update RUN apt install -y p7zip-full pgp rsync postgresql-client RUN mkdir /iriswebapp/ -RUN mkdir -p /home/iris/certificates +RUN mkdir -p /home/iris/certificates/{rootCA,web_certificates} RUN mkdir -p /home/iris/user_templates RUN mkdir -p /home/iris/server_data RUN mkdir -p /home/iris/server_data/backup 
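Review bot: Switching `irisapp.service.type` from `ClusterIP` to `NodePort` publishes the app's plaintext port 8000 on every node address, which bypasses the Ingress and the `ssl-redirect: "true"` that the same change turns on; since the Ingress already fronts `iriswebapp-app`, `ClusterIP` is sufficient and the safer default. If NodePort is needed for a local test cluster, keep `type: ClusterIP` in values.yaml and override it per install with `--set irisapp.service.type=NodePort`. Dropping `targetPort` so the Service targets the port it listens on (8000) is consistent with the container port and the worker's updated wait-for command, so that part reads fine.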
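Review bot: In the docker/webApp/Dockerfile hunk, `RUN mkdir -p /home/iris/certificates/{rootCA,web_certificates}` relies on shell brace expansion, but `RUN` executes through `/bin/sh -c` by default and on the apt-based image this is likely dash, which does not expand braces; the result is one directory literally named `{rootCA,web_certificates}`, and the `rootCA`/`web_certificates` directories the chart mounts into are not created (the Secret volume mounts would still create them in Kubernetes, but a plain `docker run` would not). Unless a `SHELL ["/bin/bash", "-c"]` instruction exists above the hunk, spell the paths out: `RUN mkdir -p /home/iris/certificates/rootCA /home/iris/certificates/web_certificates`.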
@@ -71,4 +71,4 @@ RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/evtx_dump RUN chmod +x iris-entrypoint.sh RUN chmod +x wait-for-iriswebapp.sh -#ENTRYPOINT [ "./iris-entrypoint.sh" ] \ No newline at end of file +#ENTRYPOINT [ "./iris-entrypoint.sh" ] diff --git a/docker/webApp/Dockerfile.k8s b/docker/webApp/Dockerfile.k8s deleted file mode 100644 index a1f2a191b..000000000 --- a/docker/webApp/Dockerfile.k8s +++ /dev/null 
@@ -1,77 +0,0 @@ -# IRIS Source Code -# Copyright (C) 2021 - Airbus CyberSecurity (SAS) -# ir@cyberactionlab.net -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 3 of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public License -# along with this program; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - - -################# -# COMPILE IMAGE # -################# -FROM python:3.9 AS compile-image -RUN apt-get update - -RUN python -m venv /opt/venv -# Make sure we use the virtualenv: -ENV PATH="/opt/venv/bin:$PATH" - -COPY source/dependencies /dependencies -COPY source/requirements.txt / - -RUN pip3 install -r requirements.txt - -############### -# BUILD IMAGE # -############### -FROM python:3.9 as iriswebapp - -ENV PYTHONUNBUFFERED=1 - -COPY --from=compile-image /opt/venv /opt/venv - -# Make sure we use the virtualenv: -ENV PATH="/opt/venv/bin:$PATH" - -# Define specific admin password at creation -#ENV IRIS_ADM_PASSWORD="MySuperFirstPasswordIWant" - -RUN apt update -RUN apt install -y p7zip-full pgp rsync postgresql-client - -RUN mkdir /iriswebapp/ -RUN mkdir -p /home/iris/certificates -RUN mkdir -p /home/iris/user_templates -RUN mkdir -p /home/iris/server_data -RUN mkdir -p /home/iris/server_data/backup -RUN mkdir -p /home/iris/server_data/updates -RUN mkdir -p /home/iris/server_data/custom_assets -RUN mkdir -p /home/iris/server_data/datastore - -WORKDIR /iriswebapp - -COPY docker/webApp/iris-entrypoint.sh . 
-COPY docker/webApp/wait-for-iriswebapp.sh . -COPY ../../certificates /home/iris/certificates/ -COPY ../../certificates/rootCA/irisRootCACert.pem /etc/irisRootCACert.pem -COPY ../../certificates/ldap/ /iriswebapp/certificates/ldap/ -COPY ./source . - -# Add execution right to binaries needed by evtx2splunk for iris_evtx module -RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/fd -RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/evtx_dump - -RUN chmod +x iris-entrypoint.sh -RUN chmod +x wait-for-iriswebapp.sh -#ENTRYPOINT [ "./iris-entrypoint.sh" ] \ No newline at end of file diff --git a/source/app/post_init.py b/source/app/post_init.py index 968dd773b..5c8272b65 100644 --- a/source/app/post_init.py +++ b/source/app/post_init.py @@ -121,20 +121,18 @@ def run_post_init(development=False): log.info(f'IRIS {app.config.get("IRIS_VERSION")}') log.info("Running post initiation steps") - conn = None - if os.getenv("IRIS_WORKER") is None: # Attempt to connect to the database with retries log.info("Attempting to connect to the database...") for i in range(retry_count): - log.info("Connecting to database, attempt " + str(i + 1) + "/" + str(retry_count)) - conn = connect_to_database(db_host, db_port) - if conn is not None: + log.info("Connecting to database, attempt " + str(i+1) + "/" + str(retry_count)) + conn = connect_to_database(db_host,db_port) + if conn: break log.info("Retrying in " + str(retry_delay) + "seconds...") time.sleep(retry_delay) # If the connection is still not established, exit the script - if conn is None: + if not conn: log.info("Failed to connect to database after " + str(retry_count) + " attempts.") exit(1)
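Review bot: Removing `conn = None` ahead of the `if os.getenv("IRIS_WORKER") is None:` block leaves `conn` unbound whenever the retry loop body never runs (for instance `retry_count` of 0 from a misconfigured `DB_RETRY_COUNT`), so the later `if not conn:` raises `NameError` instead of logging and exiting as intended; keep `conn = None` before the loop. Replacing `if conn is not None:` / `if conn is None:` with `if conn:` / `if not conn:` also switches from an explicit None check to truthiness of whatever `connect_to_database` returns, and unless that helper is documented to return a falsy value on failure the `is None` form was the more precise test. The enclosing `run_post_init` starts before this hunk and continues after it.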