Merge pull request #8 from IvanJosipovic/dev

Harden Container Image

.dockerignore

@@ -0,0 +1,25 @@
+**/.classpath
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/azds.yaml
+**/bin
+**/charts
+**/docker-compose*
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md

.github/workflows/cicd.yml

@@ -54,8 +54,8 @@ jobs:
       with:
         file: coverage.cobertura.xml
 
-    - name: Build Image
-      run: dotnet publish -c Release --os linux --arch x64 -p:PublishProfile=DefaultContainer -p:Version=${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) || '0.0.1' }}
+    - name: Docker Build
+      run: docker build -t ingress-nginx-validate-jwt:${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) || '0.0.1' }} -f ./ingress-nginx-validate-jwt/Dockerfile --build-arg VERSION=${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) || '0.0.1' }} .
 
     - name: Docker Push
       if: steps.semantic.outputs.new_release_published == 'true'
@@ -78,7 +78,7 @@ jobs:
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Update Helm Versionin
+    - name: Update Helm Version
       if: steps.semantic.outputs.new_release_published == 'true'
       shell: bash
       run: |

README.md

@@ -37,7 +37,7 @@ metadata:
   name: ingress
   namespace: default
   annotations:
-    nginx.ingress.kubernetes.io/auth-url: http://ingress-nginx-validate-jwt.ingress-nginx-validate-jwt.svc.cluster.local/auth?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
+    nginx.ingress.kubernetes.io/auth-url: http://ingress-nginx-validate-jwt.ingress-nginx-validate-jwt.svc.cluster.local:8080/auth?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
 spec:
 ```
 
@@ -60,7 +60,7 @@ Along with validating the JWT token, the token must have a claim tid=11111111-11
 
 ## Metrics
 
-Metrics are exposed on :80/metrics
+Metrics are exposed on :8080/metrics
 
 | Metric Name  | Description |
 |---|---|

charts/ingress-nginx-validate-jwt/templates/deployment.yaml

@@ -40,7 +40,10 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
+              protocol: TCP
+            - name: https
+              containerPort: 8443
               protocol: TCP
           livenessProbe:
             httpGet:
@@ -52,6 +55,12 @@ spec:
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-volume
+      volumes:
+        - name: tmp-volume
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/ingress-nginx-validate-jwt/values.yaml

@@ -31,23 +31,26 @@ serviceAccount:
 
 podAnnotations:
   prometheus.io/scrape: 'true'
-  prometheus.io/port: '80'
+  prometheus.io/port: '8080'
   prometheus.io/path: '/metrics'
 
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 2000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP
-  port: 80
+  port: 8080
 
 ingress:
   enabled: false

ingress-nginx-validate-jwt/Dockerfile

@@ -0,0 +1,26 @@
+FROM mcr.microsoft.com/dotnet/sdk:7.0-alpine AS build
+WORKDIR /src
+COPY ["ingress-nginx-validate-jwt/ingress-nginx-validate-jwt.csproj", "ingress-nginx-validate-jwt/"]
+RUN dotnet restore "ingress-nginx-validate-jwt/ingress-nginx-validate-jwt.csproj"
+COPY . .
+WORKDIR "/src/ingress-nginx-validate-jwt"
+RUN dotnet build "ingress-nginx-validate-jwt.csproj" -c Release -o /app/build
+
+FROM build AS publish
+ARG VERSION=0.0.1
+RUN dotnet publish "ingress-nginx-validate-jwt.csproj" -c Release -r linux-musl-x64 -o /app/publish /p:Version=${VERSION}
+
+FROM mcr.microsoft.com/dotnet/runtime-deps:7.0-alpine AS base
+WORKDIR /app
+EXPOSE 8080
+EXPOSE 8443
+ENV ASPNETCORE_URLS=http://+:8080;https://+:8443
+
+RUN addgroup -g 2000 appgroup \
+    && adduser -u 1000 -G appgroup -D "appuser"
+
+RUN chown appuser:appgroup  /app
+USER appuser:appgroup
+
+COPY --from=publish /app/publish .
+ENTRYPOINT ["./ingress-nginx-validate-jwt"]

ingress-nginx-validate-jwt/Properties/launchSettings.json

@@ -2,12 +2,17 @@
   "profiles": {
     "ingress_nginx_validate_jwt": {
       "commandName": "Project",
-      "launchBrowser": false,
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       },
       "dotnetRunMessages": true,
       "applicationUrl": "https://localhost:7297;http://localhost:5049"
+    },
+    "Docker": {
+      "commandName": "Docker",
+      "launchUrl": "{Scheme}://{ServiceHost}:{ServicePort}",
+      "publishAllPorts": true,
+      "useSSL": true
     }
   },
   "$schema": "https://json.schemastore.org/launchsettings.json"

ingress-nginx-validate-jwt/ingress-nginx-validate-jwt.csproj

@@ -20,7 +20,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.23.1" />
-    <PackageReference Include="Microsoft.NET.Build.Containers" Version="0.1.8" />
+    <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.17.0" />
     <PackageReference Include="prometheus-net.AspNetCore" Version="6.0.0" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.23.1" />
   </ItemGroup>