Docker solution for web-ui SPA

sechub-web-ui-solution/01-start-single-docker-compose.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+cd $(dirname "$0")
+source "../sechub-solutions-shared/scripts/9999-env-file-helper.sh"
+
+# Only variables from .env can be used in the Docker-Compose file
+# all other variables are only available in the container
+setup_environment_file ".env" "env"
+
+# Use Docker BuildKit
+# necessary for switching between build stages
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+echo "Starting single container."
+docker compose --file docker-compose_web_ui.yaml up --build --remove-orphans

sechub-web-ui-solution/10-create-image.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+REGISTRY="$1"
+VERSION="$2"
+WEB_UI_VERSION="$3"
+BASE_IMAGE="$4"  # optional
+BUILD_TYPE="$5" # optional
+DEFAULT_BASE_IMAGE="debian:12-slim"
+DEFAULT_BUILD_TYPE="download"
+
+cd `dirname $0`
+
+usage() {
+  cat - <<EOF
+
+usage: $0 <docker registry> <version tag> <web ui version> [<base image> <build type>]
+
+Builds a docker image of SecHub Web UI <we bui version> for <docker registry>
+with tag <version tag>.
+
+Optional environment variables or options:
+BASE_IMAGE - <base image> to build from ; defaults to $DEFAULT_BASE_IMAGE
+BUILD_TYPE - <build type> (one of: build copy download) ; defaults to $DEFAULT_BUILD_TYPE
+EOF
+}
+
+FAILED=false
+if [[ -z "$REGISTRY" ]] ; then
+  echo "Please provide a docker registry server as 1st parameter."
+  FAILED=true
+fi
+
+if [[ -z "$VERSION" ]] ; then
+  echo "Please provide a version for the container as 2nd parameter."
+  FAILED=true
+fi
+
+if [[ -z "$WEB_UI_VERSION" ]] ; then
+  echo "Please provide a SecHub Web UI release version as 3rd parameter."
+  FAILED=true
+fi
+
+if $FAILED ; then
+  usage
+  exit 1
+fi
+
+if [[ -z "$BASE_IMAGE" ]]; then
+    BASE_IMAGE="$DEFAULT_BASE_IMAGE"
+fi
+
+if [[ -z "$BUILD_TYPE" ]]; then
+    BUILD_TYPE="$DEFAULT_BUILD_TYPE"
+fi
+
+BUILD_ARGS="--build-arg BASE_IMAGE=$BASE_IMAGE"
+echo ">> Base image: $BASE_IMAGE"
+
+BUILD_ARGS+=" --build-arg BUILD_TYPE=$BUILD_TYPE"
+echo ">> Build type: $BUILD_TYPE"
+
+BUILD_ARGS+=" --build-arg WEB_UI_VERSION=$WEB_UI_VERSION"
+echo ">> SecHub Web UI release version: $WEB_UI_VERSION"
+
+# Use Docker BuildKit
+# nesessary for switching between build stages
+export BUILDKIT_PROGRESS=plain
+export DOCKER_BUILDKIT=1
+
+docker build --pull --no-cache $BUILD_ARGS \
+       --tag "$REGISTRY:$VERSION" \
+       --file docker/Web-UI-Debian.dockerfile docker/
+docker tag "$REGISTRY:$VERSION" "$REGISTRY:latest"

sechub-web-ui-solution/20-push-image.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+cd `dirname $0`
+../sechub-solutions-shared/scripts/20-push-image.sh "$1" "$2" "$3"

sechub-web-ui-solution/README.adoc

@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: MIT
+
+== Web UI Image
+
+The files to create the Web UI container image.
+
+The Web UI is a Vue.js SPA build with nuxt.js.
+
+=== Starting the Web UI on localhost as docker container
+
+Following command will run the Web UI on localhost as docker container, with nginx as reverse proxy.
+Attention: currently only self-signed certificates are used.
+----
+./01-start-single-docker-compose.sh
+----

sechub-web-ui-solution/docker-compose_web_ui.yaml

@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: MIT
+
+version: "3"
+services:
+  web-ui:
+    build:
+      args:
+        - BUILD_TYPE=${BUILD_TYPE}
+        - BASE_IMAGE=${BASE_IMAGE}
+        - WEB_UI_VERSION=${WEB_UI_VERSION}
+        - TAG=${TAG}
+        - BRANCH=${BRANCH}
+        - NODE_VERSION=${NODE_VERSION}
+      context: docker/
+      dockerfile: Web-UI-Debian.dockerfile
+    working_dir: /var/www/html/web-ui
+    container_name: web-ui
+    ports:
+      - "443:8443"
+    env_file:
+      - .env
+    networks:
+      - "internal"
+
+networks:
+  internal:

sechub-web-ui-solution/docker/Web-UI-Debian.dockerfile

@@ -0,0 +1,130 @@
+# SPDX-License-Identifier: MIT
+
+#-------------------
+# Global Variables
+#-------------------
+
+# The image argument needs to be placed on top
+ARG NODE_VERSION
+ARG NODE_BASE_IMAGE=node:${NODE_VERSION}-slim
+ARG BASE_IMAGE
+
+# Build args
+ARG WEB_UI_VERSION
+ARG BUILD_TYPE
+
+ARG NODE_ENV
+#-------------------
+# Builder Build
+#-------------------
+
+FROM ${NODE_BASE_IMAGE} AS builder-build
+ARG GIT_URL="https://github.com/mercedes-benz/sechub.git"
+ARG GIT_BRANCH
+ARG GIT_TAG
+ARG WEB_UI_BUILD_FOLDER="/build"
+ARG WEB_UI_ARTIFACTS="/artifacts"
+
+RUN mkdir --parent "${WEB_UI_ARTIFACTS}"
+RUN mkdir --parent "${WEB_UI_BUILD_FOLDER}"
+
+RUN apt-get update && \
+    apt-get upgrade --assume-yes --quiet && \
+    apt-get install --assume-yes --quiet git wget && \
+    apt-get clean
+
+COPY clone.sh "$WEB_UI_BUILD_FOLDER/clone.sh"
+
+RUN cd "${WEB_UI_BUILD_FOLDER}" && \
+    chmod 755 clone.sh && \
+    ./clone.sh "$GIT_URL" "$GIT_BRANCH" "$GIT_TAG" && \
+    cd "sechub/sechub-web-ui" && \
+    npm install && \
+    npx nuxi generate && \
+    cp -r .output "${WEB_UI_ARTIFACTS}"
+
+#-------------------
+# Builder Copy Build
+#-------------------
+
+FROM ${NODE_BASE_IMAGE} AS builder-copy
+ARG WEB_UI_ARTIFACTS="/artifacts"
+
+RUN mkdir --parent "${WEB_UI_ARTIFACTS}"
+
+COPY ./copy "${WEB_UI_ARTIFACTS}"
+
+#-------------------
+# Builder
+#-------------------
+
+FROM builder-${BUILD_TYPE} as builder
+RUN echo "build stage"
+
+#-------------------
+# WebUI Server Image
+#-------------------
+
+FROM ${BASE_IMAGE} AS web-ui
+ARG USER=www-data
+ARG WEB_UI_ARTIFACTS="/artifacts"
+ARG WEB_UI_FOLDER="/var/www/html/"
+
+COPY --from=builder "${WEB_UI_ARTIFACTS}/.output/public" "${WEB_UI_FOLDER}"
+
+# env vars in container
+ENV UID="4242"
+ENV GID="${UID}"
+ENV WEB_UI_VERSION="${WEB_UI_VERSION}"
+ENV WEB_UI_FOLDER="${WEB_UI_FOLDER}"
+
+# non-root user
+# using fixed group and user ids
+RUN usermod -u "$UID" "$USER" && \
+    groupmod -g "$GID" "$USER"
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get --assume-yes upgrade && \
+    apt-get --assume-yes install nginx openssl sed && \
+    apt-get --assume-yes clean
+
+# Create self-signed certificate
+RUN cd /tmp && \
+    openssl req \
+        -new \
+        -newkey rsa:2048 \
+        -days 365 \
+        -nodes \
+        -x509 \
+        -subj "/C=DE/ST=BW/L=Stuttgart/O=Loadbalancer/CN=localhost" \
+        -keyout localhost.key \
+        -out localhost.cert
+
+# Certificates
+RUN mkdir -p /certificates && \
+    mv /tmp/localhost.cert /certificates/localhost.cert && \
+    mv /tmp/localhost.key /certificates/localhost.key
+
+# Generate ephemeral Diffie-Hellman paramaters for perfect forward secrecy
+# see: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html#toc_5
+RUN openssl dhparam -out /certificates/certsdhparam.pem 2048
+
+# Copy configuration script
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Create PID file and set permissions
+RUN touch /var/run/nginx.pid && \
+    chmod 755 ${WEB_UI_FOLDER} && \
+    chown -R "$USER:$USER" /certificates /var/log/nginx /var/lib/nginx /etc/nginx/conf.d /var/run/nginx.pid ${WEB_UI_FOLDER}
+
+# Copy run script into container
+COPY run.sh /run.sh
+RUN chmod +x /run.sh
+
+ENV LOADBALANCER_START_MODE=server
+
+# Switch from root to non-root user
+USER "$USER"
+
+CMD ["/run.sh"]

sechub-web-ui-solution/docker/clone.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+
+GIT_URL="$1"
+BRANCH="$2"
+TAG="$3"
+
+if [ -z "$GIT_URL" ]
+then
+    echo "No Git url provided" 1>&2
+    exit 1
+fi
+
+git_args=""
+
+if [ -n "$TAG" ]
+then
+    echo "Tag: $TAG"
+    git_args="--branch $TAG"
+elif [ -n "$BRANCH" ]
+then
+    echo "Branch: $BRANCH"
+    git_args="--branch $BRANCH"
+else
+    echo "Cloning default branch"
+fi
+
+git clone --depth 1 $git_args "$GIT_URL"

sechub-web-ui-solution/docker/nginx.conf

@@ -0,0 +1,50 @@
+#daemon off;
+# Please see sechub-pds-solutions/shared/docker/loadbalancer/nginx.conf for the original configuration
+worker_processes  1;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+
+    access_log /dev/stdout;
+    error_log /dev/stderr;
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    server {
+      listen 8443 ssl http2;
+      server_name _;
+
+      root /var/www/html;
+      location / {
+         index  index.html index.htm;
+      }
+
+      ssl_certificate /certificates/localhost.cert;
+      ssl_certificate_key /certificates/localhost.key;
+      ssl_protocols TLSv1.2 TLSv1.3;
+      ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
+      ssl_prefer_server_ciphers on;
+      ssl_dhparam /certificates/certsdhparam.pem;
+      ssl_ecdh_curve secp384r1;
+
+      ssl_session_timeout 1d;
+      ssl_session_cache shared:SSL:50m;
+      add_header Strict-Transport-Security max-age=15768000;
+
+      resolver 127.0.0.11 valid=5s;
+    }
+
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  log_format          main  '$remote_addr - $remote_user [$time_local] "$request" '
+                            '$status $body_bytes_sent "$http_referer" '
+                            '"$http_user_agent" "$http_x_forwarded_for"';
+
+}

sechub-web-ui-solution/docker/run.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+
+debug () {
+    while true
+    do
+	    echo "Press [CTRL+C] to stop.."
+	    sleep 120
+    done
+}
+
+if [ "$LOADBALANCER_START_MODE" != "server" ]
+then
+    debug
+fi
+
+echo "Check configuration file"
+nginx -t
+
+echo "Start Nginx"
+nginx -g 'daemon off;'

sechub-web-ui-solution/env

@@ -0,0 +1,21 @@
+# Node Version
+NODE_VERSION=22.9.0
+BASE_IMAGE=debian:12-slim
+
+# Resource limits
+MEMORY_LIMIT=300M
+CPU_LIMIT=1.0
+
+# The build type of SecHub inside the container
+# Possible values are: build, copy, download (currently only copy)
+# build - clones and build from SecHub repository
+# copy - copies ./output directory container
+# download (not implemented)
+BUILD_TYPE=build
+
+# The PDS version used if the BUILD_TYPE is set to `download`
+WEB_UI_VERSION="0.1.0"
+
+# Git information if the BUILD_TYPE is set to `build`
+TAG=""
+BRANCH=""