Allow st2web container to be runable as Non-Root

st2web/Dockerfile

@@ -23,6 +23,9 @@ ENV ST2WEB_HTTPS 0
 ENV ST2_AUTH_URL http://st2auth:9100/
 ENV ST2_API_URL http://st2api:9101/
 ENV ST2_STREAM_URL http://st2stream:9102/
+ENV ST2_CA_CERT /etc/ssl/internal/ca.crt
+ENV ST2_PORT_HTTP 80
+ENV ST2_PORT_HTTPS 443
 
 # Generate UTF-8 locale
 RUN apt-get -qq update \
@@ -78,5 +81,8 @@ VOLUME ["/etc/ssl/st2/"]
 
 EXPOSE 80
 EXPOSE 443
+EXPOSE 8080
+EXPOSE 8443
 STOPSIGNAL SIGTERM
-CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
+RUN touch /var/run/nginx.pid && chown nginx:nginx /etc/nginx/conf.d/ /var/cache/nginx/ /var/run/nginx.pid
+CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL} ${ST2_CERT_CA} ${ST2_PORT_HTTP} ${ST2_PORT_HTTPS}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]

st2web/README.md

@@ -11,9 +11,19 @@ The following environment variables are available for configuration:
 - `ST2_API_URL` (default: `http://st2api:9101/`) - StackStorm API service
 - `ST2_STREAM_URL` (default: `http://st2stream:9102/`) - StackStorm Stream service
 - `ST2WEB_HTTPS` (default: `0`) - Use https with st2web
+- `ST2_PORT_HTTP` (default: `80`) - Port to listen for HTTP traffic
+- `ST2_PORT_HTTPS` (default: `443`) - Port to listen for HTTPS traffic
 
 > Warning! All 3 services should be DNS/network accessible for `st2web` container to start properly. Thanks to K8s pod restarts, it's not a problem.
 
+### Running as Non-Root
+
+To run the `st2web` as non-root, pass the following config options:
+
+* `ST2_PORT_HTTP` - should be set as `8080`
+* `ST2_PORT_HTTPS` - should be set as `8443`
+* Run the container as `uid`/`gid` - `999:999`
+
 ### Secrets
 > Note! You may safely ignore this section if `ST2WEB_HTTPS` is set to `0`.
 

st2web/files/st2.conf-http.patch

@@ -1,22 +1,24 @@
---- st2.conf	2021-06-18 19:45:50.892196136 +0100
-+++ st2.http.conf	2021-06-18 19:50:00.098280995 +0100
-@@ -8,44 +8,18 @@
-
+--- st2.conf	2023-09-01 16:31:41.000000000 +0100
++++ st2.http.conf	2023-09-01 16:33:45.000000000 +0100
+@@ -7,45 +7,19 @@
+ # see https://docs.stackstorm.com/install.html for details
+
  server {
-   listen *:80 default_server;
+-  listen *:80 default_server;
++  listen *:${ST2_PORT_HTTP} default_server;
 +  server_tokens off;
- 
+
 -  add_header Front-End-Https on;
    add_header X-Content-Type-Options nosniff;
- 
+
 -  if ($ssl_protocol = "") {
 -       return 308 https://$host$request_uri;
 -  }
-   if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
-        return 405;
-   }
-   index  index.html;
- 
+-  if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
+-       return 405;
+-  }
+-  index  index.html;
+-
 -  access_log /var/log/nginx/st2webui.access.log combined;
 -  error_log /var/log/nginx/st2webui.error.log;
 -}
@@ -25,9 +27,9 @@
 -  listen       *:443 ssl;
 -  server_tokens off;
 -
--  if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
--       return 405;
--  }
+   if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
+        return 405;
+   }
 -
 -  ssl_certificate           /etc/ssl/st2/st2.crt;
 -  ssl_certificate_key       /etc/ssl/st2/st2.key;
@@ -37,39 +39,39 @@
 -  ssl_ciphers               EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 -  ssl_prefer_server_ciphers on;
 -
--  index  index.html;
--
+   index  index.html;
+
 -  access_log            /var/log/nginx/ssl-st2webui.access.log combined;
 -  error_log             /var/log/nginx/ssl-st2webui.error.log;
 +  access_log /proc/self/fd/1 combined;
 +  error_log stderr;
- 
+
 -  add_header              Front-End-Https on;
    add_header              X-Content-Type-Options nosniff;
    add_header              X-Frame-Options DENY always;
    add_header              Strict-Transport-Security "max-age=3153600;includeSubDomains";
 @@ -61,7 +35,7 @@
- 
+
      rewrite ^/api/(.*)  /$1 break;
- 
+
 -    proxy_pass            http://127.0.0.1:9101/;
 +    proxy_pass            ${ST2_API_URL};
      proxy_read_timeout    90;
      proxy_connect_timeout 90;
      proxy_redirect        off;
 @@ -99,7 +73,7 @@
- 
+
      rewrite ^/stream/(.*)  /$1 break;
- 
+
 -    proxy_pass  http://127.0.0.1:9102/;
 +    proxy_pass  ${ST2_STREAM_URL};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 @@ -138,7 +112,7 @@
- 
+
      rewrite ^/auth/(.*)  /$1 break;
- 
+
 -    proxy_pass            http://127.0.0.1:9100/;
 +    proxy_pass            ${ST2_AUTH_URL};
      proxy_read_timeout    90;

st2web/files/st2.conf-https.patch

@@ -1,51 +1,79 @@
---- st2.conf	2021-06-18 19:45:50.892196136 +0100
-+++ st2.https.conf	2021-06-18 19:45:50.884196198 +0100
-@@ -20,8 +20,8 @@
+--- st2.conf	2023-09-18 15:03:31.000000000 +0100
++++ st2.https.conf	2023-09-18 15:12:35.000000000 +0100
+@@ -7,7 +7,7 @@
+ # see https://docs.stackstorm.com/install.html for details
+
+ server {
+-  listen *:80 default_server;
++  listen *:${ST2_PORT_HTTP} default_server;
+
+   add_header Front-End-Https on;
+   add_header X-Content-Type-Options nosniff;
+@@ -20,12 +20,12 @@
    }
    index  index.html;
- 
+
 -  access_log /var/log/nginx/st2webui.access.log combined;
 -  error_log /var/log/nginx/st2webui.error.log;
 +  access_log /proc/self/fd/1 combined;
 +  error_log stderr;
  }
- 
+
  server {
+-  listen       *:443 ssl;
++  listen       *:${ST2_PORT_HTTPS} ssl;
+   server_tokens off;
+
+   if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
 @@ -42,8 +42,8 @@
- 
+
    index  index.html;
- 
+
 -  access_log            /var/log/nginx/ssl-st2webui.access.log combined;
 -  error_log             /var/log/nginx/ssl-st2webui.error.log;
 +  access_log            /proc/self/fd/1 combined;
 +  error_log             stderr;
- 
+
    add_header              Front-End-Https on;
    add_header              X-Content-Type-Options nosniff;
-@@ -61,7 +61,7 @@
- 
+@@ -61,10 +61,11 @@
+
      rewrite ^/api/(.*)  /$1 break;
- 
+
 -    proxy_pass            http://127.0.0.1:9101/;
 +    proxy_pass            ${ST2_API_URL};
      proxy_read_timeout    90;
      proxy_connect_timeout 90;
      proxy_redirect        off;
-@@ -99,7 +99,7 @@
-
++    proxy_ssl_trusted_certificate ${ST2_CA_CERT};
+
+     proxy_set_header      Host $host;
+     proxy_set_header      X-Real-IP $remote_addr;
+@@ -99,12 +100,13 @@
+
      rewrite ^/stream/(.*)  /$1 break;
- 
+
 -    proxy_pass  http://127.0.0.1:9102/;
 +    proxy_pass  ${ST2_STREAM_URL};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-@@ -138,7 +138,7 @@
-
+     proxy_read_timeout 200;
+     proxy_connect_timeout 200;
++    proxy_ssl_trusted_certificate ${ST2_CA_CERT};
+
+     sendfile on;
+     tcp_nopush on;
+@@ -138,10 +140,11 @@
+
      rewrite ^/auth/(.*)  /$1 break;
- 
+
 -    proxy_pass            http://127.0.0.1:9100/;
 +    proxy_pass            ${ST2_AUTH_URL};
      proxy_read_timeout    90;
      proxy_connect_timeout 90;
      proxy_redirect        off;
++    proxy_ssl_trusted_certificate ${ST2_CA_CERT};
+
+     proxy_set_header      Host $host;
+     proxy_set_header      X-Real-IP $remote_addr;