SSH websocket

Jozef Volak · SimonMisencik · commit 622322fd6bdc · 2023-03-27T09:39:55.000+02:00
Update env vars
diff --git a/composefiles/swarm-uniconfig.yml b/composefiles/swarm-uniconfig.yml
@@ -61,6 +61,8 @@ services:
       - TRAEFIK_PROVIDERS_FILE_WATCH=true
       - TRAEFIK_ENTRYPOINTS_UNICONFIG=true
       - TRAEFIK_ENTRYPOINTS_UNICONFIG_ADDRESS=:8181
+      - TRAEFIK_ENTRYPOINTS_CLISHELL=true
+      - TRAEFIK_ENTRYPOINTS_CLISHELL_ADDRESS=:2022
       - TRAEFIK_PROVIDERS_DOCKER_SWARMMODE=true
       - TRAEFIK_PROVIDERS_DOCKER_WATCH=true
       - TRAEFIK_SERVERSTRANSPORT_ROOTCAS=/run/secrets/frinx_uniconfig_tls_cert.pem
@@ -125,7 +127,7 @@ services:
       - DBPERSISTENCE_CONNECTION_TLSCLIENTKEY=config/frinx_uniconfig_tls_key.der
       - DBPERSISTENCE_CONNECTION_TLSCACERT=config/frinx_uniconfig_tls_cert.pem
       # CLI SHELL CONFIGURATION, CREDENTIALS STORED IN SECRETS
-      - CLISHELL_SSHSERVER_ENABLED=true
+      - CLISHELL_SSHSERVER_ENABLED=${UNICONFIG_SHELL_ENABLED}
       - CLISHELL_SSHSERVER_INETADDRESS=0.0.0.0
       - CLISHELL_SSHSERVER_USERNAMEPASSWORDAUTH_PASSWORD=admin
       # UNICONFIG TRANSACTIONS CONFIGURATION
@@ -194,6 +196,10 @@ services:
         - traefik.http.services.uniconfig.loadbalancer.server.scheme=https
         - traefik.http.services.uniconfig.loadbalancer.passhostheader=true
         - traefik.http.routers.uniconfig.tls=true
+        - traefik.tcp.routers.clishell.entrypoints=clishell
+        - traefik.tcp.routers.clishell.rule=HostSNI(`*`)
+        - traefik.tcp.routers.clishell.service=cli-shell-svc
+        - traefik.tcp.services.cli-shell-svc.loadbalancer.server.port=2022
       <<: *placement-controller
       restart_policy:
         condition: any
diff --git a/composefiles/swarm-workflow-manager.yml b/composefiles/swarm-workflow-manager.yml
@@ -41,7 +41,7 @@ x-dt-enabled: &dt-enabled
 
 services:
   krakend:
-    image: frinx/krakend:1.0.5
+    image: frinx/krakend:latest
     # user: root
     logging: *logging_loki    
     environment:
@@ -62,6 +62,8 @@ services:
       - HTTPS_PROXY=${HTTPS_PROXY}
       - NO_PROXY=workflow-proxy,frinx-frontend,inventory,krakend,unistore,resource-manager,${UNICONFIG_ZONES_LIST},${NO_PROXY}
       - UNICONFIG_ZONES_LIST=${UNICONFIG_ZONES_LIST}
+      - UNICONFIG_SHELL_ENABLED=${UNICONFIG_SHELL_ENABLED:-false}
+      - UNICONFIG_SHELL_OAUTH_ENABLED=false
       - *wfm-enabled
       - *rsm-enabled
       - *inventory-enabled
@@ -92,7 +94,11 @@ services:
     ports:
       - target: 8080
         published: ${KRAKEND_PORT}
-        mode: host  
+        mode: host
+      # Configured with startup --shell 
+      # - target: 8001
+      #   published: 8001
+      #   mode: host  
     ulimits:
       nofile:
         soft: ${KD_ULIMIT_NOFILE_SOFT}
@@ -233,7 +239,7 @@ services:
       - INVENTORY_API_URL=/api/inventory
       - RESOURCE_MANAGER_API_URL=/api/resource
       - UNISTORE_API_URL=/api/unistore
-      - INVENTORY_WS_URL='ws://localhost:8001/graphql'
+      - INVENTORY_WS_URL=ws://localhost:8001/api/inventory
       - *wfm-enabled
       - *rsm-enabled
       - *inventory-enabled
@@ -463,6 +469,7 @@ services:
       - ARANGO_ENABLED=false
       - TOPOLOGY_ENABLED=false
       - SHELL_HOST=uniconfig
+      - SHELL_HOST_ENABLED=${UNICONFIG_SHELL_ENABLED:-false}
     volumes:
       - ${UF_CONFIG_PATH}/inventory/run_inventory.sh:/run_inventory.sh:ro
     healthcheck:
diff --git a/config/krakend/krakend.json b/config/krakend/krakend.json
@@ -17,6 +17,28 @@
     "folder": "/usr/local/lib/krakend/"
   },
   "extra_config": {
+    {{ $uc_shell := env "UNICONFIG_SHELL_ENABLED" }}
+    {{ if eq $uc_shell "true" }}
+    "contribute/websocketproxy": {
+      "port": "8001",
+      "websockets": [
+        {
+          {{ $uc_shell := env "UNICONFIG_SHELL_OAUTH_ENABLED" }}
+          {{ if eq $uc_shell "true" }}
+          {{ $uc_shell_oauth_url := env "OAUTH2_AUTH_URL" }}
+          {{ $uc_shell_bearer := env "AZURE_KRAKEND_PLUGIN_JWT_VALUE_PREFIX" }}
+          {{ $uc_shell_rbac := env "UNICONFIG_CONTROLLER_ADMIN_GROUP" }}
+          "@comment": "uncomment and replace '",
+          "@comment": "jwk_url':' {{ $uc_shell_oauth_url }}",
+          "@comment": "rbac_roles':' {{ $uc_shell_rbac }}",
+          "@comment": "jwk_url ':' {{ $uc_shell_oauth_url }}",
+          {{end}}
+          "backend": "ws://inventory:8000/graphql",
+          "endpoint": "/api/inventory"
+        }
+      ]
+    },
+    {{end}}
     "router":{
       "disable_path_decoding" : true,
       "disable_redirect_fixed_path": true,
@@ -48,7 +70,6 @@
       "referrer_policy": "same-origin",
       "content_type_nosniff": true,
       "browser_xss_filter": true,
-      "content_security_policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src *;",
       "is_development": false
     },
     "security/cors": {
@@ -83,6 +104,7 @@
       "syslog": false,
       "stdout": true
     }
+
   },
   "endpoints": [
 
diff --git a/startup.sh b/startup.sh
@@ -32,7 +32,9 @@ OPTIONS:
                   - KrakenD with certificates
                   - https://localhost
   
-   --auth        Deploy Frinx-Machine with authorization 
+   --auth        Deploy Frinx-Machine with authorization
+
+   --shell       Deploy Frinx-Machine with UC shell
 
    --prod|--dev|--high  
                   Deploy Frinx-Machine in production or development mode
@@ -103,6 +105,9 @@ function argumentsCheck {
         --auth)
             export AUTH_ENABLED="true";;
 
+        --shell)
+            export UNICONFIG_SHELL_ENABLED="true";;
+
         --proxy)
             export PROXY_ENABLED="true"
             setProxyEnv;;
@@ -418,6 +423,14 @@ function validateAzureAD {
   fi
 }
 
+function enableUcShell {
+  if [[ ${UNICONFIG_SHELL_ENABLED} == "true" ]]; then
+    echo -e "${WARNING} Exposing websocket proxy on port 8001"
+    docker service update --publish-add mode=host,target=8001,published=8001 fm_krakend
+  fi
+}
+
+
 function setUniconfigZoneEnv {
 
   if [[ ${__multinode} == "true" ]]; then
@@ -528,6 +541,9 @@ export KRAKEND_PORT=80
 ## Default Auth settings
 export AUTH_ENABLED=false
 
+## Default UC SHELL settings
+export UNICONFIG_SHELL_ENABLED=false
+
 # DEFAULT PERFORM SETTINGS
 devPerformSettingFile='./config/dev_settings.txt'
 productPerformSettingFile='./config/prod_settings.txt'
@@ -555,5 +571,6 @@ setVariableFile "${performSettings}"  # load performance settings
 validateAzureAD
 
 startContainers
+enableUcShell
 show_last_info
 popd > /dev/null
