From 9f426e898f00261b3ee19ab9de97fb72720d8b67 Mon Sep 17 00:00:00 2001
From: Maria Haider
Date: Tue, 6 May 2025 21:51:18 +0200
Subject: [PATCH] cisoassitant stuffs
---
 .../cisoassistant/update-ciso-assistant.sh | 22 +++++++++
 .../update-cisoas-enterprise_test.sh | 4 ++
 .../net/manifests/cisoassistant_test.pp | 20 ++++++-
 .../net/templates/cisoassistant/Caddyfile.erb | 8 ++++
 .../cisoassistant/docker-compose.yml.erb | 46 +++++++++++++++++++
 5 files changed, 97 insertions(+), 3 deletions(-)
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/update-ciso-assistant.sh
 create mode 100644 global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise_test.sh
 create mode 100644 global/overlay/etc/puppet/modules/net/templates/cisoassistant/Caddyfile.erb
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-ciso-assistant.sh b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-ciso-assistant.sh
new file mode 100644
index 0000000..8605e39
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-ciso-assistant.sh
@@ -0,0 +1,22 @@
+#! /usr/bin/env bash
+set -euo pipefail
+
+DB_FILE="db/ciso-assistant.sqlite3"
+BACKUP_FILE="ciso-assistant-backup.sqlite3"
+
+# Backup the database
+if [ ! -f "$DB_FILE" ]; then
+ echo "Error: No database found, please initialize CISO Assistant first"
+ exit 1
+else
+ cp "$DB_FILE" "$BACKUP_FILE"
+ echo "Backup of the database created in $BACKUP_FILE"
+fi
+
+# Stop and clean the containers
+docker compose rm -fs
+
+# note: the rmi trick is not needed anymore since we move to always pull policy
+# Start the containers
+docker compose up -d
+echo "CISO assistant updated successfully"
\ No newline at end of file
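Review bot: The database copy at `cp "$DB_FILE" "$BACKUP_FILE"` runs while the containers are still up, because `docker compose rm -fs` only comes after it, so the backup can capture the SQLite file mid-write (and, if the database runs in WAL mode, without the contents of the -wal file); moving the `# Stop and clean the containers` block above the backup, or taking the copy with `sqlite3 "$DB_FILE" ".backup '$BACKUP_FILE'"`, gives a consistent snapshot. The backup name is fixed, so every run overwrites the previous generation; a suffix such as `BACKUP_FILE="ciso-assistant-backup-$(date +%Y%m%d%H%M%S).sqlite3"` keeps a history and leaves something to roll back to if `docker compose up -d` pulls a broken image. All paths are relative to the working directory and the script never changes it, so a caller started elsewhere either stops at the `[ ! -f "$DB_FILE" ]` check with a misleading "No database found" or runs compose against the wrong project; a `cd "$(dirname "$0")"` right after `set -euo pipefail` would pin it. The positional argument the wrapper in this patch passes (`enterprise`) is not read anywhere in this script.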
diff --git a/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise_test.sh b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise_test.sh
new file mode 100644
index 0000000..7851deb
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/cisoassistant/update-cisoas-enterprise_test.sh
@@ -0,0 +1,4 @@
+cd /opt/cisoas/
+pushd ..
+./update-ciso-assistant.sh enterprise
+popd
\ No newline at end of file
diff --git a/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
index 6ecef1e..dfb4ec1 100644
--- a/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
+++ b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
@@ -1,8 +1,8 @@
-class net::cisoassistant_test {
+class net::cisoassistant_test ($ciso_service_name='') {
 $nftables_rules = {
 'allow_access_to_cisoassistant' => {
 from => 'any',
- port => 443,
+ port => 8443,
 to => 'any',
 proto => 'tcp',
 },
@@ -39,8 +39,22 @@ class net::cisoassistant_test {
 mode => '0744',
 owner => 'root',
 group => 'root',
- content => file('net/cisoassistant/update-cisoas-enterprise.sh'),
+ content => file('net/cisoassistant/update-cisoas-enterprise_test.sh'),
 }
+
+ file { '/opt/cisoas/update-ciso-assistant.sh':
+ mode => '0744',
+ owner => 'root',
+ group => 'root',
+ content => file('net/cisoassistant/update-ciso-assistant.sh'),
+ }
+
+ file { '/opt/cisoas/Caddyfile':
+ owner => 'root',
+ group => 'root',
+ content => template('net/cisoassistant/Caddyfile.erb'),
+ }
+
 sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
 cmd => '/opt/cisoas/update-cisoas-enterprise.sh',
 weekday => 'Saturday',
diff --git a/global/overlay/etc/puppet/modules/net/templates/cisoassistant/Caddyfile.erb b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/Caddyfile.erb
new file mode 100644
index 0000000..773a1f8
--- /dev/null
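Review bot: `pushd ..` leaves the working directory at `/opt`, so `./update-ciso-assistant.sh` resolves to `/opt/update-ciso-assistant.sh`, while the manifest in this same patch installs the script as `/opt/cisoas/update-ciso-assistant.sh` and the script itself expects to run from the compose directory (it opens `db/ciso-assistant.sqlite3` relative to the cwd); as written the weekly cron job fails with "No such file or directory", or runs a stale copy if one happens to exist in /opt. The wrapper also has no interpreter line and no `set -e`, so a failing `cd` would not stop the commands after it. The fix is the whole four-line file, shown below.
```shell
#! /usr/bin/env bash
set -euo pipefail
cd /opt/cisoas/
./update-ciso-assistant.sh enterprise
```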
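Review bot: `$ciso_service_name=''` gives the new parameter an empty default, and every consumer in this patch interpolates it into something that silently misbehaves when it is empty: the Caddyfile site address becomes `:8443`, `ALLOWED_HOSTS` collapses to `backend`, and the certificate mounts become `/etc/dehydrated/certs/.pem`; declaring it as `String[1] $ciso_service_name` with no default makes a missing value fail at catalog compilation instead. The firewall change only moves 443 to 8443, yet the Caddyfile and compose template in this patch also publish the API on 9443 and hand the frontend `PUBLIC_BACKEND_API_EXPOSED_URL=https://<host>:9443/api`, so browsers have to reach 9443 as well; if `$nftables_rules` is a default-deny allow list, as the `allow_access_to_` key name suggests, a second entry with `port => 9443` is needed next to this one.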
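Review bot: The `/opt/cisoas/Caddyfile` resource is bind-mounted into the caddy container by the compose template in this patch, but nothing here restarts or reloads caddy when Puppet rewrites the file, so a Caddyfile change only takes effect at the next weekly run of `update-cisoas-enterprise.sh`; a `notify` on whatever resource manages the compose stack would close that gap. The same resource sets no `mode`, unlike the two script resources above it; an explicit `mode => '0644'` states the intent rather than inheriting the default. The cron job keeps calling `/opt/cisoas/update-cisoas-enterprise.sh`, whose content now comes from `update-cisoas-enterprise_test.sh`; the title of that file resource and the start of the class are outside this hunk, so the path match cannot be confirmed from here.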
+++ b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/Caddyfile.erb
@@ -0,0 +1,8 @@
+<%= @ciso_service_name %>:8443 {
+ reverse_proxy frontend:3000
+ tls /certs/cert.pem /certs/key.pem
+}
+cisoas-api.sunet.se:9443 {
+ reverse_proxy backend:8000
+ tls /certs/cert.pem /certs/key.pem
+}
\ No newline at end of file
diff --git a/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
index 0da567f..0c4d44a 100644
--- a/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
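Review bot: The API site is hard-coded to `cisoas-api.sunet.se:9443` while the frontend site and every other reference in this patch use `<%= @ciso_service_name %>`: the frontend's `PUBLIC_BACKEND_API_EXPOSED_URL` sends browsers to `https://<service_name>:9443/api`, the only certificate mounted at `/certs/cert.pem` is `<service_name>.pem`, and the backend's `ALLOWED_HOSTS` does not list `cisoas-api.sunet.se`, so API requests either miss this site block or, if they reach it, are refused by Django as a disallowed host. Unless a separate API hostname is intended (which would then need its own certificate and its own `ALLOWED_HOSTS` entry), the line should read `<%= @ciso_service_name %>:9443 {`. Both blocks reference `/certs/cert.pem` and `/certs/key.pem` without saying where they come from; a comment such as `# certs are bind-mounted from /etc/dehydrated/certs by docker-compose.yml.erb` would save the next reader a search.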
@@ -10,3 +10,49 @@ services: environment: - ACME_URL=http://acme-c.sunet.se/ + backend: + container_name: backend + image: ghcr.io/intuitem/ciso-assistant-enterprise-backend:latest + restart: always + environment: + - ALLOWED_HOSTS=backend,<%= @ciso_service_name %> + - CISO_ASSISTANT_URL=https://<%= @ciso_service_name %>:8443 + - DJANGO_DEBUG=True + - AUTH_TOKEN_TTL=7200 + - LICENSE_SEATS=3000 + volumes: + - ./db:/code/db + - /etc/dehydrated/certs/<%= @ciso_service_name %>pem:/certs/cert.pem + - /etc/dehydrated/certs/<%= @ciso_service_name %>.key:/certs/key.pem + + frontend: + container_name: frontend + restart: always + environment: + - PUBLIC_BACKEND_API_URL=http://backend:8000/api + - PUBLIC_BACKEND_API_EXPOSED_URL=https://<%= @ciso_service_name %>:9443/api + - PROTOCOL_HEADER=x-forwarded-proto + - HOST_HEADER=x-forwarded-host + + image: ghcr.io/intuitem/ciso-assistant-enterprise-frontend:latest + depends_on: + - backend + volumes: + - /etc/dehydrated/certs/<%= @ciso_service_name %>.pem:/certs/cert.pem + - /etc/dehydrated/certs/<%= @ciso_service_name %>.key:/certs/key.pem + + caddy: + container_name: caddy + image: caddy:2.8.4 + depends_on: + - frontend + # restart: always + ports: + - 8443:8443 + - 9443:9443 + volumes: + - ./caddy_data:/data + - ./Caddyfile:/etc/caddy/Caddyfile + - /etc/dehydrated/certs/<%= @ciso_service_name %>.pem:/certs/cert.pem + - /etc/dehydrated/certs/<%= @ciso_service_name %>.key:/certs/key.pem +
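Review bot: The backend's first certificate mount is missing the dot: `/etc/dehydrated/certs/<%= @ciso_service_name %>pem:/certs/cert.pem` names a host path that will not exist, and the short bind-mount syntax then creates an empty directory there and mounts it over `/certs/cert.pem`; the frontend and caddy entries below spell it `<%= @ciso_service_name %>.pem`, which is what this line should use. `DJANGO_DEBUG=True` on a deployed backend enables Django's detailed error pages, which expose settings, stack traces and request data to whoever triggers an exception; outside a developer's machine it should be `DJANGO_DEBUG=False`. `# restart: always` on the caddy service leaves the only published entry point without a restart policy, so after a host reboot the backend and frontend come back but nothing listens on 8443/9443; the other two services set `restart: always` and caddy should match. The cert and key mounts are repeated three times; a YAML anchor would keep them in one place, though that is cosmetic.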