From 7086228addb6c652a29295bf4d962cd1151b0105 Mon Sep 17 00:00:00 2001 From: Sven Dolderer Date: Wed, 20 Nov 2024 18:07:48 +0100 Subject: [PATCH] removed deprecated external access from web-server #3631 also fixed setting for logging --- .../helm/web-server/Chart.yaml | 4 +- .../helm/web-server/templates/deployment.yaml | 39 +------------------ .../web-server/templates/networkpolicy.yaml | 13 ++----- .../templates/service-internal.yaml | 15 ------- .../helm/web-server/templates/service.yaml | 23 ++--------- .../helm/web-server/values.yaml | 27 ------------- .../docker/nginx/nginx.conf | 8 ++-- 7 files changed, 15 insertions(+), 114 deletions(-) delete mode 100644 sechub-web-server-solution/helm/web-server/templates/service-internal.yaml diff --git a/sechub-web-server-solution/helm/web-server/Chart.yaml b/sechub-web-server-solution/helm/web-server/Chart.yaml index 43e354351..aa77267b6 100644 --- a/sechub-web-server-solution/helm/web-server/Chart.yaml +++ b/sechub-web-server-solution/helm/web-server/Chart.yaml @@ -2,11 +2,11 @@ apiVersion: v2 name: web-server -description: SecHub Web Server Helm chart for Kubernetes +description: SecHub Web Server (Web-UI backend) Helm chart for Kubernetes home: https://github.com/mercedes-benz/sechub type: application # This is the chart version. # This version number should be incremented each time you make changes to the chart and its templates. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.0 +version: 1.0.0 diff --git a/sechub-web-server-solution/helm/web-server/templates/deployment.yaml b/sechub-web-server-solution/helm/web-server/templates/deployment.yaml index 4b3410e80..85e8822f2 100644 --- a/sechub-web-server-solution/helm/web-server/templates/deployment.yaml +++ b/sechub-web-server-solution/helm/web-server/templates/deployment.yaml 
@@ -32,43 +32,8 @@ spec: - name: secret-web-ui-ssl-volume secret: secretName: secret-web-ui-ssl -{{- end }} -{{- if .Values.go_mmproxy.enabled }} - initContainers: - - name: setup - image: {{ .Values.go_mmproxy.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - command: - - "/bin/sh" - - "-cx" - args: - - | - /sbin/ip rule add from 127.0.0.1/8 iif lo table 123 - /sbin/ip route add local 0.0.0.0/0 dev lo table 123 - securityContext: - capabilities: - add: - - NET_ADMIN {{- end }} containers: -{{- if .Values.go_mmproxy.enabled }} - # go-mmproxy sidecar container - - name: go-mmproxy - image: {{ .Values.go_mmproxy.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - ports: - - containerPort: 8080 - securityContext: - capabilities: - add: - - NET_ADMIN - args: - - "-v=0" # loglevel 0 - no logging ; 1 - log errors ; 2 - log all state changes - - "-l" # listen - - "0.0.0.0:8080" # on port 8080 - - "-4" # tcp v4 - - "127.0.0.1:4443" # forward to SecHub Web Server container (localhost port 4443) -{{- end }} # SecHub web-server container - name: web-server image: {{ .Values.image }} @@ -129,9 +94,9 @@ spec: - name: DEPLOYMENT_COMMENT value: "{{ .Values.deploymentComment }}" {{- end }} -{{- if .Values.web_server.loggingType }} +{{- if .Values.web_server.logging.type.enabled }} - name: LOGGING_TYPE - value: "{{ .Values.web_server.loggingType }}" + value: "{{ .Values.web_server.logging.type.appenderName }}" {{- end }} # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # + Connection to SecHub server diff --git a/sechub-web-server-solution/helm/web-server/templates/networkpolicy.yaml b/sechub-web-server-solution/helm/web-server/templates/networkpolicy.yaml index ff12d41f6..61e2edfaa 100644 --- a/sechub-web-server-solution/helm/web-server/templates/networkpolicy.yaml +++ b/sechub-web-server-solution/helm/web-server/templates/networkpolicy.yaml 
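Review bot: In the second deployment.yaml hunk, `value: "{{ .Values.web_server.logging.type.appenderName }}"` is emitted whenever `logging.type.enabled` is true, so an empty or missing `appenderName` yields `LOGGING_TYPE=""` without any warning at render time. Making the name mandatory and letting Helm do the quoting would surface that early: `value: {{ required "web_server.logging.type.appenderName must be set" .Values.web_server.logging.type.appenderName | quote }}`. The values.yaml hunks in this patch do not add a `logging.type` map, so it presumably already exists in the chart defaults outside the hunks; a values file that still carries only the old `web_server.loggingType` key will silently lose the setting. The env list continues outside the hunk.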
@@ -5,6 +5,9 @@ kind: NetworkPolicy metadata: name: web-server-policy spec: + podSelector: + matchLabels: + name: web-server ingress: - from: - podSelector: @@ -13,13 +16,3 @@ spec: ports: - protocol: TCP port: 4443 - - ports: -{{- if .Values.go_mmproxy.enabled }} - - port: 8080 -{{- else }} - - port: 4443 -{{- end }} - protocol: TCP - podSelector: - matchLabels: - name: web-server diff --git a/sechub-web-server-solution/helm/web-server/templates/service-internal.yaml b/sechub-web-server-solution/helm/web-server/templates/service-internal.yaml deleted file mode 100644 index d872515b2..000000000 --- a/sechub-web-server-solution/helm/web-server/templates/service-internal.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# SPDX-License-Identifier: MIT - -# Internal access via cluster IP (maybe obsolete when an api-gateway is in place) -apiVersion: v1 -kind: Service -metadata: - name: web-server-internal -spec: - selector: - name: web-server - ports: - - protocol: TCP - port: 4443 - targetPort: 4443 - type: ClusterIP diff --git a/sechub-web-server-solution/helm/web-server/templates/service.yaml b/sechub-web-server-solution/helm/web-server/templates/service.yaml index 5fe7239b1..80b66aaad 100644 --- a/sechub-web-server-solution/helm/web-server/templates/service.yaml +++ b/sechub-web-server-solution/helm/web-server/templates/service.yaml 
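Review bot: With the unrestricted `- ports:` rule removed in the second networkpolicy.yaml hunk, the policy admits only the peers matched by `from.podSelector`, whose labels lie outside both hunks, and a bare `podSelector` peer matches pods in the policy's own namespace only. That intent is worth stating in the manifest, e.g. `# only pods in this namespace matching the selector below may reach web-server on 4443`, together with an explicit `policyTypes:` / `- Ingress` under `spec:` so the behaviour does not rest on the API default. A web-ui deployed in a different namespace would additionally need a `namespaceSelector` on the peer.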
@@ -1,30 +1,15 @@ # SPDX-License-Identifier: MIT +# Internal access via cluster IP (maybe obsolete when an api-gateway is in place) apiVersion: v1 kind: Service metadata: name: web-server - labels: - name: web-server -{{- if .Values.service.annotations }} - annotations: - {{ .Values.service.annotations | indent 4 | trim }} -{{- end }} -{{- if .Values.service.finalizers }} - finalizers: - {{ .Values.service.finalizers | indent 4 | trim }} -{{- end }} spec: - type: LoadBalancer - loadBalancerIP: {{ .Values.service.loadbalancer.ip }} selector: name: web-server ports: - - name: {{ .Values.service.loadbalancer.port.name }} - port: {{ .Values.service.loadbalancer.port.number }} - protocol: TCP -{{- if .Values.go_mmproxy.enabled }} - targetPort: 8080 -{{- else }} + - protocol: TCP + port: 4443 targetPort: 4443 -{{- end }} + type: ClusterIP diff --git a/sechub-web-server-solution/helm/web-server/values.yaml b/sechub-web-server-solution/helm/web-server/values.yaml index 17ea66e88..53d3e2888 100644 --- a/sechub-web-server-solution/helm/web-server/values.yaml +++ b/sechub-web-server-solution/helm/web-server/values.yaml @@ -70,23 +70,6 @@ web_server: # This way, you can force deployments e.g. when only secrets have changed. deploymentComment: "my deployment comment" -service: - loadbalancer: - ip: "" - port: - name: web-server-https - number: 443 - # optional: Add annotations (goes to metadata.annotations) - # Can contain multiple lines. Example: - # annotations: |- - # loadbalancer.openstack.org/keep-floatingip: "true" - # loadbalancer.openstack.org/proxy-protocol: "true" - # - # optional: Add finalizers (goes to metadata.finalizers) - # Can contain multiple lines. Example: - # finalizers: |- - # - service.kubernetes.io/load-balancer-cleanup - # optional: Add annotations to template.metadata.annotations # Can contain multiple lines. Example for Prometheus actuator: # templateMetadataAnnotations: |- 
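Review bot: The header comment added in templates/service.yaml, `# Internal access via cluster IP (maybe obsolete when an api-gateway is in place)`, was carried over from the deleted service-internal.yaml and now describes the chart's only Service, so "maybe obsolete" is misleading. Something like `# Cluster-internal access only (ClusterIP); external traffic reaches the web-server through the web-ui nginx proxy` matches what the nginx.conf change in this patch suggests. The port entry also lost its name; `name: web-server-https` on the `ports` item would keep it addressable by name from other manifests.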
@@ -106,13 +89,3 @@ service: # secretKeyRef: # name: secret-web-server-example # key: password - -go_mmproxy: - # Log the real client IP addresses via a go-mmproxy sidecar container - # Otherwise one sees only the loadbalancer's IP in the logs. - # go-mmproxy -> https://github.com/path-network/go-mmproxy - # Spoofs the real client address taken from proxy-protocol so the SecHub server will log correctly. - # (needs annotation loadbalancer.openstack.org/proxy-protocol: "true" - see above) - enabled: false - # Choose a "go-mmproxy" docker image. See e.g. https://hub.docker.com/search?q=go-mmproxy - image: "example.org/go-mmproxy:2.1.0" diff --git a/sechub-web-ui-solution/docker/nginx/nginx.conf b/sechub-web-ui-solution/docker/nginx/nginx.conf index 999678218..be47f6a5e 100644 --- a/sechub-web-ui-solution/docker/nginx/nginx.conf +++ b/sechub-web-ui-solution/docker/nginx/nginx.conf @@ -26,22 +26,22 @@ http { } location /api { - proxy_pass https://web-server-internal:4443/api; + proxy_pass https://web-server:4443/api; include sechub_proxy_settings.conf; } location /error { - proxy_pass https://web-server-internal:4443/error; + proxy_pass https://web-server:4443/error; include sechub_proxy_settings.conf; } location /login { - proxy_pass https://web-server-internal:4443/login; + proxy_pass https://web-server:4443/login; include sechub_proxy_settings.conf; } location /oauth2 { - proxy_pass https://web-server-internal:4443/oauth2; + proxy_pass https://web-server:4443/oauth2; include sechub_proxy_settings.conf; }
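Review bot: The four `proxy_pass https://web-server:4443/...` lines in nginx.conf now address the upstream under a different host name, and nginx does not verify upstream certificates unless `proxy_ssl_verify on;` is set; whether `sechub_proxy_settings.conf` sets it is not visible here. If verification is enabled, the web-server certificate must carry `web-server` as a subject alternative name (or `proxy_ssl_name` must be set), otherwise the handshake fails after this rename. If it is not enabled, the hop is encrypted but the upstream is unauthenticated, which deserves a comment next to the include, e.g. `# upstream TLS is not verified; relies on the NetworkPolicy for peer restriction`. The `http` block continues outside the hunk.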