Merge pull request 'Refactore the entire k8s manifest for pure https routing' (#79) from cart into main

Reviewed-on: #79

MidrandBookshop/MidrandBookshop.csproj

@@ -18,13 +18,13 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="LiteCharms.Features" Version="1.127.0" />
+    <PackageReference Include="LiteCharms.Features" Version="1.132.0" />
   </ItemGroup>
 
   <!-- UI -->
   <ItemGroup>
     <PackageReference Include="ANM.Blazored.Toast" Version="0.1.1" />
-    <PackageReference Include="LiteCharms.Features.MidrandBooks" Version="1.127.0" />
+    <PackageReference Include="LiteCharms.Features.MidrandBooks" Version="1.132.0" />
     
     <!-- Global Usings -->
     <Using Include="Blazored.Toast.Services" />
@@ -54,8 +54,9 @@
     <Using Include="Microsoft.JSInterop" />
     <Using Include="System.Globalization" />
     <Using Include="System.Security.Claims" />
-    <Using Include="Microsoft.AspNetCore.HttpOverrides" />
     <Using Include="Microsoft.Extensions.Options" />
+    <Using Include="Microsoft.EntityFrameworkCore" />
+    <Using Include="Microsoft.AspNetCore.HttpOverrides" />
     <Using Include="Microsoft.AspNetCore.Components.Authorization" />
     <Using Include="Microsoft.AspNetCore.Components.Routing" />
     <Using Include="Microsoft.AspNetCore.Components.Web" />

MidrandBookshop/Program.cs

@@ -2,25 +2,27 @@ using LiteCharms.Features.Extensions;
 using LiteCharms.Features.Mediator;
 using LiteCharms.Features.MidrandBooks.Extensions;
 using LiteCharms.Features.MidrandBooks.Payments;
+using LiteCharms.Features.Postgres;
 using MidrandBookshop.Components;
+using System.Security.Cryptography.X509Certificates;
 using static LiteCharms.Features.Extensions.Quartz;
 
 var builder = WebApplication.CreateBuilder(args);
 
+builder.Services.AddAntiforgery();
+
 builder.Services.AddRazorComponents()
     .AddInteractiveServerComponents();
 
 builder.AddMonitoring();
 builder.Services.AddEndpointsApiExplorer();
 
-builder.Services.AddMediator();
-builder.Services.AddLiteCharmsWebSecurity(builder.Configuration, builder.Environment);
-
 builder.Services.AddScoped(typeof(IPipelineBehavior<,>), typeof(TelemetryPipelineBehavior<,>));
 builder.Services.AddScoped(typeof(IPipelineBehavior<,>), typeof(LoggingPipelineBehavior<,>));
 
 builder.Services.AddQuartzSchedulerClient(MidrandShopSchedulerName, builder.Configuration);
 
+builder.Services.AddMediator();
 builder.Services.AddEmailServices(builder.Configuration);
 builder.Services.AddEmailServiceBus();
 
@@ -28,10 +30,14 @@ builder.Services.AddHttpClient();
 builder.Services.AddScoped<CartService>();
 builder.Services.AddShopServices(includeLocalStorage: true);
 builder.Services.AddHashServices(builder.Configuration);
-builder.Services.AddSecurityApiSdk(builder.Configuration);
 builder.Services.AddPayfastServices(builder.Configuration);
+
+builder.Services.AddDataProtectionDatabase(builder.Configuration);
 builder.Services.AddMidrandShopDatabase(builder.Configuration);
 
+builder.Services.AddSecurityApiSdk(builder.Configuration);
+builder.Services.AddLiteCharmsWebSecurity(builder.Configuration);
+
 builder.Services.AddMidrandShopPostgresHealthCheck();
 builder.Services.AddMidrandShopQuartzHealthCheck();
 builder.Services.AddHealthChecksSupport(builder.Configuration);
@@ -44,7 +50,35 @@ builder.Services.Configure<ForwardedHeadersOptions>(options =>
 
 var app = builder.Build();
 
+builder.WebHost.ConfigureKestrel(options =>
+{
+    var certBase64 = builder.Configuration["DataProtection:Certificate"];
+    var certPassword = builder.Configuration["DataProtection:Password"];
+
+    if (!string.IsNullOrWhiteSpace(certBase64))
+    {
+        var rawBytes = Convert.FromBase64String(certBase64);
+        var kestrelCert = X509CertificateLoader.LoadPkcs12(rawBytes, certPassword);
+
+        options.ListenAnyIP(8443, listenOptions =>
+        {
+            listenOptions.UseHttps(kestrelCert);
+        });
+    }
+    else
+        options.ListenAnyIP(8080);
+});
+
 app.UseForwardedHeaders();
+app.UseCookiePolicy();
+
+using var security = app.Services.CreateScope();
+{
+    var dataProtectionContext = security.ServiceProvider.GetRequiredService<DataProtectionDbContext>();
+
+    await dataProtectionContext.Database.MigrateAsync();
+}
+
 app.AddSecurityEndpoints();
 
 var schedulerFactory = app.Services.GetRequiredService<ISchedulerFactory>();

MidrandBookshop/Properties/launchSettings.json

@@ -14,7 +14,7 @@
         "commandName": "Project",
         "dotnetRunMessages": true,
         "launchBrowser": false,
-        "applicationUrl": "https://localhost:7021;http://localhost:5053",
+        "applicationUrl": "https://localhost:8440;http://localhost:8083",
         "environmentVariables": {
           "ASPNETCORE_ENVIRONMENT": "Development"
         }

midrandbooks-uat.yml

@@ -10,8 +10,8 @@ metadata:
   name: midrandbooks-config
   namespace: midrandbooks-uat
 data:
-  ASPNETCORE_ENVIRONMENT: "Development"
-  ASPNETCORE_URLS: "http://0.0.0.0:8080"
+  ASPNETCORE_ENVIRONMENT: "Development"  
+  ASPNETCORE_URLS: "https://0.0.0.0:8443"
   Monitoring__Address: "http://aspire-dashboard-service.aspire.svc.cluster.local:18889"
   Monitoring__ServiceName: "MidrandBooks.Uat"
   HasherSettings__MinHashLength: "11"
@@ -27,7 +27,6 @@ data:
   PayfastSettings__ValidHosts__4: "payment.payfast.io"
   LiteCharmsSettings__Authority: "https://sts.security.khongisa.co.za"
   LiteCharmsSettings__Audience: "midrandbooks-api"
-  ASPNETCORE_FORWARDEDHEADERS_ENABLED: "true"
   LiteCharmsClientSettings__Authority: "https://sts.security.khongisa.co.za"
   LiteCharmsClientSettings__GrantType: "client_credentials"
   LiteCharmsClientSettings__Scope: "midrandbooks-api"
@@ -40,6 +39,7 @@ metadata:
 type: Opaque
 data:  
   connection-string: SG9zdD0xOTIuMTY4LjEuMTcwO0RhdGFiYXNlPW1pZHJhbmRzaG9wLWRldjtVc2VybmFtZT1taWRyYW5kc2hvcC1kZXYtdXNlcjtQYXNzd29yZD1hUFh5a0tnM3RTOWNtRDtQZXJzaXN0IFNlY3VyaXR5IEluZm89VHJ1ZQ==
+  dataprotection-connection-string: SG9zdD0xOTIuMTY4LjEuMTcwO0RhdGFiYXNlPW1pZHJhbmRzaG9wLWRldjtVc2VybmFtZT1taWRyYW5kc2hvcC1kZXYtdXNlcjtQYXNzd29yZD1hUFh5a0tnM3RTOWNtRDtQZXJzaXN0IFNlY3VyaXR5IEluZm89VHJ1ZQ==
   connection-string-quartz: SG9zdD0xOTIuMTY4LjEuMTcwO0RhdGFiYXNlPXNjaGVkdWxlci1kZXY7VXNlcm5hbWU9c2NoZWR1bGVyLWRldi11c2VyO1Bhc3N3b3JkPWtWVm1vV0tKM3h6Z1FYO1BlcnNpc3QgU2VjdXJpdHkgSW5mbz1UcnVl
   aspire-apikey: bWMzRzYzSzJqNVpPRXNpMEFqTW9qTFRYbTFLRVpGY3R6SUlqU3dEaVRHdXQ4cUdTa1B1V3d4R1AxUmJzY0pVbw==
   hasher-salt: VEdsbmFIUWdRMmhoY20xekxDQk5hV1J5WVc1a1FtOXZhM01nYldGclpTQnNiM1J6SUc5bUlHMXZibVY1SUdGdVpDQmhjbVVnWVNCemRXTmpaWE56Wm5Wc0lIWnBjbUZzSUhOMGIzSjVJR2x1SUZOdmRYUm9JRUZtY21sallRPT0=  
@@ -52,6 +52,8 @@ data:
   payfast-merchantkey: anU2bmF2bjBqY2JmMA==
   litecharms-client-clientid: bWlkcmFuZGJvb2tzLWFwaS1zY2FsZXItdWF0
   litecharms-client-clientsecret: c2VjcmV0XzBhOGRjMWY5OTA2MTU5MGE1MmIxMjcyZGIzYTE4NzFkMjc2MWM3OWZiZDA1OGIyYTk2ODkxMTAyOWU0YjIwOGE=
+  dataprotection-cert: TUlJS2dBSUJBekNDQ2pZR0NTcUdTSWIzRFFFSEFhQ0NDaWNFZ2dvak1JSUtIekNDQkZJR0NTcUdTSWIzRFFFSEJxQ0NCRU13Z2dRL0FnRUFNSUlFT0FZSktvWklodmNOQVFjQk1GY0dDU3FHU0liM0RRRUZEVEJLTUNrR0NTcUdTSWIzRFFFUkREUWEwZ0F3RUFBaUFCQURBTkJnbGdoa2dCWlFNRUFnRUZBQUFTb0VFS2Y2bE55USt1REU4ZjNCOWw5T3pGNG9mSmw5cUtkK3lKTTVBNXEy d0RBRUNIMXBPL2hVRXpsTkFnSUlBQT09
+  dataprotection-password: OWlIUSMmcl41eWZYRXc=
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -71,7 +73,7 @@ metadata:
   name: midrandbooks
   namespace: midrandbooks-uat
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
       app: midrandbooks
@@ -99,11 +101,21 @@ spec:
               memory: "256Mi"
               cpu: "100m"
           ports:
-            - containerPort: 8080
+            - containerPort: 8443
           envFrom:
             - configMapRef:
                 name: midrandbooks-config
           env:
+            - name: DataProtection__Certificate
+              valueFrom:
+                secretKeyRef:
+                  name: midrandbooks-secrets
+                  key: dataprotection-cert
+            - name: DataProtection__Password
+              valueFrom:
+                secretKeyRef:
+                  name: midrandbooks-secrets
+                  key: dataprotection-password
             - name: LiteCharmsSettings__ClientId
               valueFrom:
                 secretKeyRef:
@@ -164,6 +176,11 @@ spec:
                 secretKeyRef:
                   name: midrandbooks-secrets
                   key: connection-string
+            - name: ConnectionStrings__PostgresDataProtection
+              valueFrom:
+                secretKeyRef:
+                  name: midrandbooks-secrets
+                  key: dataprotection-connection-string
             - name: Monitoring__ApiKey
               valueFrom:
                 secretKeyRef:
@@ -173,28 +190,24 @@ spec:
             - name: data
               mountPath: /app/wwwroot/content
               subPath: bookshop-content
-            - name: shared-keys-volume
-              mountPath: /app/shared-keys
-              subPath: dataprotection-keys
           livenessProbe:
             httpGet:
               path: /health
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 5
             periodSeconds: 10
           readinessProbe:
             httpGet:
               path: /health
-              port: 8080
+              port: 8443
+              scheme: HTTPS
             initialDelaySeconds: 3
             periodSeconds: 5
       volumes:
         - name: data
           persistentVolumeClaim:
-            claimName: midrandbooks-pvc
-        - name: shared-keys-volume
-          persistentVolumeClaim:
-            claimName: midrandbooks-pvc
+            claimName: midrandbooks-pvc        
 ---
 apiVersion: v1
 kind: Service
@@ -202,14 +215,20 @@ metadata:
   name: midrandbooks-service
   namespace: midrandbooks-uat
 spec:
-  type: ClusterIP
+  ports:
+    - name: https
+      port: 443
+      targetPort: 8443
   selector:
     app: midrandbooks
-  ports:
-    - name: http
-      protocol: TCP
-      port: 80
-      targetPort: 8080
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: midrandbooks-bypass-backend-validation
+  namespace: midrandbooks-uat
+spec:
+  insecureSkipVerify: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -224,10 +243,12 @@ spec:
       kind: Rule
       services:
         - name: midrandbooks-service
-          port: 80
+          port: 443
+          scheme: https
+          serversTransport: midrandbooks-bypass-backend-validation
           sticky:
             cookie:
               name: "lp-sticky-session"
               httpOnly: true
               secure: true
-  tls: {}
+  tls: {}