feat(helm): add nginx ConfigMap for reana-ui security headers (#945)

Author: CameronMcClymont

helm/reana/templates/nginx-config.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.components.reana_ui.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-config
+  namespace: {{ .Release.Namespace }}
+data:
+  reana-ui.conf: |
+    server {
+        listen       80;
+        root   /usr/share/nginx/html;
+        server_name  localhost;
+        index  index.html index.htm;
+{{- with .Values.components.reana_ui.nginx.security_headers.hsts }}
+        add_header Strict-Transport-Security "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.x_frame_options }}
+        add_header X-Frame-Options "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.x_content_type_options }}
+        add_header X-Content-Type-Options "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.cross_origin_opener_policy }}
+        add_header Cross-Origin-Opener-Policy "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.cross_origin_resource_policy }}
+        add_header Cross-Origin-Resource-Policy "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.referrer_policy }}
+        add_header Referrer-Policy "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.permissions_policy }}
+        add_header Permissions-Policy "{{ . }}" always;
+{{- end }}
+{{- with .Values.components.reana_ui.nginx.security_headers.csp }}
+        # NOTE: keep in sync with reana-server config.py content security policy headers
+        add_header Content-Security-Policy "{{ . }}" always;
+{{- end }}
+
+        #Enable serving of pre-compressed files
+        gzip_static on;
+
+        location / {
+            try_files $uri /index.html;
+        }
+        location = /index.html {
+            # If the file for the requested URL does not exist, then `/index.html` is always
+            # served. This might cause some issues given that `index.html` is cached by
+            # the browser (e.g. in case of an URL to an interactive session).
+            # This setting makes sure that `index.html` is revalidated on each request.
+            expires -1;
+        }
+    }
+{{- end }}

helm/reana/templates/reana-ui.yaml

@@ -29,13 +29,24 @@ spec:
     metadata:
       labels:
         app: {{ include "reana.prefix" . }}-ui
+      annotations:
+        checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx-config.yaml") . | sha256sum }}
     spec:
       containers:
       - name: ui
         image: {{ .Values.components.reana_ui.image }}
         imagePullPolicy: {{ .Values.components.reana_ui.imagePullPolicy }}
         ports:
         - containerPort: 80
+        volumeMounts:
+        - name: nginx-config
+          mountPath: /etc/nginx/conf.d/default.conf
+          subPath: reana-ui.conf
+      volumes:
+      - name: nginx-config
+        configMap:
+          defaultMode: 420
+          name: nginx-config
       {{- if .Values.node_label_infrastructure }}
       {{- $full_label := split "=" .Values.node_label_infrastructure }}
       nodeSelector:

helm/reana/values.yaml

@@ -93,6 +93,24 @@ components:
     file_preview_size_limit: "5242880" # 5 * 1024**2 = 5 MiB
     imagePullPolicy: IfNotPresent
     image: docker.io/reanahub/reana-ui:0.95.0-alpha.3
+    nginx:
+      security_headers:
+        hsts: "max-age=31536000; includeSubDomains"
+        x_frame_options: "DENY"
+        x_content_type_options: "nosniff"
+        cross_origin_opener_policy: "same-origin"
+        cross_origin_resource_policy: "same-origin"
+        referrer_policy: "strict-origin-when-cross-origin"
+        permissions_policy:
+          "accelerometer=(), ambient-light-sensor=(), camera=(),
+          display-capture=(), geolocation=(), gyroscope=(), magnetometer=(),
+          microphone=(), payment=(), usb=()"
+        # NOTE: keep in sync with reana-server config.py content security policy headers
+        csp:
+          "default-src 'self'; script-src 'self'; style-src 'self'
+          'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:;
+          font-src 'self' data: https://fonts.gstatic.com; connect-src 'self';
+          frame-ancestors 'none'; object-src 'none'; base-uri 'self';"
   reana_db:
     enabled: true
     image: docker.io/library/postgres:12.13