diff --git a/build_registry.sh b/build_registry.sh
index 633aef44..3dc7e78a 100755
--- a/build_registry.sh
+++ b/build_registry.sh
@@ -19,7 +19,7 @@
 # This can be useful if developing components within this repository (such as the index server or build tools)
 # and want to test all of the components together
 shopt -s expand_aliases
-set -eux
+set -ex
 
 # Set base registry support directory
 BASE_DIR=$(dirname $0)
@@ -28,7 +28,7 @@ BASE_DIR=$(dirname $0)
 . ${BASE_DIR}/setenv.sh
 
 # Build the index server base image
-. ${BASE_DIR}/index/server/build.sh
+ENABLE_HTTP2=${ENABLE_HTTP2} . ${BASE_DIR}/index/server/build.sh
 
 # Build the test devfile registry image
 docker build -t devfile-index:latest -f ${BASE_DIR}/.ci/Dockerfile ${BASE_DIR}
diff --git a/index/server/Dockerfile b/index/server/Dockerfile
index 1e6333ee..9d1fad0b 100644
--- a/index/server/Dockerfile
+++ b/index/server/Dockerfile
@@ -40,6 +40,10 @@ RUN set -x ; \
 # Modify the permissions on the necessary files to allow the container to properly run as a non-root UID
 RUN mkdir -p /www/data && chmod -R g+rwx /www/data
 
+# disable http/2 on the index server by default
+ARG ENABLE_HTTP2=false
+ENV ENABLE_HTTP2=${ENABLE_HTTP2}
+
 # Set env vars for the locations of the devfile stacks and index.json
 ENV DEVFILE_STACKS /registry/stacks
 ENV DEVFILE_SAMPLES /registry/samples
diff --git a/index/server/README.md b/index/server/README.md
index e678e6d1..7d3d5be4 100644
--- a/index/server/README.md
+++ b/index/server/README.md
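Review bot: The first build_registry.sh hunk drops `-u` from `set -eux` for the whole script, apparently so the new `${ENABLE_HTTP2}` reference in the second hunk survives when the variable is unset; a default expansion on that one reference, `ENABLE_HTTP2=${ENABLE_HTTP2:-false} . ${BASE_DIR}/index/server/build.sh`, keeps the unset-variable guard for everything else. As written, an unset variable expands to an empty `ENABLE_HTTP2=`, which index/server/build.sh then forwards as `--build-arg ENABLE_HTTP2=` and so replaces the Dockerfile's `ARG ENABLE_HTTP2=false` default with an empty string rather than leaving it alone; the server happens to map the empty value to disabled, but the default is better kept in one place. The build.sh hunk below would take the same `${ENABLE_HTTP2:-false}` form.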
@@ -12,26 +12,26 @@ Edit the OpenAPI spec `openapi.yaml`, under `paths` you can define your endpoint ```yaml paths: - /foo: - get: - summary: - description: - # 'serveFoo' points to handler function 'ServeFoo' - operationId: serveFoo - parameters: # the OpenAPI specifications of the endpoint parameters - # spec for passing a bar query parameter /foo?bar= - - name: bar - in: query - description: - required: false - schema: - type: string - responses: # the OpenAPI specifications for the endpoint responses - default: - description: - content: - # Content type(s) - text/html: {} + /foo: + get: + summary: + description: + # 'serveFoo' points to handler function 'ServeFoo' + operationId: serveFoo + parameters: # the OpenAPI specifications of the endpoint parameters + # spec for passing a bar query parameter /foo?bar= + - name: bar + in: query + description: + required: false + schema: + type: string + responses: # the OpenAPI specifications for the endpoint responses + default: + description: + content: + # Content type(s) + text/html: {} ``` See [swagger.io/docs](https://swagger.io/docs/specification/paths-and-operations) for more information. 
@@ -72,20 +72,27 @@ bash push.sh quay.io/someuser/devfile-index-base ### Source Generation -Index server build uses the CLI tool `oapi-codegen` to generate the schema types `pkg/server/types.gen.go` and endpoint definition `pkg/server/endpoint.gen.go` sources. When changing the OpenAPI specification, such as [defining endpoints](#defining-endpoints), it is required to regenerate these changes into the source. +Index server build uses the CLI tool `oapi-codegen` to generate the schema types `pkg/server/types.gen.go` and endpoint definition `pkg/server/endpoint.gen.go` sources. When changing the OpenAPI specification, such as [defining endpoints](#defining-endpoints), it is required to regenerate these changes into the source. -The source generation can be done by manually building the index server with: +The source generation can be done by manually building the index server with: ```bash bash build.sh ``` + or to just generate the source files by running: ```bash bash codegen.sh ``` -**Important**: When committing to this repository, it is *required* to include the up to date source generation in your pull requests. Not including up to date source generation will lead to the PR check to fail. +**Important**: When committing to this repository, it is _required_ to include the up to date source generation in your pull requests. Not including up to date source generation will lead to the PR check to fail. + +### Enabling HTTP/2 on the Index Server + +By default, http/2 on the index server is disabled due to [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3). + +If you want to enable http/2, build with `ENABLE_HTTP2=true bash build.sh`. ## Testing @@ -104,4 +111,4 @@ go test ./... **Environment Variables** - `DEVFILE_REGISTRY`: Optional environment variable for specifying testing registry path - - default: `../../tests/registry` + - default: `../../tests/registry` 
diff --git a/index/server/build.sh b/index/server/build.sh index 6e5841fe..7dcb71ea 100755 --- a/index/server/build.sh +++ b/index/server/build.sh @@ -22,4 +22,4 @@ buildfolder="$(realpath $(dirname ${BASH_SOURCE[0]}))" bash ${buildfolder}/codegen.sh # Build the index server -docker build -t devfile-index-base:latest $buildfolder +docker build -t devfile-index-base:latest --build-arg ENABLE_HTTP2=${ENABLE_HTTP2} $buildfolder diff --git a/index/server/pkg/server/index.go b/index/server/pkg/server/index.go index 3a580c29..3caab214 100644 --- a/index/server/pkg/server/index.go +++ b/index/server/pkg/server/index.go @@ -16,10 +16,12 @@ package server import ( + "crypto/tls" "encoding/json" "io/ioutil" "log" "net/http" + "os" "time" "github.com/prometheus/client_golang/prometheus" @@ -67,6 +69,13 @@ func ServeRegistry() { handler := http.NewServeMux() handler.Handle("/metrics", promhttp.Handler()) prometheus.MustRegister(getIndexLatency) + + // Retrieve the option to enable HTTP2 + enableHTTP2 := os.Getenv("ENABLE_HTTP2") + if enableHTTP2 == "" { + enableHTTP2 = "false" + } + indexServer := &http.Server{ Addr: ":7071", Handler: handler, @@ -74,6 +83,16 @@ func ServeRegistry() { WriteTimeout: 10 * time.Second, } + // Disable HTTP2 by default + if enableHTTP2 == "false" { + indexServer.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) + } + + // Disable HTTP2 by default + if enableHTTP2 == "false" { + indexServer.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) + } + go indexServer.ListenAndServe() // Wait until registry is up and running
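Review bot: In the third index.go hunk the guard `if enableHTTP2 == "false"` fails open: any value other than the literal string "false" (`0`, `no`, `FALSE`, a typo) leaves HTTP/2 enabled, so the CVE-2023-44487 mitigation the commit documents should disable unless the value parses as true, which also makes the `== ""` normalisation in the second hunk unnecessary. The same block is pasted twice back to back; one copy is enough. Separately, `TLSNextProto` is only consulted for TLS connections, and the server is started with the plaintext `indexServer.ListenAndServe()` on which net/http does not negotiate HTTP/2, so the assignment changes nothing for this listener; if it is meant as a safeguard for a future TLS listener, say so in the comment, e.g. `// Disable HTTP/2 (ALPN h2) unless ENABLE_HTTP2 parses as true; only consulted on TLS listeners`. The rewrite below needs `"strconv"` added in the import hunk; ServeRegistry continues outside the hunk.
```go
	// Retrieve the option to enable HTTP/2; anything that does not parse as true keeps it disabled
	enableHTTP2, err := strconv.ParseBool(os.Getenv("ENABLE_HTTP2"))
	if err != nil {
		enableHTTP2 = false
	}

	// … unchanged: indexServer := &http.Server{ … } …

	// Disable HTTP/2 (ALPN h2) unless ENABLE_HTTP2 parses as true; only consulted on TLS listeners
	if !enableHTTP2 {
		indexServer.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
	}
```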