From dfc9e020a44c51368f5f2b8c7a22a77b154cb2ab Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:33:03 +0000
Subject: [PATCH 1/9] Initial plan
From ac540619ba50009c84a6887dbe300b4958653e88 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:34:58 +0000
Subject: [PATCH 2/9] Migrate console-plugin Dockerfile from httpd-24 to nginx-120
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/Dockerfile | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/containers/console-plugin/Dockerfile b/containers/console-plugin/Dockerfile
index edd9144d1..4c11bbcef 100644
--- a/containers/console-plugin/Dockerfile
+++ b/containers/console-plugin/Dockerfile
@@ -33,17 +33,16 @@ RUN $YARN build
 ####################################################################################################
-FROM registry.redhat.io/rhel9/httpd-24
+FROM registry.redhat.io/ubi9/nginx-120
 USER root
 RUN chown -R 1001:0 /opt/app-root/src
 USER 1001
 RUN chmod g+rwx /opt/app-root/src
-RUN mkdir -p /var/www/html
-COPY --from=builder /workspace/gitops-console-plugin/ssl.conf /etc/httpd/conf.d
-COPY --from=builder /workspace/gitops-console-plugin/dist /var/www/html/plugin
+RUN mkdir -p /opt/app-root/src/plugin
+COPY --from=builder /workspace/gitops-console-plugin/dist /opt/app-root/src/plugin
-CMD run-httpd
+CMD nginx -g 'daemon off;'
 LABEL \
 name="openshift-gitops-1/gitops-console-plugin-rhel9" \
From 4e55eaa31241e251f4af24ca43664c5c860f9d8c Mon Sep 17 00:00:00 2001
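Review bot: The `RUN chown -R 1001:0 /opt/app-root/src` and `RUN chmod g+rwx` steps run before the new `COPY --from=builder ... /opt/app-root/src/plugin`, and `COPY` writes files as root regardless of the active `USER`, so the plugin directory is not covered by that ownership fix; if 1001:0 ownership is intended to apply to it, use `COPY --chown=1001:0 --from=builder /workspace/gitops-console-plugin/dist /opt/app-root/src/plugin`. The replacement `CMD nginx -g 'daemon off;'` is the shell form, so whether SIGTERM from the kubelet reaches nginx directly depends on the shell exec'ing the command; the exec form `CMD ["nginx", "-g", "daemon off;"]` removes that dependency. Dropping `ssl.conf` in this commit leaves this revision serving whatever the base image's default listener is until the nginx configuration added later in the series lands, so the series should not be merged partially.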
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:36:09 +0000
Subject: [PATCH 3/9] Address code review: Remove unnecessary mkdir and add nginx config comment
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/containers/console-plugin/Dockerfile b/containers/console-plugin/Dockerfile
index 4c11bbcef..33d9ae543 100644
--- a/containers/console-plugin/Dockerfile
+++ b/containers/console-plugin/Dockerfile
@@ -39,9 +39,9 @@ RUN chown -R 1001:0 /opt/app-root/src
 USER 1001
 RUN chmod g+rwx /opt/app-root/src
-RUN mkdir -p /opt/app-root/src/plugin
 COPY --from=builder /workspace/gitops-console-plugin/dist /opt/app-root/src/plugin
+# Default nginx configuration is used to serve static plugin files
 CMD nginx -g 'daemon off;'
 LABEL \
From dd62fc42d439b209d2c9641950bd193186c36105 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:38:02 +0000
Subject: [PATCH 4/9] Maintain /plugin path structure for nginx serving
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/containers/console-plugin/Dockerfile b/containers/console-plugin/Dockerfile
index 33d9ae543..71d3f59fd 100644
--- a/containers/console-plugin/Dockerfile
+++ b/containers/console-plugin/Dockerfile
@@ -39,9 +39,9 @@ RUN chown -R 1001:0 /opt/app-root/src
 USER 1001
 RUN chmod g+rwx /opt/app-root/src
+# Copy plugin files to maintain /plugin path structure
 COPY --from=builder /workspace/gitops-console-plugin/dist /opt/app-root/src/plugin
-# Default nginx configuration is used to serve static plugin files
 CMD nginx -g 'daemon off;'
 LABEL \
From 3a0edeba5f811dfcd254c808fc0c940161489642 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:45:07 +0000
Subject: [PATCH 5/9] Add nginx SSL configuration matching original httpd setup
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/Dockerfile | 3 ++
 containers/console-plugin/nginx.conf | 58 ++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 containers/console-plugin/nginx.conf
diff --git a/containers/console-plugin/Dockerfile b/containers/console-plugin/Dockerfile
index 71d3f59fd..20b913a72 100644
--- a/containers/console-plugin/Dockerfile
+++ b/containers/console-plugin/Dockerfile
@@ -39,6 +39,9 @@ RUN chown -R 1001:0 /opt/app-root/src
 USER 1001
 RUN chmod g+rwx /opt/app-root/src
+# Copy custom nginx configuration for HTTPS support
+COPY containers/console-plugin/nginx.conf /etc/nginx/conf.d/console-plugin.conf
+
 # Copy plugin files to maintain /plugin path structure
 COPY --from=builder /workspace/gitops-console-plugin/dist /opt/app-root/src/plugin
diff --git a/containers/console-plugin/nginx.conf b/containers/console-plugin/nginx.conf
new file mode 100644
index 000000000..398cacae3
--- /dev/null
+++ b/containers/console-plugin/nginx.conf
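Review bot: The configuration copied to `/etc/nginx/conf.d/console-plugin.conf` references `/etc/nginx/tls/tls.crt` and `tls.key`, and nothing in this Dockerfile creates that path, so nginx will refuse to start unless a Secret is mounted there at runtime; that runtime contract belongs next to the `COPY`, e.g. `# Requires a TLS Secret mounted at /etc/nginx/tls (tls.crt, tls.key); nginx fails to start without it`. Whether the base image's own default server block (its plain-HTTP listener) stays active alongside this one depends on the image's stock `nginx.conf`, which is not visible here; if it does, the plugin tree is also reachable over plain HTTP and that listener should be disabled or documented as intentional. The `COPY` happens while `USER 1001` is active, which works only because `COPY` runs as root, so a brief comment to that effect would prevent a future "fix" from moving it above `USER root`.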
@@ -0,0 +1,58 @@
+# nginx configuration for GitOps Console Plugin
+# Configured to serve over HTTPS on port 8443, matching the original httpd setup
+
+server {
+ listen 8443 ssl default_server;
+ listen [::]:8443 ssl default_server;
+ server_name _;
+
+ # Document root - nginx serves from /opt/app-root/src
+ root /opt/app-root/src;
+ index index.html;
+
+ # SSL certificate configuration
+ # Certificates should be mounted at runtime (e.g., via Secret volume mount)
+ ssl_certificate /etc/nginx/tls/tls.crt;
+ ssl_certificate_key /etc/nginx/tls/tls.key;
+
+ # SSL protocols and ciphers - secure defaults
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
+
+ # SSL session configuration
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # Logging to stdout/stderr for container logging
+ access_log /dev/stdout combined;
+ error_log /dev/stderr warn;
+
+ # Serve plugin files - maintains /plugin path structure
+ location /plugin/ {
+ alias /opt/app-root/src/plugin/;
+ try_files $uri $uri/ =404;
+
+ # Cache control for static assets
+ expires 1h;
+ add_header Cache-Control "public, max-age=3600";
+ }
+
+ # Default location
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ # Security headers
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # Health check endpoint
+ location /healthz {
+ access_log off;
+ return 200 "healthy\n";
+ add_header Content-Type text/plain;
+ }
+}
From 812b404b608840b155e35f8c41316858236408f0 Mon Sep 17 00:00:00 2001
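Review bot: In `location /healthz`, `add_header Content-Type text/plain;` appends a second `Content-Type` header rather than replacing the one nginx derives from `default_type` for a `return` body, so clients may see two conflicting values; the correct directive is `default_type text/plain;` inside that location. In `location /plugin/`, `alias /opt/app-root/src/plugin/` resolves to exactly what `root /opt/app-root/src` plus the `/plugin/` prefix already yields, so the `alias` line is redundant, and combining `alias` with `try_files $uri` is a well-known nginx footgun; dropping the `alias` line keeps behaviour and avoids it. `location /` with `try_files $uri $uri/ =404` serves the whole `/opt/app-root/src` tree, which the Dockerfile makes group-writable, not just the plugin output; unless something outside the plugin directory is meant to be served, `location / { return 404; }` limits exposure to `/plugin/` and `/healthz`.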
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:45:52 +0000
Subject: [PATCH 6/9] Address code review: Improve nginx SSL config and security headers
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/containers/console-plugin/nginx.conf b/containers/console-plugin/nginx.conf
index 398cacae3..5052d17c4 100644
--- a/containers/console-plugin/nginx.conf
+++ b/containers/console-plugin/nginx.conf
@@ -21,7 +21,7 @@ server {
 ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
 # SSL session configuration
- ssl_session_cache shared:SSL:10m;
+ ssl_session_cache shared:SSL:20m;
 ssl_session_timeout 10m;
 # Logging to stdout/stderr for container logging
@@ -34,7 +34,6 @@ server {
 try_files $uri $uri/ =404;
 # Cache control for static assets
- expires 1h;
 add_header Cache-Control "public, max-age=3600";
 }
@@ -48,6 +47,7 @@ server {
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always;
 # Health check endpoint
 location /healthz {
From 1b11241bfdc479a173b9dcc33aede203820676a3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:46:41 +0000
Subject: [PATCH 7/9] Use modern Mozilla Intermediate cipher suite and document CSP requirements
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/nginx.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
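Review bot: The added `Content-Security-Policy` header only governs a document that a browser renders from this server's response; it has no effect on a JavaScript bundle or manifest that another document fetches, which is presumably how the console consumes the files under `/plugin/` (the console's own CSP governs that execution). So the policy as written mostly matters for anything served directly from `location /`, and there `script-src 'self' 'unsafe-inline' 'unsafe-eval'` leaves little of the script protection intact, while `img-src ... https:` and `connect-src 'self' https:` allow any HTTPS origin. A comment stating the actual scope would stop readers from treating it as protection for the plugin code, e.g. `# Applies only to documents rendered directly from this server; plugin bundles loaded by the console are governed by the console's CSP`. The enclosing `server` block starts and ends outside this hunk.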
diff --git a/containers/console-plugin/nginx.conf b/containers/console-plugin/nginx.conf
index 5052d17c4..80718fab3 100644
--- a/containers/console-plugin/nginx.conf
+++ b/containers/console-plugin/nginx.conf
@@ -15,10 +15,11 @@ server {
 ssl_certificate /etc/nginx/tls/tls.crt;
 ssl_certificate_key /etc/nginx/tls/tls.key;
- # SSL protocols and ciphers - secure defaults
+ # SSL protocols and ciphers - modern secure defaults
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
- ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
+ # Mozilla Intermediate compatibility cipher suite
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 # SSL session configuration
 ssl_session_cache shared:SSL:20m;
@@ -47,6 +48,7 @@ server {
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ # Content-Security-Policy: 'unsafe-inline' and 'unsafe-eval' are required for OpenShift Console Plugin compatibility
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always;
 # Health check endpoint
From 0e948dce664278acb81942e45e566f677db68d61 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:47:46 +0000
Subject: [PATCH 8/9] Fix nginx add_header behavior and remove deprecated X-XSS-Protection
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/nginx.conf | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
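Review bot: The cipher list is labelled as the Mozilla Intermediate profile, but that profile pairs it with `ssl_prefer_server_ciphers off;` and `ssl_session_tickets off;`, and this hunk keeps `ssl_prefer_server_ciphers on;` unchanged two lines above; change it to `ssl_prefer_server_ciphers off;` and add `ssl_session_tickets off;` next to the session-cache settings if the intent is to follow that profile. The two `DHE-RSA-*` entries at the end of the list will not be negotiated at all, because nginx sets no DH parameters unless `ssl_dhparam` is configured and none is here; either add `ssl_dhparam` with the profile's ffdhe2048 group or drop those suites so the list says what it does. Note also that `ssl_ciphers` does not govern TLS 1.3 suites, so the comment should not imply it covers `TLSv1.3`. The enclosing `server` block starts and ends outside this hunk.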
diff --git a/containers/console-plugin/nginx.conf b/containers/console-plugin/nginx.conf
index 80718fab3..e6901e8d5 100644
--- a/containers/console-plugin/nginx.conf
+++ b/containers/console-plugin/nginx.conf
@@ -35,22 +35,28 @@ server {
 try_files $uri $uri/ =404;
 # Cache control for static assets
- add_header Cache-Control "public, max-age=3600";
+ add_header Cache-Control "public, max-age=3600" always;
+
+ # Security headers - must be repeated in location blocks with add_header
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ # Content-Security-Policy: 'unsafe-inline' and 'unsafe-eval' are required for OpenShift Console Plugin compatibility
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always;
 }
 # Default location
 location / {
 try_files $uri $uri/ =404;
+
+ # Security headers
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ # Content-Security-Policy: 'unsafe-inline' and 'unsafe-eval' are required for OpenShift Console Plugin compatibility
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always;
 }
- # Security headers
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- # Content-Security-Policy: 'unsafe-inline' and 'unsafe-eval' are required for OpenShift Console Plugin compatibility
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:;" always;
-
 # Health check endpoint
 location /healthz {
 access_log off;
From 0d477a778ecab6a0cf72f9d0fbc8360ee1a8c561 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:48:34 +0000
Subject: [PATCH 9/9] Add comments explaining build context and nginx add_header behavior
Co-authored-by: svghadi <61187612+svghadi@users.noreply.github.com>
---
 containers/console-plugin/Dockerfile | 1 +
 containers/console-plugin/nginx.conf | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/containers/console-plugin/Dockerfile b/containers/console-plugin/Dockerfile
index 20b913a72..f0ca00c44 100644
--- a/containers/console-plugin/Dockerfile
+++ b/containers/console-plugin/Dockerfile
@@ -40,6 +40,7 @@ USER 1001
 RUN chmod g+rwx /opt/app-root/src
 # Copy custom nginx configuration for HTTPS support
+# Note: Build context is repository root, so full path is required
 COPY containers/console-plugin/nginx.conf /etc/nginx/conf.d/console-plugin.conf
 # Copy plugin files to maintain /plugin path structure
diff --git a/containers/console-plugin/nginx.conf b/containers/console-plugin/nginx.conf
index e6901e8d5..7521d98c5 100644
--- a/containers/console-plugin/nginx.conf
+++ b/containers/console-plugin/nginx.conf
@@ -29,6 +29,9 @@ server {
 access_log /dev/stdout combined;
 error_log /dev/stderr warn;
+ # Note: Security headers are repeated in each location block because nginx's add_header
+ # directive in a child context completely overrides parent context headers
+
 # Serve plugin files - maintains /plugin path structure
 location /plugin/ {
 alias /opt/app-root/src/plugin/;
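Review bot: The only reason the four security headers now have to be copied verbatim into both `location /plugin/` and `location /` is the `add_header Cache-Control` line in `/plugin/`, which stops the server-level `add_header` set from being inherited; the `expires 1h;` that the previous commit removed sets `Cache-Control: max-age=3600` through the expires module instead of `add_header`, so restoring it (and dropping the `add_header Cache-Control` line) would let the headers live once at server level, at the cost of the `public` token, which a private-origin static server does not need. If `public` must stay, the duplicated block should at least move to one snippet file that each location `include`s, so the two copies of the long CSP string cannot drift apart. `location /healthz`, whose body is visible but unchanged here, now receives none of these headers; that is acceptable for a health endpoint but is worth a one-line comment so it is not reported as an omission. The enclosing `server` block starts and ends outside this hunk.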