🏗️ Feature/Reduce container image sizes

README.md

@@ -23,23 +23,23 @@ Unguard is composed of eight microservices written in different languages that t
 
 ![Unguard Architecture](docs/images/unguard-architecture.svg)
 
-| Service                                                    | Language        | Service Account | Description                                                                                                                                 |
-|------------------------------------------------------------|-----------------|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| [envoy-proxy](./src/envoy-proxy)                           |                 | default         | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint.                                                    |
-| [frontend](./src/frontend)                                 | Node.js Express | default         | Serves HTML to the user to interact with the application.                                                                                   |
-| [ad-service](./src/ad-service)                             | .NET 5          | default         | Provide CRUD operation for images and serves a HTML page which displays an image like an ad.                                                |
-| [microblog-service](./src/microblog-service)               | Java Spring     | default         | Serves a REST API for the frontend and saves data into redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9). |
-| [proxy-service](./src/proxy-service)                       | Java Spring     | unguard-proxy   | Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL).                               |
-| [profile-service](./src/profile-service)                   | Java Spring     | default         | Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks                                    |
-| [membership-service](./src/membership-service)             | .NET 7          | default         | Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks                                             |
-| [like-service](./src/like-service)                         | PHP             | default         | Serves REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks                                                |
-| [user-auth-service](./src/user-auth-service)               | Node.js Express | default         | Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion).                                                 |
-| [status-service](./src/status-service)                     | Go              | unguard-status  | Serves REST API for Kubernetes deployments health, as well as a user and user role list (vulnerable to SQL injection)                       |
-| jaeger                                                     |                 | default         | The [Jaeger](https://www.jaegertracing.io/) stack for distributed tracing.                                                                  |
-| mariadb                                                    |                 | unguard-mariadb | Relational database that holds user and token data.                                                                                         |
-| redis                                                      |                 | default         | Key-value store that holds all user data (except authentication-related stuff).                                                             |
-| [user-simulator](./src/user-simulator)                     | Node.js Element | default         | Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator.                                |
-| [malicious-load-generator](./src/malicious-load-generator) |                 | default         | Malicious load generator that makes CMD, JNDI, and SQL injections.                                                                          |
+| Service                                                    | Language            | Service Account | Description                                                                                                                                 |
+|------------------------------------------------------------|---------------------|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| [envoy-proxy](./src/envoy-proxy)                           |                     | default         | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint.                                                    |
+| [frontend](./src/frontend)                                 | Node.js Express     | default         | Serves HTML to the user to interact with the application.                                                                                   |
+| [ad-service](./src/ad-service)                             | .NET 5              | default         | Provide CRUD operation for images and serves a HTML page which displays an image like an ad.                                                |
+| [microblog-service](./src/microblog-service)               | Java Spring         | default         | Serves a REST API for the frontend and saves data into redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9). |
+| [proxy-service](./src/proxy-service)                       | Java Spring         | unguard-proxy   | Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL).                               |
+| [profile-service](./src/profile-service)                   | Java Spring         | default         | Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks                                    |
+| [membership-service](./src/membership-service)             | .NET 7              | default         | Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks                                             |
+| [like-service](./src/like-service)                         | PHP                 | default         | Serves REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks                                                |
+| [user-auth-service](./src/user-auth-service)               | Node.js Express     | default         | Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion).                                                 |
+| [status-service](./src/status-service)                     | Go                  | unguard-status  | Serves REST API for Kubernetes deployments health, as well as a user and user role list (vulnerable to SQL injection)                       |
+| jaeger                                                     |                     | default         | The [Jaeger](https://www.jaegertracing.io/) stack for distributed tracing.                                                                  |
+| mariadb                                                    |                     | unguard-mariadb | Relational database that holds user and token data.                                                                                         |
+| redis                                                      |                     | default         | Key-value store that holds all user data (except authentication-related stuff).                                                             |
+| [user-simulator](./src/user-simulator)                     | Node.js (Puppeteer) | default         | Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator.                                |
+| [malicious-load-generator](./src/malicious-load-generator) |                     | default         | Malicious load generator that makes CMD, JNDI, and SQL injections.                                                                          |
 
 ## Quickstart
 

chart/templates/profile-service.yaml

@@ -67,6 +67,8 @@ spec:
               value: {{ quote .Values.profileService.deployment.container.env.SPRING_DATASOURCE_USERNAME }}
             - name: SPRING_DATASOURCE_PASSWORD
               value: {{ quote .Values.profileService.deployment.container.env.SPRING_DATASOURCE_PASSWORD }}
+            - name: OTEL_LOGS_EXPORTER
+              value: {{ quote .Values.profileService.deployment.container.env.OTEL_LOGS_EXPORTER}}
             - name: OTEL_METRICS_EXPORTER
               value: {{ quote .Values.profileService.deployment.container.env.OTEL_METRICS_EXPORTER }}
             - name: OTEL_RESOURCE_ATTRIBUTES

chart/values.yaml

@@ -80,6 +80,7 @@ profileService:
       ports:
         containerPort: 8080
       env:
+        OTEL_LOGS_EXPORTER: none
         OTEL_METRICS_EXPORTER: none
         OTEL_RESOURCE_ATTRIBUTES: service.name=unguard-profile-service
         OTEL_TRACES_EXPORTER: none

src/ad-service/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/aspnet:5.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:5.0-alpine AS base
 WORKDIR /app
 EXPOSE 8082
 

src/frontend/.dockerignore

@@ -1,2 +1,152 @@
-node_modules
 *.swp
+
+# Created by https://www.gitignore.io/api/node,bower,osx,linux,windows,dropbox,sass,less,grunt,sublimetext,code
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directory
+# https://docs.npmjs.com/misc/faq#should-i-check-my-node-modules-folder-into-git
+node_modules
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history
+
+
+### Bower ###
+bower_components
+.bower-cache
+.bower-registry
+.bower-tmp
+
+
+### OSX ###
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+
+### Linux ###
+*~
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+
+### Windows ###
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+
+### Dropbox ###
+# Dropbox settings and caches
+.dropbox
+.dropbox.attr
+.dropbox.cache
+
+
+### Sass ###
+.sass-cache/
+*.css.map
+
+
+### Less ###
+*.css
+
+
+### grunt ###
+# Grunt usually compiles files inside this directory
+dist/
+
+# Grunt usually preprocesses files such as coffeescript, compass... inside the .tmp directory
+.tmp/
+
+
+### SublimeText ###
+# cache files for sublime text
+*.tmlanguage.cache
+*.tmPreferences.cache
+*.stTheme.cache
+
+# workspace files are user-specific
+*.sublime-workspace
+
+# project files should be checked into the repository, unless a significant
+# proportion of contributors will probably not be using SublimeText
+# *.sublime-project
+
+# sftp configuration file
+sftp-config.json
+
+
+### Code ###
+# Visual Studio Code - https://code.visualstudio.com/
+.settings/
+.vscode/

src/frontend/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:14
+FROM node:14.21.3-slim
 
 # Create app directory
 WORKDIR /usr/src/app

src/membership-service/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/aspnet:7.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:7.0-alpine AS base
 WORKDIR /app
 EXPOSE 8083