From b1dd1a81af482eb147ca9af8f31fcae7d45f52a2 Mon Sep 17 00:00:00 2001
From: Steve Juergens
Date: Tue, 31 Dec 2024 16:00:27 -0500
Subject: [PATCH 1/2] Initial configuration to split configuration to containers
---
 core/files/entrypoint.sh | 19 +++++++++++--
 core/files/entrypoint_fpm.sh | 4 +++
 core/files/entrypoint_k8s_fpm.sh | 27 +++++++++++++++++++
 core/files/entrypoint_k8s_nginx.sh | 10 +++++++
 core/files/entrypoint_nginx.sh | 5 +++-
 .../supervisor/conf.d/10-supervisor.conf.k8s | 21 +++++++++++++++
 6 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 core/files/entrypoint_k8s_fpm.sh
 create mode 100644 core/files/entrypoint_k8s_nginx.sh
 create mode 100644 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 33ee9b6..7545f8c 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -68,5 +68,20 @@ export PHP_SESSION_COOKIE_SAMESITE=${PHP_SESSION_COOKIE_SAMESITE:-Lax}
 export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
 export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
-# start supervisord using the main configuration file so we have a socket interface
-/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
+ case "$CONTAINER_NAME" in
+ nginx*)
+ exec /entrypoint_k8s_nginx.sh
+ ;;
+ php*)
+ exec /entrypoint_k8s_fpm.sh
+ ;;
+ cron*)
+ mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
+ exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+ ;;
+ esac
+else
+ # start supervisord using the main configuration file so we have a socket interface
+ /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+fi
\ No newline at end of file
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index 5afe22f..f231e55 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
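Review bot: The `case "$CONTAINER_NAME" in` added in this hunk has no default arm, so inside Kubernetes a container whose name matches none of `nginx*`, `php*` or `cron*` (or one where CONTAINER_NAME is unset) runs nothing, and the entrypoint presumably ends with status 0 and no diagnostic. Add a guard arm before `esac`: `*) echo "entrypoint: unsupported CONTAINER_NAME '${CONTAINER_NAME}' in Kubernetes mode" >&2; exit 1 ;;`. A comment above the `if` stating how CONTAINER_NAME is expected to be set by the deployment would also help, since nothing in the patch sets it. The exports above the hunk belong to the same top-level script, which starts outside the hunk.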
@@ -60,6 +60,10 @@ change_php_vars() {
 done
 }
+if [ -n "${BASH_SOURCE[0]}" ]; then
+ return
+fi
+
 echo "Configure PHP | Change PHP values ..." && change_php_vars
 echo "Configure PHP | Starting PHP FPM"
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh
new file mode 100644
index 0000000..ba08ddf
--- /dev/null
+++ b/core/files/entrypoint_k8s_fpm.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+source /entrypoint_nginx.sh
+source /entrypoint_fpm.sh
+
+# Initialize MySQL
+echo "INIT | Initialize MySQL ..." && init_mysql
+
+# Initialize MISP
+echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
+echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
+echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
+
+# Run configure MISP script
+echo "INIT | Configure MISP installation ..."
+/configure_misp.sh
+
+if [[ -x /custom/files/customize_misp.sh ]]; then
+ echo "INIT | Customize MISP installation ..."
+ /custom/files/customize_misp.sh
+fi
+
+echo "Configure PHP | Change PHP values ..." && change_php_vars
+
+echo "Configure PHP | Starting PHP FPM"
+exec /usr/sbin/php-fpm8.2 -R -F
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh
new file mode 100644
index 0000000..13638d3
--- /dev/null
+++ b/core/files/entrypoint_k8s_nginx.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+source /entrypoint_nginx.sh
+
+# Initialize nginx
+echo "INIT | Initialize NGINX ..." && init_nginx
+
+# launch nginx as current shell process in container
+exec nginx -g 'daemon off;'
+
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 9c67626..085a703 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
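Review bot: The guard `if [ -n "${BASH_SOURCE[0]}" ]; then return; fi` does not tell being sourced apart from being executed: `BASH_SOURCE[0]` is the script's own path in both cases, so the test is always true and, when the file is run directly, the script only continues because `return` fails outside a function (and, should errexit ever be enabled in this file, that failure would presumably abort the start). The same guard is added to entrypoint_nginx.sh in the `@@ -352,6 +352,9 @@` hunk of this patch. The usual idiom compares the two names, `if [[ "${BASH_SOURCE[0]}" != "$0" ]]; then return; fi`, with a comment such as `# when sourced by the k8s entrypoints only the function definitions are wanted`. change_php_vars closes at the top of this hunk; the file's remaining top-level statements continue outside it.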
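Review bot: Every php replica runs the whole first-boot sequence at startup — `init_mysql`, `init_misp_data_files`, `update_misp_data_files`, `enforce_misp_data_permissions`, `/configure_misp.sh` and the optional `/custom/files/customize_misp.sh` — and the PATCH 2/2 description implies several pods sharing one database and shared files; unless those helpers are idempotent and tolerate concurrent runs, two replicas starting together can race on schema changes and permission fixes. Consider moving the one-time steps into an init container or a Job and leaving only `change_php_vars` and the `exec` here, or at least add a header comment stating the assumption: `# NOTE: assumes init_* and configure_misp.sh are idempotent; every replica runs them on start`. `/custom/files/customize_misp.sh` is executed whenever it is present and executable, so the mount that provides it has to be treated as trusted input; a comment saying so next to the `if [[ -x ... ]]` would help the next reader.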
@@ -210,7 +210,7 @@ flip_nginx() {
 echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
 sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/includes/misp
- if [[ "$reload" = "true" ]]; then
+ if [[ "$reload" = "true" ]] && [[ -z "$KUBERNETES_SERVICE_HOST" ]]; then
 echo "... nginx reloaded"
 nginx -s reload
 fi
@@ -352,6 +352,9 @@ init_nginx() {
 flip_nginx false false
 }
+if [ -n "${BASH_SOURCE[0]}" ]; then
+ return
+fi
 # Initialize MySQL
 echo "INIT | Initialize MySQL ..." && init_mysql
diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
new file mode 100644
index 0000000..296e384
--- /dev/null
+++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
@@ -0,0 +1,21 @@
+[supervisord]
+nodaemon=true
+user=root
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[inet_http_server]
+port=127.0.0.1:9001
+username=supervisor
+password=supervisor
+
+[program:cron]
+command=/entrypoint_cron.sh
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
From 99eb71a4cd11f8c01733758b695a95cb7ce7c044 Mon Sep 17 00:00:00 2001
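Review bot: `[inet_http_server]` binds `127.0.0.1:9001` with the static `username=supervisor` / `password=supervisor`; in Kubernetes all containers of a pod share one network namespace, so this loopback listener is reachable from the nginx container (and anything running in it) too, not only from the container hosting supervisord, and the XML-RPC interface lets a caller start, stop and signal the managed programs. If only local supervisorctl access is needed, prefer a `[unix_http_server]` section with a socket file plus restrictive `chmod`/`chown`; if the inet server must stay, take the credentials from the environment (`password=%(ENV_SUPERVISOR_PASSWORD)s`) instead of committing them. `user=root` under `[supervisord]` also deserves a comment stating why it is required.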
From: Jeremy Huntwork
Date: Wed, 8 Jan 2025 10:00:24 -0500
Subject: [PATCH 2/2] Some additional fixes/changes
- Let the php container run the inet supervisord for the bg workers still
- Properly configure the cron container to exec cron
- Add configuration to optionally change the sock file location for php-fpm, allows us to specify a shared file between containers in a pod
- make new entrypoint files executable
- Set the php config value for `session.cookie_domain` so that it doesn't use the default of ''. When empty it falls back to the hostname which will be different per pod, meaning that each pod will handle session requests separately, which breaks things like OIDC.
---
 core/files/entrypoint.sh | 8 +++++---
 core/files/entrypoint_cron.sh | 5 +++++
 core/files/entrypoint_fpm.sh | 5 +++++
 core/files/entrypoint_k8s_fpm.sh | 3 +--
 core/files/entrypoint_k8s_nginx.sh | 3 ++-
 core/files/entrypoint_nginx.sh | 6 ++++++
 core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s | 9 ---------
 7 files changed, 24 insertions(+), 15 deletions(-)
 mode change 100644 => 100755 core/files/entrypoint_k8s_fpm.sh
 mode change 100644 => 100755 core/files/entrypoint_k8s_nginx.sh
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 7545f8c..bb90cb2 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -74,14 +74,16 @@ if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
 exec /entrypoint_k8s_nginx.sh
 ;;
 php*)
+ # Not ideal, but let supervisord manage the workers still
+ mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
+ /usr/bin/supervisord -c /etc/supervisor/supervisord.conf &
 exec /entrypoint_k8s_fpm.sh
 ;;
 cron*)
- mv /etc/supervisor/conf.d/10-supervisor.conf{.k8s,}
- exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+ exec /entrypoint_cron.sh
 ;;
 esac
 else
 # start supervisord using the main configuration file so we have a socket interface
 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
-fi
\ No newline at end of file
+fi
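Review bot: In the `php*)` arm, `/usr/bin/supervisord ... &` is launched before `exec /entrypoint_k8s_fpm.sh` runs the MySQL/MISP initialization, and nothing ever checks on it: a backgrounded command's failure is invisible to the shell, after the `exec` the shell that started it is gone, and if supervisord (with the workers it manages) exits later the container keeps serving PHP without them. If the supervised programs need an initialized database, start supervisord from entrypoint_k8s_fpm.sh after its init steps, directly before its `exec php-fpm`, and expand the `# Not ideal` comment to name the intended proper fix (for example a separate worker container in the pod). Note also that `mv ...{.k8s,}` is not idempotent, which is fine on a fresh container but fails if this entrypoint is ever re-run inside the same filesystem. The `if`/`case` this arm belongs to opens above the hunk.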
diff --git a/core/files/entrypoint_cron.sh b/core/files/entrypoint_cron.sh
index 66e5bf8..5a2640f 100755
--- a/core/files/entrypoint_cron.sh
+++ b/core/files/entrypoint_cron.sh
@@ -30,6 +30,11 @@ if [[ ! -p /tmp/cronlog ]]; then
 mkfifo -m 777 /tmp/cronlog
 fi
+if [ -n "$KUBERNETES_SERVICE_HOST" ]; then
+ tail -f /tmp/cronlog &
+ exec cron -l -f
+fi
+
 # Build another fifo for the cron pipe
 if [[ ! -p /tmp/cronpipe ]]; then
 mkfifo /tmp/cronpipe
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index f231e55..dbb09f6 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
@@ -28,6 +28,7 @@ change_php_vars() {
 sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
 sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
 sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
+ sed -i "s|session.cookie_domain = .*|session.cookie_domain = ${BASE_URL}|" "$FILE"
 done
 for FILE in /etc/php/*/fpm/pool.d/www.conf
@@ -57,6 +58,10 @@ change_php_vars() {
 echo "Configure PHP | Disabling 'pm.status_listen'"
 sed -i -E "s/^pm.status_listen =/;pm.status_listen =/" "$FILE"
 fi
+ if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
+ echo "Configure PHP | Setting 'listen' to ${PHP_FPM_SOCK_FILE}"
+ sed -i "/^listen =/s@=.*@= ${PHP_FPM_SOCK_FILE}@" "$FILE"
+ fi
 done
 }
diff --git a/core/files/entrypoint_k8s_fpm.sh b/core/files/entrypoint_k8s_fpm.sh
old mode 100644
new mode 100755
index ba08ddf..c12ec83
--- a/core/files/entrypoint_k8s_fpm.sh
+++ b/core/files/entrypoint_k8s_fpm.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 source /entrypoint_nginx.sh
 source /entrypoint_fpm.sh
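Review bot: `tail -f /tmp/cronlog &` followed by `exec cron -l -f` leaves the FIFO's only reader as an unsupervised background process: if `tail` dies, cron jobs writing to /tmp/cronlog presumably have no reader (a later open blocks, an open writer gets SIGPIPE) and nothing restarts it. The early `exec` also means everything after this block — the /tmp/cronpipe setup and whatever follows outside the hunk — never runs in Kubernetes; if that is intended, say so with a comment such as `# k8s: cron is the container's main process; the cronpipe/supervisor hand-off below is not used`. The `mkfifo -m 777 /tmp/cronlog` just above the hunk is pre-existing, but now that the FIFO is the container's log channel it is worth noting that it is world-writable.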
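Review bot: `session.cookie_domain = ${BASE_URL}` writes whatever BASE_URL holds; if, as its name suggests, that is a full URL with a scheme and possibly a port, PHP will emit a `Domain=https://...` attribute that does not domain-match the request host, and browsers will reject the session cookie. Derive the host first, `domain=${BASE_URL#*://}; domain=${domain%%[:/]*}`, substitute `${domain}`, and skip the edit when it is empty (`[[ -n "$domain" ]] && sed -i ...`). The value is also interpolated unescaped into the sed replacement, so a `|` or `&` in it would corrupt the edit — operator-supplied like the neighbouring lines, so low risk, but worth a comment. change_php_vars starts above the hunk.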
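Review bot: Switching `listen =` to the unix socket `${PHP_FPM_SOCK_FILE}` changes who may connect from "any peer reaching the TCP port" to "any process that can open the socket file", yet the hunk sets none of `listen.owner`, `listen.group` or `listen.mode` in www.conf, so access depends on the image's existing values and on the uid/gid the nginx container runs as; if the socket ends up world-writable to make the cross-container connection work, every container with that volume mounted can speak FastCGI to the pool. Set the three directives explicitly next to `listen` (owner/group matching the nginx worker user, mode 0660) or document the expected values in a comment beside the new `sed`. The same unescaped `@`-delimited substitution is used in the entrypoint_nginx.sh hunk `@@ -217,6 +217,12 @@`; a path containing `@` breaks both. change_php_vars starts above the hunk.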
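Review bot: `#!/bin/bash -e` puts errexit in the shebang, where it is lost whenever the file is run as `bash /entrypoint_k8s_fpm.sh` or sourced; the same change is made to entrypoint_k8s_nginx.sh in the `@@ -1,9 +1,10 @@` hunk. Keep the shebang as `#!/bin/bash` and make `set -euo pipefail` (or at least `set -e`) the first statement so the setting does not depend on how the script is invoked. With errexit active, a comment on the `source` lines noting that the sourced files return early via their guard would help a reader understand why sourcing them does not start nginx or php-fpm.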
@@ -10,7 +10,6 @@ echo "INIT | Initialize MySQL ..." && init_mysql
 echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
 echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
 echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
-echo "INIT | Flip NGINX live ..." && flip_nginx true true
 # Run configure MISP script
 echo "INIT | Configure MISP installation ..."
diff --git a/core/files/entrypoint_k8s_nginx.sh b/core/files/entrypoint_k8s_nginx.sh
old mode 100644
new mode 100755
index 13638d3..cc9634c
--- a/core/files/entrypoint_k8s_nginx.sh
+++ b/core/files/entrypoint_k8s_nginx.sh
@@ -1,9 +1,10 @@
-#!/bin/bash
+#!/bin/bash -e
 source /entrypoint_nginx.sh
 # Initialize nginx
 echo "INIT | Initialize NGINX ..." && init_nginx
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
 # launch nginx as current shell process in container
 exec nginx -g 'daemon off;'
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index 085a703..6a1576a 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@@ -217,6 +217,12 @@ flip_nginx() {
 }
 init_nginx() {
+ # Optional location of PHP-FPM sock file
+ if [[ -n "$PHP_FPM_SOCK_FILE" ]]; then
+ echo "... setting 'fastcgi_pass' to unix:${PHP_FPM_SOCK_FILE}"
+ sed -i "s@fastcgi_pass .*;@fastcgi_pass unix:${PHP_FPM_SOCK_FILE};@" /etc/nginx/includes/misp
+ fi
+
 # Adjust timeouts
 echo "... adjusting 'fastcgi_read_timeout' to ${FASTCGI_READ_TIMEOUT}"
 sed -i "s/fastcgi_read_timeout .*;/fastcgi_read_timeout ${FASTCGI_READ_TIMEOUT};/" /etc/nginx/includes/misp
diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
index 296e384..aa929c2 100644
--- a/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
+++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf.k8s
@@ -10,12 +10,3 @@ stderr_logfile_maxbytes=0
 port=127.0.0.1:9001
 username=supervisor
 password=supervisor
-
-[program:cron]
-command=/entrypoint_cron.sh
-autorestart=true
-redirect_stderr=true
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0