# Hubble UI frontend = nginx reverse proxy. The vulnerable artifact of
# CVE-2025-23047 is the nginx config rendered from Cilium's
# install/kubernetes/cilium/templates/hubble-ui/_nginx.tpl (v1.16.5, affected
# range v1.16.0-v1.16.5). We pin a specific nginx base and drop in that exact
# rendered config UNMODIFIED, plus a co-located stub /api backend.
# Base image is fixed to one nginx release. The tag is not digest-pinned, so a
# re-pushed tag would change the build; append @sha256:<digest-you-validated>
# when the reproduction has to stay bit-stable.
FROM nginx:1.27.3-bookworm

# All root-only filesystem preparation happens in one layer:
#   - python3 runs the stub /api backend that sits beside nginx, mirroring the
#     co-location in the real hubble-ui frontend pod. uuid-runtime is installed
#     with it (its consumer is not visible in this file).
#   - /app is the static document root the rendered config names (root /app;).
#   - the stock default.conf is removed, so the hubble-ui server block copied
#     in below is the only file this build leaves in conf.d.
# The apt package index is deleted in the same layer that downloaded it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        python3 \
        uuid-runtime \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir -p /app \
    && rm -f /etc/nginx/conf.d/default.conf

# Page served from the document root.
COPY config/index.html /app/index.html

# Rendered hubble-ui server block for CVE-2025-23047, taken from the v1.16.5
# template render and installed without edits. Keeping it byte-for-byte lets
# scanner rules, detections and a patched render be diffed against it.
# NOTE(review): the public advisory for this CVE describes an over-permissive
# CORS response header in this server block; confirm that against
# config/nginx.conf.vulnerable, which is not visible here.
COPY config/nginx.conf.vulnerable /etc/nginx/conf.d/hubble-ui.conf

# Stub backend and the launcher script, both marked executable after the copy.
COPY config/backend.py /opt/backend.py
COPY config/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /opt/backend.py /usr/local/bin/entrypoint.sh

# EXPOSE only documents the port; nothing is published until the container is
# run with an explicit port mapping. Presumably 8081 is the listen port of the
# rendered config; confirm against the config file.
# No USER instruction is set, so the entrypoint starts as root.
EXPOSE 8081
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
