fix: sets correct permissions for the non-root user
psanders committed Jun 20, 2023
1 parent 7203af9 commit d0db749
Showing 6 changed files with 41 additions and 6 deletions.
8 changes: 7 additions & 1 deletion mods/pgdata/Dockerfile
@@ -13,6 +13,7 @@ WORKDIR /scripts
COPY .scripts/generate-certs.sh /generate-certs.sh
COPY mods/pgdata .

# Todo: We need to normalize user id and group id across all images
RUN chmod +x /generate-certs.sh \
&& apk add --no-cache openssl git tini nodejs npm python3 make cmake g++ \
&& npm pack \
@@ -22,7 +23,12 @@ RUN chmod +x /generate-certs.sh \
&& npx prisma generate \
&& ln -s /usr/local/bin/run_pgdata /usr/local/bin/run \
&& apk del git python3 make cmake g++ npm \
&& rm -rf /scripts /var/cache/apk/* /tmp/* /var/tmp/*
&& mkdir -p $PATH_TO_CERTS \
&& chown -R 1000:3000 $PATH_TO_CERTS \
&& chmod 700 $PATH_TO_CERTS \
&& rm -rf /scripts /var/cache/apk/* /tmp/* /var/tmp/*

USER 1000:3000

# Re-mapping the signal from 143 to 0
ENTRYPOINT ["tini", "-v", "-e", "143", "--"]
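Review bot: The certificate directory is tied to one hard-coded identity, written twice in the second hunk: `chown -R 1000:3000 $PATH_TO_CERTS` with `chmod 700`, and again in `USER 1000:3000`. The Helm templates in this same commit take `runAsUser`/`runAsGroup`/`fsGroup` from values, so if the chart runs this image under any other UID the process would presumably lose access to its certificates, because mode 700 grants the group nothing. I would declare the IDs once (`ARG RUN_UID=1000`, `ARG RUN_GID=3000`), reuse them in both `chown` and `USER`, and quote the path as `"$PATH_TO_CERTS"`. `PATH_TO_CERTS` is not set anywhere in the visible hunks, so confirm it is defined before this `RUN`, which itself begins in the previous hunk.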
4 changes: 2 additions & 2 deletions ops/charts/connect/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: routr-connect
description: Routr Connect Helm Chart
type: application
version: 0.1.5
appVersion: 2.1.2
version: 0.1.6
appVersion: 2.1.3
dependencies:
- name: postgresql
version: 12.1.15
2 changes: 1 addition & 1 deletion ops/charts/connect/templates/NOTES.txt
@@ -1 +1 @@
1. Get the application URL by running these commands:
Success!
13 changes: 13 additions & 0 deletions ops/charts/connect/templates/apiserver/deployment.yaml
@@ -25,6 +25,17 @@ spec:
runAsUser: {{ .Values.apiserver.securityContext.runAsUser }}
runAsGroup: {{ .Values.apiserver.securityContext.runAsGroup }}
fsGroup: {{ .Values.apiserver.securityContext.fsGroup }}
initContainers:
- name: wait-for-database
image: "{{ .Values.apiserver.migrationsImage.repository }}:{{ .Values.apiserver.migrationsImage.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.apiserver.migrationsImage.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |
until pg_isready -h {{ .Release.Name }}-postgresql.{{ .Release.Namespace }} -p 5432 -U {{ .Values.postgresql.auth.username }} >/dev/null 2>&1; do
echo "Waiting for the database..."
sleep 2
done
containers:
- name: apiserver
image: "{{ .Values.apiserver.image.repository }}:{{ .Values.apiserver.image.tag | default .Chart.AppVersion }}"
@@ -47,6 +58,8 @@ spec:
value: {{ .Values.global.otlExporter }}
ports:
- containerPort: 51907
# External port for the API server
- containerPort: 51908
resources:
{{- if .Values.apiserver.resources.limits }}
limits:
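Review bot: The `wait-for-database` init container added in the first hunk retries forever and sends all `pg_isready` output to `/dev/null`, so a wrong host, a database that never starts, or a `pg_isready` binary missing from the migrations image would all look like "still waiting" and leave the pod in Init indefinitely. Bound the loop and let the last error reach the log, as sketched below. `{{ .Values.postgresql.auth.username }}` is also pasted unquoted into a `/bin/sh -c` script, so a value containing spaces or shell metacharacters changes the command; pipe it through `squote`. The same block is added in `templates/apiserver/migration.yaml`, where, as a post-install/post-upgrade hook, it would hold the Helm operation until its timeout.

```yaml
args:
  - |
    # Fail after ~2 minutes instead of waiting forever.
    tries=0
    until pg_isready -h {{ .Release.Name }}-postgresql.{{ .Release.Namespace }} -p 5432 -U {{ .Values.postgresql.auth.username | squote }}; do
      tries=$((tries + 1))
      if [ "$tries" -ge 60 ]; then
        echo "Database not reachable after $tries attempts" >&2
        exit 1
      fi
      echo "Waiting for the database..."
      sleep 2
    done
# … unchanged: containers, env, ports …
```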
13 changes: 12 additions & 1 deletion ops/charts/connect/templates/apiserver/migration.yaml
@@ -8,6 +8,17 @@ metadata:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded
spec:
initContainers:
- name: wait-for-database
image: "{{ .Values.apiserver.migrationsImage.repository }}:{{ .Values.apiserver.migrationsImage.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.apiserver.migrationsImage.pullPolicy }}
command: ["/bin/sh", "-c"]
args:
- |
until pg_isready -h {{ .Release.Name }}-postgresql.{{ .Release.Namespace }} -p 5432 -U {{ .Values.postgresql.auth.username }} >/dev/null 2>&1; do
echo "Waiting for the database..."
sleep 2
done
containers:
- name: migrations
image: "{{ .Values.apiserver.migrationsImage.repository }}:{{ .Values.apiserver.migrationsImage.tag | default .Chart.AppVersion }}"
@@ -17,4 +28,4 @@ spec:
name: {{ .Release.Name }}-routr-database-url
restartPolicy: Never
terminationGracePeriodSeconds: 0
{{- end }}
{{- end }}
7 changes: 6 additions & 1 deletion ops/charts/connect/templates/apiserver/service.yaml
@@ -12,8 +12,13 @@ metadata:
service: apiserver
spec:
ports:
- port: 51907
- name: internal
port: 51907
targetPort: 51907
# External secure port
- name: external
port: 51908
targetPort: 51908
selector:
{{- include ".helm.selectorLabels" . | nindent 4 }}
service: apiserver
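Review bot: The new `external` port 51908 is added to the same Service as the `internal` port 51907, so anything that makes this Service reachable from outside the cluster exposes both ports. The Service `type` is not visible in this hunk, so whether that happens today cannot be told from here. The comment `# External secure port` also does not say what makes the port secure. I would put the external port on its own Service, or gate it behind a values flag, and expand the comment to something like `# external: client-facing API port; TLS expected (confirm)`. The start of the manifest is outside the hunk.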
