diff --git a/helm/gohoarder/templates/deployment-frontend.yaml b/helm/gohoarder/templates/deployment-frontend.yaml
index 5d91921..97dbe60 100644
--- a/helm/gohoarder/templates/deployment-frontend.yaml
+++ b/helm/gohoarder/templates/deployment-frontend.yaml
@@ -26,7 +26,30 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ fsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ initContainers:
+ - name: copy-static-files
+ image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
+ command: ['sh', '-c']
+ args:
+ - |
+ # Copy built frontend files to writable volume
+ cp -rp /usr/share/nginx/html/* /html/
+ # Copy nginx config to writable volume
+ cp -rp /etc/nginx/conf.d/* /conf/
+ volumeMounts:
+ - name: nginx-html
+ mountPath: /html
+ - name: nginx-conf
+ mountPath: /conf
+ securityContext:
+ runAsUser: 101
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 containers:
 - name: frontend
 securityContext:
@@ -35,6 +58,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: false
+ runAsUser: 101
 image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.frontend.pullPolicy }}
 ports:
@@ -64,6 +88,10 @@ spec:
 mountPath: /var/cache/nginx
 - name: nginx-run
 mountPath: /var/run
+ - name: nginx-html
+ mountPath: /usr/share/nginx/html
+ - name: nginx-conf
+ mountPath: /etc/nginx/conf.d
 volumes:
 - name: tmp
 emptyDir: {}
@@ -71,6 +99,10 @@ spec:
 emptyDir: {}
 - name: nginx-run
 emptyDir: {}
+ - name: nginx-html
+ emptyDir: {}
+ - name: nginx-conf
+ emptyDir: {}
 {{- with .Values.frontend.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm/gohoarder/templates/deployment-scanner.yaml b/helm/gohoarder/templates/deployment-scanner.yaml
index 61e8287..6edb27f 100644
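Review bot: The copy-static-files script runs two `cp` commands under `sh -c` without `set -e`, so a failed html copy is masked whenever the second copy succeeds and the pod then starts nginx against an empty `/usr/share/nginx/html`; begin the block scalar with `set -eu` so the init container fails visibly instead. The init container also has no `imagePullPolicy`, while the frontend container below takes it from `.Values.image.frontend.pullPolicy`, so the two can resolve the same mutable tag to different image contents; add `imagePullPolicy: {{ .Values.image.frontend.pullPolicy }}` next to its `image:`. Replacing `toYaml .Values.podSecurityContext` with a hard-coded `fsGroup`/`runAsUser: 101` silently drops the values-file override; if that is intended, the now-unused `podSecurityContext` value should be documented as no longer applying to this deployment so operators do not expect it to take effect.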
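Review bot: `readOnlyRootFilesystem: false` is kept on the frontend container (the context line directly above the added `runAsUser: 101`) even though this commit moves `/usr/share/nginx/html` and `/etc/nginx/conf.d` onto emptyDir volumes next to the existing `/var/cache/nginx`, `/var/run` and tmp mounts; assuming nginx writes nowhere else, that is exactly what makes `readOnlyRootFilesystem: true` possible, and flipping it is the main payoff of the new init container. If some other path still needs to be writable, a comment naming it beside the `false` would stop the next reader from treating the flag as an oversight. The `runAsUser: 101` added here also duplicates the pod-level `runAsUser: 101` from the first hunk; harmless, but one place is enough.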
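Review bot: The new `nginx-html` and `nginx-conf` mounts on the frontend container are writable, yet the only writer in this manifest is the copy-static-files init container, which has its own mounts at `/html` and `/conf`; adding `readOnly: true` under each of the two new `mountPath` lines keeps the served content and the nginx config immutable for the pod's lifetime, so a compromised worker process cannot rewrite either. The change is one line per mount and does not affect the init container's writes. The enclosing volumeMounts list begins outside the hunk.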
--- a/helm/gohoarder/templates/deployment-scanner.yaml
+++ b/helm/gohoarder/templates/deployment-scanner.yaml
@@ -42,9 +42,14 @@ spec:
 chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
 chmod 750 /var/cache/gohoarder /var/lib/gohoarder
 volumeMounts:
- {{- include "gohoarder.storageVolume" . | nindent 8 }}
- {{- include "gohoarder.metadataVolume" . | nindent 8 }}
- {{- include "gohoarder.trivyCacheVolume" . | nindent 8 }}
+ - name: storage
+ mountPath: /var/cache/gohoarder
+ - name: metadata
+ mountPath: /var/lib/gohoarder/metadata
+ {{- if .Values.security.scanners.trivy.enabled }}
+ - name: trivy-cache
+ mountPath: {{ .Values.security.scanners.trivy.cacheDb }}
+ {{- end }}
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
diff --git a/helm/gohoarder/templates/deployment-server.yaml b/helm/gohoarder/templates/deployment-server.yaml
index bdb90e5..7b027dc 100644
--- a/helm/gohoarder/templates/deployment-server.yaml
+++ b/helm/gohoarder/templates/deployment-server.yaml
@@ -39,8 +39,10 @@ spec:
 chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
 chmod 750 /var/cache/gohoarder /var/lib/gohoarder
 volumeMounts:
- {{- include "gohoarder.storageVolume" . | nindent 8 }}
- {{- include "gohoarder.metadataVolume" . | nindent 8 }}
+ - name: storage
+ mountPath: /var/cache/gohoarder
+ - name: metadata
+ mountPath: /var/lib/gohoarder/metadata
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
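Review bot: The `trivy-cache` mount path is rendered from `.Values.security.scanners.trivy.cacheDb` unquoted, so an empty or YAML-special value produces an invalid manifest rather than a clear template error; use `mountPath: {{ required "trivy.cacheDb is required" .Values.security.scanners.trivy.cacheDb | quote }}`. The `chown`/`chmod` context lines above the mounts cover only `/var/cache/gohoarder`, `/var/lib/gohoarder` and `/tmp/gohoarder`, so if `cacheDb` points elsewhere the trivy cache volume is never handed to uid 1000 and the scanner may be unable to write it on a freshly provisioned volume — worth checking against the chart's default for that value. Inlining the mounts here and in the deployment-server.yaml hunk duplicates the `/var/cache/gohoarder` and `/var/lib/gohoarder/metadata` paths that the removed `gohoarder.storageVolume`/`gohoarder.metadataVolume` helpers centralised; if those helpers remain in the chart's helper templates they are now dead, and if they were removed the `volumes:` entries that define `storage`, `metadata` and `trivy-cache` (outside both hunks) must still agree with these names. The enclosing init container starts and ends outside the hunk.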