From 6afa55b5f5f15e20b6de567eb2fe923254b3b2fc Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Sat, 3 Jan 2026 00:52:59 +0000
Subject: [PATCH] chore(helm): enhance security context and volume handling

- [x] Add explicit security context with fsGroup and runAsUser to frontend deployment
- [x] Add initContainer to copy nginx static files and config to writable volumes
- [x] Add security context to initContainer with capability restrictions
- [x] Add runAsUser to frontend container security context
- [x] Add emptyDir volumes for nginx HTML and conf directories
- [x] Replace template includes with explicit volumeMounts in scanner deployment
- [x] Conditionally mount trivy cache volume in scanner deployment
- [x] Replace template includes with explicit volumeMounts in server deployment
---
 .../templates/deployment-frontend.yaml | 34 ++++++++++++++++++-
 .../templates/deployment-scanner.yaml | 11 ++++--
 .../templates/deployment-server.yaml | 6 ++--
 3 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/helm/gohoarder/templates/deployment-frontend.yaml b/helm/gohoarder/templates/deployment-frontend.yaml
index 5d91921..97dbe60 100644
--- a/helm/gohoarder/templates/deployment-frontend.yaml
+++ b/helm/gohoarder/templates/deployment-frontend.yaml
@@ -26,7 +26,30 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ fsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ initContainers:
+ - name: copy-static-files
+ image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
+ command: ['sh', '-c']
+ args:
+ - |
+ # Copy built frontend files to writable volume
+ cp -rp /usr/share/nginx/html/* /html/
+ # Copy nginx config to writable volume
+ cp -rp /etc/nginx/conf.d/* /conf/
+ volumeMounts:
+ - name: nginx-html
+ mountPath: /html
+ - name: nginx-conf
+ mountPath: /conf
+ securityContext:
+ runAsUser: 101
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 containers:
 - name: frontend
 securityContext:
@@ -35,6 +58,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: false
+ runAsUser: 101
 image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.frontend.pullPolicy }}
 ports:
@@ -64,6 +88,10 @@ spec:
 mountPath: /var/cache/nginx
 - name: nginx-run
 mountPath: /var/run
+ - name: nginx-html
+ mountPath: /usr/share/nginx/html
+ - name: nginx-conf
+ mountPath: /etc/nginx/conf.d
 volumes:
 - name: tmp
 emptyDir: {}
@@ -71,6 +99,10 @@ spec:
 emptyDir: {}
 - name: nginx-run
 emptyDir: {}
+ - name: nginx-html
+ emptyDir: {}
+ - name: nginx-conf
+ emptyDir: {}
 {{- with .Values.frontend.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm/gohoarder/templates/deployment-scanner.yaml b/helm/gohoarder/templates/deployment-scanner.yaml
index 61e8287..6edb27f 100644
--- a/helm/gohoarder/templates/deployment-scanner.yaml
+++ b/helm/gohoarder/templates/deployment-scanner.yaml
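Review bot: The hard-coded pod `securityContext` replaces the only place this template rendered `.Values.podSecurityContext`, so anything a chart user sets there (typically `seccompProfile: {type: RuntimeDefault}` or a different `fsGroup`) is now silently ignored; the safer shape is to put `fsGroup`/`runAsNonRoot`/`runAsUser: 101` into the values.yaml default and keep `{{- toYaml .Values.podSecurityContext | nindent 8 }}`. The init container's `sh -c` script has no `set -e`, so if the first `cp` fails the second still runs and the container's exit status is that of the last command — nginx can then start against an empty html volume instead of the pod failing visibly. That container also pulls the same image as the frontend container but without `imagePullPolicy: {{ .Values.image.frontend.pullPolicy }}`, and it only writes to its two mounts, so it can carry `readOnlyRootFilesystem: true`. Suggested init-container changes:
```yaml
initContainers:
  - name: copy-static-files
    image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
    imagePullPolicy: {{ .Values.image.frontend.pullPolicy }}
    command: ['sh', '-c']
    args:
      - |
        set -e
        # … unchanged: cp of /usr/share/nginx/html and /etc/nginx/conf.d …
    # … unchanged: volumeMounts …
    securityContext:
      runAsUser: 101
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      # … unchanged: capabilities drop ALL …
```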
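Review bot: `readOnlyRootFilesystem: false` is left in place directly above the added `runAsUser: 101`, yet this same commit gives nginx writable emptyDirs for the paths it normally writes (`/var/cache/nginx`, `/var/run`, `/usr/share/nginx/html`, `/etc/nginx/conf.d`, plus a `tmp` volume) — that is exactly the setup those volumes exist to enable. Unless nginx still writes somewhere else on the image root, flip it to `readOnlyRootFilesystem: true`; if a remaining write path turns up, it belongs in another emptyDir rather than in a writable root. The container-level `runAsUser: 101` duplicates the pod-level value added in the first hunk, which is harmless but worth a comment such as `# explicit per-container uid so PSA/OPA checks on the container spec pass`. The frontend container block starts before this hunk.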
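Review bot: The new `nginx-html` and `nginx-conf` mounts give the running nginx process (uid 101, the same uid the init container copies as) write access to its own served content and its own config, so a compromised worker can rewrite either; nginx only needs to read them. Add `readOnly: true` under each of the two new `mountPath` entries in the frontend container — the init container keeps its writable `/html` and `/conf` mounts, so the copy step is unaffected. This assumes nothing in the image's entrypoint writes into `conf.d` at startup (e.g. rendering templates into it); if it does, that step should move into the init container rather than leaving the config writable for the life of the pod.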
@@ -42,9 +42,14 @@ spec:
 chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
 chmod 750 /var/cache/gohoarder /var/lib/gohoarder
 volumeMounts:
- {{- include "gohoarder.storageVolume" . | nindent 8 }}
- {{- include "gohoarder.metadataVolume" . | nindent 8 }}
- {{- include "gohoarder.trivyCacheVolume" . | nindent 8 }}
+ - name: storage
+ mountPath: /var/cache/gohoarder
+ - name: metadata
+ mountPath: /var/lib/gohoarder/metadata
+ {{- if .Values.security.scanners.trivy.enabled }}
+ - name: trivy-cache
+ mountPath: {{ .Values.security.scanners.trivy.cacheDb }}
+ {{- end }}
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
diff --git a/helm/gohoarder/templates/deployment-server.yaml b/helm/gohoarder/templates/deployment-server.yaml
index bdb90e5..7b027dc 100644
--- a/helm/gohoarder/templates/deployment-server.yaml
+++ b/helm/gohoarder/templates/deployment-server.yaml
@@ -39,8 +39,10 @@ spec:
 chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
 chmod 750 /var/cache/gohoarder /var/lib/gohoarder
 volumeMounts:
- {{- include "gohoarder.storageVolume" . | nindent 8 }}
- {{- include "gohoarder.metadataVolume" . | nindent 8 }}
+ - name: storage
+ mountPath: /var/cache/gohoarder
+ - name: metadata
+ mountPath: /var/lib/gohoarder/metadata
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
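Review bot: `mountPath: {{ .Values.security.scanners.trivy.cacheDb }}` renders an unquoted scalar, so with trivy enabled but `cacheDb` unset the template produces `mountPath:` (null) and the Deployment is rejected, while a value containing YAML specials would mis-parse; write `mountPath: {{ required "security.scanners.trivy.cacheDb is required when trivy is enabled" .Values.security.scanners.trivy.cacheDb | quote }}`. Because the helper includes are gone, the `volumes:` list of this Deployment (outside the hunk) must now declare `storage`, `metadata` and a `trivy-cache` entry under the same `if`, otherwise the pod fails to schedule with trivy on — that cannot be checked from here. The `chown`/`chmod` lines in the same container fix ownership for the storage and metadata paths but not for the trivy cache path that is mounted alongside them; if this is the permission-fixing init container the chown suggests, the cache path belongs in that list under the same conditional. The container spec containing this `volumeMounts` list starts before the hunk.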
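Review bot: The literal `storage`/`metadata` mounts added here are byte-for-byte the pair added to deployment-scanner.yaml in the same commit, which reintroduces the duplication the `gohoarder.storageVolume` and `gohoarder.metadataVolume` helpers were avoiding; the commit message says the includes were replaced but not why. If the helpers had to go, the two mount paths should still come from one place (a shared values key, or a helper that emits only the `mountPath`), so a future change to one template is not missed in the other; otherwise a one-line comment above the list, `# keep in sync with deployment-scanner.yaml`, is the minimum. The container spec containing this list starts before the hunk.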