chore: move directory setup from Helm initContainers to Dockerfiles

- [x] Standardize directory structure across scanner and server Dockerfiles - [x] Use FHS-compliant paths (/var/cache, /var/lib, /tmp) - [x] Add explicit permission management (chmod 750) in build stage - [x] Remove initContainers from both Helm deployments
2026-06-05 22:53:53 +00:00 · 2026-01-03 01:15:09 +00:00
parent f03a288326
commit e6fe925dcb
4 changed files with 23 additions and 57 deletions
@@ -24,9 +24,18 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
 RUN addgroup -g 1000 scanner && \
    adduser -D -u 1000 -G scanner scanner

-# Create necessary directories
-RUN mkdir -p /data/cache /data/scans && \
-    chown -R scanner:scanner /data
+# Create necessary directories with proper permissions
+RUN mkdir -p /var/cache/gohoarder \
+             /var/lib/gohoarder/metadata \
+             /var/lib/trivy \
+             /tmp/gohoarder && \
+    chown -R scanner:scanner /var/cache/gohoarder \
+                              /var/lib/gohoarder \
+                              /var/lib/trivy \
+                              /tmp/gohoarder && \
+    chmod -R 750 /var/cache/gohoarder \
+                 /var/lib/gohoarder \
+                 /var/lib/trivy

 # Copy binary (from platform-specific path)
 ARG TARGETOS
@@ -37,7 +46,7 @@ RUN chmod +x /usr/local/bin/gohoarder
 # Copy example config
 COPY config.yaml.example /etc/gohoarder/config.yaml.example

-WORKDIR /data
+WORKDIR /var/cache/gohoarder
 USER scanner

 # Expose metrics port
@@ -14,9 +14,15 @@ RUN apk add --no-cache \
 RUN addgroup -g 1000 gohoarder && \
    adduser -D -u 1000 -G gohoarder gohoarder

-# Create necessary directories
-RUN mkdir -p /data/cache /data/metadata && \
-    chown -R gohoarder:gohoarder /data
+# Create necessary directories with proper permissions
+RUN mkdir -p /var/cache/gohoarder \
+             /var/lib/gohoarder/metadata \
+             /tmp/gohoarder && \
+    chown -R gohoarder:gohoarder /var/cache/gohoarder \
+                                  /var/lib/gohoarder \
+                                  /tmp/gohoarder && \
+    chmod -R 750 /var/cache/gohoarder \
+                 /var/lib/gohoarder

 # Copy binary (from platform-specific path)
 ARG TARGETOS
@@ -27,7 +33,7 @@ RUN chmod +x /usr/local/bin/gohoarder
 # Copy example config
 COPY config.yaml.example /etc/gohoarder/config.yaml.example

-WORKDIR /data
+WORKDIR /var/cache/gohoarder
 USER gohoarder

 # Expose ports
@@ -28,34 +28,6 @@ spec:
      serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-      - name: init-permissions
-        image: busybox:latest
-        command: ['sh', '-c']
-        args:
-        - |
-          mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-          {{- if .Values.security.scanners.trivy.enabled }}
-          mkdir -p {{ .Values.security.scanners.trivy.cacheDb }}
-          {{- end }}
-          chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
-        volumeMounts:
-        - name: storage
-          mountPath: /var/cache/gohoarder
-        - name: metadata
-          mountPath: /var/lib/gohoarder/metadata
-        {{- if .Values.security.scanners.trivy.enabled }}
-        - name: trivy-cache
-          mountPath: {{ .Values.security.scanners.trivy.cacheDb }}
-        {{- end }}
-        - name: tmp
-          mountPath: /tmp/gohoarder
-        securityContext:
-          runAsUser: 1000
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
      containers:
      - name: scanner
        securityContext:
@@ -29,27 +29,6 @@ spec:
      serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-      - name: init-permissions
-        image: busybox:latest
-        command: ['sh', '-c']
-        args:
-        - |
-          mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-          chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
-        volumeMounts:
-        - name: storage
-          mountPath: /var/cache/gohoarder
-        - name: metadata
-          mountPath: /var/lib/gohoarder/metadata
-        - name: tmp
-          mountPath: /tmp/gohoarder
-        securityContext:
-          runAsUser: 1000
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
      containers:
      - name: server
        securityContext: