diff --git a/Dockerfile.scanner b/Dockerfile.scanner
index 519e0b4..b6dfd90 100644
--- a/Dockerfile.scanner
+++ b/Dockerfile.scanner
@@ -24,9 +24,18 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
 RUN addgroup -g 1000 scanner && \
     adduser -D -u 1000 -G scanner scanner
 
-# Create necessary directories
-RUN mkdir -p /data/cache /data/scans && \
-    chown -R scanner:scanner /data
+# Create necessary directories with proper permissions
+RUN mkdir -p /var/cache/gohoarder \
+    /var/lib/gohoarder/metadata \
+    /var/lib/trivy \
+    /tmp/gohoarder && \
+    chown -R scanner:scanner /var/cache/gohoarder \
+    /var/lib/gohoarder \
+    /var/lib/trivy \
+    /tmp/gohoarder && \
+    chmod -R 750 /var/cache/gohoarder \
+    /var/lib/gohoarder \
+    /var/lib/trivy
 
 # Copy binary (from platform-specific path)
 ARG TARGETOS
@@ -37,7 +46,7 @@ RUN chmod +x /usr/local/bin/gohoarder
 # Copy example config
 COPY config.yaml.example /etc/gohoarder/config.yaml.example
 
-WORKDIR /data
+WORKDIR /var/cache/gohoarder
 USER scanner
 
 # Expose metrics port
diff --git a/Dockerfile.server b/Dockerfile.server
index 089eb34..4e0cabf 100644
--- a/Dockerfile.server
+++ b/Dockerfile.server
@@ -14,9 +14,15 @@ RUN apk add --no-cache \
 RUN addgroup -g 1000 gohoarder && \
     adduser -D -u 1000 -G gohoarder gohoarder
 
-# Create necessary directories
-RUN mkdir -p /data/cache /data/metadata && \
-    chown -R gohoarder:gohoarder /data
+# Create necessary directories with proper permissions
+RUN mkdir -p /var/cache/gohoarder \
+    /var/lib/gohoarder/metadata \
+    /tmp/gohoarder && \
+    chown -R gohoarder:gohoarder /var/cache/gohoarder \
+    /var/lib/gohoarder \
+    /tmp/gohoarder && \
+    chmod -R 750 /var/cache/gohoarder \
+    /var/lib/gohoarder
 
 # Copy binary (from platform-specific path)
 ARG TARGETOS
@@ -27,7 +33,7 @@ RUN chmod +x /usr/local/bin/gohoarder
 # Copy example config
 COPY config.yaml.example /etc/gohoarder/config.yaml.example
 
-WORKDIR /data
+WORKDIR /var/cache/gohoarder
 USER gohoarder
 
 # Expose ports
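Review bot: The `chown -R scanner:scanner` / `chmod -R 750` added to the RUN step in Dockerfile.scanner only fixes ownership on the image layer, while the init container removed from the chart in this same commit shows that `/var/cache/gohoarder`, `/var/lib/gohoarder/metadata` and `/tmp/gohoarder` are volume mount points, and a mounted volume carries its own ownership and hides whatever the image set there. With that init container gone, write access for UID 1000 on those paths now appears to depend on `podSecurityContext` (for example `fsGroup`) or on the volume driver, so it is worth confirming the chart grants it for every volume type it supports, not only emptyDir. The Trivy cache is fixed at `/var/lib/trivy` here whereas the chart mounts it at `.Values.security.scanners.trivy.cacheDb`; a comment on that line such as `# Must match security.scanners.trivy.cacheDb in the Helm chart` would keep the two from drifting apart. The same image-versus-volume caveat applies to the Dockerfile.server hunk. `/tmp/gohoarder` is chowned but deliberately left out of the `chmod -R 750` in both files, presumably so the runtime can still use it with default modes; if so, a one-line comment stating that would save the next reader from "fixing" it.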
diff --git a/helm/gohoarder/templates/deployment-scanner.yaml b/helm/gohoarder/templates/deployment-scanner.yaml
index a68e379..c1182f1 100644
--- a/helm/gohoarder/templates/deployment-scanner.yaml
+++ b/helm/gohoarder/templates/deployment-scanner.yaml
@@ -28,34 +28,6 @@ spec:
       serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-        - name: init-permissions
-          image: busybox:latest
-          command: ['sh', '-c']
-          args:
-            - |
-              mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-              {{- if .Values.security.scanners.trivy.enabled }}
-              mkdir -p {{ .Values.security.scanners.trivy.cacheDb }}
-              {{- end }}
-              chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
-          volumeMounts:
-            - name: storage
-              mountPath: /var/cache/gohoarder
-            - name: metadata
-              mountPath: /var/lib/gohoarder/metadata
-            {{- if .Values.security.scanners.trivy.enabled }}
-            - name: trivy-cache
-              mountPath: {{ .Values.security.scanners.trivy.cacheDb }}
-            {{- end }}
-            - name: tmp
-              mountPath: /tmp/gohoarder
-          securityContext:
-            runAsUser: 1000
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
       containers:
         - name: scanner
           securityContext:
diff --git a/helm/gohoarder/templates/deployment-server.yaml b/helm/gohoarder/templates/deployment-server.yaml
index 915f69b..9bbd6d4 100644
--- a/helm/gohoarder/templates/deployment-server.yaml
+++ b/helm/gohoarder/templates/deployment-server.yaml
@@ -29,27 +29,6 @@ spec:
       serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-        - name: init-permissions
-          image: busybox:latest
-          command: ['sh', '-c']
-          args:
-            - |
-              mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-              chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
-          volumeMounts:
-            - name: storage
-              mountPath: /var/cache/gohoarder
-            - name: metadata
-              mountPath: /var/lib/gohoarder/metadata
-            - name: tmp
-              mountPath: /tmp/gohoarder
-          securityContext:
-            runAsUser: 1000
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
       containers:
         - name: server
           securityContext: