Merge pull request #33 from dignajar/fix-uid-and-gid-in-dockerfile

Fixed UID and GID; Update Helm chart and K8S manifests
dignajar · Jun 25, 2021 · e7e741c · e7e741c
2 parents a5f32be + c25db4b
commit e7e741c
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 8 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -14,13 +14,19 @@ RUN apk --no-cache add build-base openldap-dev libffi-dev
 COPY files/requirements.txt /tmp/requirements.txt
 RUN pip install -r /tmp/requirements.txt --no-cache-dir
 
+# Run as non-root
 ENV USER aldap
+ENV UID 10001
+ENV GROUP aldap
+ENV GID 10001
 ENV HOME /home/$USER
-RUN adduser -D $USER
-USER $USER
-WORKDIR $HOME
+RUN addgroup -g $GID -S $GROUP && adduser -u $UID -S $USER -G $GROUP
 
+# Python code
 COPY files/* $HOME/
+RUN chown -R $USER:$GROUP $HOME
 
 EXPOSE 9000
+USER $UID:$GID
+WORKDIR $HOME
 CMD ["python3", "-u", "main.py"]
diff --git a/chart/another-ldap-auth/Chart.yaml b/chart/another-ldap-auth/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: another-ldap-auth
 description: A Helm chart using another-ldap-auth to enable AD or LDAP based basic-authentication for ingress resources
 type: application
-version: 0.2.0
-appVersion: 2.0.2
+version: 0.3.0
+appVersion: 2.2.1
 keywords:
   - ingress
   - nginx

diff --git a/chart/another-ldap-auth/README.md b/chart/another-ldap-auth/README.md
@@ -1,6 +1,6 @@
 # another-ldap-auth
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.2](https://img.shields.io/badge/AppVersion-2.0.2-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.1](https://img.shields.io/badge/AppVersion-2.2.1-informational?style=flat-square)
 
 A Helm chart using another-ldap-auth to enable AD or LDAP based basic-authentication for ingress resources
 

diff --git a/chart/another-ldap-auth/values.yaml b/chart/another-ldap-auth/values.yaml
@@ -3,7 +3,7 @@ replicaCount: 1
 image:
   repository: dignajar/another-ldap-auth
   pullPolicy: IfNotPresent
-  tag: "2.0.2"
+  tag: "2.2.1"
 
 imagePullSecrets: []
 nameOverride: ""

diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
@@ -44,4 +44,18 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: another-ldap-auth
-                  key: LDAP_MANAGER_PASSWORD
+                  key: LDAP_MANAGER_PASSWORD
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            runAsUser: 10001
+            capabilities:
+              drop:
+                - ALL
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 128Mi