From e6a1ffb2f930e3462be7c75dc615b289bca7fddc Mon Sep 17 00:00:00 2001
From: Marek Fedorovic
Date: Wed, 7 Feb 2024 15:27:30 +1100
Subject: [PATCH] fix: Add user to docker image. Add sec context to container.
---
 lock-manager/Dockerfile | 13 +++++++++++++
 .../deployment/helm/templates/deployment.yaml | 2 ++
 lock-manager/deployment/helm/values.yaml | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lock-manager/Dockerfile b/lock-manager/Dockerfile
index 2051441..187e60e 100644
--- a/lock-manager/Dockerfile
+++ b/lock-manager/Dockerfile
@@ -3,6 +3,17 @@ FROM node:18.18.2-alpine3.18 AS baseimage
 # Build image
 FROM baseimage AS BUILD
+ENV USER=pit
+ENV UID=1001
+RUN adduser \
+ --disabled-password \
+ --gecos "" \
+ --home "/nonexistent" \
+ --shell "/sbin/nologin" \
+ --no-create-home \
+ --uid "${UID}" \
+ "${USER}"
+
 WORKDIR /opt/build
 COPY package.json package-lock.json tsconfig.json ./
 RUN npm ci
@@ -21,5 +32,7 @@ COPY --from=BUILD /opt/build/node_modules/ ./node_modules
 COPY --from=BUILD /opt/build/dist/ ./dist
 COPY migrations/ ./migrations
+USER ${USER}:${USER}
+
 CMD ["npm", "run", "migrate_and_start"]
diff --git a/lock-manager/deployment/helm/templates/deployment.yaml b/lock-manager/deployment/helm/templates/deployment.yaml
index 989b1a1..4126c8a 100644
--- a/lock-manager/deployment/helm/templates/deployment.yaml
+++ b/lock-manager/deployment/helm/templates/deployment.yaml
@@ -16,6 +16,8 @@ spec:
 spec:
 containers:
 - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.pod.repository }}:{{ .Values.IMAGE_TAG }}"
 imagePullPolicy: IfNotPresent
 ports:
diff --git a/lock-manager/deployment/helm/values.yaml b/lock-manager/deployment/helm/values.yaml
index fc3a653..1db9668 100644
--- a/lock-manager/deployment/helm/values.yaml
+++ b/lock-manager/deployment/helm/values.yaml
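Review bot: The account is created in the BUILD stage (`FROM baseimage AS BUILD`), but the `USER ${USER}:${USER}` line in the next hunk sits in the final stage, which copies from BUILD and so appears to be a separate stage; unless that stage starts with `FROM BUILD` (its `FROM` line is outside both hunks), neither the `pit` account nor the `USER`/`UID` variables exist there and the final `USER` instruction would expand to an empty name. Move `ENV USER=pit`, `ENV UID=1001` and the `RUN adduser` block up under `FROM node:18.18.2-alpine3.18 AS baseimage` so every stage inherits them, or recreate the user in the final stage. `ENV` also persists `USER` and `UID` into the running container's environment; a build-time `ARG` is cleaner if nothing at runtime reads them. Since the home is `/nonexistent` with `--no-create-home`, confirm that `npm run migrate_and_start` does not need a writable `$HOME` (npm's default cache lives under `$HOME/.npm`).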
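Review bot: `USER ${USER}:${USER}` sets the user by name rather than numeric id, so the kubelet can only satisfy `runAsNonRoot: true` (values.yaml in this same patch) because `runAsUser: 1001` is also set; drop or override that value and the pod is rejected because a non-numeric image user cannot be verified as non-root. Prefer `USER ${UID}` here so the image itself proves it runs unprivileged and the id only needs to be kept in one place. The name form additionally relies on `adduser` having created a group called `pit`, which is implicit rather than declared.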
@@ -21,4 +21,4 @@ WEB_APP_CONTEXT_ROOT:
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
- runAsUser: 1000
\ No newline at end of file
+ runAsUser: 1001
\ No newline at end of file
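Review bot: `runAsUser: 1001` must now agree with `ENV UID=1001` in lock-manager/Dockerfile and nothing records that coupling; add `runAsUser: 1001  # must match UID in lock-manager/Dockerfile` so the next change updates both. The file still ends without a trailing newline (`\ No newline at end of file` on both sides), which is worth fixing while this line is touched. The container context could also be tightened with `readOnlyRootFilesystem: true` and `capabilities: {drop: ["ALL"]}`, though the former presumes `migrate_and_start` writes only to mounted volumes, which this patch does not show — verify before enabling it.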