fix(dockerfile): corepack yarn during image build

OADA · Dec 11, 2024 · 65d497b · 65d497b
1 parent 609c502
commit 65d497b
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 6 deletions.
diff --git a/charts/oada/templates/deployment.yaml b/charts/oada/templates/deployment.yaml
@@ -1,3 +1,4 @@
+# vim: set ft=helm :
 {{/*
    * Copyright 2022 Open Ag Data Alliance
    *
@@ -41,6 +42,10 @@ spec:
         app.kubernetes.io/component: {{ $k }}
         {{- include "oada.chart.selectorLabels" $ | nindent 8 }}
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       serviceAccountName: service-account-{{ $.Release.Name }}
       initContainers:
         - name: wait-for-init
@@ -51,6 +56,10 @@ spec:
           resources:
             limits: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
+          securityContext:
+            #runAsUser: 1000 # run as user node (uid 1000)
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
       containers:
         - envFrom:
             - configMapRef:
@@ -88,14 +97,13 @@ spec:
               port: prometheus
             initialDelaySeconds: 10
             periodSeconds: 10
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 1000 # run as user node (uid 1000)
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
           name: {{ $name }}
           resources:
             {{- toYaml $.Values.oada.resources | nindent 12 }}
+          securityContext:
+            #runAsUser: 1000 # run as user node (uid 1000)
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
           ports:
             {{ if $v.http -}}
             - name: http

diff --git a/charts/oada/templates/init.yaml b/charts/oada/templates/init.yaml
@@ -28,6 +28,10 @@ spec:
   backoffLimit: 10
   template:
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       restartPolicy: OnFailure
       serviceAccountName: service-account-{{ .Release.Name }}
       initContainers:
@@ -40,6 +44,9 @@ spec:
           resources:
             limits: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
         {{- end }}
         {{ if eq (include "oada.kafka.deploy" .) "true" -}}
         - name: wait-for-redpanda
@@ -50,6 +57,9 @@ spec:
           resources:
             limits: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
         {{- end }}
       containers:
         - name: init
@@ -83,4 +93,16 @@ spec:
           resources:
             limits: {{- toYaml $.Values.oada.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.oada.resources.limits | nindent 14 }}
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+      volumes:
+        - name: tmp
+          emptyDir:
+            sizeLimit: 1Gi
+            #medium: Memory
 {{- end -}}
diff --git a/charts/oada/templates/redpanda.yaml b/charts/oada/templates/redpanda.yaml
@@ -28,6 +28,36 @@ spec:
           max: 10Gi
       #ephemeral-storage: 1Gi
       {{- end }}
+    statefulset:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsUser: 1000739999
+        runAsGroup: 1000739999
+        fsGroup: 1000739999
+      podTemplate:
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1000739999
+            runAsGroup: 1000739999
+            fsGroup: 1000739999
+            fsGroupChangePolicy: "OnRootMismatch"
+    console:
+      enabled: false
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
     logging:
       logLevel: info
       usageStats:

diff --git a/charts/oada/templates/users.yaml b/charts/oada/templates/users.yaml
@@ -47,6 +47,10 @@ spec:
   backoffLimit: 10
   template:
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       restartPolicy: OnFailure
       serviceAccountName: service-account-{{ $.Release.Name }}
       initContainers:
@@ -58,6 +62,10 @@ spec:
           resources:
             limits: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
         - name: wait-for-users
           image: {{ $.Values.k8sWaitFor.image }}:{{ $.Values.k8sWaitFor.tag }}
           args:
@@ -66,6 +74,9 @@ spec:
           resources:
             limits: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.k8sWaitFor.resources.limits | nindent 14 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
         - name: user-add
           envFrom:
             - configMapRef:
@@ -110,6 +121,9 @@ spec:
           resources:
             limits: {{- toYaml $.Values.oada.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.oada.resources.limits | nindent 14 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
       containers:
         - name: token-create
           envFrom:
@@ -153,6 +167,9 @@ spec:
           resources:
             limits: {{- toYaml $.Values.oada.resources.limits | nindent 14 }}
             requests: {{- toYaml $.Values.oada.resources.limits | nindent 14 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
 ---
 {{- end -}}
 {{- end }}
diff --git a/oada-server.code-workspace b/oada-server.code-workspace
@@ -226,6 +226,8 @@
       "typescript",
       "javascript"
     ],
-    "commitPro.enableDefaultCommitlintRulesDiagnostics": false
+    "commitPro.enableDefaultCommitlintRulesDiagnostics": false,
+    "npm.packageManager": "yarn",
+    "cSpell.usePnP": true
   }
 }
diff --git a/oada/Dockerfile b/oada/Dockerfile
@@ -111,6 +111,9 @@ WORKDIR /oada/services/${OADA_SERVICE}
 USER node
 ENV PORT=8080
 
+# Have corepack download yarn
+RUN corepack yarn;
+
 FROM production as debug
 
 USER root