update deployment

bcgov · Jan 6, 2025 · 1219b6c · 1219b6c
1 parent e67d6ce
commit 1219b6c
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 22 deletions.
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -1,14 +1,13 @@
 services:
   app:
-    build: .
+    build:
+      context: .
     ports:
       - "${APP_PORT}:${APP_PORT}"
     env_file:
       - .env
     depends_on:
       - db
-    volumes:
-      - .:/usr/src/app
     restart: always
     command: >
       sh -c "npx knex migrate:latest && node index.js"

diff --git a/dockerfile b/dockerfile
@@ -1,4 +1,11 @@
-FROM node:18
+FROM node:20
+
+# Set allowed UID/GID range and create non-root user
+ARG ALLOWED_UID=1007250000
+ARG ALLOWED_GID=1007250000
+
+RUN addgroup --gid ${ALLOWED_GID} appgroup && \
+    adduser --disabled-password --gecos "" --uid ${ALLOWED_UID} --gid ${ALLOWED_GID} appuser
 
 WORKDIR /usr/app
 
@@ -21,6 +28,8 @@ RUN npm run build
 
 WORKDIR /usr/app/src
 
+USER appuser
+
 ARG APP_PORT
 ENV APP_PORT=${APP_PORT}
 EXPOSE ${APP_PORT}

diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
@@ -3,7 +3,7 @@ kind: StatefulSet
 metadata:
   name: {{ .Release.Name }}-postgresql
   labels:
-    app: {{ .Release.Name }}
+    app: {{ .Release.Name }}-postgresql
 spec:
   replicas: 1
   serviceName: {{ .Release.Name }}-postgresql
@@ -16,33 +16,21 @@ spec:
         app: {{ .Release.Name }}-postgresql
     spec:
       securityContext:
-        fsGroup: 1000
-      initContainers:
-        - name: fix-permissions
-          image: busybox
-          command: ["sh", "-c", "chmod -R 777 /var/lib/postgresql/data"]
-          securityContext:
-            runAsUser: 0  
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
+        fsGroup: 999
       containers:
         - name: postgresql
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          securityContext:
-            runAsUser: 1000
-            allowPrivilegeEscalation: false
+          image: "{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}"
+          ports:
+            - containerPort: {{ .Values.service.postgresPort }}
           env:
             - name: POSTGRES_USER
               value: {{ .Values.postgresql.username }}
             - name: POSTGRES_PASSWORD
               value: {{ .Values.postgresql.password }}
             - name: POSTGRES_DB
               value: {{ .Values.postgresql.database }}
-            - name: POSTGRES_INITDB_ARGS
-              value: "--no-locale --data-checksums --no-permission-check"
           volumeMounts:
-            - name: data
+            - name: pgdata
               mountPath: /var/lib/postgresql/data
   volumeClaimTemplates:
     - metadata: