diff --git a/Dockerfile b/Dockerfile index 5e6abcca8..22e8920e5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,8 @@ ################################################################################# -# Catena-X - Product Passport Consumer Frontend +# Catena-X - Digital Product Pass Frontend Application # -# Copyright (c) 2022, 2023 BASF SE, BMW AG, Henkel AG & Co. KGaA +# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA +# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -40,7 +41,7 @@ COPY . . RUN npm run build -FROM nginxinc/nginx-unprivileged:stable-alpine +FROM nginxinc/nginx-unprivileged:alpine ARG REPO_COMMIT_ID='REPO_COMMIT_ID' ARG REPO_ENDPOINT_URL='REPO_ENDPOINT_URL' @@ -50,7 +51,7 @@ ENV REPO_ENDPOINT_URL=${REPO_ENDPOINT_URL} USER root RUN addgroup -g 3000 appgroup \ - && adduser -u 10000 -g 3000 -h /home/appuser -D appuser + && adduser -u 1000 -g 3000 -h /home/nonroot -D nonroot COPY ./entrypoint.sh /entrypoint.sh @@ -62,15 +63,15 @@ COPY --from=builder /app/dist /usr/share/nginx/html HEALTHCHECK NONE # add permissions for a user -RUN chown -R 10000:3000 /app && chmod -R 775 /app/ -RUN chown 10000:3000 /entrypoint.sh && chmod -R 775 /entrypoint.sh +RUN chown -R 1000:3000 /app && chmod -R 775 /app/ +RUN chown 1000:3000 /entrypoint.sh && chmod -R 775 /entrypoint.sh # Install bash for env variables inject script RUN apk update && apk add --no-cache bash # Make nginx owner of /usr/share/nginx/html/ and change to nginx user -RUN chown -R 10000:3000 /usr/share/nginx/html/ && chmod -R 775 /usr/share/nginx/html/ +RUN chown -R 1000:3000 /usr/share/nginx/html/ && chmod -R 775 /usr/share/nginx/html/ -USER 10000:3000 +USER 1000:3000 EXPOSE 8080 diff --git a/charts/digital-product-pass/values.yaml b/charts/digital-product-pass/values.yaml index f424f12f7..3e78a32a8 100644 --- a/charts/digital-product-pass/values.yaml 
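Review bot: The new runtime base `nginxinc/nginx-unprivileged:alpine` is a floating tag, and dropping `stable-` appears to move the image from nginx's stable branch to mainline, so each rebuild can pull a different nginx and Alpine with no change in this repository. Pin the final stage to an explicit version tag and, for release builds, a digest, for example `FROM nginxinc/nginx-unprivileged:<version>-alpine@sha256:<digest>` (placeholders), and let a dependency bot propose the bumps. The same applies to `FROM eclipse-temurin:21-jre-alpine` in dpp-backend/digitalproductpass/Dockerfile. The builder stage this image copies from starts outside the hunk.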
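Review bot: In the `adduser` line, `-g 3000` does not put the user in group 3000, because with BusyBox `adduser` (the Alpine default) lowercase `-g` sets the GECOS comment field and the group option is uppercase `-G`, which takes a group name. As written, `nonroot` gets its own primary group and `appgroup` has no members; the container only runs with GID 3000 because later lines use numeric `chown` and `USER 1000:3000`. Suggest `&& adduser -u 1000 -G appgroup -h /home/nonroot -D nonroot`. The backend Dockerfile carries the identical line and needs the same fix.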
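Review bot: The `chown -R 1000:3000` and `chmod -R 775` lines make the runtime user the owner of `/entrypoint.sh`, `/app` and the whole web root, with group write as well, so a code-execution bug in the container could rewrite the served files and the startup script. If the env-injection script (not visible here) only rewrites specific files, keep everything else root-owned with `755`/`644` and grant write on just those paths; `COPY --chown=... --chmod=...` would also avoid the extra layer each `RUN chown -R` creates. `chmod -R` on the single file `/entrypoint.sh` can be a plain `chmod 755`, and `apk update &&` is redundant before `apk add --no-cache`. The `chown -R 1000:3000 /app && chmod -R 775 /app/` line in the backend Dockerfile has the same shape.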
+++ b/charts/digital-product-pass/values.yaml @@ -57,7 +57,7 @@ backend: # -- Restrict a Container's Syscalls with seccomp type: RuntimeDefault # -- Runs all processes within a pod with a special uid - runAsUser: 10000 + runAsUser: 1000 # -- Processes within a pod will belong to this guid runAsGroup: 3000 # -- The owner for volumes and any files created within volumes will belong to this guid @@ -78,7 +78,7 @@ backend: # -- Requires the container to run without root privileges runAsNonRoot: true # -- The container's process will run with the specified uid - runAsUser: 10000 + runAsUser: 1000 # -- The owner for volumes and any files created within volumes will belong to this guid runAsGroup: 3000 @@ -190,7 +190,7 @@ frontend: # -- Restrict a Container's Syscalls with seccomp type: RuntimeDefault # -- Runs all processes within a pod with a special uid - runAsUser: 10000 + runAsUser: 1000 # -- Processes within a pod will belong to this guid runAsGroup: 3000 # -- The owner for volumes and any files created within volumes will belong to this guid @@ -211,7 +211,7 @@ frontend: # -- Requires the container to run without root privileges runAsNonRoot: true # -- The container's process will run with the specified uid - runAsUser: 10000 + runAsUser: 1000 # -- The owner for volumes and any files created within volumes will belong to this guid runAsGroup: 3000 diff --git a/dpp-backend/charts/digital-product-pass-backend/values.yaml b/dpp-backend/charts/digital-product-pass-backend/values.yaml index 27fb6de89..f9607c5ec 100644 --- a/dpp-backend/charts/digital-product-pass-backend/values.yaml +++ b/dpp-backend/charts/digital-product-pass-backend/values.yaml 
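Review bot: `runAsUser: 1000` is the UID most Linux distributions give the first regular user, so on nodes without user-namespace remapping the container's processes, and any files they write to hostPath or shared volumes, map onto a UID that may belong to a real account; the previous 10000 sat outside that range. The diff does not show why the UID was lowered, so if it is a platform requirement, say so next to the value, e.g. `# -- must match USER in the image Dockerfile (1000:3000)`. The same value is changed in the other three hunks of this file, in dpp-backend/charts/digital-product-pass-backend/values.yaml and in both Dockerfiles, and all of them have to stay in step so that the ownership set at build time matches the runtime user.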
@@ -1,5 +1,5 @@ ################################################################################# -# Catena-X - Product Passport Consumer Application +# Catena-X - Digital Product Pass Application # # Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA # Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation @@ -154,14 +154,14 @@ oauth: enabled: false podSecurityContext: - runAsUser: 10000 + runAsUser: 1000 fsGroup: 3000 securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false runAsNonRoot: true - runAsUser: 10000 + runAsUser: 1000 runAsGroup: 3000 serviceAccount: diff --git a/dpp-backend/digitalproductpass/Dockerfile b/dpp-backend/digitalproductpass/Dockerfile index bb5b6185d..8a7e26509 100644 --- a/dpp-backend/digitalproductpass/Dockerfile +++ b/dpp-backend/digitalproductpass/Dockerfile @@ -1,7 +1,8 @@ ################################################################################# -# Catena-X - Product Passport Consumer Backend +# Catena-X - Digital Product Pass Backend Application # -# Copyright (c) 2022, 2023 BASF SE, BMW AG, Henkel AG & Co. KGaA +# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA +# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -21,10 +22,10 @@ ################################################################################# -FROM eclipse-temurin:19-alpine +FROM eclipse-temurin:21-jre-alpine RUN addgroup -g 3000 appgroup \ - && adduser -u 10000 -g 3000 -h /home/appuser -D appuser + && adduser -u 1000 -g 3000 -h /home/nonroot -D nonroot WORKDIR /app 
@@ -39,9 +40,9 @@ COPY ./target/digitalproductpass*.jar digitalproductpass.jar HEALTHCHECK NONE # add permissions for a user -RUN chown -R 10000:3000 /app && chmod -R 775 /app/ +RUN chown -R 1000:3000 /app && chmod -R 775 /app/ -USER 10000:3000 +USER 1000:3000 EXPOSE 8080 ENTRYPOINT ["java", "-jar", "./digitalproductpass.jar"]