From 1c3df094a489e7b934b4ea641fcf3ef258cc5d88 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Wed, 3 Jul 2024 18:39:20 +0200 Subject: [PATCH] fix(userId): fixed userId issue from helm values and Dockerfiles --- charts/digital-product-pass/README.md | 14 +++++++------- charts/digital-product-pass/values.yaml | 8 ++++---- dpp-backend/digitalproductpass/Dockerfile | 6 +++--- dpp-frontend/Dockerfile | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/charts/digital-product-pass/README.md b/charts/digital-product-pass/README.md index fe0ee2011..ae7b30b81 100644 --- a/charts/digital-product-pass/README.md +++ b/charts/digital-product-pass/README.md @@ -31,7 +31,7 @@ helm install digital-product-pass tractusx/digital-product-pass | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | | -| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"","xApiKey":""},"hostname":"","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:samm:io.catenax.battery.battery_pass:6.0.0#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass","urn:samm:io.catenax.transmission.transmission_pass:3.0.0#TransmissionPass","urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport","urn:samm:io.catenax.generic.digital_product_passport:5.0.0#DigitalProductPassport"],"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"CircularEconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}},"podSecurityContext":{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"},"singleApi":{"delay":1000,"maxRetries":30},"volumeMounts":[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}],"volumes":[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]}` | Backend configuration | +| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":40,"negotiation":60,"search":50,"transfer":20}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","readiness":"/api/check/readiness","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"","xApiKey":""},"hostname":"","image":{"pullPolicy":"IfNotPresent","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"annotations":{"ingressClassName":"nginx","nginx.ingress.kubernetes.io/backend-protocol":"HTTP","nginx.ingress.kubernetes.io/force-ssl-redirect":"true","nginx.ingress.kubernetes.io/ssl-passthrough":"false"},"enabled":false,"hosts":[{"host":"","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:samm:io.catenax.battery.battery_pass:6.0.0#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass","urn:samm:io.catenax.transmission.transmission_pass:3.0.0#TransmissionPass","urn:samm:io.catenax.generic.digital_product_passport:2.0.0#DigitalProductPassport","urn:samm:io.catenax.generic.digital_product_passport:5.0.0#DigitalProductPassport"],"policyCheck":{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"CircularEconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}},"podSecurityContext":{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10000},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"},"singleApi":{"delay":1000,"maxRetries":30},"volumeMounts":[{"mountPath":"/app/config","name":"backend-config"},{"mountPath":"/app/data/process","name":"pvc-backend","subPath":"data/process"},{"mountPath":"/app/log","name":"tmpfs","subPath":"log"},{"mountPath":"/tmp","name":"tmpfs"},{"mountPath":"/app/data/VaultConfig","name":"tmpfs","subPath":"VaultConfig/vault.token.yml"},{"mountPath":"/app/tmp","name":"tmpfs"}],"volumes":[{"configMap":{"name":"{{ .Release.Name }}-backend-config"},"name":"backend-config"},{"name":"pvc-backend","persistentVolumeClaim":{"claimName":"{{ .Release.Name }}-pvc-data"}},{"emptyDir":{},"name":"tmpfs"}]}` | Backend configuration | | backend.digitalTwinRegistry.policyCheck | object | `{"enabled":true,"policies":[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}],"strictMode":false}` | policy configuration for the digital twin assets in the edc catalog | | backend.digitalTwinRegistry.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check | | backend.digitalTwinRegistry.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.core.digitalTwinRegistry:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations | @@ -60,10 +60,10 @@ helm install digital-product-pass tractusx/digital-product-pass | backend.passport.policyCheck.enabled | bool | `true` | condition to enable and disable the policy check | | backend.passport.policyCheck.policies | list | `[{"obligation":[],"permission":[{"action":"USE","constraints":[{"leftOperand":"cx-policy:Membership","operator":"odrl:eq","rightOperand":"active"},{"leftOperand":"cx-policy:FrameworkAgreement","operator":"odrl:eq","rightOperand":"CircularEconomy:1.0"},{"leftOperand":"cx-policy:UsagePurpose","operator":"odrl:eq","rightOperand":"cx.circular.dpp:1"}],"logicalConstraint":"odrl:and"}],"prohibition":[]}]` | list of allowed policies that can be selected from the edc catalog in negotiations | | backend.passport.policyCheck.strictMode | bool | `false` | the strict mode is quicker (uses hashes) and requires less computation complexity, the default mode is comparing against every single object value | -| backend.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | +| backend.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | | backend.podSecurityContext.fsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | | backend.podSecurityContext.runAsGroup | int | `10001` | Processes within a pod will belong to this guid | -| backend.podSecurityContext.runAsUser | int | `10001` | Runs all processes within a pod with a special uid | +| backend.podSecurityContext.runAsUser | int | `10000` | Runs all processes within a pod with a special uid | | backend.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | | backend.process | object | `{"encryptionKey":""}` | digital twin registry configuration | | backend.process.encryptionKey | string | `""` | unique sha512 hash key used for the passport encryption | @@ -74,7 +74,7 @@ helm install digital-product-pass tractusx/digital-product-pass | backend.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | backend.securityContext.runAsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | | backend.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | -| backend.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | +| backend.securityContext.runAsUser | int | `10000` | The container's process will run with the specified uid | | backend.serverPort | int | `8888` | configuration of the spring boot server | | backend.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service | | backend.singleApi | object | `{"delay":1000,"maxRetries":30}` | configuration to the single API endpoint | @@ -104,10 +104,10 @@ helm install digital-product-pass tractusx/digital-product-pass | frontend.irs.requestDelay | int | `30000` | request timeout delay | | frontend.name | string | `"dpp-frontend"` | | | frontend.negotiation.autoSign | bool | `true` | | -| frontend.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | +| frontend.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | | frontend.podSecurityContext.fsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | | frontend.podSecurityContext.runAsGroup | int | `10001` | Processes within a pod will belong to this guid | -| frontend.podSecurityContext.runAsUser | int | `10001` | Runs all processes within a pod with a special uid | +| frontend.podSecurityContext.runAsUser | int | `10000` | Runs all processes within a pod with a special uid | | frontend.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | | frontend.portal.hostname | string | `""` | | | frontend.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | @@ -116,7 +116,7 @@ helm install digital-product-pass tractusx/digital-product-pass | frontend.securityContext.readOnlyRootFilesystem | bool | `false` | Whether the root filesystem is mounted in read-only mode | | frontend.securityContext.runAsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | | frontend.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | -| frontend.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | +| frontend.securityContext.runAsUser | int | `10000` | The container's process will run with the specified uid | | frontend.service.port | int | `8080` | | | frontend.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service | | frontend.supportContact.adminEmail | string | `"admin@example.com"` | | diff --git a/charts/digital-product-pass/values.yaml b/charts/digital-product-pass/values.yaml index 009de9c25..506687cdb 100644 --- a/charts/digital-product-pass/values.yaml +++ b/charts/digital-product-pass/values.yaml @@ -68,7 +68,7 @@ backend: # -- Restrict a Container's Syscalls with seccomp type: RuntimeDefault # -- Runs all processes within a pod with a special uid - runAsUser: 10001 + runAsUser: 10000 # -- Processes within a pod will belong to this guid runAsGroup: 10001 # -- The owner for volumes and any files created within volumes will belong to this guid @@ -89,7 +89,7 @@ backend: # -- Requires the container to run without root privileges runAsNonRoot: true # -- The container's process will run with the specified uid - runAsUser: 10001 + runAsUser: 10000 # -- The owner for volumes and any files created within volumes will belong to this guid runAsGroup: 10001 @@ -305,7 +305,7 @@ frontend: # -- Restrict a Container's Syscalls with seccomp type: RuntimeDefault # -- Runs all processes within a pod with a special uid - runAsUser: 10001 + runAsUser: 10000 # -- Processes within a pod will belong to this guid runAsGroup: 10001 # -- The owner for volumes and any files created within volumes will belong to this guide @@ -326,7 +326,7 @@ frontend: # -- Requires the container to run without root privileges runAsNonRoot: true # -- The container's process will run with the specified uid - runAsUser: 10001 + runAsUser: 10000 # -- The owner for volumes and any files created within volumes will belong to this guid runAsGroup: 10001 diff --git a/dpp-backend/digitalproductpass/Dockerfile b/dpp-backend/digitalproductpass/Dockerfile index e36b8b269..4dc6c04e3 100644 --- a/dpp-backend/digitalproductpass/Dockerfile +++ b/dpp-backend/digitalproductpass/Dockerfile @@ -27,7 +27,7 @@ FROM eclipse-temurin:21-jre-alpine RUN addgroup -g 10001 appgroup \ - && adduser -u 10001 -g 10001 -h /home/nonroot -D nonroot + && adduser -u 10000 -g 10001 -h /home/nonroot -D nonroot WORKDIR /app @@ -42,9 +42,9 @@ COPY ./target/digitalproductpass*.jar digitalproductpass.jar HEALTHCHECK NONE # add permissions for a user -RUN chown -R 10001:10001 /app && chmod -R 775 /app/ +RUN chown -R 10000:10001 /app && chmod -R 775 /app/ -USER 10001:10001 +USER 10000:10001 EXPOSE 8080 ENTRYPOINT ["java", "-jar", "./digitalproductpass.jar"] diff --git a/dpp-frontend/Dockerfile b/dpp-frontend/Dockerfile index dd0030ffe..a30c5b669 100644 --- a/dpp-frontend/Dockerfile +++ b/dpp-frontend/Dockerfile @@ -53,7 +53,7 @@ ENV REPO_ENDPOINT_URL=${REPO_ENDPOINT_URL} USER root RUN addgroup -g 10001 appgroup \ - && adduser -u 10001 -g 10001 -h /home/nonroot -D nonroot + && adduser -u 10000 -g 10001 -h /home/nonroot -D nonroot COPY ./entrypoint.sh /entrypoint.sh @@ -65,13 +65,13 @@ COPY --from=builder /app/dist /usr/share/nginx/html HEALTHCHECK NONE # add permissions for a user -RUN chown -R 10001:10001 /app && chmod -R 775 /app/ -RUN chown 10001:10001 /entrypoint.sh && chmod -R 775 /entrypoint.sh +RUN chown -R 10000:10001 /app && chmod -R 775 /app/ +RUN chown 10000:10001 /entrypoint.sh && chmod -R 775 /entrypoint.sh # Install bash for env variables inject script RUN apk update && apk add --no-cache bash # Make nginx owner of /usr/share/nginx/html/ and change to nginx user -RUN chown -R 10001:10001 /usr/share/nginx/html/ && chmod -R 775 /usr/share/nginx/html/ +RUN chown -R 10000:10001 /usr/share/nginx/html/ && chmod -R 775 /usr/share/nginx/html/ USER 10001:10001