
feat: drop privileges in web dockerfiles

Fela Maslen 5 년 전
부모
커밋
c85a22552e
5개의 변경된 파일35개의 추가작업 그리고 27개의 파일을 삭제
  1. 9 11
      gmus-backend/Dockerfile
  2. 6 2
      gmus-web/Dockerfile
  3. 8 4
      gmus-web/builder.Dockerfile
  4. 3 1
      gmus-web/nginx.conf
  5. 9 9
      k8s/manifest.yml

+ 9 - 11
gmus-backend/Dockerfile

@@ -2,23 +2,21 @@ FROM golang:1.15-alpine
 
 RUN apk update && apk add make gcc libc-dev libvorbis-dev libvorbis
 
+RUN mkdir /app
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup && chown appuser:appgroup /app
+USER appuser
 WORKDIR /app
 
-COPY go.mod go.sum ./
-RUN go mod download
+COPY --chown=appuser:appgroup go.mod go.sum ./
+RUN go mod download && go get -u github.com/onsi/ginkgo/ginkgo
 
-COPY Makefile ./
-COPY migrations ./migrations
-COPY pkg ./pkg
-COPY cmd ./cmd
+COPY --chown=appuser:appgroup Makefile ci.env ./
+COPY --chown=appuser:appgroup migrations ./migrations
+COPY --chown=appuser:appgroup pkg ./pkg
+COPY --chown=appuser:appgroup cmd ./cmd
 
 RUN make clean && make build
 
-RUN apk del gcc libc-dev libvorbis-dev
-
-RUN addgroup -S appgroup && adduser -S appuser -G appgroup
-USER appuser
-
 ENV PATH="/app/bin:${PATH}"
 
 CMD gmus.server
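Review bot: `go get -u github.com/onsi/ginkgo/ginkgo` on the changed `RUN go mod download` line installs an unpinned, auto-upgraded test runner into what is also the runtime image, so the build is not reproducible and the shipped image carries a tool the server never runs; pin it (`go get github.com/onsi/ginkgo/ginkgo@<pinned version>`) or install it only in a CI/test stage. `ci.env` is now baked into a layer by `COPY --chown=appuser:appgroup Makefile ci.env ./`; if it holds anything beyond non-sensitive build settings it belongs in a `--mount=type=secret` or `.dockerignore` rather than the image, since it persists in `docker history` and the layer itself. Dropping the `apk del gcc libc-dev libvorbis-dev` step was forced by `USER appuser` coming earlier, but it means the compiler toolchain now stays in the final image; a separate build stage that `COPY --from=`s `bin/` into a minimal runtime stage would restore the cleanup without needing root at the end. The three new `RUN mkdir` / `RUN addgroup … chown` / `USER` lines could also be one `RUN` for the user setup, as the split buys no cache benefit.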

+ 6 - 2
gmus-web/Dockerfile

@@ -2,6 +2,10 @@ FROM docker.fela.space/gmus-web-builder:latest
 
 FROM nginx:alpine
 
+RUN mkdir /app
+RUN chown -R nginx:nginx /app /var/cache/nginx && touch /var/run/nginx.pid && chown nginx:nginx /var/run/nginx.pid
+USER nginx
 WORKDIR /app
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY --from=0 /app/build .
+
+COPY --chown=nginx:nginx nginx.conf /etc/nginx/nginx.conf
+COPY --chown=nginx:nginx --from=0 /app/build .
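Review bot: The `--chown=nginx:nginx` on both new `COPY` lines, together with `/app` in `chown -R nginx:nginx /app /var/cache/nginx`, gives the worker user write access to its own server config and to the document root, which it only needs to read; keeping those root-owned (`COPY nginx.conf /etc/nginx/nginx.conf`, `COPY --from=0 /app/build .`, and `chown -R nginx:nginx /var/cache/nginx` alone) limits what a compromised worker could alter to the cache and pid file. `RUN mkdir /app` and the chown `RUN` can be a single instruction, since separate layers gain nothing here. The `touch /var/run/nginx.pid && chown` step exists only because `/var/run` itself is not writable by `nginx`; pointing the `pid` directive in nginx.conf at a path under the already-writable `/var/cache/nginx` would remove that coupling between the Dockerfile and the config.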

+ 8 - 4
gmus-web/builder.Dockerfile

@@ -1,11 +1,15 @@
 FROM node:14-alpine AS builder
 
+RUN mkdir /app
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup && chown appuser:appgroup /app
+USER appuser
 WORKDIR /app
-COPY package.json yarn.lock ./
+
+COPY --chown=appuser:appgroup package.json yarn.lock ./
 RUN yarn
-COPY src ./src
-COPY public ./public
-COPY tsconfig.json .
+COPY --chown=appuser:appgroup src ./src
+COPY --chown=appuser:appgroup public ./public
+COPY --chown=appuser:appgroup README.md .env.test .prettierrc.js .eslintrc.js tsconfig.json ./
 
 ENV REACT_APP_API_URL=http://localhost:3002
 RUN yarn build
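Review bot: `.env.test`, `.prettierrc.js` and `.eslintrc.js` are added to the image by the new `COPY --chown=appuser:appgroup README.md .env.test .prettierrc.js .eslintrc.js tsconfig.json ./` line; `.env.test` persists in a layer of the builder image, so it should only be copied if it holds nothing beyond public test settings, and `README.md` is presumably not needed by `yarn build` at all. The `COPY … package.json yarn.lock ./` line is now followed by a bare `RUN yarn`, which may resolve versions that differ from the lockfile; `RUN yarn install --frozen-lockfile` makes the dependency layer reproducible. The `RUN mkdir /app` and `RUN addgroup … && chown appuser:appgroup /app` lines could be one `RUN`, since the split creates an extra layer with no cache benefit.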

+ 3 - 1
gmus-web/nginx.conf

@@ -1,10 +1,12 @@
+pid /var/run/nginx.pid;
+
 events {
   worker_connections 768;
 }
 
 http {
   server {
-    listen 80;
+    listen 8080;
 
     root /app;
 

+ 9 - 9
k8s/manifest.yml

@@ -10,7 +10,7 @@ spec:
     - name: http
       protocol: TCP
       port: 8081
-      targetPort: 80
+      targetPort: 8080
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -28,13 +28,13 @@ spec:
               service:
                 name: gmus-backend
                 port:
-                  number: 80
+                  number: 8080
           - path: /(.*)
             backend:
               service:
                 name: gmus-web
                 port:
-                  number: 80
+                  number: 8080
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -58,7 +58,7 @@ spec:
         - name: gmus-backend
           image: docker.fela.space/gmus-backend:0
           ports:
-            - containerPort: 80
+            - containerPort: 8080
           envFrom:
             - configMapRef:
                 name: gmus-backend
@@ -75,13 +75,13 @@ spec:
             periodSeconds: 5
             httpGet:
               path: /liveness
-              port: 80
+              port: 8080
           readinessProbe:
             initialDelaySeconds: 5
             periodSeconds: 5
             httpGet:
               path: /readiness
-              port: 80
+              port: 8080
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -105,7 +105,7 @@ spec:
         - name: gmus-web
           image: docker.fela.space/gmus-web:0
           ports:
-            - containerPort: 80
+            - containerPort: 8080
           envFrom:
             - configMapRef:
                 name: gmus-web
@@ -114,13 +114,13 @@ spec:
             periodSeconds: 5
             httpGet:
               path: /liveness
-              port: 80
+              port: 8080
           readinessProbe:
             initialDelaySeconds: 5
             periodSeconds: 5
             httpGet:
               path: /readiness
-              port: 80
+              port: 8080
 ---
 apiVersion: v1
 kind: Service
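Review bot: The gmus-backend Deployment's `containerPort` and both probe ports move to 8080 in the `@@ -58,7 +58,7 @@` and `@@ -75,13 +75,13 @@` hunks, but nothing in this commit changes what `gmus.server` binds; if the listen port comes from the `gmus-backend` ConfigMap referenced by `envFrom`, that ConfigMap is not in the diff and should change in the same commit, otherwise the probes fail and the Service targets a closed port. Since both images now drop to an unprivileged user, the Deployments should assert it so the cluster enforces the privilege drop instead of trusting the image: add `securityContext:` / `  runAsNonRoot: true` to each container spec (a numeric `runAsUser` would additionally require the Dockerfiles to create the users with fixed UIDs, which the `adduser -S` lines do not guarantee). The trailing `kind: Service` object in the last hunk continues past the end of the diff.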