From 56889c0bde25aabfa8f48933a0fb793604a0f608 Mon Sep 17 00:00:00 2001
From: ecaiyanlinux
Date: Tue, 25 Jan 2022 22:30:49 +0100
Subject: [PATCH] Use non-root user for Dockerfile of helm-manager

Signed-off-by: ecaiyanlinux
Issue-ID: NONRTRIC-647
Change-Id: Ic9d82606c25f63096278b22efbe670382dd73468
---
 helm-manager/Dockerfile | 16 ++++++++++++++++
 helm-manager/docker-hm.sh | 8 ++++----
 helm-manager/helm-manager.yaml | 9 ++++++++-
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/helm-manager/Dockerfile b/helm-manager/Dockerfile
index 5e96b60f..b50767cf 100644
--- a/helm-manager/Dockerfile
+++ b/helm-manager/Dockerfile
@@ -46,4 +46,20 @@ COPY config/application.yaml .
 WORKDIR /opt/app/helm-manager
 COPY target/app.jar app.jar
 
+ARG user=nonrtric
+ARG group=nonrtric
+
+RUN groupadd $group && \
+    useradd -r -g $group $user
+RUN chown -R $user:$group /opt/app/helm-manager
+RUN chown -R $user:$group /etc/app/helm-manager
+
+RUN mkdir /var/helm-manager-service
+RUN chown -R $user:$group /var/helm-manager-service
+
+RUN mkdir /home/$user
+RUN chown -R $user:$group /home/$user
+
+USER $user
+
 CMD [ "java", "-jar", "app.jar", "--spring.config.location=optional:file:/etc/app/helm-manager/"]
diff --git a/helm-manager/docker-hm.sh b/helm-manager/docker-hm.sh
index e51b5318..9844f4de 100755
--- a/helm-manager/docker-hm.sh
+++ b/helm-manager/docker-hm.sh
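Review bot: The runtime user is created with `useradd -r -g $group $user` and no fixed UID, so its numeric id is whatever useradd allocates at build time, while helm-manager.yaml in this same commit chowns the service volume to a hard-coded `999:1000`; the two can silently diverge after a base-image update. Pin the ids in the image, e.g. `RUN groupadd -g 1000 $group && useradd -r -u 999 -g $group $user` (the values must be aligned with whatever the manifest uses), so volume ownership is deterministic across both deployment paths. Separately, `chown -R $user:$group /opt/app/helm-manager` and the matching chown on `/etc/app/helm-manager` make the jar and the configuration directory writable by the process that runs them; leaving those root-owned and readable, and chowning only `/var/helm-manager-service` and `/home/$user`, keeps the application from being able to modify its own code or config at runtime.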
@@ -25,10 +25,10 @@ docker run \
     --name helmmanagerservice \
     --network nonrtric-docker-net \
     -v $(pwd)/mnt/database:/var/helm-manager/database \
-    -v ~/.kube:/root/.kube \
-    -v ~/.helm:/root/.helm \
-    -v ~/.config/helm:/root/.config/helm \
-    -v ~/.cache/helm:/root/.cache/helm \
+    -v ~/.kube:/home/nonrtric/.kube \
+    -v ~/.helm:/home/nonrtric/.helm \
+    -v ~/.config/helm:/home/nonrtric/.config/helm \
+    -v ~/.cache/helm:/home/nonrtric/.cache/helm \
     -v $(pwd)/config/KubernetesParticipantConfig.json:/opt/app/helm-manager/src/main/resources/config/KubernetesParticipantConfig.json \
     -v $(pwd)/config/application.yaml:/opt/app/helm-manager/src/main/resources/config/application.yaml \
     nexus3.o-ran-sc.org:10004/o-ran-sc/nonrtric-helm-manager:1.1.0-SNAPSHOT
diff --git a/helm-manager/helm-manager.yaml b/helm-manager/helm-manager.yaml
index 2dafed8e..dcc4bc5b 100644
--- a/helm-manager/helm-manager.yaml
+++ b/helm-manager/helm-manager.yaml
@@ -63,7 +63,14 @@ spec:
       - name: helm-manager-service-pv
         persistentVolumeClaim:
           claimName: helm-manager-service-pvc
-
+      initContainers:
+      - name: change-ownership-container
+        image: busybox:latest
+        command: ["sh","-c","chown -R 999:1000 /var/helm-manager-service"]
+        resources: {}
+        volumeMounts:
+        - mountPath: /var/helm-manager-service
+          name: helm-manager-service-pv
 
 ---
 apiVersion: v1
-- 
2.16.6
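Review bot: Bind-mounting `~/.kube`, `~/.helm`, `~/.config/helm` and `~/.cache/helm` into `/home/nonrtric/...` keeps the host owner and modes on those files, and a kubeconfig is normally `0600`, so the container's unprivileged `nonrtric` user (whose UID is whatever `useradd -r` allocated in the image) will in most setups get permission denied where root previously could read everything. The script should either state that these host files must be readable by the image's UID or pass a matching UID explicitly, and this is worth verifying on a clean host before merging. The kubeconfig and helm credentials only need to be read by the service, so mounting them read-only, e.g. `-v ~/.kube:/home/nonrtric/.kube:ro`, limits what a compromised container could alter on the host. The `docker run` command this hunk belongs to begins before it.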
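Review bot: The new init container runs `chown -R 999:1000 /var/helm-manager-service` as root from an unpinned `busybox:latest` image, and the ids are hard-coded with nothing in the commit tying them to the UID/GID that `useradd -r` allocates in the Dockerfile. For volume types that support ownership management, Kubernetes can do this fix-up without a root init container: a pod-level `securityContext: {fsGroup: 1000}` makes the kubelet apply the group to the mounted volume and removes the busybox image from the trust boundary. If the init container is kept, pin the image by tag or digest rather than `latest`, and add `runAsNonRoot: true` to the main container's securityContext so the pod fails closed if the image ever runs as root again. The pod `spec:` that this block extends begins before the hunk.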