From f222abff6ac8ecef5531b6bff2fbb1e6b19021d9 Mon Sep 17 00:00:00 2001
From: Remi  PLANEL <rplanel@pasteur.fr>
Date: Mon, 4 Mar 2024 14:02:07 +0100
Subject: [PATCH] create worker user for backend

---
 backend/Dockerfile                    | 12 ++++++++----
 deploy/charts/djangoninja/values.yaml |  4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index 219b34d..4471fa7 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -14,15 +14,19 @@ RUN poetry export -f requirements.txt --output requirements.txt --without-hashes
 
 FROM python:3.11.4-slim-bookworm
 
-RUN apt update -y && apt upgrade -y && apt install -y python3-dev libpq-dev
+RUN apt update -y && apt upgrade -y && apt install -y python3-dev libpq-dev cron
+
+RUN useradd -ms /bin/bash worker
+
+USER worker
 
 WORKDIR /code
 
-COPY --from=requirements-stage /tmp/requirements.txt /code/requirements.txt
+COPY --chown=worker:worker --from=requirements-stage /tmp/requirements.txt /code/requirements.txt
 
-RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
+RUN pip install --user --no-cache-dir --upgrade -r /code/requirements.txt
 
-COPY . ./
+COPY --chown=worker:worker . ./
 
 EXPOSE 8000
 
diff --git a/deploy/charts/djangoninja/values.yaml b/deploy/charts/djangoninja/values.yaml
index 858f109..fada315 100644
--- a/deploy/charts/djangoninja/values.yaml
+++ b/deploy/charts/djangoninja/values.yaml
@@ -37,8 +37,8 @@ securityContext:
   #   - ALL
   # readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 1001
-  fsGroup: 1001
+  runAsUser: 1000
+  fsGroup: 1000
 
 service:
   type: ClusterIP
-- 
GitLab