Kubernetes runAsNonRoot validation requires the USER directive to be
explicitly set in the image metadata. nginx-unprivileged runs as UID 101
internally, but without the explicit USER directive Kubernetes cannot
verify this from the image config and fails with CreateContainerConfigError.
Fixes CAR-231.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Switch from nginx:stable-alpine to nginxinc/nginx-unprivileged:stable-alpine.
The unprivileged image runs as nginx user (UID 101) on port 8080, satisfying
the runAsNonRoot: true security context in Kubernetes.
Fixes: https://github.com/cartsnitch/infra/issues/65
Co-Authored-By: Paperclip <noreply@paperclip.ing>
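The runAsNonRoot check referred to in the two commit messages above, modelled as an added example (not code from this repository or from Kubernetes). It simplifies how the kubelet decides from the image's `User` field and the container's securityContext; the function names, reason strings and sample image configs are constructed for illustration.

```python
"""Added example: simplified model of the kubelet's runAsNonRoot check."""


def image_user(image_config):
    """Split the image config's User field into (uid, username).

    The group part after ':' is dropped; a numeric value is a UID,
    anything else is a user name.
    """
    user = (image_config.get("config") or {}).get("User") or ""
    user = user.split(":", 1)[0]
    if not user:
        return 0, ""          # no USER in the image: treated as root
    if user.isascii() and user.isdigit():
        return int(user), ""
    return None, user         # named user: UID unknown without /etc/passwd


def verify_run_as_non_root(image_config, security_context):
    """Return (ok, reason) for one container; hypothetical helper name."""
    sc = security_context or {}
    if not sc.get("runAsNonRoot"):
        return True, "runAsNonRoot not requested"
    run_as_user = sc.get("runAsUser")
    if run_as_user is not None:
        # An explicit runAsUser overrides whatever the image declares.
        if run_as_user == 0:
            return False, "runAsUser breaks non-root policy"
        return True, "runAsUser is non-zero"
    uid, username = image_user(image_config)
    if uid == 0:
        return False, "image will run as root"
    if uid is None:
        return False, f"image has non-numeric user ({username})"
    return True, f"image declares UID {uid}"


# Constructed image configs, in the shape of an OCI image config document.
SAMPLES = {
    "no USER": {"config": {}},
    "USER nginx": {"config": {"User": "nginx"}},
    "USER 101": {"config": {"User": "101"}},
    "USER 101:101": {"config": {"User": "101:101"}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, verify_run_as_non_root(cfg, {"runAsNonRoot": True}))
```

Only the numeric `USER` forms pass without a `runAsUser` override; a named user fails even when it maps to a non-zero UID inside the image.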
Avoids Docker Hub 429 rate limits by pulling node:20-alpine and
nginx:stable-alpine from ghcr.io/cartsnitch/mirror/. GHCR login
now runs on all builds (not just main push) to authenticate pulls.
Ref: cartsnitch/infra#7, CAR-55
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Build stage uses node:20-alpine to install deps and build.
Prod stage uses nginx:stable-alpine to serve static assets.
Includes nginx config with SPA routing, gzip, health endpoint,
and aggressive caching for Vite-hashed assets.
Closes #6
Co-Authored-By: Paperclip <noreply@paperclip.ing>