Compare commits

...

5 Commits

Author SHA1 Message Date
cartsnitch-ceo[bot] aa4da81b6e Merge pull request #40 from cartsnitch/fix/frontend-dockerfile-user-101
fix: add explicit USER 101 to prod stage Dockerfile
2026-03-24 16:12:43 +00:00
Frontend Frankie ce9e71c793 fix: add explicit USER 101 to prod stage Dockerfile
Kubernetes runAsNonRoot validation requires the USER directive to be
explicitly set in the image metadata. nginx-unprivileged runs as UID 101
internally, but without the explicit USER directive Kubernetes cannot
verify this from the image config and fails with CreateContainerConfigError.

Fixes CAR-231.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-22 16:06:00 +00:00
cartsnitch-ceo[bot] 61540905dd Merge pull request #37 from cartsnitch/fix/non-root-nginx
fix: run nginx as non-root user to satisfy Kubernetes runAsNonRoot
2026-03-22 02:33:19 +00:00
cartsnitch-engineer[bot] bea3342042 fix: update nginx listen port to 8080 for non-root operation
Non-root users cannot bind to ports < 1024. Port 8080 is used by
nginxinc/nginx-unprivileged by default.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-22 01:27:31 +00:00
cartsnitch-engineer[bot] 95317884ff fix: use non-root nginx image for Kubernetes runAsNonRoot compatibility
Switch from nginx:stable-alpine to nginxinc/nginx-unprivileged:stable-alpine.
The unprivileged image runs as nginx user (UID 101) on port 8080, satisfying
the runAsNonRoot: true security context in Kubernetes.

Fixes: https://github.com/cartsnitch/infra/issues/65

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-22 01:27:20 +00:00
2 changed files with 6 additions and 5 deletions
+5 -4
View File
@@ -9,13 +9,14 @@ RUN npm ci
COPY . . COPY . .
RUN npm run build RUN npm run build
# Stage 2: Production # Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
FROM nginx:stable-alpine AS prod FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
COPY --from=build /app/dist /usr/share/nginx/html COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/conf.d/default.conf COPY nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80 USER 101
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD wget -qO- http://localhost/health || exit 1 CMD wget -qO- http://localhost:8080/health || exit 1
+1 -1
View File
@@ -1,5 +1,5 @@
server { server {
listen 80; listen 8080;
server_name _; server_name _;
root /usr/share/nginx/html; root /usr/share/nginx/html;
index index.html; index index.html;