diff --git a/keip-integration/Dockerfile b/keip-integration/Dockerfile
index afaad59..fefcd37 100644
--- a/keip-integration/Dockerfile
+++ b/keip-integration/Dockerfile
@@ -1,7 +1,7 @@
# Local development Dockerfile. CI releases use the Jib Maven plugin (see pom.xml).
FROM eclipse-temurin:21-jre@sha256:34a58218d838035428163eb35abb629944c5906d1bedcfef8bc8864cce11dfe5
-RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
+RUN groupadd --system --gid 999 appgroup && useradd --system --uid 999 --gid appgroup appuser
COPY target/app.jar /app/app.jar
-RUN chown -R appuser:appgroup /app
-USER appuser
+RUN chown -R 999:999 /app
+USER 999
ENTRYPOINT ["java", "-Djdk.httpclient.HttpClient.log=errors,requests", "-Dspring.config.location=/var/spring/config/", "-jar", "/app/app.jar"]
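Review bot: `RUN chown -R 999:999 /app` makes `/app/app.jar` owned by the same UID the JVM runs as, so the runtime user can modify the jar it executes even though it only needs to read it. Unless the application writes under `/app`, drop the chown and leave the jar root-owned and read-only, e.g. `COPY --chmod=0444 target/app.jar /app/app.jar` (BuildKit). That also avoids the extra layer in which the chown duplicates the file. The same applies to the unchanged `RUN chown -R appuser:appgroup /code` in the second hunk of webapp/Dockerfile.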
diff --git a/keip-integration/pom.xml b/keip-integration/pom.xml
index 5d484bb..512f65d 100644
--- a/keip-integration/pom.xml
+++ b/keip-integration/pom.xml
@@ -12,7 +12,7 @@
org.codice.keip
keip-integration
- 0.5.0
+ 0.6.0
ghcr.io/codice
@@ -108,6 +108,7 @@
eclipse-temurin:21-jre@sha256:34a58218d838035428163eb35abb629944c5906d1bedcfef8bc8864cce11dfe5
+ 999
${maven.build.timestamp}
-Dspring.config.location=/var/spring/config/
diff --git a/operator/Makefile b/operator/Makefile
index 82633de..6d0d541 100644
--- a/operator/Makefile
+++ b/operator/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.16.0
+VERSION ?= 0.17.0
GIT_TAG := operator_v$(VERSION)
KUBECTL := kubectl
diff --git a/operator/controller/keip-controller-props.yaml b/operator/controller/keip-controller-props.yaml
index f9830a7..4c3f871 100644
--- a/operator/controller/keip-controller-props.yaml
+++ b/operator/controller/keip-controller-props.yaml
@@ -4,4 +4,4 @@ metadata:
name: keip-controller-props
namespace: keip
data:
- integration-image: "ghcr.io/codice/keip/keip-integration:0.5.0"
+ integration-image: "ghcr.io/codice/keip/keip-integration:0.6.0"
diff --git a/operator/controller/webhook-deployment.yaml b/operator/controller/webhook-deployment.yaml
index 0199343..0e7dc46 100644
--- a/operator/controller/webhook-deployment.yaml
+++ b/operator/controller/webhook-deployment.yaml
@@ -27,11 +27,12 @@ spec:
serviceAccountName: keip-controller-service
securityContext:
runAsNonRoot: true
+ runAsUser: 999
seccompProfile:
type: RuntimeDefault
containers:
- name: webhook
- image: ghcr.io/codice/keip/webapp:0.19.0
+ image: ghcr.io/codice/keip/webapp:0.20.0
ports:
- containerPort: 7080
name: webhook-http
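Review bot: The pod-level `securityContext` now pins `runAsUser: 999` but sets no `runAsGroup`, so the primary group is left to the runtime's default, which can be GID 0 when the UID is not resolved from the image's passwd file. Adding `runAsGroup: 999` under the new line makes the group explicit and matches the GID that webapp/Dockerfile creates. The pod template built by `_create_pod_template` in webapp/core/sync.py has the same gap: it adds `runAsUser` and `fsGroup` but no `runAsGroup`.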
diff --git a/webapp/Dockerfile b/webapp/Dockerfile
index 2c73022..ff29cdb 100644
--- a/webapp/Dockerfile
+++ b/webapp/Dockerfile
@@ -2,7 +2,7 @@ FROM python:3.11-slim
LABEL org.opencontainers.image.source=https://github.com/codice/keip
-RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
+RUN groupadd --system --gid 999 appgroup && useradd --system --uid 999 --gid appgroup appuser
WORKDIR /code/webapp
@@ -13,6 +13,6 @@ COPY . .
RUN chown -R appuser:appgroup /code
ENV PYTHONDONTWRITEBYTECODE=1
-USER appuser
+USER 999
ENTRYPOINT ["python", "-m", "uvicorn", "webapp.app:app", "--host", "0.0.0.0", "--port", "7080", "--app-dir", "/code"]
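Review bot: `USER 999` has no comment saying why the user name was replaced by a number or what else depends on that value. The same 999 now appears as `runAsUser` in operator/controller/webhook-deployment.yaml, and presumably the numeric form is there so that `runAsNonRoot: true` can be checked against the image user. A comment above the line such as `# Numeric UID so runAsNonRoot can be verified; keep in sync with runAsUser in operator/controller/webhook-deployment.yaml` would record that coupling. Separately, the `FROM python:3.11-slim` visible in the first hunk's header is tag-only, unlike the digest-pinned base in keip-integration/Dockerfile, so pinning it by digest would make this image reproducible in the same way.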
diff --git a/webapp/Makefile b/webapp/Makefile
index d2426a5..d67239c 100644
--- a/webapp/Makefile
+++ b/webapp/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.19.0
+VERSION ?= 0.20.0
HOST_PORT ?= 7080
GIT_TAG := webapp_v$(VERSION)
diff --git a/webapp/core/sync.py b/webapp/core/sync.py
index ae916c5..82c7a9e 100644
--- a/webapp/core/sync.py
+++ b/webapp/core/sync.py
@@ -341,6 +341,8 @@ def _create_pod_template(parent, labels, integration_image) -> Mapping[str, Any]
"serviceAccountName": "integrationroute-service",
"securityContext": {
"runAsNonRoot": True,
+ "runAsUser": 999,
+ "fsGroup": 999,
"seccompProfile": {"type": "RuntimeDefault"},
},
"containers": [
@@ -372,7 +374,7 @@ def _create_pod_template(parent, labels, integration_image) -> Mapping[str, Any]
"port": management_port,
"scheme": scheme,
},
- "failureThreshold": 12,
+ "failureThreshold": 24,
"timeoutSeconds": 3,
},
},
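Review bot: The change of `"failureThreshold"` from 12 to 24 has no comment, and the probe it belongs to and its period lie outside this hunk, so the resulting time budget cannot be read from the change. On a startup probe the doubling only lengthens the allowed boot time, but on a liveness probe it doubles how long an unresponsive container keeps running before it is restarted. A comment above the line such as `# allow up to 24 failed checks before the probe gives up (see periodSeconds)` would record the intent. The body of `_create_pod_template` starts and ends outside this hunk.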
diff --git a/webapp/core/test/json/full-response.json b/webapp/core/test/json/full-response.json
index ce3df87..ea04f91 100644
--- a/webapp/core/test/json/full-response.json
+++ b/webapp/core/test/json/full-response.json
@@ -38,6 +38,8 @@
"serviceAccountName": "integrationroute-service",
"securityContext": {
"runAsNonRoot": true,
+ "runAsUser": 999,
+ "fsGroup": 999,
"seccompProfile": {
"type": "RuntimeDefault"
}
@@ -103,7 +105,7 @@
"port": 8443,
"scheme": "HTTPS"
},
- "failureThreshold": 12,
+ "failureThreshold": 24,
"timeoutSeconds": 3
},
"env": [
diff --git a/webapp/routes/test/json/full-route-response.json b/webapp/routes/test/json/full-route-response.json
index 00797e9..eb06911 100644
--- a/webapp/routes/test/json/full-route-response.json
+++ b/webapp/routes/test/json/full-route-response.json
@@ -31,6 +31,8 @@
"serviceAccountName": "integrationroute-service",
"securityContext": {
"runAsNonRoot": true,
+ "runAsUser": 999,
+ "fsGroup": 999,
"seccompProfile": {
"type": "RuntimeDefault"
}
@@ -79,7 +81,7 @@
"port": 8443,
"scheme": "HTTPS"
},
- "failureThreshold": 12,
+ "failureThreshold": 24,
"timeoutSeconds": 3
},
"env": [