Run Porch as non-root (#4028)

* Run Porch as non-root

* Remove elevated permissions requirements

- Specify where the api certs should be stored, under a path not required root access.
- Customize the api server port to not use a non-priviledge port as targetPort

Signed-off-by: Alexis de Talhouët <[email protected]>

---------

Signed-off-by: Alexis de Talhouët <[email protected]>

porch/build/Dockerfile.porch

@@ -55,5 +55,13 @@ RUN cd porch; go build -v -o /porch ./cmd/porch
 
 FROM debian:bookworm-slim
 RUN apt update && apt install -y ca-certificates && apt install -y git && rm -rf /var/lib/apt && rm -rf /var/cache/apt
-COPY --from=builder /porch /porch
-ENTRYPOINT ["/porch"]
+
+RUN useradd -s /bin/bash -d /home/porch/ -m -u 1999 porch
+WORKDIR /home/porch
+
+COPY --from=builder /porch /home/porch/porch
+RUN chown porch:porch /home/porch/porch; chmod +x /home/porch/porch
+
+USER porch
+
+ENTRYPOINT ["/home/porch/porch"]

porch/deployments/porch/3-porch-server.yaml

@@ -40,6 +40,8 @@ spec:
           emptyDir: {}
         - name: webhook-certs
           emptyDir: {}
+        - name: api-server-certs
+          emptyDir: {}
       containers:
         - name: porch-server
           # Update image to the image of your porch apiserver build.
@@ -56,6 +58,8 @@ spec:
               name: cache-volume
             - mountPath: /etc/webhook/certs
               name: webhook-certs
+            - name: api-server-certs
+              mountPath: /tmp/certs
           env:
           # Uncomment to enable trace-reporting to jaeger
           #- name: OTEL
@@ -67,6 +71,8 @@ spec:
           args:
             - --function-runner=function-runner:9445
             - --cache-directory=/cache
+            - --cert-dir=/tmp/certs
+            - --secure-port=4443
 
 ---
 apiVersion: v1
@@ -78,7 +84,7 @@ spec:
   ports:
     - port: 443
       protocol: TCP
-      targetPort: 443
+      targetPort: 4443
       name: api
     - port: 8443
       protocol: TCP