From 1c568df08cc1ab99705e64b6a0b6b892c6724bef Mon Sep 17 00:00:00 2001
From: Tim Haasdyk <tim_haasdyk@sil.org>
Date: Thu, 16 May 2024 15:24:43 +0200
Subject: [PATCH] Try to ensure we're always using the right user/group

---
 deployment/base/hg-deployment.yaml             | 4 ++++
 deployment/init-repos/hg-deployment-patch.yaml | 1 +
 2 files changed, 5 insertions(+)

diff --git a/deployment/base/hg-deployment.yaml b/deployment/base/hg-deployment.yaml
index 8f2e1272b..4c26d2592 100644
--- a/deployment/base/hg-deployment.yaml
+++ b/deployment/base/hg-deployment.yaml
@@ -79,6 +79,9 @@ spec:
     spec:
       securityContext:
         fsGroup: 33
+        runAsUser: 33
+        runAsGroup: 33 # www-data
+        runAsNonRoot: true
       containers:
       - name: hgweb
         image: ghcr.io/sillsdev/lexbox-hgweb:latest
@@ -176,6 +179,7 @@ spec:
         securityContext:
           runAsUser: 33
           runAsGroup: 33 # www-data
+          runAsNonRoot: true
         image: busybox:1.36.1
         command:
           - 'sh'
diff --git a/deployment/init-repos/hg-deployment-patch.yaml b/deployment/init-repos/hg-deployment-patch.yaml
index 82ac50d91..1fefc7d51 100644
--- a/deployment/init-repos/hg-deployment-patch.yaml
+++ b/deployment/init-repos/hg-deployment-patch.yaml
@@ -11,6 +11,7 @@ spec:
           securityContext:
             runAsUser: 33
             runAsGroup: 33 # www-data
+            runAsNonRoot: true
           image: busybox:1.36.1
           command:
             - 'sh'