Over in Kubernetes we want to specify the container user as a UID for security-hardening reasons. Right now, this is done by copying the UID set in the app's Dockerfile to the manifest.
Infra should actually own setting what that is in production, so let's not default the UID, and fail the build if it isn't passed. This means we can DRY up the situation here where we have a default arg in the Dockerfiles but also pass it through docker-compose from make. The situation with docker-compose is actually very similar, because it has to pass in the UID from the environment so that volume sharing will work. There isn't a default that will work for all dev workstation setups. So, have that be the one place it gets set.
Over in infra land we do still set the production UID in two places, but that's our problem now :). I adjusted prod-docker-compose.yml to pass in a UID that is unlikely to exist on your workstation to validate that production will be able to set it.
Finally, if the UID in dev conflicts with the recently-updated node image, go ahead and use the predefined user instead of failing the dev image build.
This pulls in https://github.com/freedomofpress/securethenews/pull/244 so I'm closing that.
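
The UID handling described in this PR, sketched as an added shell example (not code from the PR or the securethenews repository): no default UID, a failed build when none is passed, and reuse of the base image's predefined user when the UID is already taken. The function name, the `USERID` argument name, the sample passwd content and the rejection of UID 0 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; names and sample data are assumptions, not the project's own.

# Constructed sample of a base image's /etc/passwd, with a predefined
# "node" user at UID 1000.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
EOF
}

# resolve_build_user UID PASSWD_FILE
# Prints "reuse <name>" when the UID already exists in the image, or
# "create <uid>" when a new user is needed. A non-zero return fails the build.
resolve_build_user() {
    uid=$1
    passwd_file=$2

    # No default: a missing UID fails the build instead of falling back.
    if [ -z "$uid" ]; then
        echo "USERID build arg is required" >&2
        return 1
    fi
    # Only digits are accepted.
    case $uid in
        *[!0-9]*) echo "USERID must be numeric: $uid" >&2; return 1 ;;
    esac
    # Added check (not stated on the page): never build an image that runs as root.
    if [ "$uid" -eq 0 ]; then
        echo "refusing UID 0" >&2
        return 1
    fi

    # A UID that collides with a predefined user reuses that user.
    existing=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$passwd_file")
    if [ -n "$existing" ]; then
        echo "reuse $existing"
    else
        echo "create $uid"
    fi
}
```

In a Dockerfile `RUN` step this would be called with the build arg and `/etc/passwd`, followed by `useradd` only in the "create" case.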