Closed C4tWithShell closed 8 months ago
Thanks for your contribution. We'll test it.
As for the code: we use helmify to automatically create the Helm charts from the YAML files in the deploy folder.
helmify removes the if-condition for the security-context:
96,99d95
< {{- if .Values.securityContext.enabled }}
< securityContext:
< {{- toYaml .Values.operator.trivyDojoReportOperator.securityContext | nindent 10 }}
< {{- end }}
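Review bot: Dropping the `{{- if .Values.securityContext.enabled }}` guard in 96,99d95 removes the only switch for this block, so a release whose values still set `securityContext.enabled: false` gets the security context rendered after upgrade without any warning. If the toggle is meant to go away, say so in the chart's upgrade notes. The removed guard read the top-level `.Values.securityContext.enabled` while the body read `.Values.operator.trivyDojoReportOperator.securityContext`, so both keys should be mentioned there.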
107a104,105
> securityContext: {{- toYaml .Values.operator.trivyDojoReportOperator.containerSecurityContext
> | nindent 10 }}
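Review bot: The values path on the added line in 107a104,105 changes from `.Values.operator.trivyDojoReportOperator.securityContext` to `.Values.operator.trivyDojoReportOperator.containerSecurityContext`, so existing overrides under the old key are ignored and the chart defaults apply instead. If the rename comes from helmify and cannot be avoided, document it next to the values, or have the template call `fail` when the old key is still set.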
64c64
< namespace: '{{ .Release.Namespace }}'
---
> namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
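Review bot: The new side of 64c64 ends without a trailing newline (`\ No newline at end of file`), and the `namespace` line shows no other visible difference. Have the generation step end the file with a newline so the regenerated chart does not differ from the committed one only in its line ending.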
8,9d7
< securityContext:
< enabled: true
12,15c10,13
< - name: metrics
< port: 80
< protocol: TCP
< targetPort: metrics
---
> - name: metrics
> port: 80
> protocol: TCP
> targetPort: metrics
17a16,26
> containerSecurityContext:
> allowPrivilegeEscalation: false
> capabilities:
> drop:
> - ALL
> privileged: false
> readOnlyRootFilesystem: true
> runAsNonRoot: true
> runAsUser: 1000
> seccompProfile:
> type: RuntimeDefault
25a35
> defectDojoEnvName: Development
26a37
> defectDojoEvalEnvName: "false"
29d39
< defectDojoEvalEnvName: "false"
34d43
< defectDojoEnvName: Development
39,49d47
< securityContext:
< runAsUser: 1000
< runAsNonRoot: true
< privileged: false
< readOnlyRootFilesystem: true
< allowPrivilegeEscalation: false
< seccompProfile:
< type: RuntimeDefault
< capabilities:
< drop:
< - ALL
For me this is fine; I see no use in allowing it to be disabled. Are you fine with this, too?
Sure